Welcome to the 15th episode of our Security Culture Campaign! On today’s show Matt Konda discusses Zoom Security.

We wrote a longread blog post about Zoom security earlier this week; but given the attention around Zoom and all the questions we have gotten from customers, we wanted to put a quick culture video/podcast together for it as well.

There are a couple of concerns.

Protecting data … the bottom line on Zoom is that you can’t assume that it is secure between you and your meeting guests. Therefore, you shouldn’t use Zoom for protected or regulated information.

Security issues … Zoom has had a number of embarrasingly bad security issues. Many software companies will have those. We think Zoom will have more.

All of this being said, for meetings that aren’t about security critical information, we use Zoom because it continues to be the most reliable service we have used. We are looking for alternatives with better security profiles, but … well we’re still looking.

Click here for the associated YouTube video.

The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Click here to request a topic.

Welcome to the 14th episode of our Security Culture Campaign! On today’s show Matt Konda discusses OWASP Juice Shop.

The OWASP Juice Shop is an amazing resource for both developers and folks working in application security(or those interested in learning application security!). It is easy to run. You can run it in Heroku at the click of a button. Or you can build from source or run in a Docker container. Remember that it is a vulnerable application though!

Once you have it running, you can use an open book Pwning OWASP Juice Shopto learn more about the exercises or setting it up for training.

The platform includes a ton of challenges from SQL Injection, to XSS to Privilege Escalation and Business Logic Abuse. Many of the challenges can be completed with just browser developer tools!

Click here for the associated YouTube video.

The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Click here to request a topic.

Welcome to the 13th episode of our Security Culture Campaign! On today’s show Matt Konda discusses least privilege.

Least Privilege is at first glance obvious and self defining. It means only giving users the access they actually need to perform a particular task in a system. On its face, it seems like you would never give users more privileges than they need so it should be something we do by default all the time.

Examples where we apply least privilege include:

Google Drive - who should be able to read, comment and edit on which drives and documents?

AWS - what services does a given application need?

Our custom code - what do the roles and privilege models look like?

In practice, applying least privilege can be difficult for a couple of reasons.

Learn more on the blog

Click here for the associated YouTube video.

The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Click here to request a topic.

Welcome to the 12th episode of our Security Culture Campaign! On today’s show Matt Konda discusses adversaries and some of the things they might be thinking about as they come at you in the real world.

For example, adversaries are engaging in spam campaigns targeting all of the folks who’ve suddenly found themselves working from home.

I recently received a spam email message about a delivery confirmation for a “WiFi Extender” that I had supposedly purchased from Amazon for $250 with a $50 delivery charge.

Just seeing the email made me angry - I would never pay $50 for delivery, I’m a PRIME member darn it! - and I almost clicked through.

Then I realized that was the intent: I was being baited into taking an action. I never bought the extender from Amazon in the first place! Of course, on closer inspection, the email wasn’t from Amazon nor was the order link to the Amazon website.

This brief podcast talks about how an adversary might use anger, fear, or even jealousy in a time of heightened emotions to get you to do something you wouldn’t otherwise do.

Click here for the associated YouTube video.

The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Click here to request a topic.

Welcome to the 11th episode of our Security Culture Campaign! On today’s show Matt Konda discusses remote work and security.

We put together a checklist for securing your remote work environment that you can download and use across your teams.

The highlights are:

Secure your home network. Use WPA2, a complex password and don’t share it with everyone.

Phishing is always something to watch for, but expect more of it and for coronavirus related tricks

Use 9.9.9.9 as your DNS provider

Have a room that closes with storage that locks and keep any company private information locked up

Don’t share your computer with your family, relatives or friends

Make sure your laptop is encrypted (BitLocker or FileVault for most people)

Update your operating system and programs frequently. Favor automatic updates if possible.

Use antivirus.

Use approved file sharing and communications (eg. Drive and Slack or OneDrive and Teams)

Check out the corresponding blog post to learn more.

Click here for the associated YouTube video.

The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Click here to request a topic.

Welcome to the 10th episode of our Security Culture Campaign! On today’s show Matt Konda talks vulnerable dependencies.

When we build software, we use lots of libraries that we didn’t write. They could be open source, they could be commercial, they could even be framework code provided by a big company as part of a platform.

In any case, we have lots of code running in, over, under and around the code we actually write. If there is a problem in any of that surrounding code, it can affect the security of the software we are writing.

Check out the corresponding blog post to learn more.

Click here for the associated YouTube video.

The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Click here to request a topic.

Welcome to the 9th episode of our Security Culture Campaign! On today’s show Matt Konda talks passwords and password managers.

The first thing to know is that weak passwords are often the easiest way to get access to information.

People:

Choose really simple passwords, like password or abcd1234

When special characters are required, tend to use something like P@ssword1

Use surprisingly easy to guess formats like CompanyYear!

Reuse passwords across different websites

When we do pen testing, guessing passwords is a surprisingly effective way to get access to a system!

We’ve worked with clients where we’ve seen an adversary running a botnet with 100,000 computers slowly but consistently testing passwords one by one gleaned from, for example, the billion user Yahoo! data breach. So this is very real.

Read more on the blog.

Click here for the associated YouTube video.

The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Click here to request a topic.

Welcome to the 8th episode of our Security Culture Campaign! On today’s show Matt Konda talks testing for Authorization.

Authorization is the idea that a user can only do what they should be able to based on their role. It is synonymous with access control.

Consider the case of a consulting firm with:

Consultants that record time and submit timesheets (Let’s say Joe and Brian are consultants)

Managers who approve timesheets (Let’s say Matt is a manager)

There are several types of authorization that need to be implemented in a typical time tracking system.

We need vertical access control implemented to prevent a consultant from approving their own timesheet.

We need horizontal access control or instance based access control to prevent Joe from seeing, modifying or submitting Brian’s timesheet.

Unfortunately, in all my years as a developer, I often observed that we needed to apply security to search functions and admin functions but not necessarily update, delete and view functions on an instance - because we thought it would someehow be very difficult to create a fake request. I believe this issue is common in real world applications. We certainly see it in many pen tests.

Read more on the blog.

Click here for the associated YouTube video.

The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Click here to request a topic.

Welcome to the 7th episode of our Security Culture Campaign! On today’s show Matt Konda talks Secrets.

A secret is anything that is used in a running system as a way to prove that you are who you say you are.

A secret could be:

Database Password

SSH Key

Private Key

API Key

AWS Secret

User’s Password

In this episode you’ll learn how to find and protect Secrets.

Read more on the blog.

Click here for the associated YouTube video.

The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Click here to request a topic.

Welcome to the 6th episode of our Security Culture Campaign! On today’s show Matt Konda talks Static Analysis.

There are a lot of static analysis tools out there. The simplest might be eslint , for which there are even security rulesets - the docs for which have some handy illustrations for the types of things these tools can find.

We recommend:

Using a linter locally in your code editor if applicable - but only if applicable

Using a static analysis tool in your CI/CD pipeline - if it finds useful things

Assuming you may need to spend time tuning the tool to get the results you want

Start with free tools and build the process and habit, then consider using commercial tools

Augment static analysis with code review

Consider an assisted code review strategy

Read more on the blog.

Click here for the associated YouTube video.

The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Click here to request a topic.