Recorded December 19, 2019 at G-Unit Studios in Rhode Island!
First up in this episode is our round table discussion on DevOps and Securing Applications, where we'll cover how to navigate the wide variety of options for securing modern applications and the processes used to build and deploy software today. Next up we take on one of information security's long-standing debates: security versus compliance, in what is sure to be a lively round table discussion. The final segment in this episode assembles a panel of experts to discuss the history of security and what we can learn from the past. Stay tuned for all that and more on this very special episode of Paul's Security Weekly.
Segment 1: DevOps and Securing Applications
Welcome to our round table discussion on DevOps and Securing Applications. Quick reminder for our listeners: every week we record Application Security Weekly, featuring Mike Shema, John Kinsella and Matt Alderman, covering all of the latest application security news and research along with interviews with some of the best and brightest minds in appsec today. You can subscribe to Application Security Weekly, and all of our shows on the Security Weekly network, by visiting securityweekly.com/subscribe.
- Given that DevOps is a process and its execution requires many different tools, how do we get started "doing DevOps"?
- What about DevOps allows us to produce more secure applications?
- What concepts inside of DevOps do most people lose sight of?
- What are the major challenges involved in taking an application from traditional development to DevOps?
- What are some of the best approaches to making an application more resilient to threats, specifically:
  - Static Code Analysis
  - Software Composition Analysis
  - Software Testing
  - Web Application Scanning
- To ORM or not to ORM?
- Which services do you implement yourself vs. using a cloud service?
- How do I choose the best secrets vault?
- What should I use an orchestrator for and what should I not use an orchestrator for?
- How do I build a secure API for my app?
- Thoughts on GraphQL vs. REST security implications?
- For more than 20 years, Jason has been ethically peering into Client Behavior, Wireless Networks, Web Applications, APIs and Cloud Systems, helping organizations secure their assets and intellectual property from unauthorized access. As a consultant he's taken hundreds of organizations through difficult compliance minefields, ensuring their safety. As a researcher he has found flaws in consumer IoT systems and assisted in hardening them against external attacks. At Cequence Security Jason does research, community outreach and supports efforts in identifying Automated Attacks against Web, Mobile, and API-based Applications to keep Cequence's customers safe.
- As a technology leader with wide-ranging experience over 24 years at ADP, instilling entrepreneurial dynamism into product development has been a constant theme of my career. ADP is a world-class provider of solutions. My efforts delivered the technical vision and direction for dozens of products addressing complex business needs with well-designed simplicity. This set me up well to transition to helping other companies solve difficult problems. My value comes from knowing what to do to bring a product to life with minimal risk and maximum benefit to customers and the bottom line. I’ve seen just about every business, project, and technology situation, and can look at an idea from both big picture and detail perspectives to ensure a product’s success. Much of my work focuses on the people side of technology. I thrive on shaping great teams and cultures needed for breakthrough innovation, and on being an evangelist – I love to share knowledge about new products, practices, and technologies to help emerging companies punch above their weight and achieve their business goals through technology.
Segment 2: Security vs. Compliance
It was once said that if Security and Compliance were in a relationship the status would be "It's Complicated". This discussion will aim to help you understand this relationship and how it can be beneficial or a mere distraction to an organization's overall security posture.
- Define "Secure" and "Compliant".
- Does compliance merely raise awareness about security shortcomings?
- What is the relationship between Security and Compliance?
- Being Secure and being Compliant are mere points in time. How can we best develop a process to ensure we are always striving toward a secure and compliant state?
- How does Security impact and/or influence Compliance?
- How does Compliance impact and/or influence Security?
- How do you balance these extremes: "We will be Secure and ignore compliance" vs. "We will be compliant but ignore security"?
Jon Fredrickson is the Information Security & Privacy Officer for Blue Cross & Blue Shield of Rhode Island. He graduated from the University of Rhode Island with a B.A. in Economics. Prior to joining BCBSRI, Jon was the CISO of Southcoast Health and has had various other IT Security positions in healthcare, services & manufacturing. During the past 12 years of working in the IT security field, Jon has developed a pragmatic approach to implementing cyber security solutions and assisting his organizations in properly measuring and managing cyber and privacy risk. Jon is a member of the Association for Executives in Healthcare Information Security, the Healthcare Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG), and is a Certified Information Security Manager.
- Jeff Recor
Segment 3: Security History - Lessons from the past
The history of security can be traced back to a variety of different sources. The number of articles on the topic is dizzying. Most will cite names of early phone phreaks, Kevin Mitnick, Kevin Poulsen, Steve Jobs, Steve Wozniak and quickly transition to many other more recent "hacks" or breaches. Our goal is not to review the history of hacking. This is the history of security. We've carefully chosen key events and research to discuss the very beginnings of security, and their impact and lessons for today's ever-evolving security landscape.
- 1903 - Nevil Maskelyne Hacked A Wireless Telegraph Demonstration - The second it became physically possible to hack into something, somebody did it. That somebody’s name was Nevil Maskelyne, history’s first hacker, and he was around a lot earlier than you might expect. He hacked into a live telegraph demonstration in 1903. - Dot-dash-diss: The gentleman hacker's 1903 lulz
- 1939-1940 - Breaking the Enigma cipher - BOMBE was the name of an electro-mechanical machine, developed during WWII by Alan Turing and Gordon Welchman, whilst working as codebreakers at Bletchley Park. It was used to help break the German Enigma codes and was (partly) based on the so-called BOMBA, an earlier machine developed by Polish mathematicians in 1938. From 1943 onwards, an improved version of the British BOMBE was built in the US by the US Navy and — independently — by the US Army.
- 1966 - The World's First Computer Password? It Was Useless Too - Fernando Corbató implements passwords on CTSS on an IBM 7090. CTSS may also have been the first system to experience a data breach. One day in 1966, a software bug jumbled up the system's welcome message and its master password file so that anyone who logged in was presented with the entire list of CTSS passwords. But that's not the good story. Twenty-five years after the fact, Allan Scherr, a Ph.D. researcher at MIT in the early '60s, came clean about the earliest documented case of password theft. In the spring of 1962, Scherr was looking for a way to bump up his usage time on CTSS. He had been allotted four hours per week, but it wasn't nearly enough time to run the detailed performance simulations he'd designed for the new computer system. So he simply printed out all of the passwords stored on the system.
- 1969 - RABBITS Was Probably The First Computer Virus: 1969 - The first computer virus in history may have been a program called RABBITS. Nobody knows who made it, and nobody knows why, but whoever it was brought the University of Washington Computer Center down. It was a tiny, inconspicuous program that made copies of itself—breeding, as its name suggested, like rabbits. In 1969, someone installed it onto a computer at the university and let it run. The program made two copies of itself, and then each of those copies made copies until the computer overloaded and stopped working.
- 1971 - Creeper and Reaper - Creeper was an experimental computer program written by Bob Thomas at BBN in 1971. Its original iteration was designed to move between DEC PDP-10 mainframe computers running the TENEX operating system using the ARPANET, with a later version by Ray Tomlinson designed to copy itself between computers rather than simply move. This self-replicating version of Creeper is generally accepted to be the first computer worm. The program was not actively malicious software as it caused no damage to data, the only effect being a message it output to the teletype reading "I'm the creeper: catch me if you can". Reaper was a similar program created by Ray Tomlinson to move across the ARPANET and delete the self-replicating Creeper.
- 1973 - Oral History of Robert Metcalfe - What had happened was a couple of high school students hacked into the Arpanet through one of the early TIPs. A TIP [Terminal IMP] was a way to dial into a Telnet program so you could then log in to any of the computers on the Arpanet. Imagine that! And some high school students, as I recall they were probably in Los Angeles around UCLA, somewhere like that, managed to find out the phone number. No one was keeping it a secret. Acoustically coupled modems were the big thing in those days, and so these high school kids got into some of the computers and did some mischief. They caught my attention, so I wrote this 602 RFC saying “Look out! Trouble!”
- RFC 602 The Stockings Were Hung by the Chimney with Care - Individual sites, used to physical limitations on machine access, have not yet taken sufficient precautions toward securing their systems against unauthorized remote use. For example, many people still use passwords which are easy to guess: their first names, their initials, their host name spelled backwards, a string of characters which are easy to type in sequence (e.g. ZXCVBNM).
- 1986 - A Brief History of Cyber Crime - In 1986 the systems administrator at the Lawrence Berkeley National Laboratory, Clifford Stoll, noted certain irregularities in accounting data. Inventing the first digital forensic techniques, he determined that an unauthorized user was hacking into his computer network. Stoll used what is called a “honey pot tactic,” which lures a hacker back into a network until enough data can be collected to track the intrusion to its source. Stoll’s effort paid off with the eventual arrest of Markus Hess and a number of others located in West Germany, who were stealing and selling military information, passwords and other data to the KGB.
- 1988 - THE HISTORY OF CYBERSECURITY - a man named Robert Morris had an idea: he wanted to gauge the size of the internet. To do this, he wrote a program designed to propagate across networks, infiltrate Unix terminals using a known bug, and then copy itself. This last instruction proved to be a mistake. The Morris worm replicated so aggressively that the early internet slowed to a crawl, causing untold damage. The worm had effects that lasted beyond an internet slowdown. For one thing, Robert Morris became the first person successfully charged under the Computer Fraud and Abuse Act (although this ended happily for him – he’s currently a tenured professor at MIT). More importantly, this act also led to the formation of the Computer Emergency Response Team (the precursor to US-CERT), which functions as a nonprofit research center for systemic issues that might affect the internet as a whole. Morris Worm
- 1987 - History Of Antivirus - At the end of 1987 there was big movement in the antivirus industry, with the founding of the now world-famous McAfee company (now owned by Intel) and the creation of the first set of antivirus products. G Data Software was reportedly the first to market that year with ‘Ultimate Virus Killer 2000’, shortly followed by McAfee’s ‘Virus Scan’.
- 1984-1986 - The History and Evolution of Intrusion Detection - Between 1984 and 1986, Dorothy Denning and Peter Neumann researched and developed the first model of a real-time IDS. This prototype was named the Intrusion Detection Expert System (IDES). This IDES was initially a rule-based expert system trained to detect known malicious activity. This same system has been refined and enhanced to form what is known today as the Next-Generation Intrusion Detection Expert System (NIDES).
- 1980-1994 - Who Invented The Firewall? - William Cheswick and Steven Bellovin, who literally wrote the book on firewalls in 1994 while at AT&T Bell Labs, say they didn't invent the firewall, either -- they built a circuit-level gateway and packet filtering technology. Most security experts trace the firewall's roots back to work done at Digital Equipment Corp. in the late 1980s by Jeff Mogul, Brian Reid, and Paul Vixie, starting with the gatekeeper.dec.com gateway, as well as to Mogul's "screend" technology. DEC SEAL, which was shipped in 1992, was the first commercial firewall and included proxies developed by Ranum. "DEC SEAL was interesting because it had a part number and a manual and a corporation behind it," Ranum says.