"We don't have enough people in this industry" - The industry that keeps raising the bar
When making what is likely the largest purchase of your life, hiring a home inspector to make sure a home is safe is standard procedure. Yet, we don't require a home inspector to know how to mix concrete, draw up architectural diagrams, or run electrical wiring.
Somewhere along the way, we decided it was okay to hold security professionals to a different standard, repeating the outdated idea that to understand security you must first climb the traditional ladder of non-security roles like help desk or sysadmin before you can fully grasp how security works.
If that were true, I wonder how an 18-year-old can routinely bypass the security of some of the world's largest companies without ever having worked a help desk role. Curious. No one would argue that more experience isn't better, but perfect should never stand in the way of good, especially when there is so much security work that needs to be done.
If we believe that to work in cyber-security someone must first have worked in an IT or engineering role, the number of systems that require inspection will grow far faster than the number of people "qualified" to look at them, leaving us with more insecure systems, not fewer.
Most security professionals I know work multiple jobs in some capacity, whether that's side projects, tool development, volunteering, or contract work, because there is too much work to be done. We need more people rowing in the same direction, even if it's their first time.
UX 🤝 Security
User experience (UX) and user interface (UI) design play an underappreciated role in security. This ranges from making the most secure option the most visible (and thus the most clickable) and displaying warnings where the user will actually notice them, to using subtle formatting tricks to get people to read a technical document.
A friend and mentor recently sold me on the idea that using colors, formatting, charts, graphs, and different font styles is one of the most important ways we can convey information. Most people skim technical documents. Using subtle cues to draw their attention to the information you're trying to convey is critical.
This is not limited to just text. A whole micro-industry has cropped up around this idea.
The business: take open-source tooling built to be run from a Linux command line and wrap it in a sleek web app interface. The command `nmap -A -T4 $IP -oA initialScan` (which writes the normal, grepable, and XML output files; the XML is what such a front end ingests) can be replaced by a simple GUI with the results populated into a nicely formatted table (bonus points if you can somehow render a ✨ graph ✨ from the data).
A good case study is the attack surface management tools that offer a click-button solution for identifying organizational security issues. How many of them use open-source scanners like Nuclei under the hood? ProjectDiscovery, Nuclei's maintainer, openly offers exactly this as a service. The difference is in how the data is presented: anyone can look at a dashboard and see the issues, while even experienced security professionals can't always make heads or tails of raw tool output.
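The "table from tool output" step above is the whole product in miniature, so here is that step as an added example (my own code, not from any of the tools mentioned): a parser that flattens nmap's XML output, the `.xml` file that `-oA initialScan` writes, into one row per port and renders a table. The XML is a constructed sample with the element layout nmap emits; the hostname, address, and versions are made up.

```python
"""Turn nmap's XML output (the .xml file written by -oA) into table rows.

Added example for this page, not a tool from the article. SAMPLE_XML is a
constructed scan result with the structure nmap produces, not a real scan.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in nmap's -oX format (the .xml member of -oA initialScan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -T4 192.0.2.10 -oA initialScan" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <extraports state="filtered" count="997"/>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class PortRow:
    host: str
    hostname: str
    proto: str
    port: int
    state: str
    service: str
    product: str


def parse_nmap_xml(xml_text: str) -> list[PortRow]:
    """Flatten host/port/service elements into one PortRow per port.

    The stdlib parser is fine for scans you ran yourself; for scan files from an
    untrusted source, parse with defusedxml instead (entity-expansion attacks).
    """
    root = ET.fromstring(xml_text)
    rows: list[PortRow] = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']") or host.find("address")
        ip = addr.get("addr", "?") if addr is not None else "?"
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name", "") if hn is not None else ""
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            product = ""
            if svc is not None and svc.get("product"):
                # "OpenSSH 8.9p1": product plus version when nmap fingerprinted one
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            rows.append(PortRow(
                host=ip,
                hostname=hostname,
                proto=port.get("protocol", ""),
                port=int(port.get("portid", "0")),
                state=state.get("state", "") if state is not None else "",
                service=svc.get("name", "") if svc is not None else "",
                product=product,
            ))
    return rows


def open_ports(rows: list[PortRow]) -> list[PortRow]:
    """The filter every dashboard applies first: only ports nmap saw as open."""
    return [r for r in rows if r.state == "open"]


def render_table(rows: list[PortRow]) -> str:
    """Fixed-width text table, the same thing a web UI would render as HTML."""
    cols = ["host", "hostname", "proto", "port", "state", "service", "product"]
    data = [[str(getattr(r, c)) for c in cols] for r in rows]
    widths = [max(len(c), *(len(d[i]) for d in data)) if data else len(c)
              for i, c in enumerate(cols)]
    fmt = "  ".join("{:<" + str(w) + "}" for w in widths)
    lines = [fmt.format(*cols), fmt.format(*("-" * w for w in widths))]
    lines += [fmt.format(*d) for d in data]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(open_ports(parse_nmap_xml(SAMPLE_XML))))
```

Note the `find(...) or find(...)` fallback: an `Element` with no children is falsy in ElementTree, so in code that must cope with empty `<address/>` elements compare against `None` explicitly rather than relying on truthiness.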
Caught My Eye
- Exploring the Kubernetes API Server Proxy: Fantastic overview of some of the interesting aspects of the Kubernetes API server and how SSRF as a Service can potentially have some security downsides. Who knew?
- Security Engineering and Threat Modeling Jabbercracky: A great write-up of how to threat model an application.
- mitmproxy 11 is out: mitmproxy is a wonderful tool I've used for highly nefarious things. I recommend learning how it works :)
- HackSpaceCon CFP Extended: If you're looking for a fun conference check out HackSpaceCon!
- ZenBrowser: A Firefox-based browser with an interesting "workspace" feature
- Unauthorized image of Kong Ingress Controller: The Kong Ingress Controller for Kubernetes had an interesting breach in which an unauthorized image was published. The attacker's image deployed an XMR (Monero) miner, which was only caught after users noticed high CPU usage after deploying two pods.
- Bypass Envoy Proxy By Changing UID to 1337 (I'm not joking): I found a GitHub issue from 2018 (closed twice for inactivity) describing how an attacker who can change their UID inside a pod to 1337 can bypass the rules applied by the Envoy proxy. The number isn't magic: 1337 is the UID the Istio-injected Envoy sidecar runs as, and the pod's iptables redirect rules exempt traffic owned by that UID so the proxy doesn't intercept its own connections. Any workload process that can become UID 1337 gets the same exemption. Wonderful.
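The practical question the UID 1337 item raises is "which of my pods could pull this off?" Below is an added example of that check (my own code, not from the linked issue, Istio, or Envoy). It walks a pod spec and flags application containers that either start as 1337 or can change UID later. It assumes the Istio conventions that the sidecar is the container named `istio-proxy` running as UID 1337, and that the container runtime's default capability set includes CAP_SETUID (true for Docker and containerd defaults). The manifests are constructed; the heuristic treats a container as safe only if it starts as a fixed non-root, non-1337 UID and cannot change UID afterwards.

```python
"""Flag pod specs whose application containers could end up running as UID 1337.

Added example for this page, not code from the linked GitHub issue or from
Istio/Envoy. Background: the Istio sidecar runs as UID 1337 and the pod's
iptables rules exempt that UID from redirection, so any workload process that
can run as 1337 bypasses the proxy. Assumptions: sidecar container is named
"istio-proxy"; the runtime's default capabilities include CAP_SETUID.
"""
from __future__ import annotations

PROXY_UID = 1337
PROXY_CONTAINERS = {"istio-proxy"}  # the sidecar itself legitimately runs as 1337


def _drops_setuid(sc: dict) -> bool:
    """True if the container drops CAP_SETUID (directly or via ALL)."""
    drop = {c.upper() for c in sc.get("capabilities", {}).get("drop", [])}
    return "ALL" in drop or "SETUID" in drop


def audit_pod(pod: dict) -> dict[str, list[str]]:
    """Return {container name: [reasons]} for containers that can reach UID 1337.

    Heuristic, not a proof: it checks the knobs in the pod spec, not the image.
    """
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings: dict[str, list[str]] = {}
    for c in spec.get("containers", []):
        name = c["name"]
        if name in PROXY_CONTAINERS:
            continue
        sc = c.get("securityContext", {})
        # container-level securityContext overrides the pod-level one
        run_as = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        reasons: list[str] = []
        if run_as == PROXY_UID:
            reasons.append("runAsUser is 1337: the process starts as the proxy's UID")
        if sc.get("privileged"):
            reasons.append("privileged container: can setuid or rewrite iptables at will")
        if not _drops_setuid(sc):
            if not non_root and run_as in (None, 0):
                reasons.append("runs as root with CAP_SETUID kept: setuid(1337) succeeds")
            elif sc.get("allowPrivilegeEscalation", True):
                reasons.append("SETUID kept and allowPrivilegeEscalation not false: "
                               "a setuid binary in the image can switch UID")
        if reasons:
            findings[name] = reasons
    return findings


def _pod(name: str, containers: list[dict], pod_sc: dict | None = None) -> dict:
    spec: dict = {"containers": containers}
    if pod_sc:
        spec["securityContext"] = pod_sc
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


SIDECAR = {"name": "istio-proxy", "image": "istio/proxyv2",
           "securityContext": {"runAsUser": PROXY_UID}}

# Constructed manifests: an app left at defaults (root, full default caps) ...
RISKY_POD = _pod("app-risky", [{"name": "app", "image": "example/app:1.0"}, SIDECAR])

# ... one that starts directly as 1337 via the pod-level context ...
AS_PROXY_POD = _pod("app-as-1337", [{"name": "app", "image": "example/app:1.0"}, SIDECAR],
                    pod_sc={"runAsUser": PROXY_UID})

# ... one that is non-root but keeps SETUID and allows privilege escalation ...
NONROOT_POD = _pod("app-nonroot", [{"name": "app", "image": "example/app:1.0",
                                   "securityContext": {"runAsUser": 10001}}, SIDECAR])

# ... and one hardened the way the "restricted" Pod Security Standard requires.
HARDENED_POD = _pod("app-hardened", [{
    "name": "app", "image": "example/app:1.0",
    "securityContext": {"allowPrivilegeEscalation": False,
                        "capabilities": {"drop": ["ALL"]}},
}, SIDECAR], pod_sc={"runAsNonRoot": True, "runAsUser": 10001})


if __name__ == "__main__":
    for pod in (RISKY_POD, AS_PROXY_POD, NONROOT_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "ok")
```

The hardened manifest is not special to this bug: `runAsNonRoot`, a fixed non-root `runAsUser`, `allowPrivilegeEscalation: false`, and `capabilities.drop: [ALL]` are exactly what the "restricted" Pod Security Standard enforces at admission, so enforcing that profile on the namespace closes the "become 1337" path without a custom audit.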