Risky Business hits several nails

Email update, 9 October 2017

I’ve finally been catching up on my podcasts since arriving in Sweden, and a couple of recent Risky Business episodes were so good I had to share them with you all.

As an aside, if you’re remotely interested in infosec (and if you’re not, why haven’t you told me to stop spamming you yet?) Risky Business is one of those “must subscribe” podcasts. It’s that good.

Business #470 — Project Zero’s Natalie Silvanovich on reducing attack surface

First off the rank is Episode #470, which starts with a good discussion with Natalie Silvanovich from Google’s Project Zero team, and ends with a chat with Haroon Meer from Thinkst Canary.

Haroon’s main thesis from the latter discussion (direct timestamp link here) is that security teams need to improve their software engineering skills - actually building tools to fit in their company’s production environments, rather than relying on vendor products to do the same.

He gives some excellent examples here: all of the best security teams from places like Facebook and Google have the software engineering expertise to build their own security solutions, and aren’t reliant on black box products from security vendors. There’s a reason, for instance, that osquery was spun out of an internal Facebook project.

The general idea is that with sufficient in-house development skills, security teams can have the confidence to write their own tools and do things with their production environments which actually make a big difference to security. Historically this has been frowned upon, because the security vendors are experts in their field, and (the theory goes) you shouldn’t re-invent the wheel by trying to duplicate their work in-house yourself.

As Haroon succinctly puts it: “One of the things that we’ve figured out over the last 20 years is that the guys you’re buying from aren’t necessarily doing any better.”

And later on, another excellent quote (paraphrasing slightly for readability):

For the average corporate organisation, this is a mind-shift because it means empowering security to do this stuff. Security also needs to go to an uncomfortable space because instead of being right all the time and telling people why they suck, they’ve now actually gotta do solid engineering and build solutions that don’t suck.

That last bit is bang-on, and relates to another article I’ll send out in a separate catfact. It’s very easy in security to poke holes in other people’s things and then point and laugh, but it’s a lot harder to actually build something and keep it secure.

This is also one of the reasons it’s a lot more fun (and arguably easier) being on the red team as opposed to the blue team.

Risky Business #471 — Good Microsoft, bad Microsoft

The second episode is worth listening to just for the initial weekly news section. Patrick’s guest is the grugq, who you might recall from yesterday’s catfact article and a whole bunch of other ones I’ve shared over the last couple of months.

They cover the CCleaner supply-chain attack in a fair bit of detail, and it’s awesome stuff. This piece is one of the best summaries you’ll find, although it’s a lot easier to follow if you’ve been reading about the attack elsewhere (such as in these emails) and know what they’re talking about going in.