’Tis my fave cybersecurity podcast (https://defensivesecurity.org/defensive-security-podcast-episode-259/) = )
So, recording my thoughts on their first episode of 2022.
- I thoroughly enjoyed the dynamics and humour between Jerry and Andrew, our two hosts = )
- They spent time discussing cloud / backups (usable ones, stored somewhere other than your live operations) and the Log4j “Log4Shell” RCE (CVE-2021-44228), a remote code execution vulnerability. You can find explanations at https://www.fortinet.com/blog/psirt-blogs/apache-log4j-vulnerability (with diagram) and https://avleonov.com/2021/12/27/log4j-log4shell-rce-explained-cve-2021-44228/ (with video). The fallout from this IT weakness is expected to continue.
- This pushed them into vulnerability management (VM), which is a helpful tool but not a cure-all. They also referred to the US President’s Executive Order on Improving the Nation’s Cybersecurity (https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/). This relies on a software bill of materials (SBOM) to identify “all parts, including open-source software (OSS) dependencies (direct), transitive OSS dependencies (indirect), open-source packages, vendor agents, vendor application programming interfaces (APIs) and vendor software development kits.” (https://techcrunch.com/2021/08/26/to-prevent-cyberattacks-the-government-should-limit-the-scope-of-a-software-bill-of-materials/). Now Manish Gupta, who wrote the TechCrunch article, suggests reducing the scope of this SBOM… If used internally, however, it should help organisations limit software vulnerabilities.
- Adrian Sanabria on Security Weekly Labs (https://www.scmagazine.com/product-test/vulnerability-management/sw-labs-overview-vulnerability-scanners) opines that this “traditionally labor-intensive process shouldn’t distract from more important security work.” He cited the 18 CIS (Center for Internet Security) Critical Security Controls (version 8, 2021) [“Formerly the SANS Critical Security Controls (SANS Top 20) these are now officially called the CIS Critical Security Controls (CIS Controls).”], where you find VM as CIS Critical Security Control 7: Continuous Vulnerability Management (https://www.cisecurity.org/controls/continuous-vulnerability-management/).
- I believe these ideas converge on tasking the security team to set up and maintain “guardrails” for DevOps (the combination of software development and operations teams). So this looks like creating and enforcing good cybersecurity policies.
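To make the SBOM point above concrete (direct vs. transitive dependencies, and why that matters for Log4Shell), here is a small added example that is not from the podcast or any of the linked articles. It walks a constructed SBOM in a CycloneDX-style shape (a `components` list plus a `dependencies` graph; the shape, the hypothetical `payments-api` application and every package version in it are assumptions), separates the root’s direct dependencies from the transitive ones it pulls in, flags any `log4j-core` below 2.15.0 (the first release that fixed CVE-2021-44228), and reports which direct dependencies are responsible for introducing it.

```python
"""Walk a small SBOM, separate direct from transitive dependencies, and flag
components affected by CVE-2021-44228 (Log4Shell).

The SBOM below is constructed for this example in a CycloneDX-style shape
(a ``components`` list plus a ``dependencies`` graph). The application name,
package versions and the exact field names are assumptions, not data from a
real project or from the podcast.
"""
from collections import deque

# Constructed SBOM for a hypothetical "payments-api" application.
ROOT = "payments-api@1.0.0"
SBOM = {
    "components": [
        {"ref": "payments-api@1.0.0", "name": "payments-api", "version": "1.0.0"},
        {"ref": "spring-boot-starter-web@2.5.6", "name": "spring-boot-starter-web", "version": "2.5.6"},
        {"ref": "vendor-agent@3.2.0", "name": "vendor-agent", "version": "3.2.0"},
        {"ref": "log4j-core@2.14.1", "name": "log4j-core", "version": "2.14.1"},
        {"ref": "log4j-api@2.14.1", "name": "log4j-api", "version": "2.14.1"},
    ],
    "dependencies": [
        # Neither direct dependency is log4j itself; both pull it in indirectly.
        {"ref": "payments-api@1.0.0", "dependsOn": ["spring-boot-starter-web@2.5.6", "vendor-agent@3.2.0"]},
        {"ref": "spring-boot-starter-web@2.5.6", "dependsOn": ["log4j-core@2.14.1"]},
        {"ref": "vendor-agent@3.2.0", "dependsOn": ["log4j-core@2.14.1"]},
        {"ref": "log4j-core@2.14.1", "dependsOn": ["log4j-api@2.14.1"]},
    ],
}

# 2.15.0 is the first Log4j 2 release that fixed CVE-2021-44228.
LOG4SHELL_FIXED = (2, 15, 0)


def dependency_graph(sbom):
    """Adjacency list: component ref -> list of refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom["dependencies"]}


def classify_dependencies(sbom, root):
    """Return (direct, transitive) sets of refs reachable from root.

    A component listed directly under root counts as direct even if some
    other dependency also pulls it in; everything else reachable is transitive.
    """
    graph = dependency_graph(sbom)
    direct = set(graph.get(root, []))
    seen = set(direct)
    queue = deque(direct)
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in seen:  # also guards against cycles in the graph
                seen.add(child)
                queue.append(child)
    return direct, seen - direct


def version_key(version):
    """Turn '2.14.1' (or '2.0-beta9') into a comparable tuple of ints.

    Only the leading digits of each dot-separated piece are kept, so
    pre-release suffixes such as '-beta9' are ignored; that is enough for the
    simple "below the fixed release" comparison used here.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_log4shell_exposure(sbom, root):
    """List (name, version, 'direct'|'transitive') for every reachable
    log4j-core component whose version is below the fixed release."""
    direct, transitive = classify_dependencies(sbom, root)
    by_ref = {c["ref"]: c for c in sbom["components"]}
    findings = []
    for ref in sorted(direct | transitive):
        comp = by_ref.get(ref)
        if comp is None or comp["name"] != "log4j-core":
            continue  # unknown ref (incomplete SBOM) or not the package of interest
        if version_key(comp["version"]) < LOG4SHELL_FIXED:
            kind = "direct" if ref in direct else "transitive"
            findings.append((comp["name"], comp["version"], kind))
    return findings


def paths_to(sbom, root, target):
    """All dependency paths from root to target; shows which direct
    dependencies are responsible for a transitive component."""
    graph = dependency_graph(sbom)
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # cycle guard
                walk(child, path + [child])

    walk(root, [root])
    return paths


if __name__ == "__main__":
    for name, version, kind in find_log4shell_exposure(SBOM, ROOT):
        print(f"{name} {version} ({kind}) is below 2.15.0: CVE-2021-44228 applies")
        for path in paths_to(SBOM, ROOT, f"{name}@{version}"):
            print("  via " + " -> ".join(path))
```

The point the example makes is the one the SBOM definition quoted above implies: an inventory of direct dependencies alone would have reported this application as log4j-free, while the transitive walk shows two separate paths (the web framework and the vendor agent) both bringing in a vulnerable `log4j-core`, and upgrading only one of them would leave the other path in place.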
That’s it. Hope to hear from them again, sooner = )