Community Knowledge Sharing with CyberNest - Ben Siegel, Aaron Costello - ESW #379

Oct 11, 2024

Ben Siegel, founder of CyberNest, and Aaron Costello, chief of SaaS security research at AppOmni, dive into the complexities of knowledge sharing in cybersecurity. They discuss overcoming corporate reluctance to share information, emphasizing community-driven collaboration. Aaron highlights the dangers of SaaS misconfigurations, stressing user responsibility. The conversation also touches on the blurred lines of shared responsibility in cloud services and the evolving dynamics of cybersecurity tools and market consolidation.

Ask episode

Chapters

Transcript

Episode notes

Intro

00:00 • 3min

Navigating Knowledge in Cybersecurity

02:48 • 11min

Engagement Models for Security Expertise

13:20 • 14min

Introduction to CyberNest and Future Discussions on SaaS Security

27:01 • 3min

Navigating Misconfigurations in SaaS Security

29:55 • 19min

From Gaming to Cybersecurity

48:26 • 6min

Investigating Scalable Vulnerabilities in SaaS Products

54:30 • 2min

The Art of Translating Technical Findings for Accessibility

56:36 • 2min

Transitioning from Insights to Weekly Cybersecurity News

58:57 • 2min

A Toast to Moldy Cheese and Farewells

01:01:24 • 2min

Navigating Tech Funding and Backup Solutions

01:02:56 • 16min

Trends in Cybersecurity Acquisitions

01:18:42 • 3min

Navigating Cybersecurity Knowledge Gaps

01:21:55 • 17min

Navigating the Complexities of SaaS Shared Responsibility

01:39:16 • 3min

Navigating Cybersecurity Market Consolidation

01:42:24 • 10min

For this interview, Ben from CyberNest joins us to talk about one of my favorite subjects: information sharing in infosec. There are so many amazing skills, tips, techniques, and intel that security professionals have to share. Sadly, a natural corporate reluctance to share information viewed as privileged and private has historically had a chilling effect on information sharing.

We'll discuss how to build such a community, how to clear the historical hurdles with information sharing, and how to monetize it without introducing bias and compromising the integrity of the information shared.

Aaron was already a skilled bug hunter and working at HackerOne as a triage analyst at the time. What he discovered can't even be described as a software bug or a vulnerability. This type of finding has probably resulted in more security incidents and breaches than any other category: the unintentional misconfiguration.

There's a lot of conversation right now about the grey space around 'shared responsibility'. In our news segment later, we'll also be discussing the difference between secure design and secure defaults. The recent incidents revolving around Snowflake customers getting compromised via credential stuffing attacks is a great example of this. Open AWS S3 buckets are probably the best known example of this problem. At what point is the service provider responsible for customer mistakes? When 80% of customers are making expensive, critical mistakes? Doesn't the service provider have a responsibility to protect its customers (even if it's from themselves)?

These are the kinds of issues that led to Aaron getting his current job as Chief of SaaS Security Research at AppOmni, and also led to him recently finding another common misconfiguration - this time in ServiceNow's products. Finally, we'll discuss the value of a good bug report, and how it can be a killer addition to your resume if you're interested in this kind of work!

Segment Resources:

Aaron's blog about the ServiceNow data exposure.
The ServiceNow blog, thanking AppOmni for its support in uncovering the issue.

In the enterprise security news,

Eon, Resolve AI, Harmonic and more raise funding
Dragos acquires Network Perception
Prevalent acquires Miratech
The latest DFIR reports
A spicy security product review
Secure by Whatever
New threats
Hot takes

All that and more, on this episode of Enterprise Security Weekly.

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw-379