Join Evan Johnson as he speaks with security professionals about recent security news!
Welcome to Hacker Time, our weekly show about by four hackers, by hackers, by real hackers.
And we have with us this week, my special guest, Mike McCabe. Mike, how are you doing today?
Doing pretty good. Two cups of coffee. So it's about right. I'm on my first about six sips of coffee that I have right here.
I'm, if you hear me slurping during the show that's drinking a lot of coffee this morning to start my day.
And Mike, in our past couple weeks, I had last week, President Bifan, Justin Collins, the brake man himself.
That was actually two weeks ago. Last week, we didn't have a show, but he and I talked a lot about, first of all, being a business owner in security, because he had a business that he'd been sold to Synopsys and the brake man.
And the brake, or brake man, the brake man. He is the brake man, right.
And, and I thought that was really interesting. His perspective on consulting, and I think you have a lot more perspective on the consulting side of the security industry than he does, because that's something that he's been inside a lot of companies on the AppSec team.
And he really transitioned over for a short period of time to Synopsys, saw a little bit of it.
And this is something you've been doing for a lot longer than he has.
Can you tell me a little about your background and kind of some color on the AppSec consulting industry?
Yeah, sure. So, I've been doing AppSec and cloud security consulting for, I guess, off and on for almost 10 years now.
I've done some internal security at Capital One and Living Social back in the day.
But mostly done consulting, which has been pretty interesting.
I mean, I have a love-hate relationship with consulting. When I'm internal consultants, they're there to get a certain job done.
But I'm not a huge fan of just like hire a bunch of consultants to get work done, because they don't always believe in the mission that you have.
They're not always as integrated. Sometimes there's friction with consultants, things like that.
But I also recognize that it's kind of a necessary way to get some work done.
So, I think it's definitely useful.
And there's skill sets that are just really hard to hire for, you have to get consultants to come in.
Cloud security is one right now where I see that it's almost impossible to hire.
You pretty much have to bring in people who might have a different skill set and teach them cloud security.
And that's where consultants can help is kind of bring that skill set already.
So, yeah, it's interesting.
The thing I like about consulting is I get to work with different clients.
So, I could work with a large bank who's doing a cloud migration one week, then do an assessment for a four -person startup the week after that.
So, I think that's the fun thing about consulting is you're not doing the same thing every week.
Yeah, I'm curious, you mentioned cloud security in there. And that gets me on a whole tangent, because that's such a growing trend.
Sorry, the famed parrots of San Francisco are right outside my window.
It's pretty cool. I'd love to watch, but I'm on TV right now.
And so, cloud security is growing like crazy.
I'm curious what you think the growth trajectory of that is compared to the AppSec industry.
And do you see it really doing the same thing? Because AppSec, you're really evaluating for the OWASP top 10, you're looking for vulnerabilities.
Cloud security, it's rare that you find just like vulnerabilities. I guess you'll find them like over -provisioned IAM type resources and stuff like that.
But is it really the same kind of work? No, not exactly. So, like with AppSec, usually in consulting, you're hired to do an assessment.
So, here's a code base, here's an app, spend 40 hours working on it, write a report of the findings, and then that gets put into a JIRA backlog to never be seen again, unless it's like a critical injection, pre -auth or something like that.
Cloud security, there are some assessments that are done.
I do some of that work. People just want to get kind of a baseline for their app.
But a lot of it is how do we build our set of controls and our methods of doing provisioning and IAM and secrets management.
So, it's usually more an ongoing engagement, whereas an AppSec engagement is kind of a quick hit.
So, it's definitely different. I mean, there's value to doing assessments, but you spin up more EC2s, you start using ECS, you start using a new database, your model is completely different.
So, that assessment is kind of out of date.
So, yeah, it's definitely different. I think AppSec is kind of like was network security was really big, pen testing, and then AppSec was like the fresh thing and mobile security.
Now, I think AppSec, you kind of look at it from a talent perspective, it's easier to hire AppSec people.
There's a wider pool.
And now cloud security is kind of that niche where there's not a huge amount of people who have a lot of experience doing it.
A big part of that is just because the cloud is relatively new.
So, I think that's kind of where things are going.
And also, with the whole push like DevSecOps and everything, people want to integrate security into their pipelines.
And that's where being more of an engineer versus just like a pen tester comes into it.
So, that's kind of, I think, where things are going.
And even AppSec people, like you have to know cloud security.
Like if you have a SSRF vulnerability and you want to hit the metadata service to further exploit the app, things like that.
So, there's a lot of overlap between those two things.
You can't just be a web app tester anymore. So, the big question I have is if more people are doing this for good security when they talk to you, are you seeing more people talk to you because they want to do good security or because they have to get a third-party assessment or what?
Because my whole perspective is that a lot of people do get a third-party assessment or call in a security consultant, not because they want to, but because they have to.
And that leads to the kind of perverse incentives where the consultant isn't incentivized to do the best work.
They're kind of incentivized to produce a blank sheet of paper that says we found three lows or like two informationals.
And I'm kind of curious, like nobody really says I want to see your cloud security, latest cloud security assessment when they're doing a vendor audit.
And so, my feeling is that the results that people are getting are probably better on that because they're calling in somebody to look at their cloud security because they want to do good security, not because they want a clean report.
What do you think? Is this a hot take?
No, I think it's pretty accurate. I mean, I think the problem is there's a lot of really large security vendors out there.
And they're all about the relationships because they have to keep their pipeline full of work.
And they're also usually hiring folks straight out of college, throwing them onto assessments.
So, you're not going to get the highest quality work. I'm a relatively small shop, so I have a pretty personal relationship with the clients that I work with.
So, I don't think I've been asked to change something to make it lower risk or like, let's make this report look better so that our auditor or potential customer doesn't see it and like freak out or lose a contract.
But I also think there are people who get into it to just have that piece of paper, have that third-party report.
But you can talk to them about like, okay, here's ways you can improve your security.
I think a big part of it working with smaller companies is how do you improve security without costing thousands of dollars?
A lot of places don't have the ability to buy like Veracode or check marks, things like that to integrate.
So, you have to find solutions that are more affordable and more agile.
So, I think that's kind of the fun challenge with that. So, there definitely is still some, we just have to get this done.
But I don't see, I don't do too much of that work.
I'll say that. Yeah, yeah. I have one, I have a personal story of a three-letter security consultancy that threw somebody onto a assessment that we had hired for in a past life at a different company.
And they didn't find like a bunch of hilariously easy to find critical issues.
And we got back a clean report that we spent a ton of money on.
And then the bugs started rolling in on our bug bounty.
And it was just really clear that the person who did the assessment had no clue what was going on.
Yeah, yeah, that happens. Now, there's also issues with like, you know, the scope and making sure that covers everything you need to cover.
I mean, bug bounties are like hit anything and pen tests are like hit this one page and don't do it between the hours of 8.30am to 9pm.
So, it's kind of ridiculous.
We give bug bounty wide scope. And even if something's not in scope, you're still going to get bug reports, which then you can go turn around and fix even if you don't pay out.
So, it's like, ironically, best of both worlds.
But yeah, I get it. I'm not a big fan of large consulting companies. I've always had better luck with small kind of boutique places.
Yeah, for sure. I really think that the right way to think about it is if you need a sheet of paper, if you have customers in the SaaS business, we get customers asking us for information about our latest pen test report and all of these things.
And a lot of what you're paying for is a brand name when you're going to these big consultancies and the results aren't as good.
But if you want real good security done, then I try to tend to look for smaller boutique people, people I have relationships with and try to get good security out of it as opposed to like, I don't really care about what the report says.
I just want to find the issues. Yeah. Yeah, there's a saying, I think it's like, no one ever got fired for hiring IBM or PwC or any of the big companies.
If you hire a tiny company to do a terrible job, you're going to get in trouble for taking a shot with them.
But hey, if IBM screws up, there's someone you can call and get on the phone to fix things.
And they're an established player. So, that's part of the reason why it happens.
But yeah, I mean, I think it's a pretty simple issue of talented people want to work with other talented people and big companies have a lot of overhead and BS you have to deal with versus doing the work.
And so, you can't keep high quality people for that long and always incentivized to make money versus doing actual interesting work.
And so, people just rotate through those large shops.
So, you're never sure what you're going to get.
And double billing is a big thing and all that kind of stuff. Since you are a security business owner and you do a lot of security and you also do all the business side of the house, how is business during Coronavirus?
Have things slowed down, sped up?
I think some areas have sped up, some areas have slowed down. I mean, it depends on industry.
Thankfully, I don't have only airlines as customers because I'd probably lose a decent amount of work.
The financial industry that I work with, they're definitely going through adjustments.
Things haven't slowed down completely.
But I think there's also kind of a long tail for those things.
They're not going to change their business month one, but six months, 12 months down the line.
But yeah, it seems like so far things haven't changed that much.
We'll see how much more uncertainty there is. If people are going off the stock market, things are great.
But if they're going off like all the other numbers, yeah, I'm sure people are wondering how things are going to change and adjusting budgets based on that.
Yeah, at least in the tech world, it's put a lot of companies like Zoom, like all of these companies that are helping to facilitate working from home and people not being in an office in the spotlight.
And I've wondered how, if that's had an effect on the security industry at large, because it kind of puts a, I know Zoom had a lot of press early on and the coronavirus, some deserved, some seemed undeserved about their security.
And without going too much into that, it seems like it's a good time to be in the security business.
And all right, well, anything to wrap up on the world of consulting and any hot takes about the world of security consulting to close out?
No, I think anyone who's ever been internal should spend some time being a consultant, both because you're forced to learn new skills and you get to see a different side of the world and vice versa.
If you've only been a consultant, go do some blue team and see the reality that you can't just fix everything in one day, even if it's super simple.
And what the real challenges are of doing security in a business.
That's my hot take. Nice. A balanced approach.
That's a very hot take. Eat a balanced diet of internal and being a consultant.
Yeah. Love it. All right. Well, I thought one, I was looking for security news while planning out this show and it was kind of tough to come by.
It was kind of a quiet week in the world of Internet security, especially when compared to the previous weeks, because we were talking about Twitter, the Twitter issue for weeks.
But one, one thing that kind of stuck out that we haven't talked about on the show was I was curious about your thoughts around TikTok and the there's a report a while ago, Amazon banned it and then it was not accurate.
And there seems to be a lot of discussion about the Apple app store and how they moderate things for, not for the antitrust reasons, why people have been talking about it, but for security reasons, they, they care about they care about the security of the applications on the app store.
What do you think about the real risks of TikTok?
Are there real cyber risks when it comes to TikTok? I mean, if you're on Android, sure.
Android's a firefighter of an ecosystem. So I think iOS is relatively locked down.
So it's not like you're pulling, you know, the app can pull as much data off the phone.
I think their Black Hills did a pretty good breakdown of the app doing a lot of traffic interception, a turn of what can see what it's actually doing and what domains it's I think one thing they called out was a lot of the payloads are encrypted, like the actual HTTP payloads, which, which is kind of interesting because a lot of apps don't do that.
So you wonder what secret sauce is in there potentially. But I mean, even if it's not pulling any sensitive data from your phone, I think like, I think the interesting thing is they clearly have their tailoring algorithms worked out really well.
So they, they can figure out very quickly, you know, what topics you're interested in, what communities you're interested in, and they'll keep feeding you that stuff.
It's like you watch one Call of Duty video, and you're just inundated with more of those kinds of things.
And so I think it'd be interesting to see what kind of profile they can build off you just based on your viewing habits, because they're doing it to feed you more of what you want to see.
So you probably also figure out what your interests are.
And I don't know, you know, maybe they could leverage that somehow.
But if you're an Android, I just wouldn't trust anything.
Sorry, Android people. Yeah, sorry, Android people. I'm actually I just pulled up the Black Hills assessment on TikTok that they published.
And they kind of went through all the permissions on Android that it requests.
And it requests to read contacts, which is kind of normal for a lot of applications, sad as it is, they want to see who you know, and try to try to recommend people already on the app, find the location.
I'm trying to look for anything else interesting.
And then it doesn't look like anything too worrying, but it is Android.
And so there, it's a little squishier of a target than an iOS, generally.
But this is a lot of permissions, a lot of permissions.
That's really interesting. And were you saying that the the phone would make a TLS connection to to TikTok servers, and then the HTTP requests that it was sending to TikTok at the application layer were encrypted as well?
Yeah, that was in the report, which is sort of interesting, because most apps don't do that.
They just do TLS. And they may be like cert pinning, but not an additional layer of encryption on the actual payload.
So And that makes things just a nightmare to kind of, kind of reverse engineer and, and try to figure out what endpoints you're talking to and what formats they're expecting their JSON blobs.
Yeah. So that's sort of interesting. I don't know. I mean, there's the whole like political side to it, too.
Yeah, I definitely see the profile thing, which is they, they can build a really good profile off of you.
I have, I created a TikTok account to, to like, be one with Gen Z and learn about TikTok.
And I, I was watching cooking, cooking videos, and I was just getting inundated with cooking videos.
But then the same thing happened to me on Instagram, this whole reels thing came out.
And I, yeah, I clicked on one reels on accident. And now I'm just getting shown tons of videos of people dancing all these.
That's pretty much all it is anyway.
So Yeah, it's, it's pretty crazy. I'm, I definitely, I definitely hear you.
And I don't think that on the, there's a, it doesn't seem to me like there's a real cyber risk standpoint, in terms of are they doing something malicious to your phone, where they're going to be snooping on other data and other apps, like your corporate email or something like, because Amazon, the report said that Amazon banned this on corporate devices.
And it didn't seem like having TikTok was making, having TikTok on their device was making the other apps on Amazon employees phones at risk of like data exfil.
So that, through that standpoint, I think that TikTok is probably relatively safe.
But on the other hand, it could be, you never know what they're doing with your contacts, you never know what, what types of why the, I guess, you never know what they're doing with your contacts, but you never know what anybody's doing with your contacts.
And so that's just a shady industry practice.
So it's kind of, kind of a weird situation. But in terms of vulnerabilities, I think there's not much to talk about.
Yeah, I think if you're on iOS, you're probably relatively safe.
Android might be a little different, but yeah.
Yeah, in the context of like, the, the, what's going on in the world right now, control of the algorithms is probably, that, that show you, that inundate you with the cooking videos or the dancing videos or whatever it is, is probably a big deal.
And that kind of leads me to the other topic that I had, which is election security.
And, and that's kind of a heavy topic. And we have about nine minutes left on the show.
And we're not gonna, we're not gonna solve it really quick.
Yeah, I mean, it's, it's so straightforward. We might as well just knock it out in the next nine minutes.
But I've talked to a bunch of campaigns over the past year about their tech.
And I'm curious, like going into the, and this is kind of general as well.
It doesn't have to be just for campaigns. It could be for any business really, because campaigns are just, are just organizations with an email account and all of this stuff that, that everybody has.
What would you say the top like five things that campaigns should be doing to secure their, their assets are?
I mean, I guess it depends.
I think some campaigns have pretty advanced kind of infrastructures.
And a lot are just, you know, spinning up stuff quickly to get things done.
I think that's probably the hardest part is that are running off of a, off of, you know, a skunk works kind of operation and with volunteers and people, things are changing all the time.
So there's always like the best practices MFA, you know, have, if you can have some kind of identity provider that everything's tied to, so you're not managing people on, you know, spreadsheets and things like that.
That's probably some of the big things. It kind of bothers me that like, well, it doesn't bother me, but elections get a new opportunity.
Anytime you form a campaign, they get a new opportunity to like set up the G suite all nice and how you want to enforce security keys and all of these good, good practices.
And, and so I hope they're, they're using this opportunity of like creating the new G suite org and everything from scratch and doing a good job with it and thinking through all these things.
Yeah. That's a, that's a big hope. Yeah.
We from at Cloudflare, we have an election campaign offering. And one of the things you can Google Cloudflare elections.
And one of the things that we did was we released a doc about things that you'd want to do with your Cloudflare account.
They, I think when, when campaigns actually sign up, if they sign up, they actually get a PDF from us and it and it will say like, you need to turn on two factor authentication or use single sign on.
You need to, you probably want to use rate limiting for any sensitive API endpoints.
We have these features, which will probably help you.
You probably just want to turn on the WAF and forget about it.
And so we, we kind of have this this, this list of 10 things that, that people should be doing.
And I kind of, I kind of thought it was pretty, pretty awesome that, that we were able to do this.
And I wish more SaaS companies would, would just release general security guidance like that.
And but yeah, the, the big thing that I've noticed is a lot of, a lot of campaigns are pretty actually nascent in their, in their kind of tech abilities.
Like it's the, for example, if you look at the Biden campaign over the last three months, it's probably grown astronomically in headcount and infrastructure.
And in the past six months, it's probably grown even it's probably 10 X.
I don't know. I don't really have numbers, but, but with the, all of that stress, it's so important to get things ironed out ahead of time with your single sign on and all of that at the early days of the campaign.
But also at the early days of the campaign, you're most likely to just not be campaigning anymore pretty soon.
If you, if you're, if the person's not doing very well.
So the it's very much like a startup where if you do everything by the book perfectly, the first cut, you might not have a business to, to be protecting for much longer.
So it's complex. It's, it's a difficult one. Yeah, for sure. It is confusing how they don't have like elections are scheduled.
They happen every, you know, like between Congress and presidential elections, they happen every two years.
Why don't they have like this infrastructure set up that they can reuse? Instead they're like, let's set up 15 Salesforce orgs and three G suite accounts.
And the passwords are in a sticky note or they're, you know, saved in a Slack channel.
I don't know. It's confusing, but these also aren't tech companies doing this work.
So yeah, that kind of mindset, there's no like CISO who's there year after year setting the, you know, long-term strategy.
So, right. It's volunteers early on a lot of volunteer work.
It's if, if there's a paid CISO, it's like, what budget does that CISO have?
Like what, what headcount does that CISO have?
So just, yeah. What, what is, what ability do they really have to change much?
Besides telling them to, they can tell them to turn on 2FA and that's probably, that's probably a good, good job well done by the CISO, but.
Yeah. It's a tough job.
All right. Well in the world of security, anything else on your mind? No, I mean, my head is mostly in the cloud security world.
So I've been having interesting conversations with people in terms of like how, how I firmly don't believe AWS knows how to do security.
I'd love to see like behind the curtain over there of how they actually do their security.
And it's kind of a mess. We were discussing this in a Slack channel of like, you have a million different security controls.
This is specifically for AWS. What is your model for actually implementing all these?
And which one do you use for which? Like it feels like AWS has different teams internally and they're each like trying to grab a piece of the market share, but they're not building them to integrate together.
So you don't have one one kind of streamlined model of how you do all the different things.
So. Yeah, that's my hot take for the week right there.
I've got to get, ask Scott Piper to come on the AWS security guru to, to, to vent about this.
I agree. I think that the, I think that there's no winning with AWS security and you know that that might be true when people recommend that every single application have its own AWS account because people are like, we have no idea how to build a perimeter around anything.
Just put it in its own separate account where they're supposed to be a perimeter around the account.
And, and there is no like best way to do things. There's no, there's no guidebook.
There's no PDF that they send to AWS customers. Here's how to release a data plane on, on AWS.
Here's how to have a web application secure, securely and a database and all the basic web website.
It's, it's crazy. Well, we're out of time.
I appreciate you coming on the show and you have a great kind of background in consulting and AppSec and, and kind of more than just that also being in-house.
And so I really appreciate your perspective after two weeks ago when we were kind of trashing it with president beef and I, and so I appreciate your perspective on things.
Yeah. Thanks for having me. Yeah. Anytime. And also the absolute AppSec shirt.
Really? You're those guys support. I got to support the guy.
I mean, they're competition, but you know, they're competition at different times.
They're going down. They're going down. You're West Coast or East Coast.
It's fine. I'm absolute AppSec West. I'll take it. Oh wait, no.
Utah is close enough to out here. So. Yeah. All right. Well, it'll be a fistfight the next time that we we have a real conference.
Yeah. Sounds good. All right.
I appreciate it. All right. Thanks.