Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:01):
How's it going, Aaron? It's great to get you on the podcast. My life is a bit crazy right now. I have a second kid coming pretty soon here and trying to schedule everyone in, and you can see I got a bunch of home repair, home project materials above me that I very conveniently forgot to take out of the frame today.
(00:23):
But, you know, how's it going? I'm fantastic.
Speaker 2 (00:27):
Thank you, um, and congratulations on that wonderful news. Yeah, yeah, thanks, it's, um, it's fantastic.
Speaker 1 (00:35):
I'm really excited. I love being a dad, I love being a parent, you know, and, uh, it's like the best thing in the world. If I could, like, quit everything and just do that 24/7, I totally would, right, like only if my wife was, like, a lawyer or something like that.
Speaker 2 (00:50):
Right, absolutely, yeah, that's it. Well, yeah, yeah, absolutely.
Speaker 1 (00:56):
So, you know, Aaron, why don't we start with your background, right? What made you want to get into it? What made you want to go into, you know, security overall? Right, the reason why I start everyone there is because, you know, I remember when I was trying to get into security, right, and all I really wanted to hear was that someone else
(01:17):
had that same passion, that same interest as me, maybe even came from a similar background as me, and it helped me mentally when I finally, you know, found that, right, to know, like, oh okay, if they did it, maybe it's possible for me, right? So I always turn someone off there because, you know, there's probably someone listening that, you know, is in that same
(01:40):
situation, right?
Speaker 2 (01:42):
Yeah, yeah. So, um, it's definitely an interesting one. So it started back when I was 15, maybe 16, 13, about 15 years ago now. So, like any teenage boy, a lot of gaming, console gaming, PC gaming. Um, one of my accounts actually got compromised, um,
(02:06):
and they took everything that I'd worked for. I was like, how could someone, how could someone do this? Right, like, how is this possible? And so I started kind of digging into that and found this entire, like, hacking space. Now my uncle at the time did work, um, in cyber security, more on the compliance side of things. So I knew a little bit, right, but not so much the actual
(02:30):
technical hacking. And so I started digging around in forums. That kind of got me into game hacking, console hacking, right? Like soldering consoles, like flashing them, selling custom firmware. So I could, like, do all these crazy things. And the more I started to look in these forums, the more my kind of eyes opened to all these other areas. Right, like it's such a big, broad, like, industry, and that
(02:54):
kind of brought me to the web application side of cyber security, and that really interested me because it was far more impactful than just hacking games. Right, like the game hacking stuff was fun, but when you think about, like, actual impact and real world impact, that really caught my attention. It caught my eye. Started doing a ton of research every day.
(03:16):
I'd be bringing in notes from the night before into school, like reading them throughout lunch. I'd learn and absorb all this information, and it was all, like, your typical, like, SQL injection and, like, all of that, and wrapping my head around how all that works, and really I wanted to just apply that knowledge. Right, that was the next thing, because the only way to really solidify the thing is as you're learning, and naturally,
(03:39):
just in a way, or I thought at least at the time, there was no way of me doing that, like, legally, you know. I started doing a bit more research and asking questions on forums. I discovered, like, oh, there are actually organizations that you can hack and they won't sue you and throw you into prison, right, through these vulnerability disclosure programs, and some of them might even pay you.
(04:01):
So I thought, wait, hang on a second, I'm a teenage boy that can hack things and potentially get paid. Like, that to me was the dream, and so I started doing that in my spare time quite a lot, and I went to university after school, did my computer science degree, didn't really touch on cybersecurity too much, and from there went into your kind of
(04:22):
typical security engineer role at VMware. So things like threat modeling, we're doing internal, like, pen testing for applications that we were building. But in parallel with that, the entire time I was doing, like, bug bounty, so finding the same thing again, finding vulnerabilities in web applications and, in an authorized fashion, getting paid for it.
(04:43):
And one of the things that became very apparent to me was I was spending quite a lot of time researching a single target that had built a single cookbook web application, and the issue with that is the payout was not always worth the investment of time, because that knowledge is not transferable to another organization.
(05:03):
It built everything using a different language, different infrastructure, and that's a whole different way of doing things. So that's how I found SaaS security. I had identified a way in: okay, if I find something that isn't necessarily a vulnerability but a way to take advantage of a
(05:25):
risky configuration made by a customer of Salesforce or ServiceNow, I'm talking about like a. If we actually look at the more well-known examples of, like, public AWS buckets, it's exactly that kind of thing, of like, that's just a repeatable method in which you can locate and exploit something and do it at scale, and so that's exactly
(05:47):
what I wanted to apply to SaaS, because it was a very niche area, not a lot of research having been done into SaaS, and that was just a goldmine for me, um, really, but from a career perspective I had to time, figuratively, figuratively, like a goldmine. So I released my first article, which was effectively a
(06:08):
summary as to how one might exploit data exposure issues in Salesforce, the situation from which customers accidentally expose data to the public internet, and how one could defend against it but also identify, um, those risks, and that kind of blew up the internet a little bit, and it caught the attention of my current employer, AppOmni,
(06:29):
which is like an SSPM tool used to assist, or to date, with locking down and securing their SaaS posture. So they reached out to me and said, hey, we saw this article, this is exactly the kind of thing that we're doing, and at that time I was actually unemployed and looking for my next role, so I was like, yeah, sure, we'll do, like, a paid, like,
(06:51):
joint article to talk about it. So I jumped on a call and I was effectively ambushed, because they were like, why don't you just join us? We'll hire you and just give you a job if you're looking for one, and it seems like you know what you're talking about. And so I was employee number, I think, 28 at the company and the founding member of the AppOmni Labs security research
(07:12):
function of the company, and as of current I'm the chief of security research over there and leading up that function. That's really my background, how I fell into the space in the first place, really, and how it kind of developed into where I am. Yeah, it's, that's fascinating, you know, because
(07:32):
you know, hearing your story just brings to mind, right, that curiosity that you have to have.
Speaker 1 (07:40):
You know, getting into security and, you know, having, like, that thirst that you can, like, never quench. You know, no matter how much research you do, no matter, like, how much, you know, pen testing or vulnerabilities you find, you're, like, always kind of looking for that next thing, and that was, like, the number one thing when I was trying to
(08:01):
get into security. I got my bachelor's degree in criminal justice, fully intended on going into federal law enforcement, being sent overseas, whatever might be, and doing that whole thing for the rest of my life. I did IT literally in college. I was on the help desk team in college just for, like, beer
(08:25):
money, like that was it. You know, like, okay, this pays for my cell phone and my beer for the week. You know, like, that's right, that's all I needed. But I hated everything about that, you know, help desk job. I was like, man, this is stupid, you know. And then right after college, I have these student loans. So it's like, okay, let's get in the help desk,
(08:49):
let's, you know, get some money coming in, right, because it takes forever to get into any federal agency, right. And that's when I kind of discovered security. I never thought about it or anything like that, but someone introduced me to it and, like, I couldn't stop. You know, I started again to, like, wireless security and infrastructure security, vulnerability management, like
(09:09):
that whole thing. You know, I was so passionate about it. I mean, I probably should have been fired, like, five different times from this job, right, but I, like, forced my way into handling all the vulnerability management for this company that didn't have any, like, whatsoever, you know. And I, like, had to sit down with these developers that had created this code from scratch that we had sold hundreds of
(09:31):
times over and over, and run through, you know, my open source vulnerability scans and being like, hey, guys, we have 1500 high vulnerabilities. This is really bad. When I go to these federal agencies, you know, and I'm on site, they're pen testing the app live in front of me. Like, that can't happen.
(09:53):
This isn't even allowed to run in their environment. You know, and, like, just thinking back, it's like, man, I was so young and stupid. I'm still pretty stupid, but less stupid, you know. Like, I was so stupid and young at the time that, like, it was like, man, how did I even get through that, you know? But you start doing so much research, because I was
(10:16):
researching at work, I was researching at home, I was sleeping and thinking about it. You know, like, that's the kind of passion that you really need getting into security. One, because there's so much to learn, right, but two, because it's also so hard at times that, uh, you
(10:37):
need that passion, you need that drive to be like, yeah, it's difficult, but I still want to do it. You know, like, I'm a terrible hacker with web app security. I mean, it's like, man. Whenever I go to a new company, it's like, I hope they have an AppSec guy, because I don't want to touch that, I don't want to think about that. I don't want to install Burp Suite on my computer. Like, end of
(10:58):
story. You know, I don't even want to think about it, right?
Speaker 2 (11:06):
Right, give me every other facet of security. AppSec is the one I don't want to do. Well, everyone's got their niche. And it's funny, like it just reminds me, you saying that, kind of that thirst for knowledge. Like, this is so, so bad. But I used to not let myself go to bed until I could recite everything I learned that single day. Well, I would pace your pen, the dining room, while my parents were asleep and basically just recite and ask myself questions
(11:26):
about what I learned. You know, I don't want to make it seem like, when I talk about my background, it was such a streamlined process, because there's so much that I left out, right. There were so many areas that I tried, um, within security and just couldn't take to, and that could be for various reasons. Maybe it's too difficult for me.
(11:48):
At the time I couldn't wrap my head around this, um. I remember looking at, like, functional programming and thinking, like, okay, I will never understand this. Yeah, and there were so many times where I did really kind of want to give up, um, because I was just struggling to understand all of these concepts, and it is a slow and
(12:09):
steady wins the race. Like, sometimes, yes, you can just pick something up and take to it naturally, as if it's second nature, but other things, they do take time and effort, and really it's like that saying of which, like, good things, like, take time, right? Um, I've been doing this for so, so many years, and I think when
(12:29):
people read my research or speak to me about it, they forget that, and they might think, like, oh, you know so much about this. I was like, well, I've been doing SaaS security now for, like, over four years, every single day in my spare time at work. It's not like I'm some natural-born genius. I'm really not. Like, I'm a trial and effort guy. I fail many, many times before I succeed. Yeah, you know, it's.
Speaker 1 (12:52):
Um, there's something very true about, I think I heard, you know, maybe Elon Musk say this several years ago, right, is the industry, the industry, I guess, right, on this is that you need to get 10,000 hours in to really feel like you're excelling in an area or being an. You know, I wouldn't even call it an expert, but, you know, to
(13:16):
feel like you're competent in any, you know, principle or domain, whatever it might be, right. And so when you say you struggled, you know, for that many years, right, you got to think about, okay, well, I put in 100 hours this week of doing it at my day job, going home, doing it more, like, staying up late.
(13:37):
You know, you probably put in that time, right, and the key there is getting through those 10,000 hours as quickly as possible. Because if you can get those 10,000 hours in, you know, in a year, when it takes other people five years, right, because that's, I think that's the actual, like, average nine-to-five
(13:57):
like time span. Right, like that's how long it takes. It takes, like, five years or something like that. I can't remember what it is, because once I learned it, I went after it and I hit it and I forgot about it, right. But if you can do that in one year, you know, you sat through and it's like, okay, I'm actually at year five in my brain. You know, let's build off of this, you know, and maybe you dial things back a little bit, you know.
(14:19):
So you have some, like, work-life balance and whatnot. But, you know, I remember when I was just getting started and I was in that help desk job and, uh, I mean, I applied to somewhere between three and 500 different jobs, right. Every single day I was applying and interviewing, and I
(14:41):
was employed, I was fully employed at that time. I would literally go into our break room, take an interview, you know, get bomb it, go right back to work like nothing ever happened, you know, and figure stuff out, right, but it's that constant knocking, right. I got to the point where I was like, okay, well, surely not every company in the world will say no to me. I just got to find one that says yes.
(15:03):
That mentality is so helpful, because you just got to break it down like that. I don't need everyone to say yes to me, I need one to say yes to me. How many companies are there? Millions, okay. Well, I just got to find one.
Speaker 2 (15:18):
Yeah, that's exactly it. It's really the perseverance. I think that's exactly the word to describe how to go from being a complete newbie in security, whatever domain that's in, to becoming an expert. And it is just perseverance.
Speaker 1 (15:34):
Yeah, yeah, yeah, that is, man, that is so critical. I remember when I was getting my master's degree in cybersecurity and it was a very hands-on program, right. So we're not just talking about, you know, theory all day, like we're literally, you know, hacking things and everything else like that, right. Like, you know, one day we're learning about
(15:54):
wireless security on, you know, WPA and WEP and, you know, why you would want to stay away from WEP, and you're doing an exploit to actually see why, right. And there was one project where they said, okay, find a vulnerability, exploit it on a device and give me, like, a report on it. Right, didn't realize that it was basically a pen test report.
(16:14):
You know that, like, that's what you're putting together. And so I chose, of course, you know, something wireless, right, and so I didn't do very much with Bluetooth, but I knew Bluetooth was vulnerable to a lot of, like, basic things, you know, of, like, you know, naming functions and stuff like that, right. So I figured, okay, let's, uh, let's challenge myself a little bit here. I was probably stupid on it. Let's, you know, I procrastinate
(16:37):
very well, right. So I'm, you know, 48 hours before I have to hand in this project. Oh, yeah, yeah, and, uh, you know, I'm starting to try and exploit this Bluetooth vulnerability on an iPhone and, uh, it took me, you know, 24 hours, I mean straight, like I did not sleep. You know, my now wife was, like, falling asleep, you know,
(16:59):
in my bed while I'm sitting at my desk, like, working through this problem, and I gave up after 24 hours. I was like, all right, let's just go to Android. You know, 24, you know, a little bit longer, right, but I go to Android, 20 minutes, I got root, and I'm just sitting here like, I'm a terrible hacker. You know, like, I'm so bad at this. If I can get root on
(17:23):
Android via Bluetooth hack, that should never. Like, you should never be able to get root on any device via anything Bluetooth. Like, Bluetooth and root do not go together. You know, in security, like, those two things should not be happening. If I'm so bad that I can get this on Android, you know, like, what is really going on here, right? But, like, that talks about
(17:43):
that perseverance, where it's like it wasn't just the deadline that I had. It was like I was so frustrated that I couldn't get it to work on iPhone. I was so beyond mad that I just couldn't get this thing to work that I had switched to another platform to figure out if it was a platform architecture thing. And then, you know, sure enough, the next class I take is
(18:06):
mobile security architecture, and we're talking about why basically that happened, you know. Yeah, it's funny you're talking about your wife there.
Speaker 2 (18:14):
Like, I've been testing SaaS applications for, like, weeks on end with nothing, right. I'm gaining knowledge of the platform, but in terms of findings, it's like nothing. And for some reason it always seems to be when I'm not supposed to be doing it that I find something. So my girlfriend will literally be like, you need to go to bed.
(18:36):
I'll be like, okay, just five minutes, I promise. I'm like, I'll go to bed, and with, like, two minutes to spare, I'll find something crazy. And I'm like, okay, well, hang on, 10 more minutes, because I think I just found something. And then, all of a sudden, two hours later, it's like a full exploit chain. I always think, like, that's, if I had gone to bed, I wouldn't have found that. It just always seems to be when I'm not just to actually be
(18:58):
doing it, um, which is funny. But once again, perseverance.
Speaker 1 (19:04):
Talk to me about what it's like pen testing a SaaS app. I would assume that it's probably a little bit different from pen testing a regular application, right, that's maybe built on S3 or lives in S3 or something like that. How is it different? Are you limited in the techniques that you can use?
(19:25):
Since it's technically a SaaS app, it's like a service offering in a cloud.
Speaker 2 (19:30):
Yeah, that's a great question. So I like to look at this through two facets, right. So there's the vulnerability side of things, generally what we've been talking about throughout this discussion, and that is, like, your zero days, that is, exploits in the SaaS application itself that only the vendor can fix, um, right, like,
(19:52):
here's, like, a SQL injection in, like, the core platform and in the software itself. And then there is the misconfiguration side of things, in which there is no issue with the software. There's no inherent out-of-the-box vulnerability or zero-day at the fault of the vendor, but a customer of theirs has toyed around where they shouldn't with configuration
(20:13):
and security controls, or a lack of playing with them, and that's resulted in some kind of exposure, like a data exposure issue. Throughout my work I mostly focus on that misconfiguration bucket, that often uncovers zero days in the process, because I will see something that's a little janky and be like, oh,
(20:34):
like, how does this play with another feature? But the biggest thing that's really helped me, um, kind of understand platforms, even from a security perspective, is just becoming almost like a platform administrator, like having the same knowledge as a platform administrator or a platform developer. A lot of these platforms allow for custom application
(20:56):
development through, like, some framework that they have. So I'll get myself certified as a platform developer. I'll take the exam. I'll learn all about the features and how they interact with each other, or stand alone. I'll learn the flavor of JavaScript, whatever they're using on the platform, as a certified developer. And that gives me a fantastic base to start off, because the
(21:22):
mindset that I've always applied when it comes to web application hacking in general is looking at, like, how do these various features interact with each other in a way that is potentially insecure, and just having an understanding of the
(21:43):
product. I'm not one of these hackers that's kind of like spray and pray. I like to really know what's going on under the hood wherever possible. I never review a SaaS application from a target perspective initially. I view it from a learner's, beginner's perspective of what does this even do, what are people using it for, how can I
(22:07):
implement this, and then I'll follow documentation. Sometimes there's none that's provided by the vendor. I'll use Stack Overflow. I'll learn what common problems people are having, um, and just to get that general knowledge, and then from there I can actually have that attacker perspective of, like, okay, are there any areas that I've looked at that are having no security
(22:28):
controls around, or are the security controls decentralized in a way that managing them is potentially difficult? So I'm quite lucky working at AppOmni, because there's a couple reasons. Number one, getting access to these applications is not always easy. ServiceNow and Salesforce, it's great because you've got a free
(22:51):
developer license. You can spin up an instance, your own personal instance, in, like, two minutes. Um, but often that's not the case, and a license could be, like, 20k a month, right, so I have the luxury and the privilege of having access to things that a lot of other researchers don't. So that's one requirement I always tell people, like, if you're, like, a bug bounty hunter or hacker, like, pool together
(23:12):
with your friends, everyone throw in a little bit of money, and get yourself an instance if you want to find, like, a lot of cool new things. But also I have the luxury of anything I find that I believe may be exploitable, um, like a misconfiguration, I can productize that, so I'll actually build a check or a scan right in the product and see
(23:34):
how many customers that it lights up, and that kind of brings me into one of my most recent pieces of research, and that was part of it. I was able to productize what I found and I was like, okay, this is actually a big issue, this is a seriously big problem, and that kind of validates my findings and allows me to then
(23:58):
start educating our customers, educating the vendor as to what's going on in their customer instances, and then educating the security community and just platform administrators in general with a public disclosure.
Speaker 1 (24:13):
So there's a lot there, but I want to circle back a little bit, just so I personally remember it, right. I had, maybe I'm like a terrible podcast host. I take, like, no notes when we're talking. You know, it's a conversation, right, but, you know, I want to go back. Right, because you said something earlier where,
(24:34):
essentially, you made this post and AppOmni reached out and wanted to collaborate, right, and that's kind of how you got, you know, the current job, and I want to highlight the importance of that. Right, because the normal person, the normal workflow, is saying I don't have anything unique here, I don't have
(24:54):
anything really cool here, I'm not providing that much value to others. Why would I make a blog post about it? Why would I make a podcast about it? Or, you know, go anywhere and talk about it, right? Like, I'm not doing, you know, novel things, right, but you still, you know, thought that it was cool, you thought that it was interesting, and you
(25:16):
made that post about it with no intention of, hey, this is going to get me a job, you know, at AppOmni, being a security researcher in this space that I love, right, and I want to highlight that because in security, or really just in the world overall, right, I feel like you have to find ways to stand out. You know, this podcast helps me stand out significantly, right,
(25:39):
like when I go into an interview or even a call internally at a company, right, and immediately people add some sort of value to what I'm saying just because I have a podcast. Right, not knowing, like, hey, you know, you could have a podcast too, but it brings a level of authenticity and, you
(26:02):
know, it almost, like, qualifies you without qualifying you for these different things, which is really important because, and I bring it up too because I know a couple of people that are really struggling, trying to find work right now, and they're great, you know, security practitioners, but they're having trouble finding work, and I keep on telling them, like, hey, go outside the box and do something, like make a blog post.
(26:27):
You know, make a website. Right, like, offer up different things, and it adds a lot of recognition to your brand without you having to do anything.
Speaker 2 (26:36):
You know, and that's a really important thing that a lot of people miss. That's exactly it, and it's so funny, because I made the blog post, as you said, one, because it was interesting. I thought I found something, like, net new and novel, and I did. But the SaaS security space wasn't, like, my target audience necessarily. I was writing it, well, firstly for anyone curious, but mainly
(26:58):
for, like, red teamers, like the kind of de facto stereotypical people who would apply that methodology, um, and then also for organizations that protect themselves. So I really ended up in a space that I didn't even know existed. I didn't know SaaS security was a thing. I just saw this as, like, oh, misconfigurations being widely
(27:21):
applied to SaaS instances, here's how you exploit them. It's cool, it's novel, and I just, yeah, I just fell into it, and I don't know where I would be if I hadn't made that blog post. I could be doing more standard web application stuff. Go back to the security engineering and the threat modeling. But, yeah, it was nice.
(27:42):
It was great validation that there is an entire space that found value from what I did, and that's an entire space I did not exist in. So that was really cool.
Speaker 1 (27:54):
Yeah, you know, um, it's fascinating what we do with, like, no intention, right, and then something good, you know, comes from it. Like, you know, that's a really interesting situation, right. It's kind of like your passion. Your passion brought you to be the forefront of, you know, AppOmni is, it's a really important company, right, and I'll give
(28:18):
you this example. You know, I was recently, you know, employed by one of the largest automotive manufacturers, you know, in the world, right, for their financial services arm. My CISO got on a call, it was internal to security only, and he said, yeah, you know, we have three core SaaS applications. And I had to stop him right there, right, because I was
(28:41):
recently, literally, like, that week, looking at our SaaS apps and talking to the developers that are, you know, working on these SaaS apps, and I said, no, that's wrong. We have seven and we're going to 10 at the end of the year. And he was like, what are they? And I had to, like, list them out, you know, and he goes, I didn't even know that that was a thing, right, and, like, how
(29:03):
common is that, though? I mean, that's extremely common. If you ask, you know, any organization, right, if you took a poll across the globe and said, what applications do you have in your environment, how many SaaS, how many natively run on EC2 or S3 or, you know, whatever that flavor is in Azure or GCP?
(29:24):
Maybe 1% would be able to tell you and actually answer that, you know, and so you need a platform like AppOmni that comes in, gets plugged in and pulls in that information. Because, you know, as a security professional, not every
(29:45):
company can have a team of 100, 200, 300 security professionals. I was at one company that had, I think, 250 people on the security team, right, that it wasn't that big of a company overall. They were a global company, but they were, like, a credit bureau, right, so they had the funding. Like, they would just write blank checks to these companies, and Splunk would be like, yeah, you're gonna pay us, you know,
(30:05):
two million in a year, and my CISO's like, you should have doubled it, and writes the check for two million. You know, like, whatever it is, like, he doesn't even care. Yeah, that's that environment. But everywhere else, I mean, I've been one of three, you know, one of five, now I'm one of one, yes, you know. And so people need these powerful tools to even have a
(30:29):
chance at, like, telling the developers, hey, you need to fix this, exactly like right here, this is how you fix it. This is what's going on, and that's why, you know, AppOmni in particular. AppOmni is not sponsoring this podcast or anything like that. But I've looked at the platform a lot, like, unfortunately, maybe, for myself.
(30:49):
I've looked at the platform quite a lot, and so I know it pretty well, and it's like, okay, I need this thing, you know, in-house, I need to be working with this immediately.
Speaker 2 (30:59):
Yeah, it's interesting because, while you touched on at the beginning there, that sprawl is, like, everywhere. Every organization seems to have this problem. You will have a department with multiple teams, even in a small organization, and these teams may be doing very similar work,
(31:20):
but they'll have preference for one SaaS to fulfill one function, and another team will use a different one to fulfill that same function. And you have this situation which, all of a sudden, you've got, you're using hundreds, right, and you're granting different apps access to, like, God knows how much of your data, which is a
(31:41):
massive problem. And if AppOmni was simply just an inventory tool to surface what SaaS apps are being used across an organization, that alone would be so valuable. But it's not, it's all of these other fantastic features, but it's absolutely crucial to understand, just get a grip on that
(32:03):
inventory in the first place. Like, how can you secure something if you don't even know you're using it? And while that's not the forefront of my research, it's the same underlying concept of, like, the unknown. To my, in my opinion, the unknown is the biggest danger: the unknown API endpoints that can do, um, that can be exploited or leveraged by a threat actor, right, like unknown SaaS objects you're
(32:24):
using that you have no idea what is being stored there, um, how it's being secured, uh, unused? Is it being used responsibly and appropriately from a security perspective? So, yeah, I'm, I'm. It's definitely not new what I'm hearing from you. Um, every organization has it, um, and that's why we're seeing a lot more, um, uptake and attention, uh, as well from
(32:50):
organizations. They are learning over time, maybe hopefully as a result of my research and my blog posts, that this is an area to take seriously, because your most sensitive data is most likely sitting in one of your SaaS apps and you may not even know it.
Speaker 1 (33:05):
Yeah, that's a really good point.
Actually, when I was at an employer, the automotive manufacturer, I was just talking to the Salesforce admin and my CCO kind of pointed me in that direction because he's like, look, we don't really ever look at this.
We need someone with that cloud mindset to go in there and just look at what's going on, because we literally don't know.
(33:27):
You know, I'm talking to him and it's interesting.
I have a way of getting developers to tell me too much information or much more than what they should be telling me.
You know, maybe I'm easy to talk to or something.
But I was talking to him and he said, yeah, like we, you know, we store 100% of our customer data here and this part of the
(33:50):
database is sending info over here and you know all this other stuff, right, and I'm just sitting here and I asked him one question.
I said so if Salesforce ever got breached, you know what, what, what are we looking at?
It was, oh no, that's everything.
Yeah, I was like you don't understand what a breach is.
(34:11):
You don't know what I just asked.
You know it's.
It's interesting because, as security, he didn't even know that it was that high of a risk.
Right, we had some idea, like, yeah, there's some risk over there, but I think that we were so used to our risk being mitigated or accepted somewhere else in the business that we
(34:32):
didn't realize hey, we're using a pretty critical to our business application.
It has a lot of our data.
We need to focus more time and resources on this and even beyond that.
Our Salesforce environment was growing significantly and security didn't even know.
We already had, I think it was, seven Salesforce clouds, like
(34:56):
cloud instances, right, and then we migrated that down to five and then down to three and that, like now it was going back up to five.
Right, yeah, but that's a lot of data, that's a lot of cloud presence.
You know, in a SaaS app that you probably didn't even realize was there and there's, you know, literally one guy at the company that knows, oh yeah, that's how it all works, that's
(35:20):
what it is, right, literally you're lucky, it's one, um, yeah, nothing, zero, it's often zero.
Speaker 2 (35:28):
And another thing that really I feel like contributes to a lot in organizations like this problem is the misunderstanding of that shared responsibility model.
It's like, oh no, Salesforce, like it's secure, like they have their own security team, they're securing it and it's like, okay, but they are not going to stop you from misconfiguring your access controls and just leaving
(35:48):
everything wide open.
Like that could be a business use case for you.
They don't know, they don't care, it's not on their side of the shared responsibility model.
And then, secondly, it's like who owns SaaS security in your organization?
Like, whose responsibility is it?
Because you've got like your platform owners right, who
(36:09):
aren't necessarily security-minded individuals, far too much on their plate already.
Right, they're managing thousands, potentially, of users and processes and making sure that the instance is functioning.
And they'll be like well, we do pen tests on our own applications.
This isn't our own application.
(36:33):
Yes, we've purchased the product, but it's not really falling into our role.
Plus, you know how it works, you're the platform owner, so why don't you deal with it?
And there's this friction and, as a result, nothing gets done because no one wants to take necessarily responsibility for it, and that is changing.
And that is once again why such a need for AppOmni, because
(36:54):
anyone can learn to use the product very easily, the AppOmni product, and become like a SaaS security expert.
Because my team is doing that net novel research for you.
Like we're your SaaS security experts.
If you've got Salesforce, ServiceNow, netsv, whatever it might be, we know where the risks are, we're going to productize it, build in those scans.
(37:14):
So when you log in you instantly see like okay, high, critical, medium, click into the finding, review it and you get your resolution guidance that we provide and all of a sudden you've just got rid of like five potential critical issues without not necessarily needing to fully understand the
(37:37):
technicalities of that.
So in that way it's extremely powerful because we're enabling anyone to become a SaaS security expert internally in the organization.
Speaker 1 (37:47):
Yeah, that is.
It's really fascinating.
You know you bring up a really good point.
So I have, you know, the CCSK certification.
CCSK, right, specifically talks about the cloud and so you know SaaS falls into there, right, and when you're reviewing the material, they hardly even talk about misconfiguration within
(38:13):
SaaS apps.
I mean, like they touch on it, like it's a line item, it's a bullet point, right, but they don't tell you.
You know, hey, you need to really focus on this and pay attention to it.
You know, because you can open yourself up to you know risks that you're not, you know, accounting for, that you don't even know are there, and that's still a very big misconception
(38:37):
with SaaS apps.
Overall, I'm finding which, you know, it took us, like what, five years, five plus years, to get over that misconception with the cloud.
You know, like there was a huge misconception to think just the cloud, the cloud secures it, right, I mean AWS would have to put out blog posts and videos and all that sort of stuff just
(38:57):
to educate their customers that, hey, you still have security stuff that you have to do and if you don't do it, this bucket's going to be public, right, like I mean they, they used to have a public first.
You know bucket configuration where, like, you would have to specifically say make this private.
Now they switched it, of course, but it's really interesting
(39:20):
because you know SaaS is a part of the cloud, right, it's bigger in the cloud than ever before, than any other area of the cloud.
You know thinking about, like infrastructure and PaaS, as you know PaaS, right, like SaaS, is probably the biggest part of the cloud now and people are forgetting that they have to still do that security configuration within their,
(39:42):
within their SaaS app.
Speaker 2 (39:44):
You know it's it's interesting, it's it's funny.
You mentioned the public default first right, because it passes the exact same thing.
I've seen all of these big, powerful SaaS applications evolve with security over time, largely as a result of research, and it's situations like oh, when you create an access
(40:06):
control, it's blank by default, like nothing gets added to it.
Or if you write some custom code on top of the platform, if you don't specify explicitly that it should run in like user mode, it will run in system mode.
So effectively anyone executing the code is running as system.
It's like an instant privilege escalation.
(40:26):
And these are interesting developments because it's almost like we're not just educating the security community and the customers, but also the vendors, in a sense, on helping them improve their product.
It's not just the customers that we're focusing on.
Configurations are never hardened right out of the box.
It's lucrative for you because you have a product, so then
(40:56):
you're just going to keep finding criticals and everyone's going to want to buy you.
But at the end of the day that just doesn't help anyone.
It isn't the best feeling, hooking up like an M365 or a Salesforce instance and I now have to sit through multiple errors to walk through like 100 findings with the customer, but it's so overwhelming for them, right?
(41:18):
So, yeah, I just want to get to a place in which we can assist the vendors while also assisting our customers in like the most frictionless way possible.
Speaker 1 (41:28):
Yeah, that's probably, you know, the only path forward.
Like, we need these vendors to kind of be to have their own.
I mean, they probably do.
I would certainly assume that they have their own like security research team, right.
But you know, we, we need these vendors to kind of make it dummy proof, you know, for, for idiots, you know, know, like me,
(41:49):
that are not developers, that you know may still be tasked with, like application security.
Like, when I'm tasked with it, I'm immediately looking for, like tools and shortcuts and you know what, what tells me the most amount of information most accurately, and things like that.
You know when, when, when you're you know pen testing a
(42:13):
SaaS app.
Do you have to be a developer?
Like, do you have to have that skill set?
And I ask, because previously you mentioned how you know you don't like functions.
Functions are confusing, you know as they are for me, like functions are super confusing for me.
That's where my Python education like ends.
Every single time I try to go down it right is like as soon as I hit functions, I get the basic
(42:35):
level of functions and then they like step it up to the advanced stuff and I'm just like, yeah, I'm done, like I don't, I don't want to look at this yeah, yeah, the, the functional programming I yeah, I'm never going to return to that.
Speaker 2 (42:47):
I haven't whatsoever.
Haskell is a no for me.
Um, I mean, you don't have to have that knowledge, you don't have to be able to write code.
There's a lot of security researchers and we're talking like de facto, like bug hunters or individual individuals who perform code auditing of open source projects that can't necessarily write the code, but they can understand it and read
(43:09):
it and, depending on you, on the language that the code's written in, that can be easy or it can be hard.
Right, it's very easy to read a Python script in comparison to assembly language, right, and so, while you don't necessarily need to be able to write it, for some types of issues, issues it
(43:32):
can be very useful to be able to at least understand what's going on, and typically that's usually JavaScript.
Um is is what I find on a lot of these powerful platforms uh, which isn't, it's not awful and it's not the worst thing to have to read um, but it's just, that's just like a small subset
(43:53):
um of potential risk.
Uh, the whole like custom development side of things.
So, yeah, you don't need to necessarily come into SaaS security having, like all of this, this, this expert knowledge of programming languages.
Um, the one of the benefits is, if you're looking for things like exploitable misconfigurations, then you don't
(44:15):
necessarily need to know about SQL injection, you don't necessarily need to know about XML external entity attacks.
That's also a benefit, right?
So, yeah, it takes a while to get used to.
A lot of the individuals who come into the, the SaaS security
(44:36):
space from more of a traditional background and, like pen testing, do struggle quite a lot because it's a shift in mindset.
So it's not just like, necessarily the skill set we're talking about, but it's also the mindset.
Um, I have to explain to people, like, I'm not necessarily looking for zero days here, right, I'm looking for things that look suspicious, that look dangerous, and I'm seeing, okay,
(44:59):
how can this be exploited?
And sometimes I can't, right, and that's that's just just the case, but oftentimes it can.
So, yeah, it's just just a couple, just some food for thought for anyone who wants to kind of get into the space.
I don't want to put anyone off, but it takes a while to wrap your head around it for sure.
Speaker 1 (45:16):
Yeah, it's interesting that you put it like that.
You know, I can find I find myself with myself, at least, you know, starting from scratch and and coding it's really difficult for me, like just starting from scratch and trying to like piece it all together, right, like that's really difficult, but I can read it really well, right, so I
(45:40):
understand what's going on.
When I, you know, read a Python script or JavaScript, whatever it is like, I typically understand it pretty well.
And so now I'm actually like I'll use, you know, AI or you know Grok, right, to write me the script and then I plug in everything that I need and, you know, adjust it to how it'll
(46:01):
work and whatnot, right, you know, as I'm doing, right, like you're learning the different techniques and things like that.
When you're reading through it, you know you're learning how it operates.
But it's, it's really helpful, you know, to hear like, hey, you don't have to be a developer to get into the AppSec space.
You know, I think that's probably like the biggest hurdle
(46:22):
that anyone you know looking at security and saying where do I want to focus my time?
That's probably like the biggest hurdle for AppSec overall is people just saying, well, I don't want to be a developer.
An application that sounds like developer, so why would I not have to be a developer to secure it?
You know?
Speaker 2 (46:40):
Yeah, yeah, absolutely.
And you know, back when I was a security engineer I didn't do any development whatsoever, and even up on me today, any of the development that I do is just a new area for me that I wanted to explore.
Like I enjoy productizing my own findings because I like seeing that end to end, like from finding the issue to building the scan and then seeing it benefit our customers
(47:01):
in that sense.
But I really don't have to be doing that.
I could be.
My role is purely security research.
To be honest with you, and also you made a good point.
I mean you could just throw these code snippets from these scripts that the vendors are putting on customer instances, or customer-developed code, through ChatGPT, right, and
(47:22):
you'll hopefully get some coherent explanation for it and in that sense you'll both learn how to better read it and also better understand it.
So it's a good point yeah, yeah, absolutely.
Speaker 1 (47:35):
Well, you know, Aaron, I'm very mindful, you know, of the time that I set aside for podcasts, as I know everyone in this industry is so busy.
But you know, before I let you go for one, you know this was a fantastic conversation.
I absolutely want to have you back on.
We'll connect, we'll maybe collaborate on a couple things,
(47:56):
but it was a very fascinating conversation.
Really enjoyed having you on.
Speaker 2 (48:01):
Thank you so much.
It's honestly fantastic to be on.
I thoroughly enjoyed it.
It's fantastic to learn about yourself and your background too, yeah.
Speaker 1 (48:10):
Yeah, yeah, absolutely.
Well, you know, before I let you go, I'll let you tell my audience you know where they could find you if they wanted to, you know, reach out or connect or maybe just see what you're posting out there and where they can find out about me and maybe a little bit about your, your research.
Speaker 2 (48:28):
Yeah, so I mean to start from more of a kind of a personal perspective.
My Twitter is conspiracy proof, all one word.
I made it when I was like 16.
Don't judge me.
Conspiracy proof on on Twitter or X, uh, as that's now called.
Um, you can find me on LinkedIn, Aaron Costello.
Um, I'm very, very active there as well, so give me a message on another platform.
(48:48):
Um, I do have one of my own personal blog, that's enumeratedie, where I will, more so now, backlink to the AppOmni blog.
But my original research is is present there.
So there's a couple articles and that are potentially too spicy right to to put on the work website, but a good, the.
The biggest chunk of my research is on the appomni.com
(49:09):
website.
So we've got a section of our blog called AppOmni Labs and that's where you'll really find a lot of my stuff.
So you got white papers, blog posts, tons of different uh types of content that hopefully really useful to to awesome well, thanks, uh.
Speaker 1 (49:27):
Thanks again, Aaron, you know for coming on and you know everyone listening.
Go ahead and check out Aaron's posts, the resources that he mentioned, and check out AppOmni.
All right?
Well, thanks everyone.
Speaker 2 (49:39):
Hope you enjoyed this episode. Cool.