Episode 257

In-Person vs. Virtual Training, Compliance Violations

This week, episode 257 of Absolute AppSec starts with an in-depth discussion on the pros and cons of in-person and virtual trainings. In short, the duo prefers in-person for its advantages, but financial pressures can be a factor, so virtual is a good substitute. This is followed by a deep dive into the complexities of cybersecurity compliance through a look at the lawsuit involving the Georgia Institute of Technology. Third-party risk assessments may not be the most fun part of security, but what happens when an organization doesn't meet its obligations? Seems like both sides are in the "find out" phase of FAFO. The full episode with video is found at: https://youtube.com/live/hjnSfZLyKM0

The U.S. government has filed a suit against the university's research corporation, accusing it of failing to comply with federal cybersecurity requirements. This case is particularly noteworthy as it represents a growing trend of whistleblower lawsuits centered around cybersecurity compliance failures. The lawsuit alleges that, from May 2019 to February 2020, Georgia Tech did not properly secure data and resources tied to government contracts. The accusations come from two whistleblowers who were senior members of the university's cybersecurity compliance team. They claim that the lab involved with the research was not meeting the cybersecurity standards outlined in its contracts with the government.

“From a compliance/GRC perspective, you have to dot your i’s and cross your t’s. And if you don’t you better damn well have mitigating controls and evidence and reasoning behind it that is rock solid.”

Seth Law

One of the more startling allegations is that Georgia Tech's lab refused to install antivirus software on certain systems, a clear violation of both federal cybersecurity requirements and the university's own policies. This decision, allegedly made to satisfy the demands of the professor heading the lab, raises serious concerns about the lab's commitment to security.

Seth points out that this case highlights a common issue in large organizations, particularly those tied to academic institutions: the tension between academic freedom and stringent cybersecurity requirements. While labs and research environments often operate under different rules, this lawsuit shows that cutting corners on security, especially when dealing with government data, can lead to severe consequences. Ken adds that there could be nuances to the situation, such as specific technical reasons why antivirus software might not have been suitable for the lab's needs. However, both agree that if you're going to bypass standard security protocols, you need to have solid, justifiable reasons, and you should never misrepresent your security posture, especially when dealing with government contracts.

“Is it legal or is it actual security? Because those are two different answers and the cost can be very different based on what they’re actually trying to accomplish. So third-party risk in this situation seems to have been driven from a legal perspective.”

Seth Law

This lawsuit is a wake-up call for the entire cybersecurity community. It underscores the importance of ensuring that cybersecurity practices not only meet contractual obligations but also stand up to legal scrutiny. Ken and Seth also discuss the potential for more lawsuits like this in the future, particularly as the legal landscape around cybersecurity compliance continues to evolve. Seth brings up an important point about third-party vendor assessments, questioning whether they are primarily used as legal cover (CYA) or as a genuine measure to ensure proper security practices. Both hosts believe that while legal protection is often the driving factor, organizations should not lose sight of the need for real, effective security measures, or they may find themselves in hot water.

Join us for further discussion on Slack. More trainings are available, including a virtual version of Practical Secure Code Review on October 2-3, 2024. Registration and further details available at training.absoluteappsec.com. And remember that you can represent the podcast by grabbing a new t-shirt or hat at merch.absoluteappsec.com.

This episode was sponsored by DryRun Security. DryRun Security delivers near-instant security code reviews and feels as if you’ve just hired a team of the best AppSec code reviewers. It gathers security context in just seconds after a developer makes a change. From that gathered context, the company’s proprietary code review process interrogates each code change based on behaviors, not just static patterns. Try it free for yourself at https://dryrun.security.

Stay Secure,

Seth & Ken

https://youtu.be/miaOUki5Eas - Episode #69 - Eric Ellett (of Segment at recording time) discusses competing priorities of development and security.

https://youtu.be/3AcL_37gnhY - Episode #170 - Security Basics, Planning for Failure.

https://youtube.com/live/odGayTvT1A4 - Episode #237 - Security 101, Nation State Hackers, Malicious Code. Lack of compliance to specified requirements can lead to multiple issues.

Absolute AppSec Happenings

https://research.kudelskisecurity.com/2024/08/29/careful-where-you-code-multiple-vulnerabilities-in-ai-powered-pr-agent/ - The research team at Kudelski Security finds vulnerabilities in PR-Agent. Really good examples of the problems that can exist with any AI Agent with elevated permissions.

https://www.linkedin.com/posts/dustinlehr_securitychampions-securityawareness-securityculture-activity-7234918211308109824-E_8f/ - OWASP is cancelling the Developer Days associated with Global AppSec San Francisco. This lack of interest and involvement from the development community needs to be remedied, and Dustin Lehr (one of the keynote speakers and a past podcast guest) discusses the possibilities.