Episode 259 with Paul McCarty & Daniel Ting

State of Australian AppSec, Evolving Software Security Supply Chain

This week on Episode #259 of Absolute Appsec, Seth (@sethlaw) and Ken (@cktricky) record the podcast during their recent visit to Melbourne after conducting training. For this episode, the duo is joined by locals Paul McCarty and Daniel Ting (@hoodiepony). They discuss secure code review, the state of application security in Australia, and the evolving software security supply chain. You can see the whole pixelated episode at https://youtube.com/live/s8-0taf-X_Y.

Paul McCarty is a software supply chain expert and vulnerability researcher with over two decades of experience. As the founder of SecureStack, Paul focused on integrating security tools directly into the development process, helping teams secure their CI/CD pipelines and local environments. In addition to his hands-on work, Paul is an active educator, speaker, and author. He is currently working on a book on software supply chain security. His current project, Git Hacks, is aimed at helping organizations address the escalating threats in the software supply chain.

Daniel Ting is just a friendly local cyber security sherpa, helping people verifiably build a safer, more secure, and more resilient world by sharing knowledge and experience at the intersection of human-centered design and cybersecurity. This has included the privilege of presenting at the DefCon DCG VR Village, BSides Melbourne, and a keynote at ChCon NZ, among many other conferences. Dan is also a contributing author to the book 97 Things Every Application Security Professional Should Know, published by O'Reilly. Dan is grounded by many years of experience spent advising on and assessing the security of critical infrastructure in Australia, governments, and small startups, and nurturing communities. That said, Dan is just another nerd figuring out how things work, tinkering, and challenging assumptions, sharing stories and experiences so that we can all make better-informed decisions through broader perspectives.

“What does it look like for somebody who wants to specialize as an AppSec professional [in Australia] that goes beyond? [They’ll just] run SAST on a CI/CD pipeline and call it a day, but there’s so much more… Trying to find interesting opportunities [and find] organizations that will match up with what you actually want to accomplish, [places] willing to engage and move that needle… [you’ll find] there is still a compliance-heavy mentality.”

Daniel

In this episode, Seth, Ken, and their guests compare the AppSec spheres of Australia and the U.S. They agree that Australia’s application security landscape lags behind that of the U.S., estimating the gap at around 10-15 years. While the U.S. has made significant strides in integrating secure development practices, Australia remains more compliance-driven, with fewer organizations recognizing the importance of mature software security practices. A “check-the-box” approach to application security limits the broader adoption of proactive security measures, and many Australian companies are still grappling with the basic step of integrating security into CI/CD pipelines, let alone practices like threat modeling or secure development guardrails.

This compliance-heavy process results in a trend where companies often underreport or downplay security breaches to avoid negative publicity. This culture of keeping breaches under wraps to avoid public accountability spares companies from having to invest in an improved security posture. After an Australian exposé publicly listed companies involved in security breaches, the government made the list private when CEOs claimed it hurt their reputations, further reducing transparency and accountability. While the U.S. and Europe have been developing a culture of transparency due to new regulations and stricter data breach notification laws, Australia is not quite there.

“What’s driving [this breakdown] is the fact that regardless of what the managers and the C-suite say, the reality is that the value of our industry, our economy, derives from software engineers because they deliver features and functionality that we can then sell as quickly as possible. And security, as much as people will say on stage that it’s important, it’s really not [valued].”

Paul

A substantial portion of the conversation was spent on rising concerns about software supply chain security. This area has become increasingly vulnerable to attacks, particularly attacks targeting widely used repositories like npm, PyPI, and Docker Hub. These platforms, essential to software development across industries, are being exploited to inject malicious code into open-source packages, making the entire ecosystem more fragile. While organizations might have solid security controls in place for their proprietary code, they often overlook or underestimate the risks associated with third-party code integrated into their applications. These vulnerabilities, which can affect thousands of companies at once, make it essential for organizations to adopt a more comprehensive approach to securing their software supply chains.

While supply chain risks such as dependency confusion attacks, typosquatting, and compromised package maintainers continue to grow, most organizations lack robust processes for detecting these threats. Many rely solely on their CI/CD pipelines to catch them, but as the attack surface continues to broaden, those systems were never designed to detect this class of vulnerability. Some parts of the market are making strides to address supply chain security, but there are challenges in getting organizations to adopt these practices. Due to the fragmented nature of the market, tools often target different buyers, creating distance between the resources that security teams and engineering teams implement.
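As an added illustration (not code from the podcast or its guests) of the kind of check a CI/CD pipeline does not perform by default, the script below audits a constructed npm package-lock.json for the two risks named above: an internal-scope package that resolved from the public registry (dependency confusion) and a package name within a small edit distance of a popular one (typosquatting). The `@acme` scope, the internal registry URL, and the popular-package allowlist are assumptions for the example.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 3 "packages" shape).
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {}},
        "node_modules/lodash": {"version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
        "node_modules/lodahs": {"version": "1.0.0",
            "resolved": "https://registry.npmjs.org/lodahs/-/lodahs-1.0.0.tgz"},
        "node_modules/@acme/billing": {"version": "2.3.0",
            "resolved": "https://registry.npmjs.org/@acme/billing/-/billing-2.3.0.tgz"},
        "node_modules/@acme/auth": {"version": "1.1.0",
            "resolved": "https://npm.internal.example/@acme/auth/-/auth-1.1.0.tgz"},
    },
})

INTERNAL_SCOPES = {"@acme"}                            # assumed private scope
INTERNAL_REGISTRY = "https://npm.internal.example/"   # assumed private registry
POPULAR = ["lodash", "express", "react", "axios"]     # assumed allowlist

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_lock(lock_text, scopes=INTERNAL_SCOPES, registry=INTERNAL_REGISTRY, popular=POPULAR):
    """Return (package, finding) pairs for every suspicious lockfile entry."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue                      # root entry, not a dependency
        name = path.rsplit("node_modules/", 1)[1]
        resolved = meta.get("resolved", "")
        scope = name.split("/")[0] if name.startswith("@") else None
        # Dependency confusion: a private scope must resolve from the private registry.
        if scope in scopes and not resolved.startswith(registry):
            findings.append((name, "dependency confusion: internal scope from public registry"))
        # Typosquatting: unscoped name close to, but not equal to, a well-known package.
        if scope is None and name not in popular:
            for known in popular:
                if edit_distance(name, known) <= 2:
                    findings.append((name, f"possible typosquat of {known}"))
                    break
    return findings
```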

This episode was sponsored by Redpoint Security. Redpoint specializes in "Code Security. By Coders," which is bolstered by years of experience testing applications and conducting code reviews against all types of applications, including AI, web, and mobile. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. So check out redpointsecurity.com for more information and put your company on a path to better security.

Be sure to catch this outside-the-normal episode on your preferred platform, and support the podcast by repping some merch, such as the featured lojikil sweatshirt. As always, join us in Slack for further discussion.

Stay Secure,

Seth & Ken

https://youtube.com/live/NsMx36Qe4aQ - Episode #244 - Kyle Kelly joins the podcast to talk about the Software Security Supply Chain

https://youtube.com/live/RSHITObMB8g - Episode #231 - Thoughts on software supply chain security from Seth & Ken

https://youtu.be/fnm3mz01kFQ - Episode #165 - Software Supply Chain Attacks occurring in the wild along with discussions of Portswigger’s 2021 Top 10.

Absolute AppSec Happenings

https://gizmodo.com/google-has-officially-killed-cache-links-1851220408 - Google has officially killed their cache links of previously seen pages. This has some side effects for OSINT, discovery, and other application or organization profiling activities.

https://tracebit.com/blog/the-security-canary-maturity-model - Previous podcast guest Rami McCarthy discusses use of canaries and how it shows organizational maturity. While honeypot tokens are an initial foray into this space, there are unique uses across a program that help gauge monitoring, incident response, and other security controls.

https://apnews.com/article/lebanon-hezbollah-israel-exploding-pagers-8893a09816410959b6fe94aec124461b - These articles are everywhere, but pagers exploding via remote signals feels like a nation-state attack on the level of Stuxnet. Protection of devices, attack surface monitoring, threat modeling, and other security controls all combine in physical attacks. Not sure where it leads in the AppSec space beyond the awareness that online attacks can do real-world harm, as has long been discussed and expected.

Upcoming Events

Where in the world are Seth & Ken? Some of these are training courses, speaking engagements, or just conferences we will be attending. Join Slack for more info.

September 26-27, 2024 - OWASP Global AppSec San Francisco - San Francisco, CA

October 2-3, 2024 - Practical Secure Code Review - AI Enhanced - Virtual Training