Episode #261

Security Economy, Password Resets, Vendor Consolidation

While you may be tired of hearing about it, you really should join us for next week’s Practical Secure Code Review virtual training session. We explore new techniques for using Generative AI/LLMs to enhance the code review process. Register at https://training.redpointsecurity.com/.

This week, on episode #261 of Absolute AppSec, Seth (@sethlaw) and Ken (@cktricky) sit down to discuss the shifting economic winds that affect the cybersecurity industry and recent updates in password management. You can watch the full episode at https://www.youtube.com/watch?v=KorQHgTVDqE

“If the economy is going down, usually that means more cybercrime, more concerns, and that usually means spending on security goes up. So we actually have a positive inverse relationship, typically, to downturn economies.[…] This is a unique [time] in that it’s pretty globally shitty across the board.” 

Ken

Many professionals are starting to feel the pressure of tightened budgets and fewer jobs. While cybersecurity has been considered more resilient during economic downturns, the impact has been felt differently in recent years, and several notable shifts are occurring in the industry. Security companies are no longer seeing longer sales cycles for third-party assessments and services. Organizations that once had large budgets for cybersecurity are now tightening their belts, often canceling or delaying projects in the pipeline. Hiring processes have also changed, with Ken noting that many companies are posting job openings but are not actively hiring for some of them, instead using job listings to create a perception of growth or security presence without any real intent to hire. The wider reduction in security spending can also be seen in decreasing demand for consulting services. Consultancies have traditionally been viewed as safety nets during downturns, but they have not seen the same spike in demand as in previous recessions. This broader economic shift has affected security teams, consultants, and product companies alike, raising concerns about the future of growth within the industry.

In the face of slower economic periods, Seth and Ken encourage listeners to use the lull to focus on improving their skill sets. They suggest that the best way to stay competitive is to keep learning, stay current on new technologies such as generative AI, and refine practical security skills such as secure code review or cloud security. By doing this, security professionals can stay ahead of the curve and be in a stronger position when the market rebounds. Downturns also show the importance of networking and community involvement, which can boost morale and open doors to new collaborations. During times of uncertainty, fostering connections with other professionals can help individuals find new roles, freelance opportunities, or even launch new initiatives. Most of all, Seth and Ken push security professionals to stay prepared, patient, and optimistic. Both have their own experiences with previous downturns but remind listeners that the cybersecurity industry is still robust in the long run and will continue to grow: economic cycles will eventually shift, and opportunities will return for those who are prepared.

“It’s only been […] the last ten years that we’ve really started to realize that password resets were detrimental to the actual security systems.” 

Seth

Seth and Ken shift gears to talk about NIST’s evolving guidelines on secure password policies. Previously, organizations mandated frequent password resets, typically every 30 or 90 days, in the name of security. This has become less effective for a number of reasons. Constantly changing passwords leads to user fatigue and encourages insecure coping strategies, such as minor variations on previous passwords or writing them down in insecure locations. Forced resets also provide a false sense of security: while changing passwords every 30 or 90 days might seem secure, it often results in weak patterns like sequential numbers, calendar references, or rotating symbols, which attackers can easily guess. NIST’s recent guidance now discourages frequent password resets, moving toward a risk-based approach that encourages users to create longer, stronger passphrases combined with multi-factor authentication (MFA). Ken and Seth also praised conditional access policies, where users are asked to re-authenticate when suspicious or high-risk activity is detected. This move away from constant password resets marks a significant shift toward security that is both user-friendly and risk-based, balancing protection with a realistic view of how people actually handle passwords.
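To make the contrast concrete, here is an added example (not code from the podcast or from NIST) of a password check built along the lines the episode describes: length over composition rules, screening against a blocklist of known-bad passwords, rejecting the "Winter2024! to Winter2025!" style of rotation drift, and requiring a reset only when compromise is suspected rather than on a calendar. The blocklist and the 12-character minimum are constructed assumptions; NIST SP 800-63B itself sets 8 as the floor and asks verifiers to accept at least 64 characters.

```python
"""NIST SP 800-63B-style password evaluation (illustrative, not NIST's own code)."""
import re
from difflib import SequenceMatcher

# Constructed sample blocklist; production systems screen against a real
# breached/common-password corpus instead of a handful of literals.
BLOCKLIST = {"password", "password1", "welcome1", "summer2024!", "qwerty123", "letmein"}
MIN_LENGTH = 12   # assumption for this example; NIST's floor is 8, longer passphrases encouraged
MAX_LENGTH = 64   # NIST: verifiers must accept passwords of at least 64 characters


def _stem(pw: str) -> str:
    """Strip digits and symbols so 'Winter2024!' and 'Winter2025!' share the stem 'winter'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def is_predictable_variation(candidate: str, previous: str) -> bool:
    """True when the new password is the old one with a rotated number, symbol or suffix."""
    if not previous:
        return False
    stem = _stem(candidate)
    if stem and stem == _stem(previous):
        return True
    # Catch edits that keep most characters in place (e.g. one symbol swapped at the end).
    return SequenceMatcher(None, candidate.lower(), previous.lower()).ratio() >= 0.8


def evaluate_password(candidate: str, previous: str = "") -> list[str]:
    """Return a list of findings; an empty list means the password is acceptable.

    No composition rules (uppercase/digit/symbol) are enforced: length and
    blocklist screening do more for strength than forced character classes.
    """
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append("too_short")
    if len(candidate) > MAX_LENGTH:
        findings.append("too_long")
    if candidate.lower() in BLOCKLIST:
        findings.append("blocklisted")
    if is_predictable_variation(candidate, previous):
        findings.append("variation_of_previous")
    return findings


def rotation_required(days_since_change: int, compromise_suspected: bool) -> bool:
    """Password age alone never forces a reset; only evidence of compromise does."""
    return compromise_suspected
```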

This episode is sponsored by Cloud Security Partners - your partner in dealing with modern risk. Cloud Security Partners works with customers to ensure that their cloud solutions are architected with security in mind. Talk to them today and mention Absolute AppSec for a complimentary cloud maturity review. While you're at it, check out their podcasts: Cocktails and Cloud and Relating to DevSecOps.

While you are listening to the audio version of the podcast, show your support by visiting the merch store and getting one of the Absolute AppSec Basic tees; we hear they are all the rage at weekend hackathons. Plus, if you haven’t already, join Slack and say hello.

Stay Secure,

Seth & Ken

https://youtube.com/live/VFcojWV50rA - Episode #234 - Password Re-use across organizations by administrators. Will we never learn?

https://youtube.com/live/gqpdEpVm4oM - Episode #232 - Security Jobs, Surveillance, Prompt Injection - Getting into security based upon experience of someone moving from IT into penetration testing and how it didn’t go as expected.

https://youtu.be/kDkA-ubrYEQ - Episode #173 - Enumeration Attacks! - Further exploration of password weaknesses that results in account takeover. Check your authentication flows, please.

Absolute AppSec Happenings

https://www.businesswire.com/news/home/54125974/en - While a good portion of the industry is at Global AppSec SF, Defect Dojo (and podcast guest Matt Tesauro) announced funding to develop a professional version of the tool in the ASPM space. Open Source to Paid projects do not always work out, but still a huge congratulations to the Defect Dojo team.

https://techcrunch.com/2024/09/25/wordpress-org-bans-wp-engine-blocks-it-from-accessing-its-resources/ - In further open source project news, it came out this week that wordpress.org is blocking wpengine.com (a competitor in the managed Wordpress space) from accessing resources. Something something about PHP and how we should let it go.

https://blog.torproject.org/tor-tails-join-forces/ - Privacy could be improved or could take a hit when consolidation happens. Tor and Tails are two projects that should be able to navigate the hurdles well, but good space to watch.

Upcoming Events

Where in the world are Seth & Ken? Some of these are training courses, speaking engagements, or just conferences we will be attending. Join Slack for more info.

September 26-27, 2024 - OWASP Global AppSec San Francisco - San Francisco, CA - Ken is working the dryrun.security booth. Go see him and get some swag if you are there.

October 2-3, 2024 - Practical Secure Code Review - AI Enhanced - Virtual Training - A few seats are still available.

October 22-25, 2024 - SaintCon - Provo, UT - Seth will be at the AppSec Community booth most days. Come try out the beginner’s challenges or find and fix vulnerabilities in code in the AppSec Challenge.

November 21-22, 2024 - DeepSec, Vienna, Austria - Seth will be presenting “Modern vs. 0ld 5k00l” where everything old is new again.