Assessing threats Attack paths and Adversaries

SecPro Community Wisdom #5: The best way to begin assessing threats, attack paths, and adversaries

Hey!

Hello and welcome to the fifth Community Wisdom issue of 2022!

Here is another issue, filled to the brim with wisdom from people who have been working in cybersecurity and related industries for a long time. Thank you to everyone who responded – we will be selecting winners from the pool of respondents tomorrow and sending out emails to the winners of our competition.

As always, if you have any extra comments that you would like to share, send them to me and I will try to work them into our newsletter. We are grateful for all the replies we receive and want to make sure that our community sees its voice represented in everything we put out.

Cheers,
Austin Miller
Editor-in-Chief

Top Questions This Week

1. Blue Team

Q: To build up effective defense over time, what is the best way to begin assessing threats, attack paths, and adversaries?

Our organization, which contracts for a federal agency, requires significant code releases to go through an automated security scan. In addition, the top-level IT departments will mandate specific patches as high priority. Those responsibilities for system administration are outside of the scope of my application development team. Still, I would recommend this as a basic starting point for any software-oriented business.

  • Jose, developer

The first defense is to remove the vulnerability that can be used from the attacker side. But the vulnerability is not always easy to find; sometimes the idea is to have good pentesting procedures that can open the cyberanalyst's mind to threats that are not easy to find.

  • Mario, security analyst

Q: What common tactics do hackers use when trying to hide their identity from you?

Bot networks and phishing via semi-genuine-looking domains.

  • Jose, developer

Using proxies and VPNs to hide their point of attack and trying to break the authentication system of the application is one of the most used.

  • Mario, security analyst

2. DevSecOps

Q: How do you ensure that open-source web frameworks are trustworthy, especially when they have many dependencies (possibly from unknown or untrusted parties)?

Some of the node package managers for front-end development will start throwing known security vulnerabilities or required patches during the build step itself.

The tricky part is paying attention to the console during everyday development, because our continuous integration processes may not always catch those warnings.

  • Jose, developer

I can't assure that; you can always have a problem with an open-source dependency (for example, Log4J), so, with some exceptions, we use non-open-source web frameworks all the time, and we check the vulnerabilities of the open-source dependencies in order to use the most secure options.

We are not using unknown or untrusted parties. We have scanning tools that are checking those problems.

  • Mario, security analyst
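Both answers above come down to the same control: the dependency scan has to fail the build rather than scroll past on the console. The script below is an added example (not code from the newsletter or from either respondent) of an explicit CI gate over `npm audit --json` output. It assumes the npm 7+ report shape (a top-level `vulnerabilities` object keyed by package name, each with a `severity`); the package names and severities in `SAMPLE_REPORT` are constructed for the demo, not real advisories.

```python
"""CI gate over `npm audit --json` output.

Assumed report shape (npm 7+): a top-level "vulnerabilities" object keyed by
package name, where each entry carries a "severity" string.
"""
import json
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def failing_advisories(report: dict, threshold: str = "high") -> list:
    """Return sorted (package, severity) pairs at or above the threshold severity."""
    min_rank = SEVERITY_RANK[threshold]
    hits = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        severity = str(vuln.get("severity", "info")).lower()
        if SEVERITY_RANK.get(severity, 0) >= min_rank:
            hits.append((name, severity))
    return sorted(hits)


def audit_gate(report_json: str, threshold: str = "high") -> int:
    """Return the exit code a CI step should use: 0 passes, 1 blocks the build.

    Unparseable or unexpected input blocks too, so a broken audit step can
    never pass silently.
    """
    try:
        report = json.loads(report_json)
    except ValueError:
        print("audit gate: could not parse npm audit output", file=sys.stderr)
        return 1
    if not isinstance(report, dict):
        print("audit gate: unexpected report shape", file=sys.stderr)
        return 1
    hits = failing_advisories(report, threshold)
    for name, severity in hits:
        print(f"audit gate: {name}: {severity} severity advisory", file=sys.stderr)
    if hits:
        print(f"audit gate: blocking build ({len(hits)} at or above '{threshold}')", file=sys.stderr)
    return 1 if hits else 0


# Constructed sample report: package names and severities are invented for the demo.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "pkg-alpha": {"severity": "high", "range": "<1.2.3", "fixAvailable": True},
        "pkg-beta": {"severity": "critical", "range": "<4.0.0", "fixAvailable": False},
        "pkg-gamma": {"severity": "low", "range": "<0.9.1", "fixAvailable": True},
    },
})

if __name__ == "__main__":
    # Usage in CI:  npm audit --json | python audit_gate.py high
    threshold = sys.argv[1] if len(sys.argv) > 1 else "high"
    if threshold not in SEVERITY_RANK:
        sys.exit(f"unknown threshold '{threshold}'; use one of {list(SEVERITY_RANK)}")
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    sys.exit(audit_gate(data, threshold))
```

Pipe the audit output into the script rather than relying on npm's own exit status, which is non-zero whenever any advisory exists regardless of severity. npm also ships a built-in switch for the same decision (`npm audit --audit-level=high`); the point of an explicit gate is that the threshold and the blocked packages are logged in the build output instead of disappearing into a console warning.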

Q: What are the best practices for securing API access?

Have a very good JSON Web Token system, based on very good user validation (if it is possible) and with a very strong signature. This is one of the solutions.
At the same time, use very strong parameter validation control, and use some (more than one) vulnerability scanners that can play with the parameters trying to find problems.

Checking the business logic is also important. Securing API access is not easy work.

  • Mario, security analyst
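The two controls Mario names, a JWT with a strong signature and strict parameter validation, are shown together in the added example below. It is not code from the newsletter or from the respondent; it uses only the Python standard library and assumes HS256 (HMAC-SHA256) with a server-side secret of at least 32 random bytes. The `username` and `page` parameters and their allowed shapes are invented for the demo. The verifier pins the algorithm it issued rather than trusting the token header, compares signatures in constant time, and checks `exp` before any claim is used.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

# --- JWT (HS256) issuing and verification, standard library only ---


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token. The key must be a random secret of at least 32 bytes (256 bits)."""
    if len(key) < 32:
        raise ValueError("HS256 key must be at least 32 random bytes")
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_hs256(token: str, key: bytes, now: float) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        presented = b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad JSON, non-ASCII segment
        return None
    # The server pins the algorithm it issued; the token header never gets to choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so a wrong signature does not leak timing information.
    if not hmac.compare_digest(expected, presented):
        return None
    # Signature is good; now enforce the claims the API relies on.
    if not isinstance(claims, dict) or not isinstance(claims.get("sub"), str):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or exp <= now:
        return None
    return claims


# --- Strict parameter validation: allow-list the keys, pin each value's shape ---

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")  # hypothetical contract for the demo
ALLOWED_PARAMS = {"username", "page"}


def validate_params(params: dict) -> dict:
    """Return a cleaned copy; raise ValueError on anything outside the contract."""
    unknown = set(params) - ALLOWED_PARAMS
    if unknown:
        raise ValueError(f"unexpected parameter(s): {sorted(unknown)}")
    clean = {}
    if "username" in params:
        username = params["username"]
        if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
            raise ValueError("username must be 3-32 characters from [A-Za-z0-9_]")
        clean["username"] = username
    if "page" in params:
        page = params["page"]
        if not isinstance(page, int) or isinstance(page, bool) or not 1 <= page <= 10_000:
            raise ValueError("page must be an integer from 1 to 10000")
        clean["page"] = page
    return clean


def handle_request(token: str, params: dict, key: bytes, now: float):
    """Minimal API handler: authenticate first, then validate input. Returns (status, body)."""
    claims = verify_hs256(token, key, now)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    try:
        clean = validate_params(params)
    except ValueError as err:
        return 400, {"error": str(err)}
    return 200, {"user": claims["sub"], "params": clean}


if __name__ == "__main__":
    import secrets
    import time
    key = secrets.token_bytes(32)  # generated here for the demo; a real service loads it from a secret store
    token = sign_hs256({"sub": "alice", "exp": time.time() + 300}, key)
    print(handle_request(token, {"username": "alice", "page": 2}, key, time.time()))
    print(handle_request(token, {"username": "alice", "debug": 1}, key, time.time()))
    print(handle_request(token + "x", {}, key, time.time()))
```

Two design choices matter more than the rest: the algorithm is fixed on the server side, so a token that announces `"alg": "none"` or any other algorithm is rejected before its signature is even compared, and the parameter allow-list rejects unknown keys outright instead of silently ignoring them, which is what makes the scanner-driven parameter fuzzing Mario describes produce clean 400s rather than surprises in the business logic.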
