April 26, 2023
Live from RSAC, Disclosure Transparency, Google Authenticator
In this Episode:
Mark Miller and Brian Reed live at RSAC
?? Mark Miller, San Francisco, CA ↗
Trac Bannon and DJ Schleen, Kadi Grigg live at RSAC
?? Tracy (Trac) Bannon, San Francisco , California ↗
?? DJ Schleen, Golden, Colorado ↗
?? Kadi Grigg, San Francisco, CA ↗
Changing Nature of Disclosure Transparency
?? Shannon Lietz, San Diego, California ↗
Google Authenticator Now Synchronises to the Cloud. Should You Enable It?
?? Edwin Kwan, Sydney, Australia ↗
Google Authenticator introduces two-factor access code synchronization to the cloud | TechSpot
Mysk????: “Google has just updated its 2F…” – DEF CON Social
Episode Transcription:
[00:00:00] Pokie Huang:
Hey, it’s 5:05 on Wednesday, April 26th, 2023 from the Sourced Podcast Network in New York City, this is your host, Pokie Huang Stories in today’s episode, come from Edwin Kwan in Sydney, Australia, Shannon Lietz in San Diego, California, Trac Bannon live at RSAC with DJ Schleen and Kadi Grigg, Mark Miller reporting live at the RSAC floor with Brian Reed.
Let’s get to it.
[00:00:33] Mark Miller:
I’m standing here with Brian Reed at the after hours party. Brian, yesterday at the DevSecOps event, what session really got you? What session or sessions?
[00:00:42] Brian Reed:
I think that yesterday was great. I’ve been around these sessions for years now. It’s great to have everybody back. I think there were three great sessions, I remember.
Oh, right. So it’s hard to pick one. Shannon and what she’s got going on with the metrics and the adversaries and working with developers. John Willis always rocks. He’s got a new book coming. I’m excited about the new book. And I think Chenxi and Andrew did a great job. They launched a new tool, an open source tool looking at open source tools. which I thought was really helpful. Our research team is already looking at the inventory they’ve created to see where else we might be able. Your team is participate. Our team here at NowSecure. We do mobile security. We’re here with GitHub at our party and we found yesterday was really great.
DevSecOps is the place to be.
[00:01:22] Mark Miller:
I think it’s not. I think DevSecOps is done. Isn’t that Shannon’s motto now?
[00:01:28] Brian Reed:
Well, that is her motto. I think it depends on which company you’re in as to how new or old they are. Right. I think it’s all about security is part of death, right? That is true. The question is how do you help dev built high quality software at scale.
[00:01:43] Mark Miller:
It’s interesting that the godmother of DevSecOps who invented the word says, “I’m done.”
[00:01:48] Brian Reed:
Yeah, I’m on. I’m onto the new thing. No, I, it, it is indeed. Interesting. I think what we’re finding in the market is you have, the more advanced organizations are actually moving past DevSecOps and it’s not really part of their vocabulary because they’re more in a fast moving cycles, friction free, and all the rest.
You have the. folks that haven’t done much, and they’re looking at it as a way to do shift left or developer enablement or whatever else, right? You know, we, we still have networks, we still have wifi, right? That hasn’t gone away either, even with carriers. So, you know, the reality is that, that as we’re trying to help organizations work together, The people in the room yesterday will learn it.
They were learning how to…
[00:02:24] Mark Miller:
It looked like it. It looked like it. It’s interesting. I’ve talked to her in depth about her new idea, and the idea is that trust is the container of everything. Mm-hmm. We need to simplify the job for the developer, and we have to be able to integrate trust. As a major component of that.
[00:02:43] Brian Reed:
I would agree and do that in the way that developers operate in the language and behaviors that they know. Right. Too much of the world today is still dev speaking French and you know, security speaking Japanese and they don’t even have the same character set sometimes.
[00:02:56] Mark Miller:
What other companies you’re looking at, just cool companies that you’re seeing.
Anything you’ve seen new here? For me, as I’m walking around, it’s the same old, same old,
[00:03:04] Brian Reed:
You know how these events go. I haven’t even been on the show floor. Um, I think that actually John Willis’s new company. Newish company. Kosli. Kosli.
They’re doing some real interesting stuff. Actually have my DevOps guys take a look at it already and we’re thinking about it cuz they solve a real DevOps problem with the way they bring all that content together. The metrics and content and data together in front of the screen of the DevOps team in order to make it run.
[00:03:27] Mark Miller:
I think that interesting yesterday, Sonotype, Kosli and JupiterOne. If you could get those all at the same table and working together, it’d be an interesting trilogy.
[00:03:37] Brian Reed:
Uh, it certainly could be, right? They’re, so they’re, they’re addressing different slices of the onion, right? Yep. Kind as, as it were and bring it all together.
I think, um, I’ll give a shout out to DJ Schleen. He brought back the DevSecOps reference Architecture’s reborn is the SBOM reference archirtecture..
[00:03:52] Mark Miller:
How did you like that diagram yesterday?
[00:03:54] Brian Reed:
Well, I love the original diagram. Yeah. I still remember standing with DJ and a group of people over a giant table back pre-covid in the Marriott Marquee with the first giant printout of that thing, and we were editing it in real time with about eight people around the table figuring out the first generation of the DevSecOps reference architecture. So when you popped the picture up, like wait a minute, you stole your own picture, then was all about SBOMs.
Two things about that. First thing was, I had no idea how many tools there were for SBOMs that he showed there. Mm-hmm. Which I think was pretty wild. But the second thing is he made it practical. Here’s how, how a way to use them within your workflow and tool chain. Use this tool here, use this tool here. Do this task here, route this information there.
SBOMs are almost like DevSecOps where we’re in the, everybody’s talking about it, but not everybody’s doing it or using it or understanding how to use it.
[00:04:46] Mark Miller:
I think one of the things about SBOM, if people really understand what it’s about, it could be an easy cherry pick that makes you a differentiator if you were actually started providing SBOMs with your tool.
[00:05:00] Brian Reed:
Well, it’ll, it’ll be interesting if you look at the history of food labeling in the US, the food manufacturers fought food labeling at the beginning. Yep. Now, today, people buy food based on what’s labeled. Is it organic? Is it healthy for me? Does it have, you know, the right level of fat or carb or whatever else?
We would never eat something without a food label on, or we would trust that maybe the restaurant used the food label to choose what to buy and serve to you. Mm-hmm. It is amazing that things like software don’t have a label on it. Right. So I do think it’s time to bring transparency to market.
And so I think SBOMs really are two things. One thing is the, do you actually know what your ingredients are if you’re the. baker of the software. And then the second one is telling your customers that you sell your software to, what are your ingredients? Right. Okay. So they can help manage it better.
It’s amazing we made it here this long without something like that. I actually do think it’s gonna take some mandates. The industry hasn’t solved that transparency problem yet. So some industry mandate is gonna be needed with the government. And it started. It started and it’s gonna happen.
And I believe what, what a number of of the top people in SBOM are saying is it’s not about SBOM themselves, it’s about the transparency it brings towards software labeling. Towards observability. Towards understanding what’s in there and the implications of what’s in there. And really the best thing about an SBOM for production software is what changed compared to my last release.
Yeah, it helps you track that. So I know I can trust every new release until something in the SBOM says this thing materially changed, maybe you should go look at it.
[00:06:25] Mark Miller:
The dilemma that DJ is trying to cover in his daBOM podcast is that everybody’s talking about the software bill materials itself, but how do you consume it and utilize it?
Right. Is the next big step and nobody’s talking about that.
[00:06:43] Brian Reed:
Absolutely. I think Steve Spring it and the OWASP CycloneDX project has done really well. The tooling that they’ve put out, uh, is great, you know, and, and using, uh, the bomb tools with it. Mm-hmm. Um, you know, that, that what DJ’s showing and some of the other source tools, was it GUAC and a few of the others in storage, um, they’re all coming together. I actually think the open source community’s gonna solve most of the SBOM tooling requirements, the tooling enablement, right? And then we’ve gotta get the human enablement, which is how do I put these things to work to do something of value for?
Cool. Thanks. Thanks for the time, mark. Good to see you.
[00:07:18] Tracy Bannon:
Hey there, this is Tracy Bannon coming to you from RSAC, and I am here with two of the other 5:05 journalists, DJ Schleen and Kadi Griggs. Oh my gosh, guys, what do you think of the conference so far?
[00:07:33] DJ Schleen:
You know what? It’s been crazy. We had, uh, DevOps Connect yesterday and it was. So awesome to actually meet both of you in person and a bunch of 5:05 podcasters.
[00:07:43] Kadi Grigg:
Yeah, likewise. It was great being able to catch up with DJ again, Tracy meeting you in person, but I think today it’s just the buzz in here. It’s electric with all these people coming in and out and all wanting to ask questions about how they can approve their cybersecurity posture. So it’s just, it is just kind of crazy seeing the mix of everyone here.
[00:07:59] Tracy Bannon:
So there, are there any trends or is there anything that you’re seeing that’s missing so far?
[00:08:05] DJ Schleen:
I was really surprised that there was a lack of AI here. I was looking for GitHub and I couldn’t find ’em anywhere. They said they were in the Microsoft booth and when I went there they’re like, get who? And I was like, oh my gosh, come on guys.
So it’s, it’s been interesting. I, you know, looking for SBOM, looking for AI and really it’s, it’s not around except here. Sonatype booth. They do have BOMDoctor up here, which is actually pretty cool.
[00:08:29] Trac Bannon:
Are you seeing any trends as you’re walking around checking out booths or talking to people?
[00:08:33] Kadi Grigg:
Yeah, so I think there’s a
lot here going on when people are looking at SBOMs, but I’m also hearing Zero Trust a lot. So Zero Trust. For me, everybody’s got a little different spin on it. So for me, I’m trying to make sense of all that and find my own kind of rationale for what it is. And I think that’s something we all need to explore a little bit.
[00:08:50] Trac Bannon:
So you guys know I’m Dev, married to Ops, and both of us are furious that there is never enough Secure by Design. We’re always talking. All of this amazing, hundreds of millions of dollars on this expo floor. Yeah. Show me where somebody is talking about how to be Secure by Design. I saw a little bit from s e I, from our friends from Carnegie Mellon, but in general it’s a gap.
Why try to waterproof something if it wasn’t built to be waterproof? That’s really hard. So at any rate, guys, high five. Here we go. Hey, reach in here, Mr. Ops. All for one. One for all. We’ll be back tomorrow, guys. Thank you.
5:05!
[00:09:27] Shannon Lietz:
‘Buckle up!’ says Equifax, CISO of disclosure transparency.
This is Shannon Lietz reporting from San Francisco, California.
SC Magazine published an article this week regarding a RSA panel where Jamil Farshchi along with Scott Giordano and several other folks, discussed the changing nature of disclosure transparency.
Jamil Farshchi of Equifax stated: “Buckle up. The regulators are upset and they’ve seen where this is going. This is a different game. We all have to step up.” Scott Giordano also stated: “In addition to the 72 hour reporting requirements, the SEC will also expect companies to anticipate and mitigate cyber risk.”
Giordano stated – “this is a game changer.”
This comes just weeks after CISA made several bold announcements to help drive the industry towards greater software accountability and transparency. So here’s my take- you know, recent incidents have had quite a few published notes, and it’s a refreshing change for all of us within the industry to learn what’s happening and to understand how it might impact all of our environments and ecosystems.
It’s also aligned with some of the sentiment in this article. We should look for ways to get comfortable with greater transparency. Number two, we have to think about how we’re gonna manage our reputation from the beginning of the software creation process. And we’ve gotta stop being so reactive to events as if we don’t actually know what’s gonna happen.
In fact, there’s plenty of ways where we can start with the right understanding of what an adversary might do and anticipate greater what could possibly happen.
And then number three, no one’s perfect. In fact, we all just need to understand that customers would rather we caught our issues before they do.
This is part of establishing trust and ownership with a customer and increasing your customer relationship. I think this article nicely highlights the important and critical trends that we must all be aware of.
[00:11:43] Edwin Kwan:
This is Edwin Kwan from Sydney, Australia.
Google has just added a synchronization feature to its two-factor authentication app for Android and iOS. The Google Authenticator app can back up one-time access codes, or OTP, into your Google account. This makes it easier to manage and use the code across different devices and services.
This OTP synchronization is completely optional and Google isn’t providing any additional security measures. A researcher on DefCon social recommends to not use the synchronization feature, as they have discovered that the network traffic for syncing the secrets is not encrypted, and to end. This means that Google can see the secrets, likely even while they’re stored on their servers.
There is also no option to add a pass-phrase to protect the secrets and make them accessible only by the user.
[00:13:10] Pokie Huang:
That’s it for today’s open source and cybersecurity updates. For direct links to all stories and resources mentioned in today’s episode, go to 505Updates.com, where you can listen to our growing library of over 100 episodes. You can also download the transcript of all episodes for easy reference.
5:05 is a Sourced Networks Production with updates available Monday through Friday on your favorite audio streaming platform. Just search for “It’s 5:05!”. And please consider subscribing while you’re there.
Thank you to Mark Miller, Trac Bannon, Shannon Lietz, Edwin Kwan for today’s contributions. The Executive Producer is Mark Miller. The editor and the sound engineer is Pokie Huang. Music for today’s episode is by Blue Dot Sessions. We use Descript for spoken text editing and Audacity to layer in the soundscapes. The show distribution platform is provided by Captivate.fm. This is Pokie Huang. See you tomorrow… at 5:05.