Matt Topper

6.5K posts

@topperge

Dad. Founder @UberEther Identity and Access Management geek. Always curious.

Detroit, MI. Joined June 2007
1.6K Following, 1.3K Followers
Matt Topper retweeted
Ryan Hurst @rmhrisk
As an industry, we transitioned from no focus on security to expecting an underfunded and under-tooled discipline to handle the topic for an entire organization. From there, we started to shift the responsibility to produce and deploy software securely back onto developers and operators. We did this without providing them the tools or training to perform these jobs effectively. We’ve also neglected creating and deploying the kind of tools that enable an organization to assess if their SDL and overall security programs are effective, instead focusing on tactical tools without considering their effectiveness. At the same time, we’ve continued to rely on blind faith that vendors are doing the right thing and have failed to hold them accountable for repeated mistakes. In essence, we have regressed back to where we started, with voices in the corner screaming about how we need to be making informed decisions to mitigate threats proactively instead of chasing the latest novelty. We can’t have it both ways. Either security teams continue to exist, work closely with the product and operations teams, and grow proportional to the teams they support, or we build the kind of products that allow security teams to assess what’s happening at scale, augmenting developers with expert systems that enable them to access the knowledge to design and build secure systems from the get-go. We must stop papering over issues and make the right thing the easy thing.
Ryan Hurst @rmhrisk
My middle son is doing ground school via a community college in Washington and is having a hard time finding an air school that will just give him his flight training without doing their ground school. Any pilots in the greater Seattle area with advice?
Matt Topper @topperge
@_ChezDaniela @Dave_Maynor Isn't that the Microsoft approach? Sorry, we messed up. Pay us more for those E5 licenses so you can tell us the next time it happens.
Varys @_ChezDaniela
@Dave_Maynor How things really work ⬇️ (this was sarcastic by the way 🙃)
David Maynor @Dave_Maynor
At this point single factor auth seems more secure than using Okta. #mgmhack
Matt Topper @topperge
@rmhrisk I'm sorry sir, we do zero trust in this org. I don't need to know where the root of trust is established.
Ryan Hurst @rmhrisk
Do you know where your cryptographic keys are? If you store them in PKCS#12 or JKS files I bet you don't :)
Matt Topper @topperge
@HackingDave Just put in a 7-11 on the corner and make that part of the exercise program.
Dave Kennedy @HackingDave
I just definitely got busted. FedEx delivered a box with the packaging of what I ordered on the side. Erin: “um did you buy a commercial grade hot dog maker with bun warmer???!!” Me: so listen…
Matt Topper @topperge
Bubbles, anchors, and end links. This is why I can't sleep tonight.
Matt Topper @topperge
@lorenc_dan Also, are they going to mention the key used expired in 2021? I haven't seen anything in the write ups saying they fixed that issue yet.
Matt Topper @topperge
@lorenc_dan So sadly true, the response to customers has been "See, we told you that you should have been paying for E5 licenses. Do you want to write that check now?"
Matt Topper @topperge
@arynncrow Hopefully it was done in a medical facility and you didn't wake up in a bathtub full of ice. Glad everything turned out OK. Maybe we can find a way to get @tomsegura to sign your appendix?
Arynn Crow @arynncrow
Update: I’m doing alright. Thanks to folks who have reached out to check in. The nurses told me I’d be shocked how many people leave their appendix in Vegas 🤣
Eli Nesterov @elinesterov
Did you know it is pronounced “jot” not “j-w-t”
Ryan Hurst @rmhrisk
Ryan Hurst: (noun) A person who exhibits a strong affection for neglected infrastructure, specifically with an emphasis on often-dismissed elements of various fundamental security assumptions.
Matt Topper @topperge
@MalwareJake @BrianVarnerVA This is what normally ends up happening but it's one of those fun questions for the auditors that don't suck. All 3 of them. I kid, I kid.
Jake Williams @MalwareJake
@topperge @BrianVarnerVA If for no other reason than not dealing with auditor questions, I'd use another account. Pragmatically, this comes with significant verification challenges, so I'm unsure why anyone would want to do it.
Jake Williams @MalwareJake
I'm 100% convinced that you can't secure an environment without threat modeling access to your control planes. It is frankly insane to have a single SSO account be in scope for Slack, email, and the enterprise AWS portal.
Matt Topper @topperge
@BrianVarnerVA @MalwareJake It's a debate that I've seen regularly. If it's the same identifier for the account but a different credential, is it the same account? It comes around to the same discussions with step-up auth, MFA, passkeys, etc.
Matt Topper @topperge
@lorenc_dan I actually posted something similar in the @idpro_org slack channels as a perfect exercise between the IAM and SOC teams.
Dan Lorenc @lorenc_dan
Tabletop scenario. A vendor you store PII with confirms reports that there is an exploitable vulnerability that allows unauthenticated access to your account. Third parties have been aware of the vulnerability since March. It won't be fixed for at least two months.
SMB Attorney @SMB_Attorney
A lawyer dies and goes to Heaven. "There must be some mistake," the lawyer argues. "I'm only 55." "According to our calculations, you're 82." says St. Peter. "How'd you get that?" the lawyer asks. Answers St. Peter, "We added up your time sheets."
Ian Anderson @ian_infosec
SEC adopts a new rule; consultants everywhere:
Matt Topper @topperge
@rmhrisk It's incredible how many threat models can be thrown out the window with a ball peen hammer. Also much easier approach if the target is work from home. Sometimes I hate that my brain works this way.
Ryan Hurst @rmhrisk
When designing key management strategies for high-net-worth individuals or businesses my top threats almost always include thuggery, extortion, and collusion.