ITSPmagazine Podcast Network

Application Security: Standards, UI, Identity, Access, Cryptography, Process, and More | An OWASP AppSec Global Lisbon 2024 Conversation with Jim Manico | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join Sean Martin as he engages with Jim Manico in a riveting discussion about the critical aspects of application security, from managing vulnerable libraries to the strategic integration of security into development processes. Discover practical insights and actionable advice on navigating the evolving landscape of application security.

Episode Notes

Guest: Jim Manico, Founder and Secure Coding Educator, Manicode Security

On LinkedIn | https://www.linkedin.com/in/jmanico/

On Twitter | https://x.com/manicode

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Episode Notes

In this episode of On Location with Sean and Marco, host Sean Martin engages in a compelling discussion with Jim Manico about the current landscape of application security. Jim, a notable leader in the field, delves into several critical topics surrounding application security and its evolving challenges.

The conversation opens by touching on the significant influence of artificial intelligence (AI) on application security, suggesting a future episode dedicated entirely to exploring this complex topic. They then shift focus to the necessity of having a formalized approach when dealing with security vulnerabilities. Jim underscores the importance of planning and preparation before tackling security threats, emphasizing that structured processes lead to more effective management of potential issues.

A significant portion of the dialogue explores the challenges associated with identifying and managing vulnerable or outdated libraries within codebases. Jim and Sean discuss how modern development practices often lead to the incorporation of various libraries, each of which can introduce potential security risks if not properly maintained. The intricacies of keeping these libraries updated to prevent vulnerabilities are highlighted, including the frequent necessity of updating or replacing libraries to ensure robust security.

Jim also touches upon the noise generated by automated security findings, which can overwhelm development teams with alerts and potential issues. He stresses the value of effectively prioritizing and addressing these findings to ensure that the most critical vulnerabilities are tackled promptly, reducing the risk of exploitation.

Throughout the episode, Jim and Sean highlight the balance that must be struck between developing new features and maintaining a secure, resilient application environment. Ensuring that security is integrated into the development lifecycle rather than being an afterthought is a recurring theme in their discussion.

This engaging episode provides listeners with a deep dive into the strategic and tactical aspects of application security, offering valuable insights and practical advice on navigating the often complex and ever-evolving security landscape.

Be sure to follow our Coverage Journey and subscribe to our podcasts!

____________________________

Follow our OWASP AppSec Global Lisbon 2024 coverage: https://www.itspmagazine.com/owasp-global-2024-lisbon-application-security-event-coverage-in-portugal

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllTzdBL4GGWZ_x-B1ifPIIBV

Be sure to share and subscribe!

____________________________

Resources

Training: https://lisbon.globalappsec.org/trainings/#sku_ASTJM

OWASP ASVS: https://github.com/OWASP/ASVS/tree/master/5.0/en

OWASP Cheatsheet Series: https://cheatsheetseries.owasp.org/

Learn more about OWASP AppSec Global Lisbon 2024: https://lisbon.globalappsec.org/

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-society-podcast

Are you interested in sponsoring our event coverage with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Want to tell your Brand Story as part of our event coverage?

Learn More 👉 https://itspm.ag/evtcovbrf

Episode Transcription

Application Security: Standards, UI, Identity, Access, Cryptography, Process, and More | An OWASP AppSec Global Lisbon 2024 Conversation with Jim Manico | On Location Coverage with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody. You're very welcome to a new episode of On Location here with Sean Martin. I'm, uh, I'm going to cover this event myself. Marco gets to stay in the States and, uh, catch up on all things ITSPmagazine. I get to go visit friends in Lisbon for OWASP AppSec Global. And, uh, one of my good friends is on with me today, Jim Manico. It's good to see you, man.

Jim Manico: Good to see you, Sean. It's been a long time. It's really good to see you.

Sean Martin: It's been a few days and I'm excited to, uh, give you a big bear hug in Lisbon and learn all things AppSec, get an update on everything that's going on there. And you're, you're, you're doing a training there. And as part of our On Location coverage, I just wanted to dig in to that with you about, uh, what are some of the things that teams need to think about when they're, when they're educating their teams, skilling them up to, uh, to tackle all the latest and greatest in AppSec. So we're going to get into some of that, but before we [00:01:00] do that, it's been a while since you've been on the show, so maybe a few words, Jim, about all the cool stuff you've been up to and what you're working on now.

Jim Manico: Wow. You know, I, I'm, I'm doing a lot of the same stuff, Sean. I'm like, I'm constantly updating my materials to be a good educator. I'm teaching a lot, you know, as the years tick on my, my business and educating developers about security increases linearly every year. So I just keep, I'm in the classroom a lot, a lot of it's switched to virtual trainings over Zoom. Um, and I spent a lot of time the last year updating material, like advancing things on, like, supply chain security is getting more important. The maturity of DevSecOps is getting more and more important. Um, I'm showing a lot of AI driven static analysis enablement, which is taking all the AST tools like SAST, all the AST tools are starting to really hit new levels of maturity after some stagnation for years. API security has advanced a lot. JSON Web [00:02:00] Tokens are now way more important than traditional session management, supply chain security, cloud security, zero trust architectures, quantum resistant crypto, the list goes on. So it's, I'm doing a lot of content refresh the last year to, you know, to make sure that content is in a good place. I think the, the biggest change is AI security is starting to become a really big deal. AI for code generation, the OWASP Top 10 for Large Language Models. It never ends, Sean.

Sean Martin: It never ends.

Jim Manico: All the content updating and the research part of my job, that's, that's the fun stuff. I really enjoy learning myself. I'm a teacher. I'm also a student. Always learning new things.

Sean Martin: Yep. Yep. That's what I love about you, Jim. And, um, so you mentioned, so you referenced the OWASP Top 10 for LLMs, which, and you didn't mention the traditional Top 10. [00:03:00] And I'm wondering maybe, so let's start here. Have we reached a point? I know the answer is no. Have we reached a point where engineering teams have a handle on the traditional vectors and weaknesses that get thrown into code?

Jim Manico: No. No. I mean, by the time I get brought in, the company wants change. They're going to put me in front of developers for a couple days in large number. That means they're already at a state of maturity where they want to do developer education. So I have a jaded view of looking at teams that already care about application security in some way. I mean, the schools aren't teaching it in a very mature way. And so I'm still sometimes teaching a couple hours of SQL injection in 2024. And that, cause that's what customers ask for. I usually build my classes very custom to each, each class, every class is different. [00:04:00] Surprises me sometimes, but I'm still talking. The last Top 10 is super relevant. Number one is access control. That's something that's, that's really an unsolved issue. There's not a lot of good, good tools to build it out. Do a lot of custom stuff. Scanning tools can't really address access control. You know, another, another one of the Top 10 is authentication. That's not going away. You know, identity providers are not easy to integrate with. If you build it yourself, it's, it's non trivial. Crypto is becoming more important. It's being asked for more in privacy and other engineering standards. Um, you know, and the, and the cloud providers are making it easier, but it's still hard work to implement crypto solutions, right? So like all the basics in the OWASP Top 10 are still critical today. Very much so. I'm looking forward to the next revision of it. Don't get me wrong. Even though the OWASP Top 10 is from, it was like December of 2021, I still get asked to teach that on a very regular basis. I'm out of, I changed the material to update [00:05:00] to new things, but still important basics are still critical.

Sean Martin: Yeah, absolutely. And I'm wondering have the, well, the thing that's in my mind is kind of the, the development process. Um, I know there's been a lot of change in containers and, and delivery across multiple cloud service providers and different internal environments. Has that impacted, or I guess are teams focused on learning that stuff because that's just the way the devs are going? And therefore, security is getting traded off, or what do you think?

Jim Manico: Talking, the biggest change in software development life cycles is embracing DevSecOps. And the tools to implement it are getting a lot more mature. Like GitHub capability for DevSecOps is extremely mature at this point. And out of OWASP, we have [00:06:00] like DefectDojo, a big open source, uh, DevSecOps platform that's also extremely fine grained and extremely mature. So, I think the difference is the tools are getting mature but more people are doing it because there's a lot of intrinsic value in continuous integration and continuous security testing. I like, I like what I call mean DevOps, Sean. I like mean DevOps. I'm not letting, well, I let developers, you know, do a PR and then we kick off a bunch of scanning, but I don't let my developers merge until they pass some battery of, of security scanning because I'm a little mean, Sean. I mean, it's some, it upsets developers, but once they get past the initial impact of it and they start cleaning up their mess, it's just the way to do business. And it really does help security assurance be driven, you know, at the left of the dev lifecycle. Earlier is cheaper. We can integrate a variety of different scans. I can even do a whole entire open source [00:07:00] stack of scanning tools and provide good assurance these days. There's so many tools out there, but there's no, no one way to do it. That's the thing you got. It's experimentation. Like SQL injection, Sean, parameterize your damn queries, but rolling out DevOps, there's, you know, an infinite number of ways to roll it out with different nuance and it's experimentation with your team that brings a win when it comes to that.

Sean Martin: And, are our teams comfortable experimenting, or do they fear that they're not starting in the right place? I guess I'm wondering, are there, are there blockers to get started? Um, is it a cultural thing? Is it a, we're just not sure, or if we don't know where to start? What, what's the, what's going on?

Jim Manico: It's usually, it's usually management. Is management going to support it or not? Is management going to provide the resources? Because maintaining a pipeline takes some, takes some savvy these days, right? And you need to give developers time to handle the initial impact of [00:08:00] doing some more stronger forms of DevSecOps and try out different tools and it's just, it's non trivial to roll out because of what a high impact it has to teams and usually the major win factor is, you know, do you have management buy in, like tech management buy in to make these moves? And do you have the expertise on your team to like really maturely manage a pipeline? It's not, it's non trivial, especially if you have a large team or especially if you have a product with a lot of security backlog and you have dates you want to hit, and now you want to like change the process fundamentally to DevSecOps without missing dates, you know, that, that can be non trivial. It takes a little time to adjust, especially if you have a backlog of security problems. Then you flip on DevOps and run some security scanning for the first time. You got to handle that backlog. That's, that's non trivial at all.

Sean Martin: Yeah. Yeah. I can, I can recall back, uh, early days when I was [00:09:00] at Symantec, we, I was fortunate enough to lead the team moving, moving from an ad hoc waterfall to more of a, more of a formal waterfall, then over to Agile and, uh, I'd led that company wide, that effort. And it was, it was a challenge to get buy in and of course, the process is how you communicate, uh, how you report, all the different teams. You have QA, you have QA engineering, you have engineering, you have programming, all the teams, product management, all this stuff. It's not just the developer flipping, flipping on a DAST and getting the result and fixing it back. Right.

Jim Manico: Exactly. And Agile, you're releasing like on a, on a sprint cycle every couple of weeks usually, and now move to DevOps. If you're really doing continuous integration and continuous deployment, now you're deploying 10 times a day. Whoa. That's, that's sometimes a culture thrash that, number one, some people are not ready for. [00:10:00] And two, some people just can't tolerate. Like you, you go back to Etsy, one of the first big DevOps shops, they DevOps and did CD many times a day, continuous deployment on their like web code. But their like credit card repository, that was not DevOps. That was more waterfall. And if you're like running critical infrastructure, DevOps is really great in theory. But it's not that good in practice for certain kinds of software. If you're like building like a controller for, for like, um, for like, uh, uh, replacement heart, surgical, like, you know, artificial heart, you're probably not going to like at step ups that heart, you know, you're probably going to do a little more, you're probably going to water more. I like continuous integration through the build life cycle for critical infrastructure, for medical and some of the more high risk software out there. But continuous deployment, not so much for certain kinds of software. I, when I need really certain levels of assurance, I need to do really thorough testing [00:11:00] before I push live.

And like, I got schooled the other day by, by my girlfriend in a really good way. She's a computer scientist as well. She's, you know, I'm a, I, I'm a PowerPoint Jack. I'm a researcher and I'm a PowerPoint jockey. And I'm proud of it, Sean. I'm great at PowerPoint. You know, my girlfriend, she actually, you know, runs a big, a big team. And like, I'm like, you'll keep your libraries up to date. Keep your libraries up to date is my supply chain mantra. And I had a few people at a German engineer, um, I was teaching recently and my lady and they're like, yeah, Jim, how about FIPS? FIPS is not going to even let me deploy cryptograph, cryptographic module updates fast. How about them apples, or how about compliance? Or every time I update a library, I got to go through assurance because of German law or because of infrastructure regulations. And like, yeah, you can cry all you want, update your libraries, boohoo, but sometimes these things called reality, law, and the risk posture doesn't, it doesn't allow that. And so, you know, I've been schooled. I, I love getting schooled on stuff [00:12:00] because you know what I do? I immediately integrate it into my material and, you know, try to take the lessons I've learned and pass them on, but it's not good stuff.

Sean Martin: There's always an exception to the rule. Um, that doesn't mean we can, we can roll, uh, free of rules and completely lawless and Wild West in our, in our, uh, development. One of the things that I've always, and I can't even imagine today with, with the number of releases that go out, but user stories or use cases that you're validating the, the function of the application against, and, and also the, the error handling, which I, I'd lump in, the security stuff is part of the error handling. Does it, does it do what it's supposed to? Does it not do what it's not supposed to? Does it, you know, that whole thing when I was in quality assurance, that keeping the, keeping track of all the use cases and the user stories [00:13:00] was difficult, even in a waterfall, um, because they're all piling up, you release the code, you test them all, you validate them. You might, you might skim some off, but when you're doing a continuous integration, continuous deployment, testing all of them all the time. And I, I put security in this as well. Um, how do teams get a handle on that these days, are there tools to help with some of that, or.

Jim Manico: The teams that I see that are most successful at keeping track of user stories and quality and, and, and similar in the, in the fast paced world of DevOps is those who do test driven development. Like I like to write a series of unit tests before I write a function and, you know, map those user stories and map those to business needs. And so as I move fast, you know, and as I swap out third party libraries or build new functionality and similar, more and more, I see teams that have extensive, well built unit testing. It really helps [00:14:00] cover the gap that all other kinds of automated testing are not going to cover. And I think as you go to DevOps and you're moving fast and you're not doing as much traditional QA within your life cycle, automating the QA and unit testing and similar becomes even more important. And again, teams that have, that take that seriously, like there's a theory of development called test driven development, where you kind of write your unit tests first to some degree. Right. I'm, I've had a lot of, I've seen teams that I, that I teach be very successful in that area.

And in the advent of AI for code generation, especially if you know how to use it properly, you know, don't just use raw Copilot. I don't think that's a good idea. Using things like prompt engineering and using language specific GPTs and providing requirements, um, before you start generating code and stuff like that and style guidelines and similar, then using AI, even against an existing code base, has really helped me speed up building meaningful unit tests, or even just taking [00:15:00] your existing unit test battery and using AI to generate more permutations of those unit tests. I've seen a lot of success in that, success in that, especially around teams that have mastered the use of AI, which is a tool that requires sophisticated use, not just like you throw up a prompt and start using it. There's ways to talk to AI, like a junior developer, to train them to be more effective, even with like big, big fat LLM, LLMs, like Gemini or like.

Sean Martin: Yeah, the whole AI thing, um, maybe, maybe, maybe we have a chat about that as a separate topic. I want to, um, I think there's, there's a ton in there. You mentioned a few points that, uh, really interesting. Just the, uh, yeah, that is, you have a formal plan when you, when you go in there. Um, talk to me a bit about the, the noise, um, [00:16:00] the findings and the, so you, you brought up the, the, the point of, of libraries as well. Um, so we can identify vulnerable libraries, those need to be updated, or outdated libraries, those need to be updated, we write a bunch of code, we find a bunch of stuff in there. How are teams kind of grappling with the amount of noise that they're dealing with?

Jim Manico: Horribly.

Sean Martin: It comes down to, it comes down to prioritization, right?

Jim Manico: There's no easy answer, Sean. Like, the average, like, software that developers are maintaining is mostly legacy. And even just a few years ago, the philosophy was, you know, throw a bunch of libraries in, who cares? And now all of a sudden, you're doing security scanning, got a big backlog of security problems, and you do some third party library scanning, and it lights up because you haven't had a culture of updating your libraries, and you haven't had a culture of vetting libraries for their real need in the first place. You got hundreds of [00:17:00] libraries and legacy software, now security is forcing you to update it. You know what the easy win here is? There is no easy win, right? GitHub went through a multi year process to remove like all of their many, many third party libraries. Took them years to wean it down for a piece of software like GitHub. So, and then there's regulation that limits you from updating at some times, at some places, and it's just painful, Sean.

And so I, like, I can talk about it if it's a fresh app, like I'm going to be really judicious about picking a third party library, so I understand the impact of it. Now I'll even go as far as writing unit tests and a wrapper class around my third party libraries so I can swap them out for other functionality and test to make sure I'm not breaking anything. So it's just if, unless you're on a new project and you're taking a lean third party library approach. Legacy software, you got abandoned libraries, insecure libraries, low quality [00:18:00] libraries, and you're depending on this stuff, and you're trying to do a quick update. And there's no update and you got to do it because of a security problem. And now you're going to spend huge amounts of time to update your application in some way without any net functional benefit. And that just burns developers out. And so honestly, there's no, there is no clean win here, Sean, for a lot of other reasons I can talk about if you want.

Sean Martin: Yes. Um, but I, I want to take you here first. Um, cause my, maybe it's a, maybe it's a fantasy. I, I've, I've had the fortune of building a platform for a solution in the past. And I'm, I'm big on platform engineering as a, as an idea or in a model. Is there a way for that to kind of do what you say, where you're abstracting a lot of the stuff, that you're able to build unit tests around things and [00:19:00] put a, put a layer between the things that are doing the work and, and the environment with, within which it runs and is built. Is there a role for platform engineering to, because yes, nobody, you update the library and then you're spending weeks or months kind of revalidating everything. If you can kind of get ahead of that now and do something fun. Build a platform, some abstractions and some containers and some, and something. I don't know. Is that my, am I in fantasy land?

Jim Manico: If I'm picking like, say, Spring or Django or some kind of big framework, I can't really abstract that very easily. I made a, I made a choice. This app is on a certain framework. I'm going to have to live with that. But as I start bringing in utility libraries, like for applied crypto, string manipulation, you know, for a variety, I'm trying to parse some kind of like high trust object in medical. And I have all these different utility libraries. I want to pick that stuff [00:20:00] up front, if it's a new project, as best I can. And then I do want to abstract them because I may want to like block one function to write it myself. I may want to swap out some functionality and have multiple libraries support this. I may want to write it myself someday and get away from the library. So I've had a lot of luck writing a facade pattern around my third party libraries. So I'm not directly coding to that library. I'm coding to like an abstraction, again, that lets me handle some of the innards on my own flexibly, with flexibility based on what's happening. I have to do a rapid update, maybe block a function and go live. You know, I think the, the other thing is, I'm trying to be more judicious about using less third party libraries. And also if I'm going to build some kind of like wrapper class around my utility libraries, I can do really good unit testing at the wrapper level and then swap out innards and still make sure that, you know, I'm [00:21:00] satisfying why I'm using this library from a unit testing point of view.

These are not common strategies, Sean, but I think they're really effective. When, when developers really realize just how painful it is to manage third party libraries over time, then these strategies start to show up. And I think platform engineering, abstraction, this is a great idea. I think, you know, Netflix has done a lot of talks about their platform and how much security they've baked in. And that's been very successful for them. And so having, like putting a lot of effort into a platform with as much built in security as you can, custom to your company or even to your application, I think that's always useful in my experience. That's always a positive thing.

Sean Martin: Love it. All right. So I'm not completely, uh, bonkers. I love it. Well, let's, um, we have a few minutes left here as [00:22:00] part of this. We can chat some more, of course, but, um, you've rattled off a few tools and you made the comment, if I remember correctly, that there was some stagnation in the space for a while. And then a bit of a resurgence. Can you, can you give me an overview of kind of the, the tool space? Sure. Um, yeah, what's going on there? What's kind of new?

Jim Manico: Tool number one? Security scanning tool. I think the first one to roll out is static analysis code scanner looking for security bugs. I'd go as far as saying for most projects, if you're not doing static analysis on a daily basis, it's negligence at this point. That's it. I think that's the cost of doing business. GitHub, you can flip on their built in, it's code scanning. You got Semgrep for free. You got dozens of other tools that are language specific. And these tools have gotten much more mature in the [00:23:00] last couple of years. And they're going to see a whole new level of maturity with AI. Frankly, I can throw code in unprompted ChatGPT and ask for security bugs. And I'm getting really good results and deep explanations. And so number one, you roll out static analysis. I think that's a no brainer. Get your backlog cleaned up, set up, set a point of severity where you have to fix before you can merge. Take that hit, for some teams that can handle that culturally. And then very, a very, very soon after that as a second tool is third party library scanning. I'm very idealistic when it comes to libraries. Hey, keep your freaking libraries up to date, dammit, Sean. And that's not that idealistic point of view.

Sean Martin: It's great. I'd be fortunate.

Jim Manico: Oh, it's great. The classroom. Oh, it's great. Strong, dramatic. I can, you know, I can like ride my high horse of keeping your libraries up to date up on. I love do. I love my high horse is my favorite big, but like the reality of deadlines, regulation, [00:24:00] and abandoned libraries and all the other problems that come with it. It makes it a real, like nuanced, difficult topic to deal with, but that's the second thing I'd roll out is a software composition analysis tool to do some kind of scanning. I tend to like Dependabot and Renovate bot quite a bit. Snyk is a powerful tool. There's a lot of open source tools like, like Pupio in the Python world. Go's got a, Go's got a built in vuln scanner. OWASP's got Dependency-Check. That's great at Java. Dependabot, Renovate bot are great for JavaScript. There's so many tools that are language specific to check your code for third party library insecurity. That's the second, that's the second tool I'd roll out.

DAST. DAST started our whole industry. That's like the, you know, attack scanner, right? That whole industry started with that. That's, I'm, I'm less excited about DAST. I like services, like I'm a big fan of what EdgeScan is doing, but I, but like DAST, I'll run it. I like StackHawk. I like Burp is really mature. In a [00:25:00] rapid pace DevOps environment, it's a little trickier to run it. So I tend, rather than, rather than have DAST run usually early in my life cycle, I'm usually seeing mature teams run DAST after, post deployment, to verify their deployment. But it's, it's a good tool, but I think SAST and software composition analysis are really fundamental to DevOps. After, um, DAST, we got secret scanners, which are great as pre commit hooks. Before I even commit my code, I have to check for hard coded secrets. I'm a fan of those, are nice, easy win kind of tools. And then last, I think the, IAST never really excited me, Sean. And that's not, I've seen teams

Sean Martin: hard to pronounce as well.

Jim Manico: Yeah, it's I asked. It's just because I have to start installing plugins and so I have to like install into my dev environment into my like, do you hit the profiling API of Java? I'm a little less excited about I asked. [00:26:00] Let's just say it takes a lot more maturity to roll it out. If you're going to use it and last, I like the same with API security scanning, right? 
 

This is a space I'm invested in. But like, this is about like putting plugins at the network level or a proxy or, you know, and be able to introspect on traffic between between microservices. I can get really good visibility into what's happening. I have to do really invasive installs. Like das, I hit your code. 
 

I'm sorry, I sas. I hit your code, um, third party library getting hit your code dast, I fired out your app, but like if I'm doing like I asked or I'm doing really deep API security scanning, I'm installing stuff. And your production environment typically. And that's just, it's a much, it's just, I think the benefits are dramatic even with I asked, even with API security, but the setup and the, the, the work it takes to get it rolling is much more challenging and that's why it's a much slower sales [00:27:00] cycle for those kinds of companies. 
 

They've got to really get up in your business for those tools to be effective, in my experience.  
 

Sean Martin: Yeah. Yeah. I'm thinking back to some of the, I mean, I did a lot of call checks and API checks, and a lot of that stuff was purpose-built, right? So your one team is building alongside the, my team is building alongside the engineering team. 
 

Absolutely. Doing all those checks, local and on the network. Let me ask you this, Jim, because it's something I've heard recently as well. All the stuff we've talked about is kind of the function of the app, literally the functions and what it's doing. And there's also the configuration of the environment  
 

Jim Manico: and,  
 

Sean Martin: and the actual business logic. The functions may be perfect, 
 

but it allows weird crap to [00:28:00] happen at the logic level that  
 

Jim Manico: I'm with you. Let's go configuration, right? Configuration. I'm most concerned about configuration when it comes to cloud services. So there's tools like Aqua. My buddies at Rad Security are something I'm a big fan of. These are things where you give them a read-only admin token and they'll go verify your Amazon setup, your Kubernetes setup in detail and see how well your infrastructure is configured. 
 

I think that's another essential tool. I'm not sure where it best fits in the life cycle, but that is absolutely an essential tool, the new cloud security scanners of the last couple of years. Well, and then when it comes to business logic and access control, that's really about manual pen testing. 
 

Still, I need to understand your business. I need to verify it manually. I rarely see good automation that handles access control, because of business logic issues or just your proprietary logic. Pen testing is still important, Sean, for those kinds of security areas, because again, automation has its limits. 
 

And I [00:29:00] see even more problems in those areas because of an over-reliance on automation for security. Even in the DevOps world, we still need some pen testing for certain security areas of your app.  
 

Sean Martin: It's easy to get, I mean, I'm a huge fan of automation. If I can automate it, I will, but I'll always look at that; I need to stay in the loop on that stuff. 
 

I can't turn a blind eye once it's set; can't set it and forget it. I'm not talking about coding stuff, because it's been years since I've done that. I should come to your training and get back into the coding of things.  
 

Jim Manico: I'm gonna make sure I've got the right one. Yeah, I'm doing application security training with Jim Manico. Three days. I'm just running through my whole course. 
 

This is a developer training. That's what I'm up to.  
 

Sean Martin: Yep. No, my error, the name and the title were right there next to each other [00:30:00] and I didn't see the split. Three days of goodness with Mr. Manico. Look at that: core modules. They're going into standards, UI, IAM, crypto, all this stuff you mentioned, process, which is always fun stuff for me, and lots of labs, lots of good stuff. 
 

Well, of course, so there's no confusion, I'll put the link to the session in the notes. Everybody can grab that.  
 

And,  
 

one of many trainings. Good friend Adam Shostack can be there as well. So shout out to Adam, lots of fun stuff. And then of course the speaking sessions from loads of great folks, which I'm thrilled to be speaking with a few of them this week as well. 
 

So lots coming to you from me for OWASP AppSec Global Lisbon. Are you going to be in San Fran as well, Jim? 
 

Jim Manico: I'm not sure. I'm based in Europe right now. I'm based in, I know, [00:31:00]  
 

so I'm a lot of Europe from Copen.  
 

And you know what, I'm also just booked really solid. 
 

I'm just booked super solid, doing a lot of in-the-classroom, teaching one team at a time. So I'm a busy boy, but I'm excited to go to Lisbon. I'll be there.  
 

Sean Martin: Yep. Absolutely. All right. Well, Jim, thank you so much for this and, again, looking forward to seeing you in Lisbon, and the rest of the OWASP crew. And everybody, please stay tuned for more coverage of the event coming to you here from ITSPmagazine. 
 

Thanks, everybody.  
 

Jim Manico: Great talking to you, Sean. Thanks for having me on the show.  
 

Sean Martin: My question.