Transcript, Static Systems: The Problems We Face And How To Break Free Of Them, With Hector Monsegur
Transcript:
[00:00:00] Daphna: Hello, thank you for tuning into this Fast Chat on static systems, the problems we face and how to break free of them. My name is Daphna Krause. Today I'm speaking with the one and only Hector Monsegur, a good friend and strategic advisor. Hector is the director of research at Alacrinet. He is a brilliant cybersecurity researcher and, again, an expert advisor. Hector has a long history in the cyber world, with vast knowledge on the subject as well as world-renowned expertise. Thrilled to have you here, Hector.
[00:00:30] Hector: I'm thrilled to be here as well. This is awesome. Looking forward to this chat.
[00:00:34] Daphna: Me too. So let's get started with static systems. What risk do they pose to the defense of business applications?
[00:00:41] Hector: Well, it's a great question, right? So if we're talking about static analysis, and that's really the topic, right? When we're looking at static analysis systems, these are systems that rely on, let's say, static rule sets, or strings, signatures, anything that will trigger an event, right? That's not dynamic. That's a static analysis tool. It could be as simple as using grep on a Unix system to comb through source code looking for specific functions or the use of functions. And it can be much more complex, like using a static analysis tool by a vendor that has probably millions of lines of different sorts of, I would say, programming lines, code snippets that may seem bad, and if triggered, if found in your source code, would again trigger an alert. It is a tool, definitely. It's very similar to a dynamic analysis tool, or even more recently, an interactive dynamic analysis tool. The truth is that there are pros and cons to each. The big and major limitation is that the pathway for a static analysis of source code, a repository, anything, is essentially looking for the knowns.
And if the knowns are found, then we trigger an event. It will not know about the unknowns, and that's the biggest con, right? It's the biggest negative for any static analysis.
[00:02:17] Daphna: So you were able to see a demo of Rampart in action and even check out the Rampart cyber range first hand. How is this application solution different from a more traditional static system, like you just talked about?
[00:02:30] Hector: Yeah, no, it was fun. It was fun for a security enthusiast and practitioner. It was fun to see because I love when teams and researchers come up with new ideas, or they're taking ideas that have been used before and using them in a way that makes sense. When I got to see how Rampart AI did in a cyber range, I was very impressed, because it works very much like an interactive agent. It's able to identify anomalies on the fly, right? It doesn't rely on a database of strings or signatures to help trigger an event. And that's really the differentiator, you know, where it's a comparison of oranges and apples, right?
You have one system that's static. You have another system that's interactive, and that's, I would say, the big positive for Rampart over other systems that are static, for sure.
[00:03:26] Daphna: What do you think is the biggest vulnerability businesses are facing now?
[00:03:31] Hector: Well, I think the biggest problem, and this goes beyond a single vulnerability, Daphna, right,
is that a lot of companies don't have a solid DevOps environment in place or policies in place. A lot of organizations that I've seen, that I've done pentesting for, don't even have a DevOps security engineer or a DevOps security manager. I've seen those in the big boy companies, right? Those billion-dollar companies that we all know and love.
I've seen DevOps managers there, but once you start going down the totem pole, you start to see that most companies are not in that position. Now, because they're not in that position, right, there is little in terms of testing being done prior to deployment, right? So you may have designer QA, and you may have functionality QA in staging; you may even have some security testing, right, by means of a static analysis tool, maybe dynamic. And that's a big maybe. Okay. But most of these companies do not have security built into their DevOps and continuous development cycle. That's problematic. That's the biggest problem I'm dealing with. So now when you take something like Rampart, which acts as an interactive agent, you could deploy it literally during the continuous development cycle and pick up issues as you go, or even in a later stage, like production deployment. Either way, the agent will operate at any step.
Right, really. So that's my opinion on how I feel web app providers, companies that are developing web apps, that's kind of where they're at, what they're dealing with, what their biggest issue is. If you were to ask me the same question 10 years ago, right, it wouldn't be DevOps, because back then DevOps was even worse than it is now. I would say, well, user input validation, SQL injections, stuff like that, the common vectors. Those were, I would say, exploited at such a large volume that it would have superseded my DevOps answer right now. Right. It's a big difference.
[00:05:52] Daphna: So, the future of attacks and vulnerabilities: what do you see happening there?
[00:05:57] Hector: Yeah. Well, I mean, we need to continue with what we're doing now. You know, I love looking at the industry in general on a timeline, right? So 10 years ago, if you'd asked me the same, I would have told you, yeah, SQL injection, user input is a problem. You ask me today, in 2022, well, I think DevOps, or the lack of DevOps, is a problem.
Okay. So for the future, I think that we will have more DevOps. We will have more people in place. We will need to have more unit testing and QAing, and we need more people involved in identifying and training, not only their products but their developers. If they have Rampart, great, train Rampart to deal with their applications.
But we really don't know how bad it's gonna be 10 years from now, because I know that some companies want to completely remove passwords. Okay. So maybe if you ask me the same question 10 years from now, maybe my problem will be more in authentication. We have a major authentication problem.
I'm not sure. It's hard to answer.
[00:07:01] Daphna: That's really good insight into that. So actually Hector, I have a bonus question for you.
[00:07:05] Hector: Oh yeah, let's go.
[00:07:06] Daphna: So you were able to hack into places and perform pen testing activities that take an unimaginable level of skill, critical thinking and, let's face it, talent. What got you interested in cybersecurity and, more importantly, vulnerable systems to begin with?
[00:07:21] Hector: That's a fun question, Daphna, because, you know, we all go through the phase in our lives when we don't know what it is that we want to do. And I'm not sure if you did this, but here's what I did. I sat in my house one day, in my apartment, and said, okay, so am I good at drawing? No. Can I sing? No, I can't sing. Do I play any instruments? Well, I know how to play the bongo and the conga, but that's it. I don't know any famous musicians from that. Okay. Well, the computer stuff. Okay. Am I good with computers? Well, not really. Do I know how to program? Yeah. Can I break things? Yes, I'm very good at breaking things, analyzing, and of course the critical thinking part. Absolutely. You're right, you touched the keyword there. It just so happens, and I'm not very artistic, but for whatever reason, I'm good at looking at things objectively and critically. And it's allowed me to look at systems and software in a different way. When someone shows me software, like for example when your team showed me Rampart, you remember I was asking a bunch of questions. Well, how can we break Rampart? How can we do this in Rampart? Can we do X, Y, and Z?
Right. That's the way I work. So that's what got me into hacking and all that good stuff.
[00:08:30] Daphna: Hector, thank you for chatting with me about static systems and the solution. It's been such a pleasure. For more information about Rampart AI's resilient application solution, head to Rampart-ai.com. You can find more Fast Chat and thought leadership content there or on our Twitter and LinkedIn. To our listeners, thank you for sticking around.
Until next time, stay secure.