All right, so we're back at it again. We're here to have a quick, well, quick, 30-minute Q&A regarding AppSec or any kind of related topic. Do we also have Vicky connected? All right, awesome. Well, hi Vicky. All right, so how it's gonna work is that we'll, hi, sorry, there might be a slight delay, so we'll be careful about that. So before we start, I'm curious. I know, Vicky, your talk was specifically about how to write better technical docs. Are you guys writing some technical documentation, blogs or books or anything of some sort?

I'm not, but I probably should start.

Okay. Yeah, I release blog posts from time to time, and I also talked in the session about the threat matrix, which was quite a significant publication of ours. So yeah, and the tips in the session were definitely helpful.

All right, awesome. So this is supposed to be a conversation, so Vicky, if you also have questions for people on-prem or live with us, please ask away. If not, what I'll do is I'll go through some of the popular questions on Slido. So we do have some. All right, this one is very generic. So we're open to any tips and tricks, but what kind of protection can we implement on the database of the provider side to prevent an evil consumer from stealing data? Is using a different database an option? It's fine if you don't have the answer; perhaps it's too generic a question for our speakers.

I mean, I'm not a database guy, but I have done a talk about basically finding unsecured NoSQL databases out there, and it seemed like the biggest problem was people forgot to put authentication on it, or they forgot and they left it open to the internet. I don't know that you could switch from, say, Elastic to Mongo. I'm pretty sure that there's very different data structures, but basically security 101 is the only advice that I would give someone.

All right, sounds good. Vicky, raise your hand if you have any additional comments to add on this question. All right, follow-up question.
Can we restrict unknown IP addresses with an ACL in F5? If there is indeed an ACL in place, how can we work our way around it? Again, is that too generic?

No. So on the F5, the only place you're going to be able to put an ACL on that's realistic is the management side of the network. So you can either, you know, ACL down the management IP or the self IPs. It's pretty robust, though. You're not going to have an easy way of working your way around it, because even using the exploit you won't be able to view that ACL list, because it's going to just kick any request out that's not coming from a trusted network. That's actually how, when we secured them at Microsoft, we had, Microsoft has of course a very robust networking team, we had a network of full, you know, private address space that was only for management, and every device, before it was even plugged into the network, had ACLs applied so only that trusted network could get to it. So yeah, good luck.

All right, so the next question is specifically for Vicky. Any tips for people who aren't native English speakers on writing better technical content?

Sure, yeah, that's a great question. I am not a native English speaker myself, and I certainly struggled with writing and even speaking English when I first moved to the United States, and I think the most important tip that I have is to do intentional practice. So what does that mean, right? Getting good at writing takes time, and it's very, very important to write a lot. Your first few pieces would probably suck, but that's okay, because you'll gradually get better over time. But another thing to remember when you're practicing writing is that it's not enough just to write a lot. It's also really important to get feedback about your writing, right? So when I first moved to the United States, the way that I got better at writing is that I had a writing mentor that would take my pieces and tell me how she would improve the piece.
But I do understand that, I think that's the best way of actually improving your writing a lot in a short time frame, but that is not available to everyone, right? Another way that you can get feedback on your writing is through grammar checkers. So you can install one of those free grammar checking programs and run your articles through that grammar checker and see what kind of feedback it's giving you, and try to model correct grammar or good sentence structures from the recommendations you get back from grammar checkers. And another thing you can do is that you can find similar articles online that you think are well written, that talk about the same topic that you are talking about, and compare what makes their writing better than yours and what you can improve in your own writing, and model how they're structuring their articles or structuring their sentences and their word choices as well.

All right. Awesome tips and tricks. Maybe it can be useful for English speakers as well. All right. Let's do a question for you. It seems that in all cases we rely on Kubernetes to be the IDP to the cloud IDP. That means trusting the configuration of the cloud providers, configuration and key management. Question mark. That's a well written question. Not sure that I understood it, but it talks about the IDP.

It does. Yeah. All right. So yeah, I just mentioned it in the session. I didn't get into the details, but now cloud providers have the option to trust Kubernetes as an IDP. So service accounts from the cluster are trusted by the cloud provider, and that's another way to authenticate your workloads, your pods, with the cloud. You can read about it; for example, in Azure it's called Workload Identity Federation, I think, and in AWS it's called RSA. So you can read about the whole flow, but generally it means that the cluster is trusted as an identity provider.

All right. Thank you.
This is more of a generic question that maybe has nothing to do with your specific talks, but since we're here talking about application security, you all know that for developers, it's hard for them to take security seriously. Does anyone have experience, and maybe tips and tricks, on how to teach developers to know when their stuff is broken?

Well, I can say that I work in a product group at Microsoft, and it's really important to be aware that as a developer you should, I mean, I think we do it quite well at Microsoft, really be with security in mind. And it could be with education, just to show examples of how simple mistakes in code become vulnerabilities or misconfigurations. So I think that the main thing is that you need to educate the devs to be with security in mind. It's a generic answer, but I think it's really important that that's the first step.

And how do you do that, with bribes and cookies?

Well, I think first show examples, and show how sometimes simple, simple things that look like just little bugs can lead to a serious vulnerability, to a serious security issue. I think it's helpful. And I think another thing is the organizational culture, I mean, to be aware of security. So at Microsoft, a big organization, it's obviously a thing. So everyone is aware of security, but maybe in smaller dev groups it's different, and it's super important. So I think that's another thing.

Absolutely. Nate, I feel like you have something to say about this.

So in my experience, and this is not from the developer side, but I did another talk about the F5 vulnerability in 2020. The interesting takeaway from that was that the 2020 CVE, the path traversal one, was almost the exact same POC as a Citrix vulnerability from six months prior against their load balancing devices.
Both of those used a technique that Orange Tsai had talked about at Black Hat in 2018. So the advice that I would give is, especially when you're using open source software, you need to be paying attention to the ecosystem. Your developers and your security teams need to be looking at what the current attack surface is. Don't send them to Black Hat just so they can go to parties and drink; they need to be going and looking at these talks and saying, hey, do we use these components in our product? If we do, you know, like quite literally, Orange's slides had the same POC, dot dot semicolon forward slash, that was used in both those attacks. So they had 18 months to look at their code and say, hey, is this something that would affect us? Had they done that, they would have realized yes, it did. So by keeping abreast of the ecosystem and also looking at your competitors and seeing what types of vulnerabilities affect them. You know, in the load balancing world, like I said, they're very similar products. So had someone from F5 said, hey, Citrix just got whacked with this really bad vulnerability, we do almost the same thing, we should go take a look. You need to be cognizant of what's going on around you and not just head down, you know, writing new shiny features. Like, security's boring, we get it, but new shiny is what's going to get you in trouble.

All right, thanks. So I'll relay a question to Vicky. Vicky, do you have any tips and tricks on how to onboard devs into the security journey?

Sure, I think I can share one of my experiences. That's sort of like my aha moment in security, right? Before I got into security, I was actually a developer, and I wrote lots and lots of code. And because I was a web developer, a lot of the vulnerabilities that I studied as a security person actually relate to the code that I wrote for my development job, right?
So one of the great aha moments I had about security and how to teach developers security is I went back to one of the projects I made when I was a developer, and I just started to find, like, all these different ways to exploit it, right? And that really showed me what the experience should be like when we're teaching developers security: it should be about context, right? We should make it relevant to their work. We should make them understand this is exactly why this is bad, and this is what the attacker can do with your customers, with your clients and with your data. I think grounding the security education in that sort of context is very important to making people actually care.

Absolutely. Thank you for that, Vicky. Let's jump into a different topic. I believe this question's for Nate. For load balancers, would a honeypot based on your lab setup catch anything interesting, you think?

Oh, absolutely. I believe that Kevin Beaumont, who goes by GossiTheDog on Twitter, set up an F5 honeypot shortly after this vulnerability came out. I know that as soon as these vulnerabilities have come out, different security groups have set up honeypots just to see what sorts of exploit payloads are coming in. So I guess you, in theory, could set one up on your own internal network to sort of, like, maybe try to, you know, confuse an attacker. However, if I'm an attacker, if I'm playing around in your network, the first thing I'm going to do is see, is this device actually interesting? And if I find that it's just sitting there with no load balancer configuration, or it's not passing any traffic, I'm going to either assume, okay, this is just a lab box, or maybe this is a honeypot. So yes, it could work. I think it's more useful for sort of the internet spray of attack payloads and sort of collecting and seeing what the TTPs are, you know, the IOCs of what's being dropped.

All right. Awesome. And a question regarding Kubernetes.
For lateral movement, why? It moves. Sorry. Why weren't pod security policies config mentioned, as it would allow escalating to the node even faster? Maybe this is a trick question. Yeah, for Kubernetes lateral movement. So for you: why weren't pod security policies config mentioned? Did you mention that in your talk?

Yeah. Yeah.

As it would allow escalating to the node even faster. All right. The question is, which configurations of the pod can allow us to move to the node fast? We can take the question however we want, and make it your own. I can select another one if you want.

No, no worries. I'm not sure that I understood. But if the question is about pod configurations, perhaps let's take it this way.

Yeah. Okay.

So I'm not sure that I'm answering the right question, but regarding pod configurations that may lead to lateral movement. So we talked about several in the talk. I mean, we mentioned it really briefly, but a privileged container first has full access to the underlying node. We also talked about mounting files. So if we have a pod with the configuration of mounting a file into it, that also may lead to lateral movement. Then there is the whole topic of networking. So, for example, you can specify that a pod has access to the host networking. So there's a bunch of configurations of pods that may lead to lateral movement, if that was the question. And if not, you can ask me again and I'll answer.

All right. If not, they can hit you up on Twitter and see the real answer for you. All right. For Nate, another question for you. Yeah, what do you think of asking for a software bill of materials that lists all their dependencies and their versions on those proprietary devices?

I think it's a good idea. And at least in terms of F5, you can somewhat figure it out. There's one of the reference links I had in my slides; they do list what operating system versions they use for the management side of things.
So you could, you know, take a look and say, what is CentOS 7.3 running? What libraries does it have? Those operating systems are not updated the way that we would update our Linux servers. So I think it's during, like, major revs, like when they go from 11 to 12 or 12 to 13, they'll update to a degree. But your best, I mean, you're not going to get much of a software bill of materials from them, as far as I know. And of course, if you're a big enough customer and you pay them enough money, then that was one of the things that I would have done, which was to say, okay, let me pull this for you. But yeah, and that's only going to be the Linux side of things. If you start asking about, like, supply chains of where their firmware is coming from, the code that's running their ASICs or their FPGAs, you're going to have a non-trivial time getting that out of them.

All right. So Vicky, maybe a question that's for you, but also from one of the speakers that could not join us today. So it's kind of an in-between or hybrid question. What do you think about webhooks? And would it be a good target for bug bounty programs or any? I don't know if you've written any blogs or anything about it in your experience.

So I've actually written about webhooks before. And I think they can potentially be a good target for bug bounties. But in reality, I haven't really hunted that much in bug bounty programs for webhook related bugs. So I don't really know the answer to that. I think potentially; I don't really know how prevalent it is, though.

Do we have any strong opinion? No. That sounds good. All right. So I'm reading the questions that are remaining. They're quite similar or incomprehensible, so I won't go through them. I won't give you any, like, weird questions anymore. All right. So thank you guys so much. Please ask them your questions privately. If you do, hit them up on Twitter, or yeah, we're just here to help. So please feel free to reach out.