[Interview] Jesper Larsson, Assured & Cure53: The most frequent cause of data leaks today by far is misconfiguration in conjunction with poorly written code

Cyber Security Awareness Month is a good time to reflect on how much organizations invest in cybersecurity and how they apply basic security measures to keep everything safe.
As challenging as it may seem with the rise of sophisticated online threats, it all boils down to one goal: having the best possible defense and protecting employees and (customer) data from cyber attacks.
And this can be achieved by adding a cybersecurity culture to the management plan, focusing more on educating employees to adopt a security-first mindset, and dedicating resources to better securing the infrastructure.
During this process, top management and decision-makers play important roles in bringing these resources to the table and managing assets efficiently.
Knowing this is an important issue many companies face these days, we couldn’t miss the opportunity to talk about it with someone who has a lot of experience working with complex infrastructure solutions worldwide.
Jesper Larsson is an infrastructure security specialist and vulnerability researcher with several years’ experience working for international companies. His knowledge and passion also extend to other topics, like penetration testing, embedded systems and architectural assessments.
He will be on the DefCamp stage in a few weeks and will teach us about the most common security pitfalls in scriptable infrastructure pipelines.
Until then, let’s find out what he thinks is required to persuade top management to allocate more resources to securing infrastructure.

I would recommend threat-modeling by quantifying IT-security risks attached to the actual business model and dividing the threats into worst-case scenarios based on potential financial loss.
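One way to put that suggestion into numbers, as an added example that is not part of the interview or of Jesper’s own work: a small Python sketch that ranks threat scenarios by worst-case financial loss per business component and checks whether a proposed control is worth its yearly cost. Every scenario, probability and amount below is a constructed estimate.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    """One worst-case scenario attached to a business component (values are constructed)."""
    name: str
    asset: str                   # business component whose loss is modelled
    annual_probability: float    # estimated chance of at least one occurrence per year
    worst_case_loss: float       # financial impact of a single occurrence, in EUR
    residual_probability: float  # estimated yearly chance after the proposed control
    control_cost: float          # yearly cost of that control, in EUR

def expected_annual_loss(probability: float, loss: float) -> float:
    """Expected loss per year: likelihood times impact."""
    return probability * loss

def prioritise(threats: list) -> list:
    """Rank scenarios by worst-case loss first and expected annual loss second."""
    return sorted(threats, reverse=True, key=lambda t: (
        t.worst_case_loss, expected_annual_loss(t.annual_probability, t.worst_case_loss)))

def worst_case_by_asset(threats: list) -> dict:
    """Largest single-event loss per business component, for a board-level summary."""
    worst = {}
    for t in threats:
        worst[t.asset] = max(worst.get(t.asset, 0.0), t.worst_case_loss)
    return worst

def net_benefit(t: Threat) -> float:
    """Expected loss avoided per year minus control cost; positive means the control pays for itself."""
    before = expected_annual_loss(t.annual_probability, t.worst_case_loss)
    after = expected_annual_loss(t.residual_probability, t.worst_case_loss)
    return before - after - t.control_cost

# Constructed sample scenarios; every figure is an illustrative estimate, not data from the interview.
SAMPLE_THREATS = [
    Threat("Customer database exposed by misconfigured storage", "customer data", 0.20, 2_000_000, 0.02, 60_000),
    Threat("Build pipeline credentials stolen", "CI/CD pipeline", 0.10, 500_000, 0.03, 40_000),
    Threat("Marketing site defaced", "public website", 0.30, 50_000, 0.05, 20_000),
]

def business_case(threats: list) -> list:
    """(scenario, rounded yearly net benefit in EUR) in priority order, for the budget discussion."""
    return [(t.name, round(net_benefit(t))) for t in prioritise(threats)]

if __name__ == "__main__":
    for name, benefit in business_case(SAMPLE_THREATS):
        print(f"{name}: {benefit} EUR/year")
```

A negative net benefit does not mean the control is wrong, only that its cost exceeds the expected loss it avoids under these estimates; the worst-case figure per asset is what usually drives the management conversation.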

When we think of the current business landscape, we can all agree that there is no easy way of managing complex infrastructure and securing the environment. We also know it’s not easy to keep a balance between flexibility and security when managing it without having the right skills and knowledge.
Jesper told us that it is necessary to have a “complete understanding of all the components attached to the development lifecycle, i.e. stack, services, frameworks, middleware.”

I would say that before any production environment gets deployed, it should have surpassed the “just get it to work”-phase a long time ago. All in all, I think this boils down to knowing each and every part of the infrastructure. Why it’s there, what its function is, etc.

Organizations deal with a lot of stress when it comes to addressing security vulnerabilities and threats, because cybercriminals move at a rapid pace, constantly evolving to exploit them.
But what do widespread vulnerabilities have in common, and why do they happen? We know Jesper is a vulnerability researcher, so we asked him to explain it in plain terms that regular Internet users can understand.

I would argue that the increasing complexity throughout the entire development stack makes it hard for any maintainer to foresee the security consequences associated with the entire security posture of a product.
For example, a frontend developer could make a mistake that is impossible to exploit in its current place but that presents an attack vector which could be used to exploit another part of the infrastructure.  

To avoid these mistakes that Jesper is talking about, businesses need to identify the pain points in their organization and have a solid strategy, backed by decision-makers. They are the key people who need to make sure everything is in place, and they have a set of practical tools and approaches to manage risks more effectively.
We were curious to find out how decision-makers within an organization can be persuaded to provide teams with enough resources to build new tests, set up new platforms or handle other tasks that keep the infrastructure pipeline operational.
In Jesper’s opinion:

This needs to be addressed on multiple fronts; threat-modeling and SLA requirements would be a good place to start.

Probably one of the main challenges organizations are struggling with today is preventing data leakage and its impact. Recent findings of the Breach Level Index revealed that “945 data breaches led to 4.5 billion data records being compromised worldwide in the first half of 2018”.
Regarding the most frequent causes that can make an infrastructure pipeline leak data, Jesper shared his thoughts with us:

I would argue the most frequent cause of data leaks today by far is misconfiguration in conjunction with poorly written code. For example, developers don’t have enough knowledge about the security implications attached to the code/configuration they write.

If you found this interview useful and want to learn more about modern infrastructure from companies and their approach to security, don’t miss Jesper’s presentation next month!
Meet us at DefCamp #9 on November 8-9 for a unique experience and ask our speakers everything you want to learn.
This interview was made by Ioana Rijnetu. You can get in touch with her on LinkedIn or say hello on Twitter.
DefCamp is powered by Orange Romania and it’s organized by the Association “Research Center for Information Security in Romania” (CCSIR).
DefCamp 2018 is sponsored by Ixia, Keysight Business, SecureWorks and Intralinks as Platinum Partners and it’s supported by IPSX, Bit Sentinel, TAD Group, Enevo, Crowdstrike, CryptoCoin.pro, Siemens, Alef, UiPath, Atos and Kaspersky Lab.
