Black Hat 2022: from cyberwarfare to the rise of RCE

Black Hat 2022 is coming to a close, and we’re leaving the conference with fresh industry insights, new contacts, and ideas for the future of DevSecOps. While we couldn’t see it all, we did manage to catch a few sessions – and even held some of our own to dig into essential topics like security debt and the worrying rise of direct-impact vulnerabilities.

Another great Black Hat is wrapped up, and there was no shortage of exciting sessions and topics around application security (AppSec) to absorb. If you had a chance to stop by the Invicti booth, you might’ve seen our special machines that guests could scan and fix for prizes. You may have even caught a presentation by Invicti’s Distinguished Architect Dan Murphy – and if you didn’t, we have a recap below. We hope you had a chance to say hi and chat with us about everything AppSec!

Just like last year, we could see some recurring themes bubble to the surface. Notably, there was a lot of talk about cyberwarfare, the human element of AppSec, and the dire need for modernization if we want to keep up with the bad guys. As threat actors pick up the pace of their attacks and cyberwarfare becomes the new weapon of choice in geopolitics, there’s never been a more critical time to get your security program working as a well-oiled DevSecOps machine.

Improving security posture on the digital battlefield

With directives and executive orders on cybersecurity coming from the Biden administration, government agencies are starting to make serious changes to their security efforts. Cybersecurity becoming a staple of modern warfare was certainly a hot topic at BlackHat and beyond. In fact, in a recent Forbes Technology Council article, Invicti’s Chief Product Officer Sonali Shah outlined the dangers and warnings of cyberwarfare. “Cyberwar has completely changed the battlefield,” she noted. “It is cheaper to execute and harder to attribute than physical warfare. Cyberwar levels the playing field.”

BlackHat participants agreed that in this new normal, cyberwar, disinformation, and politics go hand in hand. This makes good cybersecurity practices in government a must to not only modernize security tools but also implement zero trust concepts to reduce sensitive data exposure. Identity and access management plays a vital role, and David Treece, Director of Solutions Architecture at Yubico, held a session on why mandates around phishing-resistant multi-factor authentication (MFA) are coming from the government. Organizations with legacy MFA systems and processes are easier to attack, and if government agencies don’t take these mandates seriously, they’re at great risk. 

Underscoring that cyberwar is very much real, Principal Threat Researcher Juan Andres Guerrero-Saade and Senior Threat Researcher Tom Hegel from SentinelOne discussed the cyber struggle playing out every day in the conflict between Russia and Ukraine. Since the beginning of 2022, Ukraine has been experiencing intense malware attacks, many specifically targeting satellite modems and other critical infrastructure. Because similar attacks were relatively rare prior to the war, it’s worrisome that these threats are on the rise – especially as cyberattacks can so easily become global.

Keeping the human element front and center of AppSec

There’s no way around it: you simply cannot remove human expertise from the AppSec equation. While automation and integrations can (and should) remove a lot of the manual work around security, especially in an effective DevSecOps process, at the end of the day, there is no automatic substitute for thoughtfulness, intuition, and good judgment. The pressures that cybersecurity professionals face are mounting daily, too, putting ever more strain on the human element of AppSec. 

We know the skills gap in cybersecurity contributes to an increase in unnecessary risk and even burnout. Adam Shostack, President of Shostack & Associates, led a session (A Fully Trained Jedi, You Are Not) which shed light on the topic of training in AppSec and better preparing developers for dealing with security issues. It’s a problem the industry has been facing for a while, with over 4 million unfilled cybersecurity jobs only exasperating the issue. Shostack discussed how the cost and time of developer security training can increase pressure across the organization. His suggested solution is a structured and compassionate approach to learning that complements the security tools DevSecOps professionals rely on every day to relieve some of that pressure. 

In a related session, Kyle Tobener, VP and Head of Security and IT at Copado, stressed the need for compassion and empathy when addressing the human element as a security risk. In his session, Harm Reduction: A Framework for Effective & Compassionate Security Guidance, Tobener delved into how cybersecurity professionals can apply harm reduction and why a compassionate approach can be more effective than prohibitive rules. High-risk behaviors like clicking on links in phishing emails are going to happen regardless of how many security protocols you have in place simply because human beings are in the mix. Programs that focus on abstinence-based security guidance may actually increase risk, so it’s critical to provide thoughtful guidance that factors in a range of possible entry points. 

Tackling risk reduction and security debt with Invicti

Invicti CPO Sonali Shah took to the stage for a session on the trends and best practices in AppSec, leading a discussion about just how dire the situation is for many organizations. Web apps and APIs continue to present major risks (did you know two of every five breaches originate in a web app?), and organizations are struggling to keep up with the pressures of building security into the development process. 

In her session, Shah outlined the top five AppSec risks that every organization should have on its radar, as well as best practices for improving your security posture. Key takeaways: organizations should focus on implementing full coverage by continuously scanning apps in development and production, maximizing automation by integrating security into CI/CD pipelines, and opting for tools built on accuracy to reduce wasted time. 

Shah also participated in a session with Ean Meyer, Associate Director of Security Testing and Assurance at Marriott Vacations Worldwide, where they chatted about security debt and how organizations can turn it into a more positive business experience. Meyer and Shah discussed that the cost of not doing anything about lingering security debt can outweigh the price tag of implementing any level of application security.

Down the road, organizations can discover that they are spending more time and money on fixing problems resulting from accumulated security debt than they would have spent on implementing a solid AppSec program in the first place. To begin paying down that debt, it’s important to define the current security posture, triage issues, integrate and automate continuous security testing, and then make incremental improvements over time to avoid introducing new debt as more applications are deployed.

The battle is on to remediate RCE in the wild

A runaway attendance success across several sessions at our booth, Invicti’s own Distinguished Architect Dan Murphy delivered a presentation on the rise of remote code execution (RCE) and how you can fortify your defenses to protect yourself against these attacks. Murphy highlighted that cases of RCE jumped 18% year over year. Because RCE is a direct-impact vulnerability that can lead to further attacks if left unchecked, even a single RCE weakness in a production environment puts the organization at risk of total system compromise.

Although RCE isn’t a new problem in the world of software development, it is causing some pretty big headaches (remember Log4Shell?) that result in expensive migraines. Left unremediated, code execution vulnerabilities are a ticking bomb in your systems, and it’s only a matter of time before an attacker triggers it. But we know from our Log4Shell scan data there is a strong correlation between the frequency of security testing and the time to fix code execution vulnerabilities. Especially critical, Murphy noted, is including dynamic application security testing (DAST) in regular scans to probe your applications with realistic attack payloads and quickly show which systems are the most vulnerable to code execution attacks.

Didn’t catch us at Black Hat? Don’t worry – we’ve got you covered with a recap video:

And that’s a wrap! See you at next year’s Black Hat conference!