Adopting Zero Trust

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google. You can read the show notes here.

Every few weeks, and occasionally every few days, we hear report of a new novel technique or zero day. Those headlines often create an unnecessary level of fear for organizations, but battle-worn cybersecurity professionals know just because it’s on a headline doesn’t necessarily mean it will impact their environment. That is because emerging threats are just that, new and novel. While zero day threats can be interesting and something to be aware of, most threat actors stick to tried and true methods.

But how do we identify what is most impactful to our security posture, attack surface, or insert your other buzzy term? Threat intelligence and the collective defense. And for that, it’s time to introduce our two very equipped guests to navigate this conversation and our guest moderator:

This week on AZT, we have representatives from OWASP and MITRE, with Dr Zero Trust leading the charge.

The Guests

Special Guest Moderator

**Dr. Chase Cunningham - Dr. Zero Trust and Vice President of Security Market Research for G2**

**Avi Douglen - Chair of the Global Board of Directors for the OWASP Foundation and Founder and CEO of Bounce Security.**

Avi is a security architect and software developer, leading development teams in building secure products for over 20 years. As a systems developer and security consultant, over the years Avi has amassed much technical knowledge and understanding of the enterprise security needs at the business level. Avi currently serves on the OWASP Global Board of Directors, and leads the Israel chapter. He is the founder and leader of the the popular AppSecIL security conference, the OWASP Threat Modeling Project, and co-authored the Threat Modeling Manifesto. He is a community moderator on Security StackExchange, and a frequent speaker at industry conferences, recent ones can be seen here.

**Stanley Barr - Senior Principcal Cyber Researcher for MITRE**

Dr. Stanley Barr is a three time graduate of University of Massachusetts Lowell. He has a BS in Information Sciences, an MS in Mathematics, and a PhD in Computer Science. He has coauthored published papers in malware analysis, barrier coverage problems, expert systems for network security, and robotic manufacturing. He has spoken at MILCOM, RSA, Bsides Boston, and Defcon. He has been a panelist for conferences. Panels topics have included fighting through real world computer network attacks from both external and internal threats. Currently, he is a Senior Principal Scientist at The MITRE Corporation, a not-for-profit corporation that manages six federally funded research and development centers (FFRDCs).

Key Takeaways

• Emerging threats are interesting, but threat modeling and understanding how systems work to identify potential issues is more impactful

• AI can pose a threat due to its ability to remember and tailor information, as well as its scalability.

• The panel emphasized that basic security hygiene is often overlooked, such as enabling 2FA on all accounts.

• The OWASP Top 10 most common attack vectors are still a significant concern, but they should not be the only focus.

• The panel argued that responsibility for security breaches should extend beyond the CISO to the entire board and engineering organization.

• Cybersecurity is a people-centric challenge, and relying on people not to make mistakes is not a sustainable strategy.

• There is value in investing in proper security measures, as it can save organizations money in the long run.

Editor’s Note

Interested in learning more about Zero Trust directly? We’ve partnered with the Zero Trust Meet & Expo taking place on August 26-27 in Stamford, CT, where you’ll find several of our past speakers presenting. Take a look at the lineup here, and use the promo code AZT@ZTM24 to get $450 off the early bird rate. This is not a sponsored announcement, but we’re always happy to support the community and experts who will be speaking.

It’s Not Zero Day Threats You Need to Watch Out For

It’s not zero days that you need to worry about. For decades, social engineering and phishing remain the top threat vector. Why? It’s a heated debate, but there is no denying that the most effective cybersecurity threat, both due to impact and financial drain, is successful because abuses human psychology rather than just technology alone. Yes, we’re talking about good ole social engineering and phishing attacks.

On top of the basics, organizations like OWASP have identified common threat vectors, MITRE has their own take on TTPs with MITRE ATT&CK, and then there is the data lives within your own environment to bring it all home.

“We don't need to be chasing zero days, that's not we're going to get hacked,” said Avi Douglen, Chair of the Global Board of Directors for the OWASP Foundation and Founder and CEO of Bounce Security. “Injection has been in one form or another on the OWASP Top 10 since the very first version. For example threats like “SQL Injection and other versions of injection. It's trusting untrusted input to a trusted parser in an unfiltered way. It's still the same thing with a different model.”

Based on Avi’s perspective, this begs the question: how should organizations use these resources and prioritize their time? Cunningham has a very simple and direct answer.

“You have a space where the bad guys literally tell you what they're going to do and people wonder how do we stop it? You stop it where they say they're going to do the thing they're going to do. It's not rocket surgery. It can get complex, but if you make simple things hard, it's hard. This is the basics, the blocking and tackling the right way to approach the problem. It just makes a difference,” said Cunningham.

AI Threats or Repackaged Threats?

If AI prompt injections are the primary concern today, and we have seen similar issues with SQL and other platforms in the past, what do organizations need to be aware of today? Re-use of TTPs is certainly at the top, but there are actually emerging threats that are originating from the increasing availability of new technology that has yet to be placed between necessary guardrails.

First, imagine a threat actor that can remember every detail about you and your life and use it against you. Now, do that in a rapid fashion and with platforms that we willingly feed that data to.

“AI is problematic because it has a good recall. Anything that you put into the, anything you tell a stranger now, they can remember for a long period of time, right? So there's that recall, there's a tailoring,” said Barr.

While there are certainly concerns about phishing threat actors using things like GPT to create more conversational and realistic email lures, it’s not the lack of broken English you need to look out for.

“Once it starts learning what you want from all the interactions you give it, it can tailor that, it can be big, it can scale, it can be one person or 100 people or 20 people, it can operate 24/7, AI can then say, pressure release maintainers into giving up the maintenance of a repo to give someone else a chance bad things happen, I think these are the sort of things we have to worry about with AI,” said Barr.

For security teams, the question is less about users getting on the receiving end of these, but how can you reduce or prevent models from getting this data and scaling their efforts. To solve this, it means putting in policies about what information can be shared with LLMs, removing any potential proprietary details, and being intentional in general through the lens of privacy.

The Top 10 is Not the Top 10

Beyond AI, one of the more interesting elements to come from the conversation was Douglen’s reinforcement about what the OWASP Top 10 is and isn’t. Much like the vendors who abuse MITRE frameworks in their solutions rather than educating less mature teams about evaluating what is in their environment, the same goes for the Top 10.

“A lot of organizations follow the Top 10 and they have compliance with the Top 10 - and there's a huge amount, almost all the vendors have built their tools around the Top 10 - scan for the Top 10, building out compliance with the Top 10. The Top 10 is not a standard, it's an awareness document. It's basically, hey guys, security is important, here's a bunch of different things. If you're worried about the Top 10, I see this shirt all the time. I got popped by the OWASP Top 11 and the Top 25 and the 103. It doesn't matter. The Top 10 is just because they're easy to understand categories, right?”

While the Top 10 is widely accepted and used, its purpose is to alert people that security is a significant concern and highlight some common issues.

Douglen cautions against over-reliance on the Top 10. Just because a system is compliant doesn't mean it is entirely secure. Understanding the actual system is crucial to finding real issues.

He suggests that the Top 10 should be seen as the minimum security standard or table stakes for any software development. But he also points out that the Top 10 could have unintentionally done a disservice by creating too much focus on itself and not enough on other potential security issues.

For this reason, Douglen prefers to discuss threat modeling, a more comprehensive approach to understanding and addressing security risks.

Show Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot (2): Hello there, and welcome back to Adopting Zero Trust. We are at RSA Conference 2024. And today, we're going to do a little bit something a little different. We're doing a crossover episode. Which means, I'm going to hand this over to Chase. You'll give me a little spiel. Maybe tell the world about Dr.

Zero Trust Podcast, and then we'll go from there.

Chase: Yeah, so I'm Chase Cunningham, Dr. Cunningham, Dr. Zero Trust, if you want to be I don't know, cool or whatever. I host my podcast, we break down the realities, and we talk about the actual stuff you need to worry about, so if you're looking for truth, come to Dr.

Zero Trust. Maybe a little bit

Elliot (2): too raw. Very clear, transparent, very raw. But fortunately, we have two wonderful guests who are also going to be joining in that. Now, I don't want to Get too far ahead of myself. So I'll be, maybe we can hear about who you are, your background and yeah, where you're at. So,

Avi: My name is Avi Duglin.

I'm currently the chair of the global board of the OWASP foundation. For those that don't know OWASP, it's a non profit global non profit dedicated to providing resources and information to be able to build and test and deploy secure applications. That's what it's all about. In my day job, I run a small.

Elliot (2): Clearly the guy got his messaging down right. But if you don't know, I feel like you probably are not listening to the right channel. You've been in Iraq for the last 20 years. I would be a little concerned. I would pull your cyber card. Yeah, a little bit. Alright, Stan, how about you, man?

Stan: I'm Dr.

Stan Barr, I'll go with the doctor thing. But I'm Dr. Deception, so don't believe anything I say. I work at MITRE, I work at the MITRE Corporation. And I have, I've been working for the last probably 10 years on Cyber Deception. I built MITRE's ENGAGE framework, which is about how we engage with adversaries.

And I'm interested in all things about how we protect ourselves from adversaries, how we learn about adversaries, and all the rest of it. I've done a lot of research and a lot of different things.

Elliot (2): Perfect. Alright, so we've got a little bit of balancing act between the organization that has the top I don't know, application threads, what people are probably very familiar with but correct me if I'm wrong, one of the two your organizations recently just released something about ai protecting its AI too.

All right. Oass did, I dunno. There you go. I got Mitre Also

Stan: do that. So Mitre has a a framework as well, but I'll let you

Avi: go

Stan: first. Sure.

Avi: So os actually has a set of projects and you can check it out@oasai.org and set a project both about how to build AI application. And there's also a really popular LLM top 10 when you're deploying applications built on that.

Now, it's really interesting that these projects, of course, everything is open source and volunteer driven, but it's getting real traction and it's working with the European Union CRA initiative right now. And OWASP is now setting the standards that are going in to the EU CRA regulations and soon become laws eventually about what AI should do.

Very

Elliot (2): cool. All right, Sam.

Stan: MITRE has just released a framework, or it's been out for a little while, called atlas. mitre. org. And Atlas is all about protecting large language models, protecting AI, and protecting them from threats. I'll just leave it at that.

Chase: We need more collaboration there.

AI in front of something, that means it's actually AI, right? That's all this AI stuff. It has to be real AI. That's what we should take away from this. These are all AIs? I heard. Okay, are

Stan: we non player characters? I don't know. Okay, we'll find that out. I'm in

Chase: the seventh

Elliot (2): circle of Dante's inferno.

Stan: We'll figure it out. I will say, I thought every

Elliot (2): single booth was going to have AIs slapped on there. It wasn't as bad as I was expecting. It wasn't, yeah. Alright as you can obviously tell, we've got a pretty great panel here, which means we're able to talk about something we have not really been able to touch on, which is emerging threats and being able to get in front of them.

AI is a big piece of it. A lot of organizations here at RSA conference are trying to tackle it in various different ways, different flavors. But let's just pivot from there. Chase, I'm going to throw this over to you. You've been in the world of Zero Trust more than most folks. You followed John.

So from emerging threats, from things that we're facing today, what do you see is the biggest challenge outside of, AI and some of the other stuff that's still killing us every day?

Chase: The biggest thing, in my opinion, is that we still are relying on people not to be people. Phishing training is a waste of money.

There I said it at RSA, stop wasting your money. It's just a bad, you're pissing it away. That's one. The other thing is, start. I can't understand why organizations that I talk to still sit around hemming and hawing about engaging in cyber and strategy and whatever. It's, you have decades of proof, you have billions of dollars it's just a matter of time and it's not a FUD thing, it's just a reality deal.

You're, death, taxes and cyber security. So start doing something and as far as emerging threats go and whatever else, if you really look at it and I think the Verizon, Dibber and Mandy and M Trends report and everything Mitre publishes are like biblical references to me. You have a space where the bad guys literally tell you what they're going to do and people wonder how do we stop it?

Like you stop it where they say they're going to do the thing they're going to do. It's not rocket surgery. It can get complex, but if you make simple things hard, it's hard. This is the basics, the blocking and tackling the right way to approach the problem. It just makes a difference.

Elliot (2): So I knew you were going to give the right answer, which is that emerging threats are just different layers on top of what has always been the issue. And it's a people centric. So you got

Chase: to. It's a new flavor, it's a

Elliot (2): new branding, that's it. But at the end of the day, it's about people and psychology, as much as the technology that goes around it, solving it, all that good stuff.

Between your two groups, you have I know you on the Engage side, but there are, obviously there's the attack framework. People have TTPs, they highlight the different ways that organizations get hit. You all have, through research and data, the biggest things that you need to resolve. Those are I don't know, the easiest entry points or the most common vectors of attack.

So I'd just love to maybe dig into a little bit of how you have seen AI and some of these other challenges hit the market. How you're dealing with people, especially on the federal government side. Yeah, how are your organizations communicating these different changes in the face of it's still a people centric challenge?

Do

Stan: I'm not going to comment on spearfishing or fishing training, but it's stranger danger, right? It's if you want to go back to yeah, it really is. And it's about us being what the fishing training is supposed to do.

What all these things need to help us do is be conscious of everything we do now. And that's what we need to be like, why are you answering these questions? Why are you reading this email? Why are you putting your credentials into this thing, right? This is what we need to do is we need people to be conscious of what's going on.

I think that, and going more specifically to your point, I think that AI is problematic because it has a good recall. Like anything that you put into the, anything you tell a stranger now, they can remember for a long period of time, right? So there's that recall, there's a tailoring.

Once it starts learning what you want from all the interactions you give it you need to, it can tailor that, it can be big, it can scale, it can be one person or 100 people or 20 people, it can operate 24 7, AI can then, say, pressure release maintainers into giving up, the maintenance of a repo to give someone else a chance bad things happen, I think these are the sort of things we have to worry about with AI, I don't think it's I don't want to fear monger, right?

Fear mongering is bad. It's stranger danger. Figure out what you need to tell people on the internet. Why are you putting this stuff in? Why are you leaving it laying around? So I think those are the kinds of things we need to worry about more than a lot of other things.

Chase: I don't disagree with you.

Like I think fishing training and education is good, but I think relying on people not to be people and click links. This is stupid because I was a red teamer and you could fish and train people and I'll come the next day and get them. If I send you a kitty picture, game over. That's just what it is.

So yeah, train them, educate them, understand. But we also have 10 years of analytic data that says fishing is the number one vector for 10 years straight. Why are we continuing to piss money away when it doesn't make a difference to us?

Stan: Also having people have the word password as their password.

Yeah, that too. Let's Yeah, if

Chase: creds and phishing is the number one vector for 10 years straight, there's no question to me about what you solve for first.

Stan: Exactly. Absolutely. I think that's Zero days are, they are problematic, and they exist, but, like, how many attacks are just brute force on random creds?

Yeah. That's worrying about a

Chase: sniper round when there's a nuclear weapon getting ready to go off.

Avi: Or these really advanced attacks called asking for the password. Oh yeah. Cause people will give it to you. Oh yeah. Oh yeah.

Chase: Yeah, it's what was the joke a long time ago? There was a cartoon that had an NSA and a CIA guy.

Yes. And the NSA says, we gotta crack the algorithm, whatever. The NSA guy says, give me a wrench. He'll just beat him until he tells me the password. I think it was the other way around. No, something like that. The CIA guy. So this is, no. It's, I agree, like testing and whatever. But. On top of that, when you throw in the AI side, like you've seen my deep fakes, good luck keeping up with that because I can get by deep fake all day long, and there's been examples of that too.

So we've commoditized exploitation just like we've commoditized defense and it's, it is a arms race that is going to continue going on as long as we're digital until fallout happens. We're going to be in this space. We shouldn't be unemployed, which is good, but it just is what it is.

Yeah.

Avi: Listen, the other aspect is, we don't need to be chasing, you said, zero days is a problem, but that's not, we're going to get hacked out.

Elliot (2): Yeah.

Avi: And the interesting thing is that with all these new technologies, everything old is new again, right? Even, brand new technology, AI and LLMs.

And we have the LLM top 10. And one of the most interesting new risks on that list is prompt injection.

Chase: Yeah.

Avi: Injection. Has been in one form or another, has been on the OS top 10 since the very first version. SQL Injection. SQL Injection. Yeah. And other versions of Injection. It's Injection. It's trusting untrusted input to a trusted parser in an unfiltered way.

It's still the same thing with a different model. Once you break it down I spend a lot of my time doing threat modeling. Which is basically trying to simplify the entire system, understanding how it really works. And then you understand what can go wrong. And it's a lot of the same stuff all the time.

The crazy thing is I think it was 1999 some Microsoft folks came up with a framework called Stride. Spoofing, tampering, predation, revisions, closure, dial up, server to server, it was really this. The crazy thing is you could apply this to an LLM system today. AI system today. You're not gonna find 100 percent of the issues.

You're gonna find a lot. You have to be flexible in your thinking, but it's still the same thing. So if you get the basics It's done right. If you pay attention to the fundamentals, then these emerging threats are just passing scenery. Absolutely. AI is a big change, but the basics still apply.

Elliot (2): So I'm so glad that you position it that way because I want to pivot a little bit and we'll probably roll back right to where we were.

But there is a media literacy component to this too. Now, it's not just media literacy as in the organizations that have to cover these like zero day attacks. new breaches instance, all that stuff. There's also organization vendors who do their research and they're trying to highlight new, I don't know, unique things.

So things that fall outside of TTPs, outside of the top 10 and they obviously get more attention because they're novel, they're unique, they draw attention. So in your perspective, do you feel like that is a problem? It is. It's an unhealthy scenario where organizations just keep chasing after those big things.

Avi: You touched on the top 10, so I'm going to start with that. A lot of organizations follow the top 10 and they have compliance with the top 10 and there's a huge amount, almost all the vendors have built their tools around the top 10, scan for the top 10, basically building out compliance with the top 10.

The top 10 is not a standard, it's an awareness document. It's basically, hey guys, security is important, here's a bunch of different things. If you're worried about the top 10, I see this shirt all the time. I got popped by the OWASP top 11 and the top 25 and the 103. It doesn't matter. The top 10 is just because they're easy to understand categories, right?

Elliot (2): Yeah,

Avi: that doesn't help you understand what the actual system is. That doesn't help you find the real issues. If you get hacked by something out of the top 10. That's negligence, in my opinion, unless it's something real extreme. It's basic hygiene. It's basic table stakes. This is not for extreme banking systems.

If you put a cat log on the web, on the internet, you gotta, you have to watch out for the top 10 because literally the table stakes of having any kind of software development anything past

Elliot: that,

Avi: yes, people ignore it. In some ways, the top ten has done a disservice in that way. Too much awareness of the top ten and not awareness of everything else.

Which is why I don't talk about the top ten often. I talk about threat modeling. I talk about things like the ASVS, the Application Security Verification Standard. That is a standard. And you got two hundred and ninety security requirements to build into your system. This is how to do security engineering.

How to do security by design, right? This is what you need.

Elliot (2): What you got?

Stan: I, the strep modeling I think is the important thing. It's what are your gazintas? What are your gazatas? And, what goes on inside there? I think it's like it's always going to be, I don't think you can just worry about the top ten.

It's all, and I think the biggest problem is, This is no, not enough people are doing hygiene, right? This is like, how is it that not everyone has 2FA on everything today, right? I use multiple I have my Microsoft indicator on all my personal accounts and everything. I don't even understand when organizations say they don't have 2FA.

It just it's a simple things like this that we just have to deal with. And we're not effectively as a community dealing with this yet. And it's you try and. I do a lot of research. I'm sure you guys do a lot of research and there's this, all this thing about how we defend against high end threats.

And then you've got people who like use password as password, right? It's I don't know what to do. So I think,

Chase: We built this, we built the system where the punitive measures do not outweigh the incentivization, right? Because we've got all these compliance standards. Find me a business that's violated compliance standards knowingly to egregiously that has gone out of business.

They're not there. PCI, HIPAA, HITRUST, whatever, you do it, it's the cost of business, they allocate money, they pay the fine and go on about their day, and then nothing changes. It's, if we built airplanes the way that we build digital infrastructure, there'd be eight of them out in front of the MOWASPone right now in heaping piles of rubble.

But nobody would be punished. It would just be like, Oops, sorry, we forgot to put the door on Boeing, so whoopsie, no big deal. Until we change the punitive measures for like negligence and other things that we have in other areas, it's not going to make a difference. And that I don't think until the legislation, until the leadership from top comes down and says, if you don't enable MFA for three years on an internet facing account, it's not a oopsie.

It's you're going to prison for a year. That will change things. You know what I mean? That's where we start to change stuff. We're having AK filings. We're having CISOs having to answer. For stuff, the golden parachutes are there, whatever else. But literally if this is a critical infrastructure space where people have died and I published, I read and published the research this year.

I've pirated some of the research really around that. There were, I think it was 86 humans died because they were unable to get medical care because of an outage. If a hundred Americans died from any other thing, it would light the world up and it would change stuff, but because it's cyber, because it's digital and nebulous, right?

He just go, where's the nerd? Somebody let the firewall open. Like it's not real. So in my opinion, we've architected the legalization, the compliance standards, everything else to be fraudulent. And until we change it and actually enforce it, nothing's going to actually change. All of this is great, but it doesn't change anything.

Avi: Can I jump on that with two comments? Number one I don't think it's the CISO that should be punished here. No, I think it's the whole board, the CEO, everybody. And. The engineering organization. Oh, sure. They're the ones who build the systems, they need to build it right. Yeah. CISO is a check, support system, whatever you want to call that.

But it's the engineers, I'm not saying every, programmer. Somewhere a developer right now is ah, geez. Listen, it's not the developers. Developers do what they're told, right? It's the entire engineering organization from the VPR& D and the CTO on, and up, right? But there's also a difference between

Chase: Misconfigurations that are done, whatever, and overt negligence.

Most of what we see that's egregious is overt negligence. I agree with you 100%. And it adds into the internet for years on end. You should be shot out of a cannon into the sun.

Avi: SQL injection on the login page, which still happens. Shot out of a cannon into the sun.

Chase: We should just build a giant trebuchet and just start launching people into the sun.

I'm sorry, I just, like

Avi: The other thing I want to touch on, you basically posed a formula here and say we need to increase the punitive. I can't disagree with that. That makes sense. But I'd rather focus on the other side of that. Because there is value to be had in actually doing it.

In doing it right. you. But

Chase: my point is, we've built a system where that doesn't equate. And we have plenty of research and plenty of publications that tell people unequivocally, data driven, if you do these basics right, it will save you money in the long run. Which all of us are here because money is a thing.

Like we've already changed that. The incentivization is there. The incentivization is not suck and not get pwned and whatever else. What we should do is implement a tax break for organizations that are cyber efficient is what we ought to do. That's not

Avi: bad. I like that idea. But saving money is not value.

What value is what businesses are. Businesses don't exist to save money. Sure. They exist to make money. Sure. And you can make money from security. From a secure product. I don't mean selling secure products. Now, nobody pays extra for security. You don't pay extra to have seatbelts in your car. But if you're buying a car that doesn't have seatbelts, you're going to either pay less or not buy it at all.

If it

Chase: was fishing training, they would tell you, look, we have a seatbelt, make sure you buckle it right before you get in a wreck.

Avi: My point is there is value to be had by doing things right. It is more efficient, as you say. There's a safe money, safe time, all that stuff. But you can actually generate, and I don't even mean for security products.

Oh, yeah, whatever it is you're selling. We protect your information, whether it's privacy, security, whatever you want to call that. However, you want to look at that there is value to be had. We need to be driven by that business value and not check the box compliance.

Chase: Totally. And I would love to see an experiment where if we came up with one line in the tax code that said, if we can validate your security posture and it's acceptable, you get a tax break.

The entire system would change in a month.

Avi: The interesting thing is that OWASP actually has a few projects in place to set that up, to do that verification, whether it's things like

Chase: legislators that listen to this, call OWASP. Whether it's things

Avi: like Cyclone DX and, software building materials with cryptographic attestations to what is built into that.

To things, to standards like ASVS and SAM. Yeah. If we have EPA

Chase: standards that you get a tax break on because your building is reflective and shiny. Yeah. Why can't we have a cyber security tax break? Love it.

Elliot (2): Makes sense. Maybe that's how you reduce insurance

Chase: premium. That would be my stomp is cyber tax something.

I don't know. That

Avi: was the first step in getting seatbelts and cars more, more safe. There you go. If you have this, then we will give you a discount and eventually became a requirement. Yeah.

Stan: One of the things we talked about, like compliance is yesterday's problem, right? It's just it's don't let this happen again. And it's where I just wonder, like, where's resilience in your guys has thought about building things that are resilient to attacks. And I think it goes to, this is I don't know how we move that incentive from this idea of let's not get honed by the same thing we did yesterday, but how do we start thinking about the architecture?

So we can be more, more resilient going forward. So we don't have to, but people should not be just worried about yesterday's and that's a problem. And that's. That's what I see all the time. It's just I followed exactly what I was supposed to be compliant and it happens. Case of rock is rock.

So how do we actually work towards getting more resilient? I wonder if you guys have any thoughts on that or

Avi: Yeah, let me just check that in there. I'll jump in on that because it's gonna sound like a broken record, right? There's three parts to this. What are you building soft?

This S. V. S. Gives you the security requirements. Do this right. If you build it according to this way, you're secure. Level 3 SVS, you don't need to worry about specific attacks, you're going to be resilient. You go, you build your software process using something like OASP SAM, Software Assurance Maturity Model, right?

You get, it covers the entire software development life cycle end to end, and it's a maturity model so you can build up over time in different, various different areas, and if you're doing things right, even if there are mistakes, you will catch it, because that's how the process works. And My third drum that I always bang on is threat modeling.

I've already said three times. But then you know how it's working. You understand the issues. You don't need to worry about what will happen because you know what will happen. That's what threat modeling does. It gives you that visibility and understanding how to build it right. Yeah.

Chase: Works for me. Now just make it a thing.

That's where we're at is weird. I think we're at a critical spot after we've gotten past COVID and everything else. And I, unfortunately, the military guy in me sees that until a substantial event and loss of human life occurs because of a cyber related event that is clearly tied to it, it's not going to make much difference.

Now, even though we know last year we lost nearly 100 Americans because of the cyber thing until, I don't know, cruise ship just. Falls over or something because they put all the water on the side where the people were not eating or something. I don't know. And it just tips or something, but until it's, until there's bodies, it's not real and that's a problem.

Yeah. Digital loss of money. So what digital loss of blah, blah, meh, but critical infrastructure. We can't go three days without a water system showing up without an electric grid. Like I, I don't know how much more it takes to finally say, let's do something different. We're in election year.

There's so much going on buy ammo because I know I can take care of me

By generators by ammo like that type of stuff. All right more centering

Elliot (2): That brings us to a time and not for any reason that you just give me no just kidding Avi Stan Thank you so much for chatting. And I, if anything, and I know we're preaching to the choir because both of our audiences that overlap them, this is about being defensive, proactive.

Yeah. We'll use the shift left conversation, but ultimately this still wraps back to zero trust. It is verify everything. No one, no inherent trust. And stop worrying about lists. That's a top 10 focuses on threat modeling.

That's the philosophy of it. It's not just, having fun in the back room with a hoodie on. That's not really how our space works. It's about empathy, people centric, and I think you all have definitely communicated that.

Chase: Agreed. Huge fans of everything you guys do love, love the stuff I read, Mitres everything.

It's just, you guys publish this amazing content.

Stan: Yeah. Thank you! Yeah, for all you do too.

Chase: Yeah.

Stan: All right.

Elliot (2): Thank you.

Announcer: Thank you for joining a Z T an independent series. Your hosts have been Elliot Volkman and Neil Dennis to learn more about zero. Go to adopting zero trust.com. Subscribe to our newsletter or join our slack community viewpoint express during the show did not reflect the brands, employers, or companies of our hosts, guests or potential sponsors.