HackedIN: I See Dev People
Jamieson O'Reilly
Founder @ Dvuln. Hacker. T̶h̶i̶n̶k̶i̶n̶g̶ Doing outside the box. Redteaming, Pentesting, DevSecOps.
As someone who gets paid to break into companies legally, I've learned to take a step back and look at the whole picture.
Why?
It's simple.
The bigger the picture, the more options you have to break in.
The Open Sores of Open Source
Online platforms like Stack Overflow have revolutionised the way developers work.
On the one hand, they enable real-time knowledge sharing and problem-solving; on the other, the ease of access to this information poses new challenges for orgs safeguarding their data.
According to common estimates, open-source components make up 70-90% of a modern software stack.
This makes the odds increasingly favourable for attackers.
As developers turn to online communities like Stack Overflow for assistance, attackers naturally follow suit.
Blurring the security boundaries
Ask any experienced security team or CISO what to lock down, and they'll have a long list of things to share.
Whether it's employee device security, external attack surface, or cloud infra, the lines were, for the most part, clearly defined.
However, the rise of online communities where developers share information has complicated these boundaries, making security a more intricate puzzle.
Don't wander too far outside the castle walls
When you think about it, it makes sense for attackers to leverage communities like Stack Overflow.
As the castle walls of companies grow thicker, attackers are forced to change tactics.
In turn, the goalposts shift from breaking through the castle walls to waiting for the occupants to venture out, then attacking them outside.
Stack Overflow boasts more than 20 million registered users and has received over 24 million questions and 35 million answers.
That's a lot of data.
Given the volume, there's bound to be information that shouldn't be there.
Smart attackers know this.
Examples
One doesn't have to venture far to find exposure after exposure.
Here are but a few.
Don't worry - It's just "a test account"
Gigaflaw
OK-TAke-my-access
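The examples above are the same failure in different clothes: a credential pasted into a snippet because it was "only a test account". The scanner below is an added example, not code from the original article or from Dvuln. It runs a snippet through a few publicly documented credential formats plus a Shannon-entropy check on long string literals, the kind of pre-post gate a team could wire into a clipboard tool, a pre-commit hook or an internal paste site. The sample snippet is constructed for this example: the AWS pair is the placeholder pair from AWS's own documentation, the SSWS header value is an invented Okta-style token, and the password is made up. None of it is a live credential.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Public credential formats that are safe to match on shape alone. The last
# rule is vendor-agnostic: any password/secret/token/key-looking name being
# assigned a quoted value of 8+ characters.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        r"(?i)\b\w*(?:password|passwd|secret|token|api[_-]?key|access[_-]?key)\w*"
        r"""\s*[=:]\s*["']([^"']{8,})["']"""
    ),
}

# Quoted literals of 20+ characters are candidates for the entropy check,
# which catches secrets whose format none of the regexes above knows about.
STRING_LITERAL = re.compile(r"""["']([^"'\n]{20,})["']""")
ENTROPY_THRESHOLD = 4.0  # bits per character; prose and identifiers sit well below this


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    excerpt: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def scan(text: str) -> list[Finding]:
    """Return every credential-looking fragment in text, tagged by rule and line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, match.group(0)))
        for match in STRING_LITERAL.finditer(line):
            literal = match.group(1)
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                findings.append(Finding("high_entropy_literal", line_no, literal))
    return findings


def safe_to_post(text: str) -> bool:
    """True when the snippet carries nothing the scanner recognises as a secret."""
    return not scan(text)


# Constructed snippet of the "it's just a test account" kind. The AWS values are
# the placeholder pair from AWS's own documentation; the SSWS header value is an
# invented Okta-style token; the password is made up. Nothing here is live.
SAMPLE_SNIPPET = """
import boto3
# don't worry, it's just a test account
s3 = boto3.client(
    "s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)
DB_PASSWORD = "Sup3rS3cret!2023"
headers = {"Authorization": "SSWS 00aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789abcd"}
region = "ap-southeast-2"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SNIPPET):
        print(f"line {f.line:>2}  {f.kind:<22} {f.excerpt}")
    print("safe to post:", safe_to_post(SAMPLE_SNIPPET))
```

The two halves cover each other's blind spots: the AWS access key ID is too regular to trip the entropy check but has a fixed prefix, while the secret access key and the SSWS token have no prefix worth matching but are random enough to stand out. The entropy rule will also flag hashes, base64 blobs and UUID-dense lines, so a deployment of this idea needs an allowlist and a human in the loop before it blocks a post.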
The Takeaway
In essence, companies can secure all of their internal and external assets as much as they want, but in today's landscape, the very definition of "external assets" can change faster than you think.
Now, more than ever, organisations must focus on educating their employees to be vigilant.
This involves recognising the risks associated with sharing information in online communities and treating every external party as a potential threat.
Penetration Tester | Ethical Hacker
1 year
This is so true, just take a look at what happened to 3CX a couple of months back (Don't wander too far outside the castle walls). Thanks for the great read Jamieson