Events

Modern Application Stacks & Security

I had the pleasure to give a presentation at the Security Interest Group Switzerland Technology Conference about modern application stacks and how they can be used to improve infrastructure and application security posture – the slides can be found here. Besides seeing a lot of old friends, I particularly enjoyed a round table discussion on security integration into CI/CD pipelines. There was a relevant exchange on approaches that actually work and were tested in environments beyond just recommending some container scanner (product). One participant had an interesting case study on how they enabled developers to maintain WAF policies in configuration files in their code repository, including automated deployment to the WAF. He also emphasized that the environments with actual security benefits resulted from a close cooperation between development and security team (where domain knowledge was combined 😉).

 

Cheers,

Matthias

Events

Industrial IoT Overview & Case Studies

Stefan and I had the pleasure of joining a one-day closed workshop on Industrial IoT Security. As always, we ended up with plenty of new research ideas and great contacts. We hope of course to post on follow-up research, but in this short post we quickly want to publish our slides which contain our input for the workshop. We mainly presented on IT security challenges for modern IIoT environments and presented some case studies for successful hardening/protection of IIoT environments as well as security in IIoT product development.

You can find our slides here.

Building

Agile Development & Security

I'm a big fan of Chris Gates' publications on DevOops and From Low to Pwned. The content reflects a lot of issues that we also experience in many assessments in general and assessments in agile environments in particular. In addition, we were supporting several projects recently that were organized in an agile way. In this post, I want to summarize some thoughts on how security work can/should be integrated into agile projects.
Events

Defending Democracy

I recently had the pleasure to attend two events organized by the Digital Society Institute, one was a workshop on software vulnerabilities and one was their annual conference. For both events I delivered input on the security of security products and their evaluation (slides can be found here). The DSI did a great job of assembling people from various areas (e.g. industry, academia, politics, and research) so there was a lot of input which is not covered by conferences I usually attend. The workshop I attended also resulted in a short policy recommendation when it comes to the security of security products which can be found here.

 

Thanks & so long,

Matthias

Misc

Introducing the Kernel Space Invaders

Today it is my pleasure to shortly introduce ERNW's Capture the Flag team, the Kernel Space Invaders. As a long-time CTF enthusiast, I'm really amazed how many of us make the time to tackle IT security challenges also on the weekends or evenings. Even if we cannot participate in all CTFs out there (which would be challenging anyways given the large number of CTF events happening nowadays), we started to compile a repository of some of our write-ups — I hope some of you will enjoy!

 

Cheers,

KSI

Events

SIGS DC Day

Today I had the pleasure to give a keynote at the SIGS DC Day on the need to evaluate Cloud Service Providers in a way that looks behind (or at least tries to) security whitepapers and certification reports. The slides can be found here.

I also particularly enjoyed the following two talks:

Sean O’Tool from Swisscom AG covered challenges of an infrastructure to cloud migration. Even though he only briefly touched the topic, I enjoyed his description of their firewalling model: Seeing that centralized firewall operation (or more precisely, rule design and approval) is limited/challenged by the understanding of the application, they transferred control over firewall rule sets (beyond a basic set of infrastructure/ground rules) to the application teams (using features like OpenStack’s security groups, where he also talked about limitations of those). They compensated the loss of “centralized enforcement by a security group” with rule reviews — an approach that will become way more relevant (and necessary) in the future.

Marc Holitscher from Microsoft covered their “second line of defense”, which is a strong audit framework for controls they implement for their Azure/Office cloud environment. The relevant information (which was new for me too) was that they published a lot of audit information just recently. Details are described here.

Cheers,
Matthias

Building

ERNW Hardening Repository

Today we started publishing several of our hardening documents to a dedicated GitHub repository — and we’re quite excited about it! It took a while to develop a suitable markdown template to support all the requirements you have when you write a hardening guide, but we’re online now!

At the moment, only a few hardening guides are online, but that should continuously increase in the future.

Click here for the GitHub ERNW Hardening Repository!

Cheers,

Matthias

Building

Check your SAP landscape for default Solution Manager users

This is a guest post from Joris van de Vis @jvis, on his upcoming Troopers talk. Additional credits go to: Robin Vleeschhouwer, and Fred van de Langenberg.

As presented at Troopers this year, ERP-SEC research has uncovered a set of potential default accounts related to the use of SAP Solution Manager. These default accounts might pose a big risk to your SAP supported business as some of them have wide authorisations. It is therefore important to check if they exist in your landscape and change the default passwords.
