Joshua Wells -- Application Security in the Age of Zero Trust Artwork

The Application Security Podcast

Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Principal Application Security Architect focused on Threat Modeling at Aquia.

All Episodes

The Application Security Podcast

Joshua Wells -- Application Security in the Age of Zero Trust

June 01, 2023 • Chris Romeo and Robert Hurlbut

What is zero trust, and how does it impact the world of applications and application security? We dive deep into zero trust with Joshua Wells, a seasoned cybersecurity expert with over ten years of experience. Joshua explores the intricacies of zero trust, a cybersecurity model that dictates no user or machine is trusted by default and must be authenticated every time.

Listen in as Joshua discusses his journey from aspiring to be an NFL player to becoming a leading voice in cybersecurity. He shares insights on how zero trust operates in different domains, including architectural security, endpoint detection, mobile device management, and risk assessment. He also touches on its implementation across various government bodies and private organizations.

Further, Joshua sheds light on the challenges of implementing zero trust, such as the need for a mix of different security tools and the stress of smaller teams when handling this robust framework. The episode also covers important considerations for Application Security (AppSec) professionals in a zero-trust environment and the role of attribute-based access control within this model.

Don't miss this enlightening discussion on cybersecurity's current landscape and future direction. Whether you're a cybersecurity professional, a tech enthusiast, or simply keen on understanding how your data is being kept secure, this episode will surely provide invaluable insights.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Joshua Wells -- Application Security in the Age of Zero Trust

[00:00:00] Chris Romeo: Joshua Wells is a seasoned cybersecurity expert with over 10 years of experience leading teams and organizations through intricate cybersecurity situations. His extensive background includes working with various government bodies and private sector organizations specializing in areas such as architectural security, endpoint detection, mobile device management, and risk assessment.

[00:00:22] In addition to his professional work, Joshua is a distinguished instructor of cybersecurity at several renowned universities, imparting valuable skills and expertise to students. He's currently pursuing his doctoral degree in cybersecurity and is also an active community volunteer in the Northern Virginia area.

[00:00:42] Joshua joins us to help understand the intersection. Between Zero Trust and AppSec. We talk about what Zero trust is, what are some of the challenges, what are the things that work well, and then we also dive into what is the role of the application and ultimately application security in Zero Trust. We hope you enjoy this episode with Joshua Wells.

[00:01:08] hey folks. Welcome to another episode of the Application Security podcast. This is Chris Romeo, c e o of Curve Ventures and co-host of said podcasts. Also joined by my good friend

[00:02:04] Robert. Hey, Robert.

[00:02:06] Robert Hurlbut: Hey, Chris. Yeah, Robert Hbi and I'm a principal application security architect at Aquia. Also focused on threat modeling. and always interested to talk about some interesting new topics in cybersecurity that we don't always touch on, and, and today is, is gonna be one of those days where it's a new, new topic for us.

[00:02:26] Chris Romeo: Yeah, new topic and, uh, let the record show that this is the first time I think I've ever worn a collar on the application security podcast. So for those people watching on YouTube, yes, I do have a shirt with a collar. I do own more than one, and I did in fact happen to be lucky enough to be wearing it. Today. So with that, let's, uh, welcome our guest, Joshua Wells and, and Josh, we just throw people in the deep end here. We don't believe in like, you know, a lot of warmup questions. There's no softballs here. Let's jump right into your security origin story. So how'd you get into

[00:02:59] security? Take, take us as far back into your history as you want to go.

[00:03:03] Joshua Wells: Oh man. Uh, first of all, it's definitely a pleasure to be here, Robert and Chris. Thank you guys so much for having me here. Um, woo. I'm trying to figure out how. How far back I actually wanna go. Uh, I'll start at high school. Um, I, I think that's a, a pretty good starting point. Um, so started in high school. I was a very, uh, dominant football player.

[00:03:23] Um, you know, not to brag on myself too much, but I did at one point lead the state of Virginia in rushing. Um, I've always been a football fan. Um, And I had aspirations of going to the N F L. Um, unfortunately, you know, through college, through injuries and certain scenarios that didn't pan out how I wanted it to pan out.

[00:03:43] Um, so at that point I was left. Um, Uh, with the fork in a road, right? In terms of, you know, making a new career for myself or just trying to still go the football route, which obviously you only know, you, you get a small window to actually make it to the next level. Um, so from there, I've always been interested in tech.

[00:04:02] Uh, I was that individual where in high school, you know, I would create websites and, you know, I would, you know, put my friends, I poke my friends on the website with some goofy hair. You know, goofy mask or et cetera. Um, but I've always had a passion. And from there, um, I had to make the decision to pivot.

[00:04:22] And now my, my wife now, but at the time, uh, she was my girlfriend, she definitely gave me the motivation and she gave me the backbone to really, um, dive into this space in terms of cybersecurity and especially just pivot in going to a new direction and something that I've always been passionate about.

[00:04:39] And a lot of the times you don't really understand how passionate about your, uh, that you are about something. Um, until. The number one thing you're passionate about is actually script from you. You know, so that really creates resilience, uh, pre perseverance and et cetera. So from there, I dived into cyber security.

[00:04:58] You know, I started off doing small contract jobs, it help desk it, you know, project coordinator jobs. And then from there, I, it was pretty much a self-study route. Like I, I would break down, you know, operating systems such as Windows, you know, Whether, whether it was a Dell, any type of pc, I just wanted to learn every component of it because I was the type of organ, I was the type of individual if where, if I'm going into a space, I wanna know what a hundred percent and I want to bring everything to the table as far as what I know and dive in there a hundred percent.

[00:05:31] So from there, uh, just really built up. I learned different types of processes, uh, methodologies, and I've always been big on security when it comes to securing devices, um, securing operating systems. And from there that's where I started to get into engineering. And then from engineering, I started to go into cyber security and then cyber security.

[00:05:49] I pretty much went through that intermediate level and worked up. Uh, to a director and then worked up to obviously lead positions and et cetera. So that's pretty much how I got started. Um, and honestly, just pivoting from football, I always had that hard work and that integrity to, to, you know, help me go forward, help myself go forward and really dive into a new,

[00:06:10] uh, career field.

[00:06:11] So, uh, that's pretty much me in a nutshell. And, uh, you know, here I am

[00:06:14] today, so,

[00:06:16] Chris Romeo: Yeah. And as we were talking before the interview, I have to add a question here that we didn't discuss, and that is, how'd you get the nickname Cyber Steve?

[00:06:26] Because that's a pretty cool nickname. And I, and I wanna know the, I wanna know

[00:06:29] the origin story of Cyber Steve.

[00:06:32] Joshua Wells: So the origin stories of Cyber Ste, I would say it probably happened about six years ago. So my wife, so I walk around the house and, you know, I'm, I'm a, I love to watch sports, I love to, you know, work out. I like to, you know, just, I like to do, I. Activities, like, you know, activity, outdoor activities. I like to do activities inside.

[00:06:51] Obviously I love being on my computer, but anytime on my , anytime when I'm on the computer and I have glasses on, she's like, man, you look like Cyber Steve. You look like you're about to hack somebody or something. And then from there it just turned into the whole nickname. But Cyber Steve. So when I take my glasses off, I'm me.

[00:07:08] But when I put these on, I'm in front of my

[00:07:10] computer. She calls me Cyber Steve. So

[00:07:12] that's a

[00:07:13] Chris Romeo: it's like

[00:07:13] the opposite of

[00:07:14] Joshua Wells: There we go.

[00:07:15] Chris Romeo: like Superman, what was his name? What's Superman's name? Not uh, Clark Kent. So Clark Kent, when he wears the glasses,

[00:07:23] he's not the superhero, but when he takes them off, that's when he becomes a superhero. So like you're the opposite though. You put them on and you become a cyber

[00:07:31] superhero.

[00:07:31] Joshua Wells: A hundred percent. A hundred percent. They're not ready for it. They're not ready for it. Anytime I'm, I'm on a meeting. I put these on, they already know what time it is, so.

[00:07:42] Oh man. Yeah. But that's the origins of it. For sure. For sure. So it's, it's uh, something that stuck around with me like throughout, um, the duration of my career

[00:07:51] to this point. So absolutely.

[00:07:54] Robert Hurlbut: Excellent. So Joshua, So thanks again for, for joining us today. Uh, you know, I, you and I got in touch and we reached out and, uh, one of the things I noticed is that you have a passion for zero trust, which is, as we mentioned a moment ago, is a topic we haven't talked about on. Our podcast. And so we, we wanna dig into that today, uh, for our listeners.

[00:08:16] So if you could help us, what is Zero Trust? How do you define it?

[00:08:22] Joshua Wells: So I would label zero Trust is. Trusting, but verifying. So a lot of the times when you're dealing with, uh, you know, information technology, and nowadays cybersecurity, we have different conditions in terms of whether we trust a specific person or a specific device to gain access to specific resources.

[00:08:41] Right? And zero trust pretty much eliminates all of that. So, for example, if I'm working or, or walking into an organization, if I wanna have access to this computer, I now obviously have to, um, authenticate, but I have to verify on every different level. I no longer have special permissions, right? So if a machine is on the network, that machine isn't granted access to a specific, uh, area or perimeter based off of its like history, right?

[00:09:12] considering everything a threat, and you have to successfully authenticate regardless of who you are, how long you've been here, or what you've run to the table or the primary use case. So pretty much in a nutshell, it's trusting, but verifying at the same time. A lot of the times when you're dealing with, uh, organizations or like, uh, organizations that pretty much have a legacy mindset they're dealing with.

[00:09:34] Individuals are d dealing with devices that maybe have conditional access depending on who they are, whether you're a system administrator, um, or whether you're a server. Okay, we don't have to put this server behind this firewall, or we have a firewall behind there, but this server communicates with this, uh, firewall communicates with this operating system.

[00:09:52] But no, it's on every, at, at every level. We're trusting, but we're verifying. So there's no longer any conditions. Um, In between that says, Hey, like I need to talk to this, or I need to gain access to this. Okay, you, we trust that you have the right intent, but we also need to understand and what that understanding comes authentication.

[00:10:13] So pretty much in a nutshell, that's what Zero Trust is and uh, it's becoming very, very big to a lot of Go government organizations. Um, and I think, uh, majority of them, if not all have to. Uh, follow that specific framework and guideline, and I think they have a deadline by the end of 2024. So you see a lot of these government agencies quickly adopting to that methodology.

[00:10:36] And I would say it's based off of a lot of the frameworks that I've worked with, whether it's ns, c i s, SOC two, et cetera. Um, this is definitely one of the dominant ones and it's taken me by surprise, and that's why I'm

[00:10:49] so passionate about it.

[00:10:52] Chris Romeo: so with zero trust then. I primarily think of network architecture is, is what, what conjures in my brain when I think zero trust? Do I have to throw out everything I have? Like does zero trust start from scratch or can I, can I, can I upgrade to zero trust without rebuilding my entire network from scratch?

[00:11:19] Joshua Wells: Yes, absolutely. That's a great question. So there's three phases you can take. There's a traditional and there's an advance and there's an optimal So, You know, as an architect, the first thing I would say is, let's see what's already existing in your environment, right? Um, if you have an antivirus solution, right?

[00:11:36] I, it's, is that something that we can leverage and automate to detect certain activity or detect, um, certain suspicious uh, behavior, right? Um, do we have a V P N is con, is that configurable? So really just assessing and seeing what we actually have in your. Infrastructure in tuning that and configuring that before we bring in more security tools.

[00:11:56] Right. Uh, based off of the traditional level, as I mentioned, there's three different levels. There's traditional, there's advance, and I think the last one, the most automated one is, um, uh, I think that's optimal at the moment. Um, But let's just say traditional is probably the easiest, right? So let's just say if it's something password based, password or multifactor authentication has to be there at a minimum, right?

[00:12:22] But let's just say, uh, on an optimal level, it has to be continuously evaluated. Maybe, uh, That information is logged into a sim, et cetera. It has to be more in an automated fashion, it has to have more eyes, more ears and et cetera. But I would say a lot of organizations just starting out, you do have the option of starting as a traditional, um, at a traditional level opposed to going more advanced or more optimal.

[00:12:45] So that's the benefit about it. And I think once they actually started, um, thinking about forming this whole, you know, methodology, . Um, I think they took that into consideration. And the, the funny part about it is a lot of organizations are maybe more compliant than what they think they are. Um, , you know, if you're working with Ns, if you're working with c i s, if you're working with all these different types of, uh, you know, regulations and methodologies, you have to have some type of structure in place, or you're probably a little bit more advanced than what you think you are, right?

[00:13:18] So if you're adhering to. You know, having VPNs and, you know, having a sim, you know, or having a SOAR where you're actually responding to certain security events in an automated fashion, you probably have a, a more advanced security approach than other organizations, or you're probably further aligned along that you actually.

[00:13:38] Thank you are. So I've worked with agencies where they're like, oh man, you know, we're probably about 85% compliant in this area and we didn't even know it. So that's what zero trust is meant to actually be. Sometimes it's just turning 'em on a button. Sometimes

[00:13:51] it's bringing in new technology. So it

[00:13:53] really all

[00:13:54] Chris Romeo: So they, so

[00:13:54] there's there's already, So there's, there's some of the pieces that I have, I likely can reuse and you can provide some other things on top of a foundational layer, assuming I haven't completely neglected security from end to end. Um, so

[00:14:10] I have something that, that it's, it's

[00:14:11] not gonna be a total tear out.

[00:14:13] So another, another, I want to,

[00:14:15] as somebody, you, you've thought about zero trust a lot more than I have, but. So I wanna get your take on this because I think I was, I think I've been confused about Zero Trust early on in the days of Zero Trust. I read this paper that Google had on Beyond Corp. which was their kind of zero trust enterprise architecture. And the thing that always caught me, and I think I accidentally attached this to all Zero trust and so I want to get your take on this, but, but Google's beyond corp. They're, they're, and this is what Google runs inside of their production in, inside of their offices and everything. Like it's how they do it. Everything is internet accessible, everything is public IP addressable. All the devices are so that like, and I p V six I believe as well. So like, So is that, does, does zero trust in, in the way that you think of it? Is that the same thing? Is zero trust equivalent to everything is on the public internet and has a public IP address, or is that just Google's flavor of zero trust?

[00:15:18] Joshua Wells: Maybe Google's flavor and there's a lot of, uh, nuances probably included with that. I would say, uh, Maybe they have a set of public servers that people need to quickly access, but maybe that the information on those servers are not as, Intense in terms of sensitive or maybe they have justifications in place for it.

[00:15:38] Because even from a traditional level all the way to an optimal level, again, the optimal level is more automated fashion. Uh, fashion. It's more advanced. It's more of, okay, we are tracking, we are authenticating everything we can, we are not letting anything get out of sight. Oppose to traditional, just showing that, okay, this is what we have in place.

[00:15:55] This is the best practices that we have with our security tools and this is what we're actually doing. Um, I think there's so many different ways to address zero trust, and even from, you know, having servers exposed to the internet. What's on those servers? Are those servers st. Right? Are we, are we in compliant with certain, you know, rules and regulations?

[00:16:16] As in terms of ns, does it cross over to like, ns, you know, 853, um, security controls, right? When dealing with privacy? So there's a lot of conditions that are actually involved, but, um, , you know, before the mandate. A lot of organizations probably practice zero trust, but if they're not doing business with the federal government or they're not man mandated to actually being compliant with Zero Trust, that's probably a completely

[00:16:41] different story in terms of that.

[00:16:43] So,

[00:16:43] Chris Romeo: And, and the more I'm thinking about it,

[00:16:45] the more I'm

[00:16:46] remembering like. When Google's Zero Trust This Beyond Corp stuff came out a long time ago. I don't remember what year it was, but it was really early in the Zero Trust conversation. And I'm remembering

[00:16:57] there was something called borderless Networks I think back in those days too. And so, cuz I think goo Google's idea was we wanna prove that we can put all these devices on the public internet for our employees to do their jobs and the nobody can get into it.

[00:17:14] Because it's, it's so solid and so locked

[00:17:16] down. But I think, I think what's happening though is I'm interpreting a little bit of what Google's doing as being the bare bone zero trust.

[00:17:26] And I think, I think I'm accidentally mixing a few things together here. Um, but you're helping me work

[00:17:32] it out.

[00:17:33] Joshua Wells: No. A hundred percent. A hundred. And and the thing is a lot of, you know, Google I would say is a creative organization. They love to pretty much, They, they love to adhere a certain, um, you know, r rules and regulations, but they also like to prove that they're actually capable of doing certain things at the same time.

[00:17:51] So I've noticed that, uh, with a lot of, you know, you know, different types of industries and maybe Google being one of them, where they're probably like, okay, we'll test zero trust, but maybe we'll stretch it out a little bit to see what we're able actually capable of doing. So very, very

[00:18:05] interesting

[00:18:06] Chris Romeo: Yeah. So back to the regularly, uh, regularly scheduled programming here. Um, when you think about Zero Trust, I heard you mention authentication as one piece. What are the, what are the other main pieces of Zero Trust outside of authentication?

[00:18:22] Joshua Wells: So I would say authentication is pretty much that's going to be at each level. So, I think they break down five models, uh, modules. I think it's, uh, identity device, network application and data. So data and transition, uh, data at rest. We wanna make sure that encryption is emphasized on each level and whoever needs to have access to that.

[00:18:45] Needs to successfully authenticate, whether that's a device or whether that's a actual person. Um, you know, when you're dealing with identity, you're dealing with, uh, IM controls. When you're dealing with device, you're dealing with, you know, probably, uh, mobile device management. Mobile application management.

[00:18:59] You're dealing with compliance of operating systems. Um, another example I can give with that is, um, bring your own device versus company owned, you know, cell phones. Right. Um, The, the biggest hurdle has been if I have my own device, how can organizations make sure that if I'm trying, if I'm attempting to get their resources, how am I actually remaining my compliance?

[00:19:25] A lot of that is through m a m, which is mobile application management, and that's a form of zero trust. Um, if I wanna have access to this container, let's just say it has Microsoft Word. Let's just say it has Microsoft Outlook. I need to make sure that my device is in compliant. Maybe that's password requirements.

[00:19:42] Let's just say, uh, you know, nine or 10 password, uh, characters with. Uppercase, lowercase, special character. Make sure that my, uh, based off of the operating system, let's just say I have regular iOS, uh, updates, maybe the latest updates, and let's just throw another. Restriction out there. Let's just say, uh, I gotta make sure Bluetooth is off.

[00:20:02] So make sure at a minimum if I'm gonna use this applications, I have to make sure that my phone is in the correct standing to actually access these resources opposed to, you know, organizations just managing my phone. So that really just shows the flexibility in between. How we can enforce zero trust with mobile application management versus mobile device management.

[00:20:24] So there's a lot of ways to deal with it. Um, but I, I really like CISs, uh, guidelines and that's pretty much how they break it down in terms of those five pillars, which is identity device, network, application, and, uh, data. So,

[00:20:41] Robert Hurlbut: So,

[00:20:41] so thinking through that, uh, a little bit, um, for, for an organization when they're, they've heard the mandate. Now, as you mentioned, government certainly has received a mandate from the executive order and, and, uh, and through certain, uh, agencies saying, we, we've gotta do this now. But for other organizations outside of the government, what are some of the advantages for them to take a look at and start taking a look at? um, zero trust for example. I've seen, uh, financial, uh, start to look at it. I've seen healthcare start to look at it as well, but what, what are some of the advantages?

[00:21:17] Joshua Wells: I would say, number one, staying ahead of the game. So for just even for business purposes, like, uh, If you're adhering to the latest methodology, whether you, you deem it as something that's, uh, efficient or not, um, you're staying ahead of the game in terms of business. You know, we, you see a lot of organizations, you'll say, okay, are you uh, certified in this, you know, ISO certified, you know, are you certified in these areas?

[00:21:41] And you just increase opportunities by making sure you're actually in compliant with these new rules and regulations. And number two, I would say, um, it's a, it's a very in-depth framework, you know, um, A lot of the times, um, organizations think that Zero Trust may just be accomplished by a security tool, but it's not a security tool.

[00:22:01] It's a mix of different security tools and it's a mix of processes all combined to one. You know, um, obviously one security tool can do more than the other. Like one is Zscaler, which is a very. Complex, robust, really, really great tool. And maybe that can accommodate for maybe 60% of your problems in terms of zero trust, but you still need other processes.

[00:22:22] You still need other security tools. But I would just say, um, in terms of that, it, it's, it's adaptable. You know, it's adaptable if you are zero trust, uh, I would say certified or compliant in that area. Majority of the time you're gonna be in compliant with ns. Uh, whether you find follow NS guidelines, ISO c I S, or whether you're just going through a SOC two audit or something, you're gonna have those, you're gonna have everything in place that you need to.

[00:22:47] So I would say even if you're just a new company looking to create a solid baseline, starting from the very, very top, um, my opinion was, was zero trust is, is really, really great. And, uh, you know, You would think I'm a a zero trust ambassador , but I'm not. But I, I, I really believe in that methodology and it's, uh, really, really a great approach to take, especially for business purposes.

[00:23:10] So,

[00:23:11] Chris Romeo: Mm-hmm. .All

[00:23:12] right. So,

[00:23:13] we talked about the positive side. I mean, we're security people. Let's just jump right to the negative. Like what's the, you know, what are the

[00:23:20] challenges here? Why my users are gonna hate this? I can already tell that's that's one challenge. I'm just guessing, because basically they're not gonna be able to get into stuff that they used to be able to get into, and I'm gonna have to teach them how to. get into new stuff using new procedures, and they're gonna hate that even more than the previous thing that they hated or whatever. So, but what, what else are, what else are the big challenges on your mind when you're thinking about a deployment of Zero Trust?

[00:23:45] Joshua Wells: No, I think you mentioned some great points, Chris, in terms of like testing and breaking things, that's always gonna be number one in terms of creating pilot, pilot, uh, A pilot environment or a pilot, um, account for users to actually test out some of these, uh, capabilities and features. Uh, but I'll also say number two is going through this, you realize what you actually don't have.

[00:24:06] So, , if you're going through this process, let's just say the first thing I like to do when going through a zero zero trust audit. Is to assess, um, what we currently have in our environment. And it, it's a eyeopener in terms of, man, we need more stuff, man. We need to really increase our processes. We really need to increase our, uh, the security tools that we actually have in place.

[00:24:25] So it's a eyeopener in terms of what you're actually probably not doing better. And, uh, just from my experience, just working with organizations that's really created a lot of, um, it, it's created a lot of. urgency in other areas. So maybe if we're working on Zero trust, they're like, okay, like I know that going through this process, it opened up my eyes to us needing, uh, maybe a different firewall over here.

[00:24:49] Let's go ahead and focus on this project. So it opens up a lot of areas in terms of if you don't have things existing, it, it may be really, really, um, Costly. You know, if you don't have security tools, turn turned on. But I've been, I've come across a lot of organizations where they have a lot of security tools in place.

[00:25:07] Some of 'em actually being redundant where it's just like, okay, this worked out to your advantage to actually use it and compile everything together. So I would just say the growing pains that I actually introduce, um, and I would say like the testing. Phases that come along with it are really, really big.

[00:25:23] And, uh, they can, they can really become exhausting, especially if we're working with a small team. Um, I've worked with, uh, small teams and large teams when it comes to implementing zero trust. Obviously the, the larger the team, the more you can get done. But the smaller the team, it can really create a lot of, uh, stress.

[00:25:40] It can create a lot of, um, You know, I would say just exhausting in terms of manpower and getting things done, especially on a day-to-day basis. So I would say that those are probably some of the biggest concerns when implementing a framework, uh,

[00:25:56] as robust as this.

[00:26:01] Robert Hurlbut: Yeah. And I've, I've seen similar, uh, and you probably have too in terms of, you know, this is a great idea, but it, it's It's tough.

[00:26:08] It, it, it's not, it's not, um, out the box

[00:26:11] type of, of easy thing that I can buy and implement, and it's done. type of thing. Uh, so one area that, you know, we're focused on application security, uh, here on, on the podcast, uh, we haven't heard a lot about zero trusts and the app, so AppSec side or application developer side.

[00:26:30] But, um, I wonder if you could, uh, help us understand from an application developer, what are some things that they might take away in terms of how will this impact their work? moving forward. Do you have some thoughts or ideas on that?

[00:26:45] Joshua Wells: Yeah, abs. Absolutely. Um, so even with dealing with the five pillars, I know we mentioned the device and, and the other ones well, application. Is actually one of them. And if you're a DevOps ops guy and you're working in, let's just say aws, you're working in gcp, you're managing some type of, um, application that's embedded on the container, you have to make sure that that application is secure.

[00:27:07] And a lot of that ties into zero trust. Um, so let's just say you have your own application that you've built. Um, it's, it's inside a gcp. A lot of that ties into zero trust in terms of monitoring. So if we're dealing with applications, a lot of the times we're probably dealing with brute force attacks, right?

[00:27:27] Somebody trying to, uh, compromise the, the, the system using, you know, certain credentials or somebody trying to, um, execute some code, right? So we need to make sure that we're actually monitoring that. And that's why I feel like to me, application security. Uh, tied with zero trust is probably one of the biggest areas, right?

[00:27:48] Um, Gcp, they have a lot of great security in terms of monitoring, but obviously, you know, we're working with Sims Nowaday, we're, we're working with Sims or we're working with sos. And if we can leverage that to actually monitor, to automate certain security alerts in a, in a certain fashion, that will definitely be great.

[00:28:05] But the more I see DevOps, Um, working on applications, depending on what organization I'm working with, the more I'm seeing the need of a sim, the more I'm seeing the need of security, whether it's code related, whether it is just the, the basic interface with just logging in the everything well-rounded ties in the zero trust in terms of, uh, application management, application security, and, uh, making sure that the correct, uh, cybersecurity hygiene of that application is, is being managed.

[00:28:37] So,

[00:28:41] Chris Romeo: So when we think about. Areas of focus that an AppSec person should look at. So let's, lemme give you an, let me give you a scenario and how would you advise someone as an AppSec person when they're coming into a zero trust? So let, let's imagine that, um, we did a zero trust implementation. Primarily NETWAY was network related.

[00:29:07] So we've got all the, all the pieces, we've got authentication, we've got authorization, we got logging, monitoring, all those types of things happening. And now we've got a new application that development wants to deploy new internal applications. So it's not, not on the public internet, but it's, it's an internal application that's part of our, our, our environment inside the company. What are the things that you would tell you would advise me as an AppSec person? That are specifically in the realm of zero trust. You know, like, so not, not things like owas top 10, a p i top 10, you know, looking at potential secure coding flaws or whatever. But from a zero trust perspective, what should I be investigating with with an a new application?

[00:29:52] Joshua Wells: A new application. I would just say at the ground level, can anybody get access to this? What are the potential connection points in terms of how is this application communicating? And from all of its communication points, is it secure? Right? Um, are we dealing with APIs? We dealing with certain access controls because everything pretty much ties back to encryption or authentication, you know, what's being encrypted.

[00:30:20] Is any information being encrypted from the application level, whether it's, you know, specific servers or, uh, in, within the outside world or, or whatever. I would say those are the main points we gotta touch on in terms of not everybody should be able to communicate with this application. Not everybody should be able to access this application.

[00:30:38] And how are we actually creating roadblocks where, okay, let's just say I've been out of the office for three months or something, right? And I wanna access this specific application. What, what rights does it give me to actually try to access this? Is it gonna successfully, uh, force me to authenticate, um, am I gonna be able to reach out to Joe to reset my password?

[00:31:02] All of these things that, these are all the things we should be thinking about in terms of application access. And even what our application is, is, is connected to, uh, let's just say it's, it's. It's a little bit more layer too. So we're not just securing the application, we're securing the GCP environment or the Azure environment,

[00:31:20] whatever is actually existing on.

[00:31:22] So it goes so deep into that in terms of we're securing it at the application level, we're securing at, at the hosting level, and we're making sure that whatever it's communicating to at every point, if, if it's connected by API and it's doing specific API calls, um, , where's that being detected at? That's being detected maybe by a sim unauthorized API calls UN or un, excuse me, unauthorized, um, activity by your APIs.

[00:31:51] So really just digging into each layer and asking those, um, those top related question in terms of. You know, if I'm dealing with an application, what, what is it communicating? Um, and who has access to the application itself? So just dealing with those questions, I would say, in a nutshell, would be the first thing we can approach opposed to even dealing with like mire frameworks or Owas top

[00:32:13] 10.

[00:32:13] So,

[00:32:14] Chris Romeo: Mm-hmm. .So,

[00:32:16] as I'm listening to you talk about applications in a zero trust environment, it's making me think that my favorite type of access control would be a good fit. Inside of a zero trust environment. So my favorite type of access control at attribute based access control, just because you mentioned that scenario where like somebody's been outta the office for three weeks and the system should know that the system should, should, flag a particular authentication slash authorization request if somebody's been away for a while. and that, so that becomes not the norm anymore, becomes this person's now outside of how the policy is. And so have you, I mean, have you had any. Any kind of interactions with attribute based access control in a zero trust environment where like I can set a policy that says, Hey, Robert should be able to access these applications from nine to five from these coordinates, which happened to be his office, for example, in a government agency somewhere, but as soon as five o'clock rolls around, that policy no longer lets Robert access a particular thing.

[00:33:26] So how does that play out in your world of, of zero

[00:33:29] trust?

[00:33:29] Joshua Wells: Yeah, absolutely. Um, so I've configured those settings in a sim and I've configured those settings through Microsoft. So for example, in Microsoft, you can set a specific threshold of if this person tries to access X amount of files, I wanna get an alert. I. And it's gonna alert me, it's probably gonna send it to my email or even just route that information over to a sim.

[00:33:50] But the beauty of it is a lot of the technologies that we leverage today already has a lot of these capabilities built inside of them, especially if you're dealing with the soar, which is more of a automation and response. If he were to touch that, it would automatically, automatically flag, and depending on the sim, it would automatically block him from, from actually trying to execute that.

[00:34:10] So there's so many different technologies that uh, actually block that very similar to maybe like D L P rules, um, where you can actually set certain permissions, cert set certain, you know, thresholds, so that individual. Um, let's just say he wanted to go on vacation and any time between, let's just say 5:00 PM tonight to next, uh, Monday, if there's any activity going on with his account, we need to be alerted.

[00:34:35] Um, we can even flag his account in, uh, our sim or our, so, so any suspicious activity or any activity as a whole will be alerting on there. So I would say there's many ways of doing that, which is leveraging different technologies and I've leveraged Microsoft to do that. I've leveraged even, uh, AV products to actually do that.

[00:34:54] Um, but the most seamless way for me, um, it was actually leveraging a semio, uh, whether it's log rhythm or whether it is, it was Sumo Logic, uh, which is one of the, um, better ones that I've utilized on the market, uh, today. So,

[00:35:11] Chris Romeo: So as we, uh, come towards the conclusion here of our, our. Dive into the deep end of the Zero Trust pool. Um, luckily we had you, Josh, as a, uh, lifeguard

[00:35:22] Joshua Wells: Thank

[00:35:23] you

[00:35:23] Chris Romeo: swim in the, in the deep end

[00:35:25] of the zero trust pool. What would you say are, is a key takeaway or let's do this, let's do, gimme a key takeaway first and then we're gonna come back around cause I got another question about call to action, but specifically key takeaway if, if you could only, if we could only. If folks are only gonna remember one thing coming outta this conversation, what's the thing you want our application security focused audience to remember?

[00:35:48] Joshua Wells: I would say adopt, uh, to the technology at hand. Um, Application security is so big to me because, uh, everything that we try to execute or everything that we leverage on a day-to-day basis includes applications. And a lot of the times we only see just the front interface of it in terms of what's going on.

[00:36:08] But there's so much that needs to be monitored on the back end. Um, You know, I always compare like Facebook or you know, Instagram, like, these are all great robust tools, but what are the security, uh, elements involved in there? Like, you know, just thinking from a DevOps perspective or security perspective, all of this ties into zero trust in terms of how are we protecting it?

[00:36:29] Um, you know, how are we getting notified on it? Um, alerting. And just all the different types of security components that go along with it. And I would just say my, my takeaway and my recommendation is don't be afraid to, you know, adjust with the times when it comes to security. Um, Security's forever changing.

[00:36:48] There's gonna be new tools, there's probably gonna be new tools next month to tomorrow, who knows new methodologies. And, uh, this stuff really, really excites me and my job is to really know the ins and out of every methodologies that's to release, to figure out how we can create a better world and, you know, secure our organizations and our most valuable asset, which is our data.

[00:37:10] You know, so that's definitely my takeaway

[00:37:12] and, uh, my recommendation.

[00:37:14] Chris Romeo: Okay. So as far as a call to action, so let's, let's just assume that most of our listeners are relatively new to Zero Trust. And they probably read some articles, but they haven't really done any deep dive into Zero Trust. Is there one place that you would send me as a newbie, zero Trust person, where would be a good place to start?

[00:37:36] Is there something I can read? Is there something I can watch, something I can listen to? Like what would be your, what would be the first reference, first thing you would send me to, to get me started in Zero Trust.

[00:37:48] Joshua Wells: So the first thing I will send you is I would definitely recommend going to C'S website in terms of scrubbing. Like their zero trust architecture is very detailed in terms of how they break it down. And, um, number two, I would send them to me, . Um, I also do consultation on the side in terms of, uh, helping people become aware of their ecosystem and organization and figure out ways to actually enhance their security posture.

[00:38:13] I. Um, as I mentioned before, at the very, very beginning, I, you know, I had a different route getting in, breaking into cybersecurity, um, and I want to help other people reach that same level of success of, of where I was able to, to reach and, you know, keep going even from there, you know, and, um, I would definitely recommend that they, uh, reach out to me.

[00:38:34] Uh, my website is actually called, uh, cyber vault solu cyber vault solutions, uh, dot com. And, uh, you can book a session with me if you have any, uh, zero trust questions, um, or just any consultation questions regarding anything cybersecurity architect related. Um, I would definitely be more than glad to, to sit down with you and, and talk with you, uh, about how we can actually, uh, break that down.

[00:39:01] Chris Romeo: Very good, Joshua, thank you, uh, for sharing your. Zero trust knowledge in helping us connect it to application security. Um, Joshua a k a Cyber. Steve,

[00:39:14] Joshua Wells: Thank you

[00:39:14] Chris Romeo: thank you for, uh, Thank you for

[00:39:16] taking the time here. We appreciate it. Um, definitely learn some stuff from you about, uh, how zero trust comes together. I'm gonna dive even deeper into it to try to. Try to learn more about the connection to the applications and the application security side, but you certainly gave us a good, good foundation to build off from right there. So thank you very much.

[00:39:35] Joshua Wells: Absolutely. Thank you guys. Thank you, Chris. Thank you, Robert. It's been a ultimate blessing being on here. Thank you so much for having me.