Unpacking Contextual Security Analysis with DryRun Security's Ken Johnson
Hi Cloud Control Readers 👋
Grab a coffee and settle in—I just had a fascinating chat with Ken Johnson, the brains behind DryRun Security (more formally known as the Co-Founder and Chief Technology Officer). Ken gave us an in-depth look at Contextual Security Analysis and its practical applications in today’s software development environments. We explored how this approach is reshaping traditional security testing and discussed strategies for weaving security more naturally into the developer’s daily workflow. If you’re keen on the latest in cybersecurity and application security, you’ll find plenty of valuable insights in our conversation. Keep reading for the full interview👇
P.S. Was this email forwarded to you? If so, sign up to receive Cloud Control interviews delivered to your email each week here.
Ken Johnson, Co-Founder and Chief Technology Officer of DryRun Security
Question 1
Ken, I’m excited to have you here! You started your career at GitHub on their Product Security Engineering team, and have now launched DryRun Security - which is incredible. What led you to pivot from leading internal security code reviews to launching a startup? What opportunities did you see that kicked you into action?
Answer 1 🎯
Great question! My career started almost 23 years ago when I joined the Navy as an IT. But, my first “real job”, in terms of application security, was at the Pentagon about 16 years ago. Since then, I’ve bounced between consulting, and internal defender positions at places like Fishnet Security, LivingSocial, and more.
You mentioned GitHub, and this was really the place that forged in my mind the need for a broader style of security analysis. At GitHub, we faced the same challenges as many other development organizations. One of those challenges was around how we tend to perform our due diligence in the initial launching of a product and we can say the application is fairly secure at that point in time. However, as code changes and the application evolves, issues get introduced. When that happens, in a best case scenario, we get reports from internal and external sources telling us about those issues. The incident response process starts, tickets get filed, etc. etc. But what’s the reason?
As I mentioned earlier, during initial delivery of a new application, humans perform many complex design and review tasks but when we talk about incremental code changes, the reality is that we security people just don’t tend to have the bandwidth to do this. Instead, we rely on tooling that most of the industry agrees is a “best effort” with many flaws in its results. We use SAST and SCA as our canaries in the coal mine and that’s about it. Two data points.
Some modern AppSec programs (like what Chime’s and Reddit’s teams are doing) have begun ingesting other data points like container scanning and custom rules from something like Semgrep and other tools but I have yet to see anyone bringing in more categories of information, some that might even be classified as “threat intel”.
The reality is, we have a lot of data available to us about who, what, and where things are changing that can be used in determining risk but those data points often go unused. Our goal, and one major reason I co-founded DryRun Security with James Wickett is to surface true risk using a multitude of factors. We call it Contextual Security Analysis (more on that later).
Question 2
Over the years, you've trained over 10,000 developers on security testing and code reviews. What are some common misconceptions about security you see across developers? What’s DryRun’s approach to tackling these misconceptions?
Answer 2 🎯
Another fantastic question. Training people is my passion. Thankfully I’m still able to take time out of my CTO role to provide this training because it really is something near and dear to my heart. We’re not necessarily trying to solve this particular problem at DryRun Security but one misconception I see, especially with code reviews, is that we’re trying to catch EVERY vulnerability possible during a review. Granted, I’m sure there are times when we’re talking about a super narrowly-scoped, artisanally hand-crafted, incredibly high paying engagement where you can take all the time in the world to thoroughly review every line of code… I just haven’t been involved in one in 16 years of doing this.
So for all the rest of the reviews, which make up the vast majority of reviews any of us will ever do, you have finite time and finite resources to accomplish the engagement. In this case, you need to take a very risk based approach to your reviews…. Ok I take that back… maybe this is EXACTLY what we’re trying to solve over here at DryRun Security. Jokes aside, you have to take a risk based approach and use a really disciplined approach both in your note-taking and following of the methodology. It is very common for folks to start searching for easy wins in the code base, maybe run a tool, maybe chase a few leads, end up with very little, and then wonder how they should spend the rest of their time. I’ve been that person. It took years of doing code reviews to create this methodology/approach. We (my Co-Host of Absolute AppSec and close friend - Seth Law) train people in this very practical approach, based in real-world experience, so they don’t have to follow that same path.
Question 3
The concept of Contextual Security Analysis is quite new. Tell us how this approach differs from traditional security testing methodologies. Does it have any benefits - or drawbacks - for real-time code development environments?
Answer 3 🎯
Contextual Security Analysis utilizes a “SLIDE” methodology: Surface, Language, Intent, Detection, and Environment. The idea is that, while SCA/SAST results are data points that tell us if the code change matches some pattern, those tools do very little to explain any other additional risk factors that might be important to us such as what is changing, who is changing it, and where they are making those changes.
Just as an example, imagine someone who has never committed code to that repo before committing a change. Now imagine they are also touching sensitive authorization-related code paths, they’ve added new HTTP paths, and also introduced a security flaw according to the SAST results. To us, that seems like a risky code-change! You have to be careful to surface real risk and avoid inundating engineers and security people with noise. It is a challenge but I believe we’re perfectly positioned to solve it.
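The scenario in that answer (first-time committer, sensitive authorization paths, new HTTP routes, a SAST hit) combined into one risk verdict, as an added illustration written for this newsletter; it is not DryRun Security's code, and the repository history, sensitive-path patterns, weights, thresholds and diff are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed assumptions: prior committers, what counts as a sensitive path,
# and how a Flask-style route declaration looks in an added diff line.
REPO_HISTORY = {"alice", "bob"}
SENSITIVE_PATHS = (re.compile(r"(^|/)(auth|authz|permissions?)/"),
                   re.compile(r"(^|/)(login|session|rbac)\.py$"))
ROUTE_RE = re.compile(r'^\+\s*@\w+\.route\(\s*["\']([^"\']+)["\']')

# Constructed sample pull request: weakens an owner check and adds an admin route.
SAMPLE_DIFF = """\
--- a/app/authz/policy.py
+++ b/app/authz/policy.py
@@ -10,3 +10,6 @@
 def can_edit(user, doc):
-    return user.id == doc.owner_id
+    return True  # TODO: re-enable the owner check
+
+@app.route("/admin/export")
+def export_all():
+    return jsonify(Document.query.all())
"""

@dataclass
class Finding:
    factor: str
    weight: int

def assess(author, diff, sast_findings, history=REPO_HISTORY):
    """Combine who / where / what / detection signals into (verdict, score, findings)."""
    findings = []
    # Who: the author has no prior commits in this repository
    if author not in history:
        findings.append(Finding("first-time committer", 2))
    # Where: files touched by the change match sensitive code paths
    touched = re.findall(r"^\+\+\+ b/(\S+)", diff, re.M)
    sensitive = [p for p in touched if any(rx.search(p) for rx in SENSITIVE_PATHS)]
    if sensitive:
        findings.append(Finding("touches sensitive paths: " + ", ".join(sensitive), 3))
    # What: newly added HTTP routes widen the attack surface
    routes = [m.group(1) for m in map(ROUTE_RE.match, diff.splitlines()) if m]
    if routes:
        findings.append(Finding("adds HTTP routes: " + ", ".join(routes), 2))
    # Detection: SAST results for this change, one factor per rule hit
    for rule in sast_findings:
        findings.append(Finding("SAST: " + rule, 3))
    score = sum(f.weight for f in findings)
    # A lone SAST hit only notifies; the same hit plus context blocks for review.
    verdict = "block-review" if score >= 7 else "notify" if score >= 3 else "pass"
    return verdict, score, findings
```

The same diff scores differently depending on who submits it and what SAST says, which is the point of weighing context rather than a single data point.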
Question 4
DryRun Security's philosophy of integrating security analysis within the developer's workflow is new and exciting. Could you share how this philosophy has been received by developers and security professionals? Considering this changes the traditional dynamics of code reviews, security testing, and probably more.
Answer 4 🎯
So far, we’ve helped detect PHI/PII before being merged into a code base, detected flaws in code as we developed our own SAST tool backed with LLM technology using a proprietary approach that heavily relies on context about the application in tandem with our own knowledge base, discovered secrets in source code pre-merge, and been visible to the developers in their workflow when this happens, which we’ve been told is incredibly helpful. We are also used by the DefectDojo project, primarily to protect against changes to any sensitive code paths by unauthorized authors. Developers and security teams find it useful if their tool only notifies them when there are actionable results and we’ve been accomplishing just that.
Question 5
You have quite the background in web application hacking and security training. How has your perspective on the evolution of application security threats influenced the design and functionality of DryRun Security's solutions?
Answer 5 🎯
Thank you! I think supply chain attacks and attacks against devops infrastructure are probably the biggest evolution that I’ve seen. When I started, software development and infrastructure management were two different disciplines but in today’s day and age it's not uncommon to see developers performing both roles. As a result, there may be some knowledge gaps in how to securely deploy tooling as well as manage cloud infrastructure.
Supply chain attacks on the other hand have been fascinating to watch. The latest social engineering attack against xz (ssh) is a perfect example. When I worked at GitHub I had the pleasure to work with the team behind npm. They were incredible folks performing a difficult task and the engineering challenges they faced as a result of the very creative ways in which they were attacked was eye opening and impressive.
While we’re not focused on SCA, we do perform a different composition analysis of the applications we were tasked to help secure. With that information, I believe that at a minimum, we could alert on the highest/most critical packages your teams tell us they are concerned about and you could use our inventory (in a future state) to determine which of your applications are impacted.
Read the Full Q&A on Gomboc.ai
What’s New at Gomboc
In the magical land of Silicon Valley, where dreams and code converge, a tale is about to unfold… Imagine a sunny day in the Valley, with Kubernetes on the horizon, ready to set sail into production waters. But, as fate would have it, chaos ensues, and our beloved character, Streamline Willie, finds himself in the midst of a cloud conundrum 🚢💻
Watch Mickey as he goes on a rollercoaster of tech shenanigans, only to be saved by Gomboc 💪
Latest AWS and Azure Updates You Don’t Want to Miss
AWS Systems Manager Parameter Store now supports cross-account sharing
Generate AWS CloudFormation templates and AWS CDK apps for existing AWS resources in minutes
AWS free tier now includes 750 hours of free public IPv4 addresses, as charges for public IPv4 begin
.NET Standard user-defined functions for Azure Stream Analytics will be retired on 30 September 2024
Top Articles and Resources of the Week
Articles
Resources
Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.
The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.
Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.
7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.
Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.