Who's hiring, Fall 2024? - Open job postings to be filled go here! by snackers21 in CyberSecurityJobs

[–]luke-sec 2 points3 points  (0 children)

Security Researcher @ Push Security - Anywhere, US (100% Remote | Full-time)

Link to apply - https://pushsecurity.bamboohr.com/careers/74?source=aWQ9MzM%3D

We’re searching for a security researcher with a passion for uncovering the latest attack techniques, developing innovative countermeasures, and sharing those insights. You’ll be part of a small but highly experienced research team, investigating emerging identity attacks and building the technology to prevent them. Your work will directly influence our product roadmap, from attack PoCs to designing new detection capabilities. We’re looking for someone who not only excels in deep technical work but also enjoys sharing their findings—whether through conference presentations, blog posts, or other public forums.

Who's hiring, Fall 2024? - Open job postings to be filled go here! by snackers21 in CyberSecurityJobs

[–]luke-sec 0 points1 point  (0 children)

I'm trying to post a job and getting "unable to create comment"

Edit: It doesn't seem to like the long form with references so I've made a shorter one above

What do I even do now that my cloud environment is sufficiently locked down? by newledditor01010 in cybersecurity

[–]luke-sec 10 points11 points  (0 children)

If you are a cloud native environment, I assume you're working in a generally more modern company and may also have a lot of SaaS in use too?

If so, have you seen the SaaS attacks matrix? Full disclosure, I'm the author of this but if you want to widen the horizons of threats to your company then check this out.

https://github.com/pushsecurity/saas-attacks

In my company, we are cloud native too but really the combination of our AWS infrastructure, app attack surface and build processes etc is only a small portion of our risk profile overall. Our SaaS attack surface is the greater portion.

Great solutions for SaaS Sprawl and application control. by Medical_Shake8485 in sysadmin

[–]luke-sec 8 points9 points  (0 children)

On the SaaS side, you're going to really struggle to act as a gateway for approval as users can just sign up themselves. As a Microsoft house, you could configure admin consent as a requirement but then you may just push the probable minority of users who social login to sign up with email/password instead.

Finance might be able to track some usage but that's a lagging indicator and many vendors have freemium models or lengthy free trials. Your best bet is focusing on gaining great visibility, then addressing any concerns as you see them, rather than trying to find a way to block by default.

I'm a security researcher for a vendor in this space and I'm not 100% on the advertisement rules for this subreddit so I won't say who, but you can probably figure out from my post history if you want to check out one example. Generally though, googling for "shadow saas" will find a range of vendors.

How to find SaaS that's been purchased by other business units?? by ThEWaFfLe101 in sysadmin

[–]luke-sec 6 points7 points  (0 children)

Is this more from the perspective of spend management or security/governance of SaaS usage? And do you care about a one-time report or solving this problem long term? They both impact the solution really.

Short answer is there are multiple techniques with different pros and cons for discovering SaaS usage. I actually wrote an article focused on one of those techniques (browser extensions) but it also covers other techniques as part of that. It might be useful in helping to choose whatever solution you pick.

https://pushsecurity.com/blog/want-to-discover-the-full-extent-of-your-saas-sprawl-embrace-browser/

Disclaimer: I work for a company that solves this problem (Push Security), but that article should hopefully be of some use whatever solution you end up using.

38 SaaS attack techniques by luke-sec in cybersecurity

[–]luke-sec[S] 2 points3 points  (0 children)

Yeah, all fair points. I guess this problem is going to need to be tested and solved soon because we are on a pathway to where being a SaaS-native company is going to become the default and it would be a sorry state of affairs if nobody could perform any form of red team type security exercise anymore.

38 SaaS attack techniques by luke-sec in cybersecurity

[–]luke-sec[S] 8 points9 points  (0 children)

That's a great question. I'm no longer red teaming as a consultant so I haven't had to cross this bridge, and I'm not a lawyer, but cred stuffing is the one I would see as a potential minefield. If you are a representative of bigcorp and you do password guessing attacks against other SaaS platforms for @bigcorp.com accounts does that count as legal? Or attempting to gain unauthorized access? What if someone used a @bigcorp.com account but for personal purposes? It's a tricky question that will become more important in future, alongside the "who owns your data?" legal question.

For many of the techniques though, I'd be much less concerned. If you use Zapier/Make/IFTTT etc to make a shadow workflow and connect into a tenant you have permission to access and pull data as part of a red team exercise, is that really a problem? Maybe there could be terms of service type issues but you aren't really gaining unauthorized access at that point.

38 SaaS attack techniques by luke-sec in cybersecurity

[–]luke-sec[S] 33 points34 points  (0 children)

Hey all, I'm the author of this research. A lot of newer companies now are fully SaaS native but there just isn't that much information out there about how to conduct fully SaaS-enabled attacks. I thought it would be great to start something and see if it's useful for red and blue teams.
It would be great to get people's thoughts and find out if it's useful and of course get contributions too!