EP 48 — Chaotic Good’s Johnathan Kuskos on Testing for Functionality, Priorities, and Better Incident Response

In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with Johnathan Kuskos, Founder of Chaotic Good Information Security, a boutique professional services company. They discuss what it’s like to be a pen tester, some of the unusual things found during testing, and how the 15 Minutes Rule helps you not waste time during your testing. They also talk about the tradeoffs of security when it comes to “good, fast, or cheap,” simple ways to determine priorities, and how to strengthen relationships between security and developers.

Topics discussed:

• How security and developers can close divides through better communication and more forward thinking.
• Why security can’t necessarily have an approach that’s good, fast, and cheap, but how they make compromises to have a bit of all three.
• How to determine your security priorities, and how to perform a smoke test to see where security overlaps with other departments to identify those priorities.
• Some of the stranger things found during pen testing, including a git folder on a website. 
• Why vulnerability and exploitability are two different things, and how to assess both.
• How the 15 Minutes Rules can help you assess as much functionality as possible, and why it sometimes exposes more gaps in playbooks and incident response than intended.

Guest Quotes: 

“The thing that makes me accomplish my goals might be a friction point for them and that’s a little bit more of a diplomatic and political conversation than anything else. Do you have a leader in the engineering department who also agrees with my goals? And if not, why is there a disconnect? That is not a technology problem, that’s a diplomacy problem. That’s agreeing on the same principle. That’s being on the same page.” (11:34–11:56)

“The more that you can get the point across that investing in security is a worthy investment — it raises the value of your business, it allows you to have a more mature product — your customers are going to give their trust, whether you’re worthy of it or not.” (14:42)

“It doesn’t help with the divide between security and developers. The main reason we’re having this conference today is about bringing those things together. … We need to get back to diplomacy and figuring out how to communicate more effectively in a way that doesn’t create enemies for us later on.” (3:53)

“There’s no one size solution out there that is both good and fast and cheap. … But I do think that there’s compromises that we can make in some areas of running an internal SOC or providing security assurance guidance to teams that lets us approach center.” (5:22)

“If you’re doing a time-boxed assessment, it is good enough to say, ‘Hey, this is behaving weird.’ Message your point of contact for who you’re performing the assessment for. … The whole point is to identify problems and make them known. And that’s more of a partnership than anything else.” (21:36)