Access Control - Securing the Open-source Future

Securing the Open-source Future

01/12/24 • 58 min

Access Control
Cryptography, Trust, and Open-Source with Filippo Valsorda

Throughout this episode, Filippo offers a comprehensive view of his professional journey in the field, from his initial intrigue with cryptographic algorithms during his high school years to his pivotal role in the Go Team at Google. Key discussion points include:

  • Key milestones in web cryptography include HTTPS, WebPKI, and the impact of messaging protocols like Signal and WhatsApp on end-to-end encryption.
  • Looking to the future, Filippo discusses the importance of transparency mechanisms in cryptography and highlights the need for accountability.
  • Filippo advises against rolling one's own crypto but encourages collaboration and learning with experienced individuals to build a feedback loop for secure implementations.
  • Filippo shares his thoughts on the current state of Certificate Authorities (CAs).
  • Filippo explains the accountability established by transparency in open source and compares it to closed-source software.
  • Security patching is addressed, highlighting the need for a balance between stability and urgency when applying patches.
  • Filippo explains the potential threats posed by quantum computers and the ongoing efforts to implement post-quantum key exchanges in protocols like SSH and TLS.
  • Cryptographic concerns in cloud computing are discussed, focusing on the importance of trust in cloud platforms while acknowledging the shared responsibility model.
  • In a practical piece of advice for improving security, Filippo recommends being deliberate in trimming dependency trees to reduce vulnerabilities.

Previous Episode

From Orange Book to Identity-Native

Access Evolution with Ev Kontsevoy

Access Control Podcast: Episode 20 - From Orange Book to Identity-Native

  • Access control consists of four technical components: Authentication, Connectivity, Authorization, and Audit.
  • Multics, an advanced operating system, serves as inspiration for Teleport's approach to scaling access control. Multics introduced the concept of a reference monitor as a central point for policy evaluation and enforcement.
  • The Trusted Computer System Evaluation Criteria (TCSEC), known as the Orange Book, set basic requirements for assessing the effectiveness of computer security controls.
  • The CIA triad (Confidentiality, Integrity, and Availability) is presented as the foundation of trustworthiness in computing systems.
  • Teleport provides identity-native infrastructure access to servers, cloud applications, and web applications. Teleport's implementation of zero trust involves technical aspects like reverse tunnels to establish connectivity behind firewalls.
  • The concept of true identity should be differentiated from the common practice of associating identity with electronic records or aliases.
  • The use of shared credentials or shared identities across various systems is a common anti-pattern.
  • The state of authorization in current systems is broken, and it's difficult to synchronize role-based access control (RBAC) rules across different layers of technology.
  • The discussion challenges the current emphasis on visibility and audit logs, suggesting that once authorization is properly solved, the importance of observability will decrease.
  • A collaborative and trust-building approach between security teams and engineers is critical. Security measures should not hinder productivity but should be designed to work seamlessly with the broader computing ecosystem.

Next Episode

Security as a Service

Interview with Rob Picard, CEO of Observa, a company that can build and run your security program.

Access Control Podcast: Episode 22 - Security as a Service, with Rob Picard, CEO of Observa

  • Outsourcing security to a provider like Observa can be beneficial for early-stage companies that don't have the budget or need for a full-time in-house security team. It allows the company to focus on their core business while getting the security expertise they need.
  • When starting an engagement, Observa focuses on three key things: addressing urgent goals (like getting SOC 2 certification), creating a plan for the longer-term security program maturity, and managing the ongoing operational work.
  • Common security mistakes Observa sees include companies making decisions based on fear, uncertainty, and doubt rather than facts; agreeing to overly restrictive security requirements from customers; and having a cynical "everything is a dumpster fire" attitude rather than a pragmatic approach to security.
  • SOC 2 is an important compliance framework, but its primary purpose is to provide a way for companies to make statements about their security practices and have them audited, not necessarily to improve security itself. However, going through the SOC 2 process can lead to security improvements.
  • When educating auditors, it's important to help them understand how new technologies and architectures (like containerization, passwordless authentication, etc.) change the risk profile compared to traditional IT environments.
  • The security team's role should be to enable the business to make informed risk decisions, not just to say "no" to everything. Security should be a partner, not a gatekeeper, and the team should avoid glorifying a "no" culture.

  • Outsourcing certain security functions like pen testing, managed detection and response, and incident response can be beneficial for early-stage companies that don't need or can't afford a full in-house security team.
