No Result
View All Result
SUBMIT YOUR ARTICLES
  • Login
Thursday, October 2, 2025
TheAdviserMagazine.com
  • Home
  • Financial Planning
    • Financial Planning
    • Personal Finance
  • Market Research
    • Business
    • Investing
    • Money
    • Economy
    • Markets
    • Stocks
    • Trading
  • 401k Plans
  • College
  • IRS & Taxes
  • Estate Plans
  • Social Security
  • Medicare
  • Legal
  • Home
  • Financial Planning
    • Financial Planning
    • Personal Finance
  • Market Research
    • Business
    • Investing
    • Money
    • Economy
    • Markets
    • Stocks
    • Trading
  • 401k Plans
  • College
  • IRS & Taxes
  • Estate Plans
  • Social Security
  • Medicare
  • Legal
No Result
View All Result
TheAdviserMagazine.com
No Result
View All Result
Home Market Research Market Analysis

Is Zero Trust Canceled? Revisiting DEF CON Research

by TheAdviserMagazine
4 weeks ago
in Market Analysis
Reading Time: 4 mins read
A A
Is Zero Trust Canceled? Revisiting DEF CON Research
Share on FacebookShare on TwitterShare on LInkedIn


Cybersecurity presentations are known for having pithy titles (usually, the more provocative, the better). And nobody will lose any points for dunking on a concept or term with as much saturation — and overuse in marketing — as Zero Trust. On that score, AmberWolf’s talk at DEF CON 33, titled “Zero Trust, Total Bust: Breaking Into Thousands Of Cloud-Based VPNs With One Bug,” ticks all the boxes. But what about the substance of the critique? Did the research uncover fundamental flaws in Zero Trust? Although we think the research uncovered some significant issues, calling it a “total bust” is definitely overblown.

AmberWolf Identified Significant Flaws In Multiple Products

Over the course of seven months, AmberWolf researchers examined Zero Trust network access (ZTNA) products from security vendors Check Point, Netskope, and Zscaler, finding multiple security issues — more specifically, identity and access management (IAM) problems: user impersonation, authentication bypass, local privilege escalation, and access to an SFTP server containing client logs and authentication material. In short, they found the same sorts of vulnerabilities that routinely appear in other software.

The issue with security flaws in Zero Trust platforms themselves is that these platforms serve as foundational infrastructure and guardians responsible for access policy (authentication and authorization) enforcement to a wide variety and large number of enterprise resources instead of just one. These issues also highlight lingering implicit trust. We’ve made great strides in verifying users and endpoints, but we still rely on other systems to 1) implement and enforce policies reliably and 2) be trustworthy by virtue of being (mostly) free of critical, exploitable defects. The AmberWolf research demonstrates a breakdown in both.

Zero Trust Isn’t A Product

It bears repeating that Zero Trust isn’t a single thing (and it’s most definitely not a product). Zero Trust is a combination of things such as strong authentication (of users, devices, and apps/workloads), enforcement of least privilege, segmentation, data classification, and more.

Each of the Zero Trust domains is intended to work on its own and in concert with the others to ensure that a failure in one control doesn’t result in a catastrophic breach. The metaphorical purpose of the architecture, in other words, is to prevent fire or — barring that — contain its spread and limit the resulting damage. Depending on any one element to achieve that goal is a textbook example of a single point of failure and antithetical to the philosophy and goals of Zero Trust.

Product Security Problems Don’t Invalidate Architecture

The ZTNA products that AmberWolf examined are unfortunately not the first security products to have security flaws. It’s quite a leap, however, to say that flaws in security products mean that an underlying security architecture principle is flawed.

If building materials like cement and steel are defective, we don’t say that the design principles behind building a skyscraper are junk. Instead, we look at the root cause of the flaws in those materials and figure out how to avoid them in the future. If it’s a pervasive issue, it may mean a new approach to making and testing those materials; if it’s a couple of suppliers cutting corners, it may mean purchasing materials somewhere else next time.

One important way for vendors to ensure the security of their products is using and consistently upgrading robust, well-tested, standards-based packages such as OpenSSL, OpenSSH, OpenAM, and more. An important corollary to “don’t roll your own crypto” should be “don’t roll your own IAM libraries” to avoid precisely the issues identified by AmberWolf’s testing.

Like any software or hardware vendor, security vendors must incorporate product security principles throughout the product lifecycle to protect their customers and their brand. This starts early in the lifecycle, where security must identify strategic risks and potential threats, and continues with activities such as threat modeling, security training, pre-release application security testing, and post-deployment protections.

Critically, product security teams must also help product teams build in security and IAM features (like authentication), recommend secure default configurations, and make deployment and configuration guidance available to systems integrators that work with their customers. Through it all, close coordination with the product team is key.

It’s not unreasonable to hold security vendors to a higher standard when it comes to product security. CISA launched the Secure by Design pledge, with hundreds of enterprise software companies signing on and committing to building security into their products. If a vendor that you work with (security or otherwise) hasn’t signed the pledge, ask why not. If they have, ask them to share their progress against the goals.

Is Cloud Delivery Better, Worse, Or Just … Different?

A large and growing number of security capabilities are delivered at least partially via the cloud. That could be seen as a liability in this context. Despite the attention-grabbing claim about breaking into thousands of VPNs using a single bug, AmberWolf did no such thing — although its research clearly shows that an attack on that scale would have been possible. We say “would have been” because, although cloud delivery can sometimes result in new attack vectors, the cloud also offers benefits in terms of vulnerability remediation.

Zscaler responded to and fixed the vulnerability reported by AmberWolf the same day (although there was a brief regression several days later that was also quickly repaired). As with any case of security issues in security products, responsiveness and transparency matter. Contrast this with severe, exploited vulnerabilities in on-premises infrastructure that required federal law enforcement intervention or guidance that involved literally unplugging affected systems to remediate security issues — not to mention coordinated action on the part of hundreds or thousands of organizations, as opposed to just one.

Connect With Us

As always, Forrester clients can connect with Sandy for product security, Andras for identity, and me for Zero Trust by setting up a guidance session or inquiry.

We’ll also be in Austin, Texas, on November 5–7 with a host of our colleagues for the Forrester Security & Risk Summit. This year’s theme is “Master Risk, Conquer Chaos,” and the agenda includes a track focused on Zero Trust as well as a variety of keynotes, breakouts, workshops, roundtables, and special programs to help you master whatever chaos your teams are facing today. We hope to see you there!



Source link

Tags: canceledconDEFResearchRevisitingTrust
ShareTweetShare
Previous Post

Take This Quiz to Test If Your Retirement Knowledge Is Better Than Average

Next Post

10 Highest Yielding Kevin O’Leary Stocks Now

Related Posts

edit post
Report: The Financial Landscape of Sub-Saharan Africa

Report: The Financial Landscape of Sub-Saharan Africa

by TheAdviserMagazine
October 2, 2025
0

GEOPOLL REPORT Banking, Borrowing, and Beyond:The Financial Landscape of Sub-Saharan Africa Financial services in Sub-Saharan Africa are undergoing rapid transformation,...

edit post
Agentic Commerce? Conversational Commerce? The Future Of Owned Digital Shopping Experiences

Agentic Commerce? Conversational Commerce? The Future Of Owned Digital Shopping Experiences

by TheAdviserMagazine
October 1, 2025
0

Current (early) genAI shopping assistants don’t create great experiences. The future isn’t just conversational or agentic commerce; it is genAI-augmented...

edit post
The 5 Best Gold Mining Stocks to Buy Now

The 5 Best Gold Mining Stocks to Buy Now

by TheAdviserMagazine
October 1, 2025
0

Gold mining stocks offer leveraged exposure to gold prices, amplifying returns as the precious metal rallies. With gold at $3,800...

edit post
Export Software

Export Software

by TheAdviserMagazine
October 1, 2025
0

Computer Market Research (CMR): The Ultimate Channel Management Compendium PART 1 Table of Contents for Part 1 Introduction to Channel...

edit post
How To Build AI Red Teams That Actually Work

How To Build AI Red Teams That Actually Work

by TheAdviserMagazine
September 30, 2025
0

Generative AI is everywhere. It’s in your customer support workflows, embedded in your analytics dashboards, and quietly powering your internal...

edit post
8 Large-Cap Tech Stocks With 40% Upside Potential for an Explosive Q4

8 Large-Cap Tech Stocks With 40% Upside Potential for an Explosive Q4

by TheAdviserMagazine
September 30, 2025
0

The past few weeks have seen technology stocks outperform. Over the past month (at Monday’s closing price), the and tech-heavy...

Next Post
edit post
10 Highest Yielding Kevin O’Leary Stocks Now

10 Highest Yielding Kevin O'Leary Stocks Now

edit post
Updated for 2025: The ultimate couch potato portfolio guide

Updated for 2025: The ultimate couch potato portfolio guide

  • Trending
  • Comments
  • Latest
edit post
What Happens If a Spouse Dies Without a Will in North Carolina?

What Happens If a Spouse Dies Without a Will in North Carolina?

September 14, 2025
edit post
California May Reimplement Mask Mandates

California May Reimplement Mask Mandates

September 5, 2025
edit post
Does a Will Need to Be Notarized in North Carolina?

Does a Will Need to Be Notarized in North Carolina?

September 8, 2025
edit post
Who Needs a Trust Instead of a Will in North Carolina?

Who Needs a Trust Instead of a Will in North Carolina?

September 1, 2025
edit post
DACA recipients no longer eligible for Marketplace health insurance and subsidies

DACA recipients no longer eligible for Marketplace health insurance and subsidies

September 11, 2025
edit post
‘Quiet luxury’ is coming for the housing market, The Corcoran Group CEO says. It’s not just the Hamptons, Aspen, and Miami anymore

‘Quiet luxury’ is coming for the housing market, The Corcoran Group CEO says. It’s not just the Hamptons, Aspen, and Miami anymore

September 9, 2025
edit post
Biden’s Florida legacy: An economic boom, a magnet for immigrants and a solidly conservative red state

Biden’s Florida legacy: An economic boom, a magnet for immigrants and a solidly conservative red state

0
edit post
Warren Buffett Berkshire Occidental Oxychem

Warren Buffett Berkshire Occidental Oxychem

0
edit post
Shekel gains sharply amid optimism on Trump plan

Shekel gains sharply amid optimism on Trump plan

0
edit post
James Comey Is Not an Innocent Victim of the Lawfare He Helped to Create

James Comey Is Not an Innocent Victim of the Lawfare He Helped to Create

0
edit post
XRP Falls 2.3% As Ripple CTO David Schwartz Exits

XRP Falls 2.3% As Ripple CTO David Schwartz Exits

0
edit post
Why American Workers Are ‘Coffee Badging’ Their Way Through Hybrid Jobs

Why American Workers Are ‘Coffee Badging’ Their Way Through Hybrid Jobs

0
edit post
Biden’s Florida legacy: An economic boom, a magnet for immigrants and a solidly conservative red state

Biden’s Florida legacy: An economic boom, a magnet for immigrants and a solidly conservative red state

October 2, 2025
edit post
James Comey Is Not an Innocent Victim of the Lawfare He Helped to Create

James Comey Is Not an Innocent Victim of the Lawfare He Helped to Create

October 2, 2025
edit post
Warren Buffett Berkshire Occidental Oxychem

Warren Buffett Berkshire Occidental Oxychem

October 2, 2025
edit post
PepsiCo’s new challenge: Making its chips and sodas colorful without artificial dyes

PepsiCo’s new challenge: Making its chips and sodas colorful without artificial dyes

October 2, 2025
edit post
What CEOs are saying about the government shutdown

What CEOs are saying about the government shutdown

October 2, 2025
edit post
Why American Workers Are ‘Coffee Badging’ Their Way Through Hybrid Jobs

Why American Workers Are ‘Coffee Badging’ Their Way Through Hybrid Jobs

October 2, 2025
The Adviser Magazine

The first and only national digital and print magazine that connects individuals, families, and businesses to Fee-Only financial advisers, accountants, attorneys and college guidance counselors.

CATEGORIES

  • 401k Plans
  • Business
  • College
  • Cryptocurrency
  • Economy
  • Estate Plans
  • Financial Planning
  • Investing
  • IRS & Taxes
  • Legal
  • Market Analysis
  • Markets
  • Medicare
  • Money
  • Personal Finance
  • Social Security
  • Startups
  • Stock Market
  • Trading

LATEST UPDATES

  • Biden’s Florida legacy: An economic boom, a magnet for immigrants and a solidly conservative red state
  • James Comey Is Not an Innocent Victim of the Lawfare He Helped to Create
  • Warren Buffett Berkshire Occidental Oxychem
  • Our Great Privacy Policy
  • Terms of Use, Legal Notices & Disclosures
  • Contact us
  • About Us

© Copyright 2024 All Rights Reserved
See articles for original source and related links to external sites.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
No Result
View All Result
  • Home
  • Financial Planning
    • Financial Planning
    • Personal Finance
  • Market Research
    • Business
    • Investing
    • Money
    • Economy
    • Markets
    • Stocks
    • Trading
  • 401k Plans
  • College
  • IRS & Taxes
  • Estate Plans
  • Social Security
  • Medicare
  • Legal

© Copyright 2024 All Rights Reserved
See articles for original source and related links to external sites.