No Result
View All Result
SUBMIT YOUR ARTICLES
  • Login
Friday, July 17, 2026
TheAdviserMagazine.com
  • Home
  • Financial Planning
    • Financial Planning
    • Personal Finance
  • Market Research
    • Business
    • Investing
    • Money
    • Economy
    • Markets
    • Stocks
    • Trading
  • 401k Plans
  • College
  • IRS & Taxes
  • Estate Plans
  • Social Security
  • Medicare
  • Legal
  • Home
  • Financial Planning
    • Financial Planning
    • Personal Finance
  • Market Research
    • Business
    • Investing
    • Money
    • Economy
    • Markets
    • Stocks
    • Trading
  • 401k Plans
  • College
  • IRS & Taxes
  • Estate Plans
  • Social Security
  • Medicare
  • Legal
No Result
View All Result
TheAdviserMagazine.com
No Result
View All Result
Home Market Research Market Analysis

Is Zero Trust Canceled? Revisiting DEF CON Research

by TheAdviserMagazine
11 months ago
in Market Analysis
Reading Time: 4 mins read
A A
Is Zero Trust Canceled? Revisiting DEF CON Research
Share on FacebookShare on TwitterShare on LInkedIn


Cybersecurity presentations are known for having pithy titles (usually, the more provocative, the better). And nobody will lose any points for dunking on a concept or term with as much saturation — and overuse in marketing — as Zero Trust. On that score, AmberWolf’s talk at DEF CON 33, titled “Zero Trust, Total Bust: Breaking Into Thousands Of Cloud-Based VPNs With One Bug,” ticks all the boxes. But what about the substance of the critique? Did the research uncover fundamental flaws in Zero Trust? Although we think the research uncovered some significant issues, calling it a “total bust” is definitely overblown.

AmberWolf Identified Significant Flaws In Multiple Products

Over the course of seven months, AmberWolf researchers examined Zero Trust network access (ZTNA) products from security vendors Check Point, Netskope, and Zscaler, finding multiple security issues — more specifically, identity and access management (IAM) problems: user impersonation, authentication bypass, local privilege escalation, and access to an SFTP server containing client logs and authentication material. In short, they found the same sorts of vulnerabilities that routinely appear in other software.

The issue with security flaws in Zero Trust platforms themselves is that these platforms serve as foundational infrastructure and guardians responsible for access policy (authentication and authorization) enforcement to a wide variety and large number of enterprise resources instead of just one. These issues also highlight lingering implicit trust. We’ve made great strides in verifying users and endpoints, but we still rely on other systems to 1) implement and enforce policies reliably and 2) be trustworthy by virtue of being (mostly) free of critical, exploitable defects. The AmberWolf research demonstrates a breakdown in both.

Zero Trust Isn’t A Product

It bears repeating that Zero Trust isn’t a single thing (and it’s most definitely not a product). Zero Trust is a combination of things such as strong authentication (of users, devices, and apps/workloads), enforcement of least privilege, segmentation, data classification, and more.

Each of the Zero Trust domains is intended to work on its own and in concert with the others to ensure that a failure in one control doesn’t result in a catastrophic breach. The metaphorical purpose of the architecture, in other words, is to prevent fire or — barring that — contain its spread and limit the resulting damage. Depending on any one element to achieve that goal is a textbook example of a single point of failure and antithetical to the philosophy and goals of Zero Trust.

Product Security Problems Don’t Invalidate Architecture

The ZTNA products that AmberWolf examined are unfortunately not the first security products to have security flaws. It’s quite a leap, however, to say that flaws in security products mean that an underlying security architecture principle is flawed.

If building materials like cement and steel are defective, we don’t say that the design principles behind building a skyscraper are junk. Instead, we look at the root cause of the flaws in those materials and figure out how to avoid them in the future. If it’s a pervasive issue, it may mean a new approach to making and testing those materials; if it’s a couple of suppliers cutting corners, it may mean purchasing materials somewhere else next time.

One important way for vendors to ensure the security of their products is using and consistently upgrading robust, well-tested, standards-based packages such as OpenSSL, OpenSSH, OpenAM, and more. An important corollary to “don’t roll your own crypto” should be “don’t roll your own IAM libraries” to avoid precisely the issues identified by AmberWolf’s testing.

Like any software or hardware vendor, security vendors must incorporate product security principles throughout the product lifecycle to protect their customers and their brand. This starts early in the lifecycle, where security must identify strategic risks and potential threats, and continues with activities such as threat modeling, security training, pre-release application security testing, and post-deployment protections.

Critically, product security teams must also help product teams build in security and IAM features (like authentication), recommend secure default configurations, and make deployment and configuration guidance available to systems integrators that work with their customers. Through it all, close coordination with the product team is key.

It’s not unreasonable to hold security vendors to a higher standard when it comes to product security. CISA launched the Secure by Design pledge, with hundreds of enterprise software companies signing on and committing to building security into their products. If a vendor that you work with (security or otherwise) hasn’t signed the pledge, ask why not. If they have, ask them to share their progress against the goals.

Is Cloud Delivery Better, Worse, Or Just … Different?

A large and growing number of security capabilities are delivered at least partially via the cloud. That could be seen as a liability in this context. Despite the attention-grabbing claim about breaking into thousands of VPNs using a single bug, AmberWolf did no such thing — although its research clearly shows that an attack on that scale would have been possible. We say “would have been” because, although cloud delivery can sometimes result in new attack vectors, the cloud also offers benefits in terms of vulnerability remediation.

Zscaler responded to and fixed the vulnerability reported by AmberWolf the same day (although there was a brief regression several days later that was also quickly repaired). As with any case of security issues in security products, responsiveness and transparency matter. Contrast this with severe, exploited vulnerabilities in on-premises infrastructure that required federal law enforcement intervention or guidance that involved literally unplugging affected systems to remediate security issues — not to mention coordinated action on the part of hundreds or thousands of organizations, as opposed to just one.

Connect With Us

As always, Forrester clients can connect with Sandy for product security, Andras for identity, and me for Zero Trust by setting up a guidance session or inquiry.

We’ll also be in Austin, Texas, on November 5–7 with a host of our colleagues for the Forrester Security & Risk Summit. This year’s theme is “Master Risk, Conquer Chaos,” and the agenda includes a track focused on Zero Trust as well as a variety of keynotes, breakouts, workshops, roundtables, and special programs to help you master whatever chaos your teams are facing today. We hope to see you there!



Source link

Tags: canceledconDEFResearchRevisitingTrust
ShareTweetShare
Previous Post

Take This Quiz to Test If Your Retirement Knowledge Is Better Than Average

Next Post

10 Highest Yielding Kevin O’Leary Stocks Now

Related Posts

edit post
How to Look Strategic as a Channel Chief in 2026

How to Look Strategic as a Channel Chief in 2026

by TheAdviserMagazine
July 16, 2026
0

Why does the C-suite view some channel leaders as indispensable architects of growth while others are seen as mere administrators...

edit post
How AI Impacts The Customer Service Job Market

How AI Impacts The Customer Service Job Market

by TheAdviserMagazine
July 16, 2026
0

We know that companies right now are heavily investing in customer service technologies with embedded AI capabilities. Companies are using...

edit post
Meet Rick Geneva: Principal Analyst For Cloud-Native Development

Meet Rick Geneva: Principal Analyst For Cloud-Native Development

by TheAdviserMagazine
July 16, 2026
0

After three decades in IT, I’m now watching the fifth major innovation cycle of my career: I’ve seen PC networking,...

edit post
Europe Builds The Blueprint For Social Platform Accountability

Europe Builds The Blueprint For Social Platform Accountability

by TheAdviserMagazine
July 16, 2026
0

Following the UK’s move to tighten protections for minors online, the European Union is now considering its own youth social...

edit post
E-Waste Management Market Outlook: Opportunities and Emerging Trends

E-Waste Management Market Outlook: Opportunities and Emerging Trends

by TheAdviserMagazine
July 16, 2026
0

The E-Waste Management Market is expanding steadily as governments, manufacturers, and consumers prioritize responsible disposal of electronic products. Rising volumes...

edit post
Feeling in Control of Your Channel Budget: A 2026 Strategic Guide

Feeling in Control of Your Channel Budget: A 2026 Strategic Guide

by TheAdviserMagazine
July 15, 2026
0

Did you know that poor data quality costs the average business $12.9 million every year in wasted spend and missed...

Next Post
edit post
10 Highest Yielding Kevin O’Leary Stocks Now

10 Highest Yielding Kevin O'Leary Stocks Now

edit post
Updated for 2025: The ultimate couch potato portfolio guide

Updated for 2025: The ultimate couch potato portfolio guide

  • Trending
  • Comments
  • Latest
edit post
Mass Fraud in Massachusetts Committed by Illegal Immigrants Discovered

Mass Fraud in Massachusetts Committed by Illegal Immigrants Discovered

June 22, 2026
edit post
New York Seniors: 6 STAR Tax Relief Rules That Could Put a Bigger Check in Your Mailbox

New York Seniors: 6 STAR Tax Relief Rules That Could Put a Bigger Check in Your Mailbox

June 20, 2026
edit post
5 Pennsylvania Rebate Rules Seniors Should Check Before the Property Tax/Rent Deadline

5 Pennsylvania Rebate Rules Seniors Should Check Before the Property Tax/Rent Deadline

June 18, 2026
edit post
New Jersey Tax-Relief Events: Three July Dates Near Seniors

New Jersey Tax-Relief Events: Three July Dates Near Seniors

July 13, 2026
edit post
Bristlecone pines growing in the White Mountains of California germinated before the Great Pyramid was built, and the oldest one alive today, nicknamed Methuselah, has been quietly adding rings for 4,855 years in soil so poor almost nothing else survives beside it

Bristlecone pines growing in the White Mountains of California germinated before the Great Pyramid was built, and the oldest one alive today, nicknamed Methuselah, has been quietly adding rings for 4,855 years in soil so poor almost nothing else survives beside it

July 8, 2026
edit post
Retail giant exits U.S. fashion after multi-million-dollar scandal

Retail giant exits U.S. fashion after multi-million-dollar scandal

July 1, 2026
edit post
US stocks today: Nasdaq, S&P fall over 1%, end lower for week as chip selloff broadens

US stocks today: Nasdaq, S&P fall over 1%, end lower for week as chip selloff broadens

0
edit post
BPCON 2026: Your Complete Guide to Our Biggest Event of the Year

BPCON 2026: Your Complete Guide to Our Biggest Event of the Year

0
edit post
Clarity Act passing odds hit record lows as bill stalls in Senate (BTC-USD:Cryptocurrency)

Clarity Act passing odds hit record lows as bill stalls in Senate (BTC-USD:Cryptocurrency)

0
edit post
Researchers Just Unlocked AI’s Black Box

Researchers Just Unlocked AI’s Black Box

0
edit post
A World Cup Final Through Austrian Eyes

A World Cup Final Through Austrian Eyes

0
edit post
Bitcoin Traders Pull BTC Below K as Middle East Tensions Trigger Fresh Risk-Off Selling

Bitcoin Traders Pull BTC Below $63K as Middle East Tensions Trigger Fresh Risk-Off Selling

0
edit post
US stocks today: Nasdaq, S&P fall over 1%, end lower for week as chip selloff broadens

US stocks today: Nasdaq, S&P fall over 1%, end lower for week as chip selloff broadens

July 17, 2026
edit post
Clarity Act passing odds hit record lows as bill stalls in Senate (BTC-USD:Cryptocurrency)

Clarity Act passing odds hit record lows as bill stalls in Senate (BTC-USD:Cryptocurrency)

July 17, 2026
edit post
Bitcoin Traders Pull BTC Below K as Middle East Tensions Trigger Fresh Risk-Off Selling

Bitcoin Traders Pull BTC Below $63K as Middle East Tensions Trigger Fresh Risk-Off Selling

July 17, 2026
edit post
World Cup final is already the biggest ever prediction market as Kalshi bets top .27 billion—with Spain favored to beat Argentina

World Cup final is already the biggest ever prediction market as Kalshi bets top $1.27 billion—with Spain favored to beat Argentina

July 17, 2026
edit post
Researchers Just Unlocked AI’s Black Box

Researchers Just Unlocked AI’s Black Box

July 17, 2026
edit post
BPCON 2026: Your Complete Guide to Our Biggest Event of the Year

BPCON 2026: Your Complete Guide to Our Biggest Event of the Year

July 17, 2026
The Adviser Magazine

The first and only national digital and print magazine that connects individuals, families, and businesses to Fee-Only financial advisers, accountants, attorneys and college guidance counselors.

CATEGORIES

  • 401k Plans
  • Business
  • College
  • Cryptocurrency
  • Economy
  • Estate Plans
  • Financial Planning
  • Investing
  • IRS & Taxes
  • Legal
  • Market Analysis
  • Markets
  • Medicare
  • Money
  • Personal Finance
  • Social Security
  • Startups
  • Stock Market
  • Trading

LATEST UPDATES

  • US stocks today: Nasdaq, S&P fall over 1%, end lower for week as chip selloff broadens
  • Clarity Act passing odds hit record lows as bill stalls in Senate (BTC-USD:Cryptocurrency)
  • Bitcoin Traders Pull BTC Below $63K as Middle East Tensions Trigger Fresh Risk-Off Selling
  • Our Great Privacy Policy
  • Terms of Use, Legal Notices & Disclosures
  • Contact us
  • About Us

© Copyright 2024 All Rights Reserved
See articles for original source and related links to external sites.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
No Result
View All Result
  • Home
  • Financial Planning
    • Financial Planning
    • Personal Finance
  • Market Research
    • Business
    • Investing
    • Money
    • Economy
    • Markets
    • Stocks
    • Trading
  • 401k Plans
  • College
  • IRS & Taxes
  • Estate Plans
  • Social Security
  • Medicare
  • Legal

© Copyright 2024 All Rights Reserved
See articles for original source and related links to external sites.