
Security Unfiltered
From Teenage Gamer to SaaS Security Guru: The Untold Journey of a Cybersecurity Pro Aaron Costello
Summary
In this conversation, Joe and Aaron discuss Aaron's journey into cybersecurity, highlighting the importance of curiosity, perseverance, and continuous learning in the field. Aaron shares his early experiences with hacking, his transition into professional security roles, and the unique challenges of pen testing SaaS applications. The discussion emphasizes the need for passion and dedication in overcoming obstacles and achieving success in cybersecurity. Joe and Aaron then turn to the importance of sharing knowledge in the field of SaaS security, highlighting how personal initiatives like blogging can lead to unexpected career opportunities. They delve into the challenges organizations face regarding SaaS application risks, the significance of inventory management, and the shared responsibility model in security. The discussion also emphasizes the need for awareness of misconfigurations and reassures listeners that coding skills are not a prerequisite for entering the SaaS security space.
Chapters
00:00 Introduction and Personal Background
08:27 Journey into Cybersecurity
17:00 Perseverance in Learning and Growth
20:49 Pen Testing SaaS Applications
26:51 The Power of Sharing Knowledge
29:06 Discovering New Opportunities in SaaS Security
32:45 Understanding SaaS Application Risks
35:32 The Importance of SaaS Inventory Management
38:43 Shared Responsibility in SaaS Security
41:51 Misconfigurations and Security Awareness
45:01 Navigating SaaS Security Without Coding Skills
How's it going, Aaron? It's great to get you on the podcast. My life is a bit crazy right now. I have a second kid coming pretty soon here and I'm trying to schedule everyone in, and you can see I've got a bunch of home repair, home project materials above me that I very conveniently forgot to take out of the frame today. But, you know, how's it going? I'm fantastic.
Speaker 2: Thank you, um, and congratulations on that wonderful news. Yeah, yeah, thanks, it's, um, it's fantastic.
Speaker 1: I'm really excited. I love being a dad, I love being a parent, you know, and, uh, it's like the best thing in the world. If I could, like, quit everything and just do that 24/7, I totally would, right, like, only if my wife was, like, a lawyer or something like that.
Speaker 2: Right, absolutely, yeah, that's it. Well, yeah, yeah, absolutely.
Speaker 1: So, you know, Aaron, why don't we start with your background, right? What made you want to get into IT? What made you want to go into, you know, security overall? Right, the reason why I start everyone there is because, you know, I remember when I was trying to get into security, right, and all I really wanted to hear was that someone else had that same passion, that same interest as me, maybe even came from a similar background as me, and it helped me mentally when I finally, you know, found that, right, to know, like, oh okay, if they did it, maybe it's possible for me, right? So I always start someone off there because, you know, there's probably someone listening that, you know, is in that same situation, right?
Speaker 2: Yeah, yeah. So, um, it's definitely an interesting one. So it started back when I was 15, maybe 16, 13, about 15 years ago now. So, like any teenage boy, a lot of gaming, console gaming, PC gaming. Um, one of my accounts actually got compromised, um, and they took everything that I'd worked for. I was like, how could someone do this? Right, like, how is this possible? And so I started kind of digging into that and found this entire, like, hacking space.
Speaker 2: Now my uncle at the time did work, um, in cybersecurity, more on the compliance side of things. So I knew a little bit, right, but not so much the actual technical hacking. And so I started digging around in forums. That kind of got me into game hacking, console hacking, right, like soldering consoles, like flashing them, selling custom firmware, so I could, like, do all these crazy things. And the more I started to look in these forums, the more my eyes kind of opened to all these other areas. Right, like, it's such a big, broad, like, industry, and that kind of brought me to the web application side of cybersecurity, and that really interested me because it was far more impactful than just hacking games. Right, like, the game hacking stuff was fun, but when you think about, like, actual impact and real-world impact, that really caught my attention. It caught my eye. I started doing a ton of research every day. I'd be bringing in notes from the night before into school, like, reading them throughout lunch, to learn and absorb all this information, and it was all, like, your typical, like, SQL injection and, like, all of that, and wrapping my head around how all that works. And really I wanted to just apply that knowledge, right, that was the next thing, because the only way to really solidify the thing is as you're learning, and naturally, just in a way, or I thought at least at the time, there was no way of me doing that, like, legally, you know.
Speaker 2: I started doing a bit more research and asking questions on forums. I discovered, like, oh, there are actually organizations that you can hack and they won't sue you and throw you into prison, right, through these vulnerability disclosure programs, and some of them might even pay you. So I thought, wait, hang on a second, I'm a teenage boy that can hack things and potentially get paid. Like, that to me was the dream, and so I started doing that in my spare time quite a lot, and I went to university after school, did my computer science degree, which didn't really touch on cybersecurity too much, and from there went into your kind of typical security engineer role at VMware. So things like threat modeling, doing internal, like, pen testing for applications that we were building.
Speaker 2: But in parallel with that, the entire time I was doing, like, bug bounty, so finding the same thing again, finding vulnerabilities in web applications and, in an authorized fashion, getting paid for it. And one of the things that became very apparent to me was I was spending quite a lot of time researching a single target that had built a single cookbook web application, and the issue with that is the payout was not always worth the investment of time, because that knowledge is not transferable to another organization. It built everything using a different language, different infrastructure, and that's a whole different way of doing things. So that's how I found SaaS security. I had identified a way in: okay, if I find something that isn't necessarily a vulnerability but a way to take advantage of a risky configuration made by a customer of Salesforce or ServiceNow. I'm talking about, like, if we actually look at the more well-known examples of, like, public AWS buckets, it's exactly that kind of thing, of, like, that's just a repeatable method in which you can locate and exploit something and do it at scale, and so that's exactly what I wanted to apply to SaaS, because it was a very niche area, not a lot of research having been done into SaaS, and that was just a goldmine for me, um, really, but from a career perspective I had to time, figuratively, figuratively, like a goldmine.
Speaker 2: So I released my first article, which was effectively a summary as to how one might exploit data exposure issues in Salesforce, the situation in which customers accidentally expose data to the public internet, and how one could defend against it but also identify, um, those risks, and that kind of blew up the internet a little bit, and it caught the attention of my current employer, AppOmni, which is, like, an SSPM tool used to assist organizations with locking down and securing their SaaS posture.
Speaker 2: So they reached out to me and said, hey, we saw this article, this is exactly the kind of thing that we're doing. And at that time I was actually unemployed and looking for my next role, so I was like, yeah, sure, we'll do, like, a paid, like, joint article to talk about it.
Speaker 2: So I jumped on a call and I was effectively ambushed, because they were like, why don't you just join us? We'll hire you and just give you a job if you're looking for one, and it seems like you know what you're talking about. And so I was employee number, I think, 28 at the company and the founding member of the AppOmni Labs security research function of the company, and as of current I'm the chief of security research over there and leading up that function. That's really my background, how I fell into the space in the first place, really, and how it kind of developed into where I am.
Speaker 1: Yeah, that's fascinating, you know, because hearing your story just brings to mind, right, that curiosity that you have to have, you know, getting into security, and, you know, having, like, that thirst that you can, like, never quench. You know, no matter how much research you do, no matter, like, how much, you know, pen testing or vulnerabilities you find, you're, like, always kind of looking for that next thing, and that was, like, the number one thing when I was trying to get into security. I got my bachelor's degree in criminal justice, fully intended on going into federal law enforcement, being sent overseas, whatever it might be, and doing that whole thing for the rest of my life. I did IT literally in college. I was on the help desk team in college just for, like, beer money. Like, that was it. You know, like, okay, this pays for my cell phone and my beer for the week.
Speaker 1: You know, like, that's right, that's all I needed. But I hated everything about that, you know, help desk job. I was like, man, this is stupid, you know. And then right after college, I have these student loans. So it's like, okay, let's get in the help desk, let's, you know, get some money coming in, right, because it takes forever to get into any federal agency, right.
Speaker 1: And that's when I kind of discovered security. I never thought about it or anything like that, but someone introduced me to it and, like, I couldn't stop. You know, I started getting into, like, wireless security and infrastructure security, vulnerability management, like, that whole thing. You know, I was so passionate about it. I mean, I probably should have been fired, like, five different times from this job, right, but I, like, forced my way into handling all the vulnerability management for this company that didn't have any, like, whatsoever, you know. And I, like, had to sit down with these developers that had created this code from scratch that we had sold hundreds of times over and over, and run through, you know, my open source vulnerability scans and be like, hey guys, we have 1500 high vulnerabilities. This is really bad.
Speaker 1: When I go to these federal agencies, you know, and I'm on site, they're pen testing the app live in front of me. Like, that can't happen. This isn't even allowed to run in their environment. You know, and, like, just thinking back, it's like, man, I was so young and stupid. I'm still pretty stupid, but less stupid, you know. Like, I was so stupid and young at the time that, like, it was like, man, how did I even get through that, you know? But you start doing so much research, because I was researching at work, I was researching at home, I was sleeping and thinking about it. You know, like, that's the kind of passion that you really need getting into security. One, because there's so much to learn, right, but two, because it's also so hard at times that, uh, you need that passion, you need that drive to be like, yeah, it's difficult, but I still want to do it. You know, like, I'm a terrible hacker with web app security. I mean, it's like, man, whenever I go to a new company, it's like, I hope they have an AppSec guy, because I don't want to touch that, I don't want to think about that. I don't want to install Burp Suite on my computer, like, end of story. You know, I don't even want to think about it, right? Right, give me every other facet of security; AppSec is the one I don't want to do.
Speaker 2: Well, everyone, everyone's got their niche. And it's funny, like, it just reminds me, you saying that, kind of that thirst for knowledge. Like, this is so, so bad, but I used to not let myself go to bed until I could recite everything I learned that single day. Well, I would pace up and down the dining room while my parents were asleep and basically just recite and ask myself questions about what I learned. You know, I don't want to make it seem like, when I talk about my background, it was such a streamlined process, because there's so much that I left out, right.
Speaker 2: There were so many areas that I tried, um, within security and just couldn't take to, and that could be for various reasons. Maybe it was too difficult for me at the time, I couldn't wrap my head around this, um. I remember looking at, like, functional programming and thinking, like, okay, I will never understand this.
Speaker 2: Yeah, and there were so many times where I did really kind of want to give up, um, because I was just struggling to understand all of these concepts, and it is a slow-and-steady-wins-the-race thing. Like, sometimes, yes, you can just pick something up and take to it naturally, as if it's second nature, but other things, they do take time and effort, and really it's like that saying of, like, good things take time, right? Um, I've been doing this for so, so many years, and I think when people read my research or speak to me about it, they forget that, and they might think, like, oh, you know so much about this. I was like, well, I've been doing SaaS security now for, like, over four years, every single day, in my spare time and at work. It's not like I'm some natural-born genius. I'm really not. Like, I'm a trial-and-error guy. I fail many, many times before I succeed.
Speaker 1: Yeah, you know, it's, um, there's something very true about, I think I heard, you know, maybe Elon Musk say this several years ago, right, or the industry, I guess, right, on this, is that you need to get 10,000 hours in to really feel like you're excelling in an area or being an, you know, I wouldn't even call it an expert, but, you know, to feel like you're competent in any, you know, principle or domain, whatever it might be, right. And so when you say you struggled, you know, for that many years, right, you've got to think about, okay, well, I put in 100 hours this week of doing it at my day job, going home, doing it more, like, staying up late. You know, you probably put in that time, right, and the key there is getting through those 10,000 hours as quickly as possible. Because if you can get those 10,000 hours in, you know, in a year, when it takes other people five years, right, because that's, I think that's the actual, like, average nine-to-five, like, time span, right, like, that's how long it takes. It takes, like, five years or something like that. I can't remember what it is, because once I learned it, I went after it and I hit it and I forgot about it, right. But if you can do that in one year, you know, you've sat through it and it's like, okay, I'm actually at year five in my brain. You know, let's build off of this, you know, and maybe you dial things back a little bit, you know, so you have some, like, work-life balance and whatnot.
Speaker 1: But, you know, I remember when I was just getting started and I was in that help desk job and, uh, I mean, I applied to somewhere between 300 and 500 different jobs, right. Every single day I was applying and interviewing, and I was employed, I was fully employed at that time. I would literally go into our break room, take an interview, you know, bomb it, go right back to work like nothing ever happened, you know, and figure stuff out, right. But it's that constant knocking, right. I got to the point where I was like, okay, well, surely not every company in the world will say no to me. I've just got to find one that says yes. That mentality is so helpful, because you've just got to break it down like that. I don't need everyone to say yes to me, I need one to say yes to me. How many companies are there? Millions, okay. Well, I've just got to find one.
Speaker 2: Yeah, that's exactly it. It's really the perseverance. I think that's exactly the word to describe how to go from being a complete newbie in security, whatever domain that's in, to becoming an expert. And it is just perseverance.
Speaker 1: Yeah, yeah, yeah, that is, man, that is so critical. I remember when I was getting my master's degree in cybersecurity, and it was a very hands-on program, right. So we're not just talking about, you know, theory all day, like, we're literally, you know, hacking things and everything else like that, right. Like, you know, one day we're learning about wireless security on, you know, WPA and WEP, and, you know, why you would want to stay away from WEP, and you're doing an exploit to actually see why, right. And there was one project where they said, okay, find a vulnerability, exploit it on a device and give me, like, a report on it. Right, I didn't realize that it was basically a pen test report, you know, that, like, that's what you're putting together. And so I chose, of course, you know, something wireless, right, and so I hadn't done very much with Bluetooth, but I knew Bluetooth was vulnerable to a lot of, like, basic things, you know, like, you know, naming functions and stuff like that, right. So I figured, okay, let's challenge myself a little bit here. I was probably stupid on it. Let's, you know, I procrastinate very well, right. So I'm, you know, 48 hours before I have to hand in this project.
Speaker 1: Oh, yeah, yeah, and, uh, you know, I'm starting to try and exploit this Bluetooth vulnerability on an iPhone, and, uh, it took me, you know, 24 hours, I mean straight, like, I did not sleep. You know, my now-wife was, like, falling asleep, you know, in my bed, while I'm sitting at my desk, like, working through this problem, and I gave up after 24 hours. I was like, all right, let's just go to Android. You know, 24, you know, a little bit longer, right, but I go to Android, 20 minutes, I got root, and I'm just sitting here like, I'm a terrible hacker. You know, like, I'm so bad at this. If I can get root on Android via a Bluetooth hack, that should never... Like, you should never be able to get root on any device via anything Bluetooth. Like, Bluetooth and root do not go together, you know, in security, like, those two things should not be happening.
Speaker 1: If I'm so bad that I can get this on Android, you know, like, what is really going on here, right? But, like, that talks about that perseverance, where it's like, it wasn't just the deadline that I had. It was like, I was so frustrated that I couldn't get it to work on iPhone. I was so beyond mad that I just couldn't get this thing to work that I switched to another platform to figure out if it was a platform architecture thing. And then, you know, sure enough, the next class I take is mobile security architecture, and we're talking about why basically that happened, you know.
Speaker 2: Yeah, it's funny you're talking about your wife there. Like, I've been testing SaaS applications for, like, weeks on end with nothing, right. I'm gaining knowledge of the platform, but in terms of findings, it's like nothing. And for some reason it always seems to be when I'm not supposed to be doing it that I find something. So my girlfriend will literally be like, you need to go to bed. I'll be like, okay, just five minutes, I promise, I'll go to bed, and with, like, two minutes to spare, I'll find something crazy. And I'm like, okay, well, hang on, 10 more minutes, because I think I just found something. And then, all of a sudden, two hours later, it's, like, a full exploit chain. I always think, like, if I had gone to bed, I wouldn't have found that. It just always seems to be when I'm not supposed to actually be doing it, um, which is funny. But once again, perseverance.
Speaker 1: Talk to me about what it's like pen testing a SaaS app. I would assume that it's probably a little bit different from pen testing a regular application, right, that's maybe built on S3 or lives in S3 or something like that. How is it different? Are you limited in the techniques that you can use, since it's technically a SaaS app? It's like a service offering in a cloud.
Speaker 2: Yeah, that's a great question. So I like to look at this through two facets, right. So there's the vulnerability side of things, generally what we've been talking about throughout this discussion, and that is, like, your zero-days, that is, exploits in the SaaS application itself that only the vendor can fix, um, right, like, here's, like, a SQL injection in, like, the core platform and in the software itself. And then there is the misconfiguration side of things, in which there is no issue with the software. There's no inherent out-of-the-box vulnerability or zero-day at the fault of the vendor, but a customer of theirs has toyed around where they shouldn't with configuration and security controls, or a lack of playing with them, and that's resulted in some kind of exposure, like a data exposure issue. Throughout my work I mostly focus on that misconfiguration bucket, and that often uncovers zero-days in the process, because I will see something that's a little janky and be like, oh, like, how does this play with another feature? But the biggest thing that's really helped me, um, kind of understand platforms, even from a security perspective, is just becoming almost like a platform administrator, like having the same knowledge as a platform administrator or a platform developer. A lot of these platforms allow for custom application development through, like, some framework that they have. So I'll get myself certified as a platform developer. I'll take the exam. I'll learn all about the features and how they interact with each other, or stand alone. I'll learn the flavor of JavaScript, whatever they're using on the platform, as a certified developer. And that gives me a fantastic base to start off, because the mindset that I've always applied when it comes to web application hacking in general is looking at, like, how do these various features interact with each other in a way that is potentially insecure, and just having an understanding of the product. I'm not one of these hackers that's kind of, like, spray and pray. I like to really know what's going on under the hood wherever possible.
Speaker 2: I never review a SaaS application from a target perspective initially. I view it from a learner's, beginner's perspective of, what does this even do, what are people using it for, how can I implement this, and for that I'll follow documentation. Sometimes there's none that's provided by the vendor. I'll use Stack Overflow. I'll learn what common problems people are having, um, just to get that general knowledge, and then from there I can actually have that attacker perspective of, like, okay, are there any areas that I've looked at that have no security controls around them, or are the security controls decentralized in a way that managing them is potentially difficult? So I'm quite lucky working at AppOmni, for a couple of reasons.
Speaker 2: Number one, getting access to these applications is not always easy. ServiceNow and Salesforce, it's great because you've got a free developer license. You can spin up an instance, your own personal instance, in, like, two minutes. Um, but often that's not the case, and a license could be, like, 20k a month, right. So I have the luxury and the privilege of having access to things that a lot of other researchers don't. So that's one requirement I always tell people: like, if you're, like, a bug bounty hunter or hacker, like, pool together with your friends, everyone throw in a little bit of money, and get yourself an instance if you want to find, like, a lot of cool new things.
Speaker 2: But also I have the luxury of, anything I find that I believe may be exploitable, um, like a misconfiguration, I can productize that. So I'll actually build a check or a scan, like, in the product and see how many customers it lights up, and that kind of brings me into one of my most recent pieces of research, and that was part of it. I was able to productize what I found and I was like, okay, this is actually a big issue, this is a seriously big problem, and that kind of validates my findings and allows me to then start educating our customers, educating the vendor as to what's going on in their customer instances, and then educating the security community and just platform administrators in general with a public disclosure.
Speaker 1: So there's a lot there, but I want to circle back a little bit, just so I personally remember it, right. Maybe I'm, like, a terrible podcast host. I take, like, no notes when we're talking. You know, it's a conversation, right, but, you know, I want to go back, right, because you said something earlier where, essentially, you made this post and AppOmni reached out and wanted to collaborate, right, and that's kind of how you got, you know, the current job, and I want to highlight the importance of that. Right, because the normal person, the normal workflow, is saying, I don't have anything unique here, I don't have anything really cool here, I'm not providing that much value to others. Why would I make a blog post about it? Why would I make a podcast about it? Or, you know, go anywhere and talk about it, right? Like, I'm not doing, you know, novel things, right, but you still, you know, thought that it was cool, you thought that it was interesting, and you made that post about it with no intention of, hey, this is going to get me a job, you know, at AppOmni, being a security researcher in this space that I love, right. And I want to highlight that because in security, or really just in the world overall, right, I feel like you have to find ways to stand out. You know, this podcast helps me stand out significantly, right. Like, when I go into an interview, or even a call internally at a company, right, immediately people add some sort of value to what I'm saying just because I have a podcast. Right, not knowing, like, hey, you know, you could have a podcast too, but it brings a level of authenticity, and, you know, it almost, like, qualifies you without qualifying you for these different things, which is really important, because, and I bring it up too because I know a couple of people that are really struggling, trying to find work right now, and they're great, you know, security practitioners, but they're having trouble finding work, and I keep on telling them, like, hey, go outside the box and do something, like, make a blog post. You know, make a website. Right, like, offer up different things, and it adds a lot of recognition to your brand without you having to do anything. You know, and that's a really important thing that a lot of people miss.
Speaker 2: That's exactly it, and it's so funny, because I made the blog post, as you said, one, because it was interesting. I thought I found something, like, net new and novel, and I did. But the SaaS security space wasn't, like, my target audience necessarily. I was writing it, well, firstly for anyone curious, but mainly for, like, red teamers, like the kind of de facto stereotypical people who would apply that methodology, um, and then also for organizations to protect themselves. So I really ended up in a space that I didn't even know existed. I didn't know SaaS security was a thing. I just saw this as, like, oh, misconfigurations being widely applied to SaaS instances, here's how you exploit them.
Speaker 2: It's cool, it's novel, and I just, yeah, I just fell into it, and I don't know where I would be if I hadn't made that blog post. I could be doing more standard web application stuff, go back to the security engineering and the threat modeling. But yeah, it was nice. It was great validation that there is an entire space that found value from what I did, and that's an entire space I did not exist in. So that was really cool.
Speaker 1: Yeah, you know, um, it's fascinating what we do with, like, no intention, right, and then something good, you know, comes from it. Like, you know, that's a really interesting situation, right. It's kind of like your passion. Your passion brought you to be the forefront of, you know, AppOmni, and it's a really important company, right, and I'll give you this example. You know, I was recently, you know, employed by one of the largest automotive manufacturers, you know, in the world, right, for their financial services arm. My CISO got on a call, it was internal to security only, and he said, yeah, you know, we have three core SaaS applications. And I had to stop him right there, right, because I was recently, literally, like, that week, looking at our SaaS apps and talking to the developers that are, you know, working on these SaaS apps, and I said, no, that's wrong. We have seven and we're going to 10 at the end of the year. And he was like, what are they? And I had to, like, list them out, you know, and he goes, I didn't even know that that was a thing, right. And, like, how common is that, though? I mean, that's extremely common. If you ask, you know, any organization, right, if you took a poll across the globe and said, what applications do you have in your environment, how many SaaS, how many natively run on EC2 or S3 or, you know, whatever that flavor is in Azure or GCP?
Speaker 1: Maybe 1% would be able to tell you and actually answer that, you know, and so you need a platform like AppOmni that comes in, gets plugged in and pulls in that information. Because, you know, as a security professional, not every company can have a team of 100, 200, 300 security professionals. I was at one company that had, I think, 250 people on the security team, right, and it wasn't that big of a company overall. They were a global company, but they were, like, a credit bureau, right, so they had the funding. Like, they would just write blank checks to these companies, and Splunk would be like, yeah, you're going to pay us, you know, two million in a year, and my CISO's like, you should have doubled it, and writes the check for two million. You know, like, whatever it is, like, he doesn't even care. Yeah, that's that environment.
Speaker 1: But everywhere else, I mean, I've been one of three, you know, one of five, now I'm one of one, yes, you know. And so people need these powerful tools to even have a chance at, like, telling the developers, hey, you need to fix this, exactly, like, right here, this is how you fix it. This is what's going on, and that's why, you know, AppOmni in particular. AppOmni is not sponsoring this podcast or anything like that. But I've looked at the platform a lot, like, unfortunately, maybe for myself, I've looked at the platform quite a lot, and so I know it pretty well, and it's like, okay, I need this thing, you know, in-house, I need to be working with this immediately.
Speaker 2: Yeah, it's interesting because, like what you touched on at the beginning there, that sprawl is like everywhere, every organization seems to have this problem. You will have a department with multiple teams, even in a small organization, and these teams may be doing very similar work, but they'll have a preference for one SaaS to fulfill one function, and another team will use a different one to fulfill that same function. And you have this situation in which, all of a sudden, you're using hundreds, right, and you're granting different apps access to, like, God knows how much of your data, which is a massive problem. And if AppOmni was simply just an inventory tool to surface what SaaS apps are being used across the organization, that alone would be so valuable. But it's not, it has all of these other fantastic features. But it's absolutely crucial to understand, just get a grip on that inventory in the first place, like how can you secure something if you don't even know you're using it? And while that's not the forefront of my research, it's the same underlying concept of, like, the unknown.
Speaker 2: In my opinion, the unknown is the biggest danger: the unknown API endpoints that can be exploited or leveraged by a threat actor, right, like an unknown SaaS object you're using that you have no idea what is being stored there, how it's being secured, unused? Is it being used responsibly and appropriately from a security perspective? So, yeah, it's definitely not new what I'm hearing from you. Every organization has it, and that's why we're seeing a lot more uptake and attention as well from organizations. They are learning over time, maybe hopefully as a result of my research and my blog posts, that this is an area to take seriously, because your most sensitive data is most likely sitting in one of your SaaS apps and you may not even know it.
Speaker 1: Yeah, that's a really good point. Actually, when I was at an employer, the automotive manufacturer, I was just talking to the Salesforce admin, and my CISO kind of pointed me in that direction because he's like, look, we don't really ever look at this. We need someone with that cloud mindset to go in there and just look at what's going on, right, because we literally don't know. You know, I'm talking to him and it's interesting. I have a way of getting developers to tell me too much information, or much more than what they should be telling me. You know, maybe I'm easy to talk to or something. But I was talking to him and he said, yeah, like, you know, we store 100% of our customer data here, and this part of the database is sending info over here, and, you know, all this other stuff, right, and I'm just sitting here and I asked him one question. I said, so if Salesforce ever got breached, you know what, what are we looking at? It was, oh no, that's everything. Yeah, I was like, you don't understand what a breach is. You don't know what I just asked. You know, it's.
Speaker 1: It's interesting because, as security, we didn't even know that it was that high of a risk. Right, we had some idea, like, yeah, there's some risk over there, but I think that we were so used to our risk being mitigated or accepted somewhere else in the business that we didn't realize, hey, we're using an application that's pretty critical to our business. It has a lot of our data. We need to focus more time and resources on this, and even beyond that. Our Salesforce environment was growing significantly and security didn't even know. We already had, I think it was, seven Salesforce clouds, like cloud instances, right, and then we migrated that down to five and then down to three, and then, like, now it was going back up to five. Right, yeah, but that's a lot of data, that's a lot of cloud presence, you know, in a SaaS app that you probably didn't even realize was there, and there's, you know, literally one guy at the company that knows, oh yeah, that's how it all works, that's what it is, right. Literally, you're lucky if it's one. Yeah, nothing, zero, it's often zero.
Speaker 2: And another thing that I feel like really contributes a lot to this problem in organizations is the misunderstanding of that shared responsibility model. It's like, oh no, Salesforce, like it's secure, like they have their own security team, they're securing it. And it's like, okay, but they are not going to stop you from misconfiguring your access controls and just leaving everything wide open. Like, that could be a business use case for you. They don't know, they don't care, it's not on their side of the shared responsibility model. And then, secondly, it's like, who owns SaaS security in your organization? Like, whose responsibility is it?
Speaker 2: Because you've got, like, your platform owners, right, who aren't necessarily security-minded individuals and have far too much on their plate already. Right, they're managing thousands, potentially, of users and processes and making sure that the instance is functioning. And then the security team will be like, well, we do pen tests on our own applications. This isn't our own application. Yes, we've purchased the product, but it's not really falling into our role. Plus, you know how it works, you're the platform owner, so why don't you deal with it?
Speaker 2: And there's this friction and, as a result, nothing gets done, because no one necessarily wants to take responsibility for it. And that is changing. And that is once again why there's such a need for AppOmni, because anyone can learn to use the product very easily and become like a SaaS security expert. Because my team is doing that novel research for you. Like, we're your SaaS security experts. If you've got Salesforce, ServiceNow, netsv, whatever it might be, we know where the risks are, we're going to productize it, build in those scans. So when you log in you instantly see, like, okay, high, critical, medium, click into the finding, review it, and you get the resolution guidance that we provide, and all of a sudden you've just got rid of, like, five potential critical issues without necessarily needing to fully understand the technicalities of that. So in that way it's extremely powerful, because we're enabling anyone to become a SaaS security expert internally in the organization.
Speaker 1: Yeah, that is. It's really fascinating. You know, you bring up a really good point. So I have, you know, the CCSK certification.
Speaker 1: CCSK, right, specifically talks about the cloud, and so, you know, SaaS falls into there, right, and when you're reviewing the material, they hardly even talk about misconfiguration within SaaS apps. I mean, like, they touch on it, like it's a line item, it's a bullet point, right, but they don't tell you, you know, hey, you need to really focus on this and pay attention to it. You know, because you can open yourself up to, you know, risks that you're not, you know, accounting for, that you don't even know are there, and that's still a very big misconception with SaaS apps.
Speaker 1: Overall, I'm finding, which, you know, it took us, like what, five years, five plus years, to get over that misconception with the cloud. You know, like, there was a huge misconception to think just the cloud, the cloud secures it, right. I mean, AWS would have to put out blog posts and videos and all that sort of stuff just to educate their customers that, hey, you still have security stuff that you have to do, and if you don't do it, this bucket's going to be public, right. Like, I mean, they used to have a public-first, you know, bucket configuration where, like, you would have to specifically say, make this private. Now they switched it, of course, but it's really interesting because, you know, SaaS is a part of the cloud, right, it's bigger in the cloud than ever before, than any other area of the cloud. You know, thinking about, like, infrastructure and PaaS, as you know, PaaS, right, like SaaS is probably the biggest part of the cloud now, and people are forgetting that they still have to do those security configurations within their SaaS app.
Speaker 2: You know, it's interesting, it's funny you mentioned the public default first, right, because it passes the exact same thing. I've seen all of these big, powerful SaaS applications evolve with security over time, largely as a result of research, and it's situations like, oh, when you create an access control, it's blank by default, like nothing gets added to it. Or if you write some custom code on top of the platform, if you don't specify explicitly that it should run in, like, user mode, it will run in system mode. So effectively anyone executing the code is running as system. It's like an instant privilege escalation.
Speaker 2: And these are interesting developments because it's almost like we're not just educating the security community and the customers, but also the vendors, in a sense, on helping them improve their product. It's not just the customers that we're focusing on. Configurations are never hardened right out of the box. It's lucrative for you because you have a product, so then you're just going to keep finding criticals and everyone's going to want to buy you. But at the end of the day that just doesn't help anyone. It isn't the best feeling, hooking up like an M365 or a Salesforce instance, and I now have to sit through multiple hours to walk through, like, 100 findings with the customer, but it's so overwhelming for them, right? So, yeah, I just want to get to a place in which we can assist the vendors while also assisting our customers in, like, the most frictionless way possible.
Speaker 1: Yeah, that's probably, you know, the only path forward. Like, we need these vendors to kind of have their own. I mean, they probably do. I would certainly assume that they have their own, like, security research team, right. But, you know, we need these vendors to kind of make it dummy proof, you know, for idiots, you know, like me, that are not developers, that, you know, may still be tasked with, like, application security. Like, when I'm tasked with it, I'm immediately looking for, like, tools and shortcuts and, you know, what tells me the most amount of information most accurately, and things like that. You know, when you're, you know, pen testing a SaaS app, do you have to be a developer? Like, do you have to have that skill set? And I ask because previously you mentioned how, you know, you don't like functions.
Speaker 1: Functions are confusing, you know, as they are for me, like functions are super confusing for me. That's where my Python education, like, ends. Every single time I try to go down it, right, it's like, as soon as I hit functions, I get the basic level of functions, and then they, like, step it up to the advanced stuff, and I'm just like, yeah, I'm done, like I don't want to look at this. Yeah, yeah, the functional programming, I, yeah, I'm never going to return to that.
Speaker 2: I haven't whatsoever. Haskell is a no for me. I mean, you don't have to have that knowledge, you don't have to be able to write code. There's a lot of security researchers, and we're talking, like, de facto bug hunters or individuals who perform code auditing of open source projects, that can't necessarily write the code, but they can understand it and read it, and, depending on the language that the code's written in, that can be easy or it can be hard. Right, it's very easy to read a Python script in comparison to assembly language, right. And so, while you don't necessarily need to be able to write it, for some types of issues it can be very useful to be able to at least understand what's going on, and typically that's usually JavaScript, is what I find on a lot of these powerful platforms, which isn't, it's not awful and it's not the worst thing to have to read. But that's just like a small subset of potential risk, the whole, like, custom development side of things. So, yeah, you don't need to necessarily come into SaaS security having, like, all of this expert knowledge of programming languages. One of the benefits is, if you're looking for things like exploitable misconfigurations, then you don't necessarily need to know about SQL injection, you don't necessarily need to know about XML external entity attacks. That's also a benefit, right? So, yeah, it takes a while to get used to.
Speaker 2: A lot of the individuals who come into the SaaS security space from more of a traditional background, like pen testing, do struggle quite a lot, because it's a shift in mindset. So it's not just, like, necessarily the skill set we're talking about, but it's also the mindset. I have to explain to people, like, I'm not necessarily looking for zero-days here, right, I'm looking for things that look suspicious, that look dangerous, and I'm seeing, okay, how can this be exploited? And sometimes I can't, right, and that's just the case, but oftentimes it can. So, yeah, that's just some food for thought for anyone who wants to kind of get into the space. I don't want to put anyone off, but it takes a while to wrap your head around it, for sure.
Speaker 1: Yeah, it's interesting that you put it like that. You know, I find myself, at least, you know, starting from scratch and coding, it's really difficult for me, like just starting from scratch and trying to, like, piece it all together, right, like that's really difficult, but I can read it really well, right, so I understand what's going on. When I, you know, read a Python script or JavaScript, whatever it is, like, I typically understand it pretty well. And so now I'm actually like, I'll use, you know, AI or, you know, Grok, right, to write me the script, and then I plug in everything that I need and, you know, adjust it to how it'll work and whatnot, right. You know, as I'm doing that, right, like, you're learning the different techniques and things like that. When you're reading through it, you know, you're learning how it operates.
Speaker 1: But it's really helpful, you know, to hear, like, hey, you don't have to be a developer to get into the AppSec space. You know, I think that's probably, like, the biggest hurdle for anyone, you know, looking at security and saying, where do I want to focus my time? That's probably, like, the biggest hurdle for AppSec overall, is people just saying, well, I don't want to be a developer. An application, that sounds like developer, so why would I not have to be a developer to secure it? You know?
Speaker 2: Yeah, yeah, absolutely. And, you know, back when I was a security engineer I didn't do any development whatsoever, and even up until today, any of the development that I do is just a new area for me that I wanted to explore. Like, I enjoy productizing my own findings, because I like seeing that end to end, like from finding the issue to building the scan and then seeing it benefit our customers, in that sense. But I really don't have to be doing that. I could be, my role is purely security research. To be honest with you, and also you made a good point. I mean, you could just throw these code snippets from these scripts that the vendors are putting on customer instances, or customer-developed code, into ChatGPT, right, and you'll hopefully get some coherent explanation for it, and in that sense you'll both learn how to better read it and also better understand it. So it's a good point. Yeah, yeah, absolutely.
Speaker 1:well, you know, aaron, I'm very mindful, you know, of the time that I since I said for for podcasts, as I know everyone in this industry is so busy. But you know, before I let you go for one, you know this was a fantastic conversation. I absolutely want to have you back on. We'll connect, we'll maybe collaborate on a couple things, but it was a very fascinating conversation. Really enjoyed having you on.
Speaker 2: Thank you so much. It's honestly fantastic to be on. I thoroughly enjoyed it. It's fantastic to learn about yourself and your background too, yeah.
Speaker 1: Yeah, yeah, absolutely. Well, you know, before I let you go, I'll let you tell my audience, you know, where they could find you if they wanted to, you know, reach out or connect, or maybe just see what you're posting out there, and where they can find out about you and maybe a little bit about your research.
Speaker 2: Yeah, so, I mean, to start from more of a kind of a personal perspective. My Twitter is ConspiracyProof, all one word. I made it when I was like 16. Don't judge me. ConspiracyProof on Twitter, or X, as it's now called. You can find me on LinkedIn, Aaron Costello. I'm very, very active there as well, so give me a message on either platform. I do have one of my own personal blogs, that's enumerated.ie, where I will, more so now, backlink to the AppOmni blog. But my original research is present there. So there's a couple articles there that are potentially too spicy, right, to put on the work website, but the biggest chunk of my research is on the appomni.com website. So we've got a section of our blog called AppOmni Labs, and that's where you'll really find a lot of my stuff. So you've got white papers, blog posts, tons of different types of content that are hopefully really useful to you. Awesome, well, thanks.
Speaker 1: Thanks again, Aaron, you know, for coming on, and, you know, everyone listening, go ahead and check out Aaron's posts, the resources that he mentioned, and check out AppOmni. All right? Well, thanks, everyone.
Speaker 2: Hope you enjoyed this episode. Cool.