Coding for Security with Chris Ayers
.NET Rocks! Podcast Recap
Published:
Guests: Chris Ayers
What Happened
Chris Ayers, an Azure reliability expert at Microsoft, walks through the MITRE ATT&CK framework, a catalogue of adversary tactics and techniques that helps organizations reason from an attacker's perspective. Ayers stresses the need to apply patches promptly, since AI-assisted tooling and state actors shorten the window between a vulnerability's disclosure and its exploitation.
Ayers explains that roughly 90% of attacks begin with social engineering, such as phishing or deceptive phone calls. Once inside a system, attackers may tamper with logs, for example by appending misleading entries, or fill the disk so that logging stops, in order to conceal their presence. He highlights the importance of monitoring user behavior for anomalies, such as unusual login patterns or data exfiltration, so that such activity is caught early.
The episode also discusses the OWASP Top 10 for 2025, noting a shift in the ranking. Injection has dropped while access control and certificate issues have become more prominent. Ayers emphasizes multi-layered defenses, suggesting tools such as Dependabot together with tracking CVE advisories to secure supply chains and software pipelines.
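The behavioral monitoring Ayers describes, as an added example that is not code from the episode: a small detector run over constructed authentication log lines. It flags a successful login that follows a burst of failures, a login at an unusual hour, and a login from a country or device the user has not used before. The log format, the off-hours window and the thresholds are assumptions; the first sighting of a user in the log is treated as that user's baseline, which a production system would instead draw from a trusted history window.

```python
"""Detect anomalous logins in a small, constructed auth log (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, result, source IP, country, device id.
SAMPLE_LOG = """\
2025-03-03T09:12:04Z alice SUCCESS 203.0.113.10 US dev-a1
2025-03-03T09:40:51Z alice SUCCESS 203.0.113.10 US dev-a1
2025-03-04T03:05:17Z alice SUCCESS 198.51.100.7 RO dev-zz9
2025-03-04T10:00:00Z bob FAILURE 192.0.2.5 US dev-b2
2025-03-04T10:00:20Z bob FAILURE 192.0.2.5 US dev-b2
2025-03-04T10:00:41Z bob FAILURE 192.0.2.5 US dev-b2
2025-03-04T10:01:03Z bob FAILURE 192.0.2.5 US dev-b2
2025-03-04T10:01:27Z bob FAILURE 192.0.2.5 US dev-b2
2025-03-04T10:02:10Z bob SUCCESS 192.0.2.5 US dev-b2
2025-03-04T11:15:00Z carol SUCCESS 192.0.2.77 US dev-c3
"""

OFF_HOURS = range(0, 6)              # 00:00-05:59 UTC counts as off-hours (assumed policy)
FAILURE_WINDOW = timedelta(minutes=5)  # assumed burst window
FAILURE_THRESHOLD = 5                  # assumed burst size


def parse_line(line):
    """Split one constructed log line into a dict; raises if the line is malformed."""
    ts, user, result, ip, country, device = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "result": result, "ip": ip,
        "country": country, "device": device,
    }


def analyze(log_text):
    """Return (user, rule, detail) findings in log order.

    The log is processed chronologically; each user's earlier successful logins
    form the baseline against which later logins are compared.
    """
    findings = []
    seen_countries = defaultdict(set)
    seen_devices = defaultdict(set)
    recent_failures = defaultdict(deque)   # user -> timestamps of failures in window

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user = ev["user"]
        q = recent_failures[user]
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0] > FAILURE_WINDOW:
            q.popleft()

        if ev["result"] == "FAILURE":
            q.append(ev["ts"])
            continue

        # A success right after a burst of failures looks like guessing that worked.
        if len(q) >= FAILURE_THRESHOLD:
            findings.append((user, "success_after_failure_burst",
                             f"{len(q)} failures in {FAILURE_WINDOW}"))
        q.clear()

        if ev["ts"].hour in OFF_HOURS:
            findings.append((user, "off_hours_login", ev["ts"].isoformat()))
        # Only compare against a baseline once the user has one.
        if seen_countries[user] and ev["country"] not in seen_countries[user]:
            findings.append((user, "new_country", ev["country"]))
        if seen_devices[user] and ev["device"] not in seen_devices[user]:
            findings.append((user, "new_device", ev["device"]))
        seen_countries[user].add(ev["country"])
        seen_devices[user].add(ev["device"])
    return findings


if __name__ == "__main__":
    for user, rule, detail in analyze(SAMPLE_LOG):
        print(f"{user:6} {rule:28} {detail}")
```

Each rule on its own is weak evidence; alice's 03:05 login from a new country on a new device trips three at once, which is the kind of correlation worth paging on, while carol's single first-seen login produces nothing because there is no baseline yet.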
Supply chain attacks are a growing concern, as evidenced by a notable incident where an attacker embedded malicious code into an open-source project over two years. Ayers underscores the importance of defense in depth and monitoring CVEs to prevent similar breaches. He also advocates for generating Software Bill of Materials (SBoMs) to track software dependencies and vulnerabilities.
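The CVE monitoring from the OWASP discussion above and the SBOM tracking Ayers advocates here come together in the following added example, which is not code from the episode or from any of the tools it mentions. It parses a constructed CycloneDX-style SBOM, resolves each component's package URL (purl), and checks it against constructed advisory records written in an OSV-like "introduced/fixed" range shape. Package names, versions and advisory IDs are fictitious placeholders, not real vulnerabilities; a real pipeline would feed a generated SBOM and a live advisory database into the same matching logic.

```python
"""Cross-check a CycloneDX-style SBOM against advisory records (added example)."""
import json

# Constructed SBOM in CycloneDX JSON shape. Package names and versions are fictitious.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "Contoso.Serializer", "version": "12.0.1",
         "purl": "pkg:nuget/Contoso.Serializer@12.0.1"},
        {"type": "library", "name": "Fabrikam.Http", "version": "3.2.0",
         "purl": "pkg:nuget/Fabrikam.Http@3.2.0"},
        {"type": "library", "name": "left-widget", "version": "2.1.0",
         "purl": "pkg:npm/left-widget@2.1.0"},
        {"type": "library", "name": "left-widget", "version": "1.0.0",
         "purl": "pkg:pypi/left-widget@1.0.0"},
    ],
})

# Constructed advisories in an OSV-like shape. IDs are placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2025-0001", "ecosystem": "nuget", "package": "Contoso.Serializer",
     "ranges": [{"introduced": "10.0.0", "fixed": "12.0.4"}],
     "summary": "unsafe deserialization of untrusted input"},
    {"id": "EXAMPLE-2025-0002", "ecosystem": "npm", "package": "left-widget",
     "ranges": [{"introduced": "0", "fixed": "2.1.0"}],
     "summary": "prototype pollution"},
]


def parse_version(text):
    """Turn '12.0.1' into (12, 0, 1). Pre-release/build suffixes are ignored,
    which is an approximation: a real matcher needs ecosystem-specific ordering."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def parse_purl(purl):
    """Split 'pkg:TYPE/NAME@VERSION[?qualifiers][#subpath]' into (type, name, version).
    Namespaces (e.g. npm scopes) stay inside NAME."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    ptype, _, rest = purl[4:].partition("/")
    rest = rest.split("?", 1)[0].split("#", 1)[0]
    name, _, version = rest.rpartition("@")
    if not version:
        raise ValueError(f"purl has no version: {purl}")
    return ptype.lower(), name, version


def is_affected(version, ranges):
    """True if version falls in any [introduced, fixed) range; no 'fixed' means open-ended."""
    v = parse_version(version)
    for r in ranges:
        lo = parse_version(r.get("introduced", "0"))
        hi = r.get("fixed")
        if lo <= v and (hi is None or v < parse_version(hi)):
            return True
    return False


def match_sbom(sbom_json, advisories):
    """Return [(advisory_id, name, version), ...] for every affected SBOM component."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    # Index advisories by (ecosystem, package) so the same name in another
    # ecosystem (the pypi left-widget below) is not a false match.
    index = {}
    for adv in advisories:
        key = (adv["ecosystem"].lower(), adv["package"].lower())
        index.setdefault(key, []).append(adv)
    findings = []
    for comp in bom.get("components", []):
        ptype, name, version = parse_purl(comp["purl"])
        for adv in index.get((ptype, name.lower()), []):
            if is_affected(version, adv["ranges"]):
                findings.append((adv["id"], name, version))
    return findings


if __name__ == "__main__":
    for adv_id, name, version in match_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{adv_id}: {name}@{version} is affected")
```

Two details matter in practice: matching keys on ecosystem as well as name, since package names collide across registries, and treating the `fixed` boundary as exclusive so that the version that ships the fix (left-widget 2.1.0 here) is not reported.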
The use of AI tools like Copilot and Claude in security is discussed, although Ayers warns against granting them too much autonomy. Instead, he points to narrower uses such as rate limiting, which can serve as a security control by detecting anomalous data requests. Conditional Access in Microsoft Entra ID (formerly Azure AD) builds on the same idea, fingerprinting clients and escalating unusual behavior to stronger checks.
Ayers concludes by asserting that security is everyone's responsibility and should be part of regular discussions and planning. He introduces tools like .NET Aspire and OpenTelemetry (OTEL) that help build observability and security into cloud software development, so that resiliency is maintained; an exploited vulnerability is also a source of downtime.
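The rate limiting and fingerprint-based escalation described above, as an added example that is not code from the episode and not Microsoft's Conditional Access implementation: a per-principal sliding window that counts requests and bytes served, remembers which client fingerprints a principal has used, and returns one of three decisions. A limit breached from a known client is throttled; a limit breached from a fingerprint first seen inside the window, or repeated breaches, returns "step_up", meaning the caller should require re-authentication before serving more data. The window, thresholds, fingerprints and traffic are all constructed assumptions.

```python
"""Sliding-window request guard with fingerprint-aware escalation (added example)."""
from collections import defaultdict, deque


class RequestGuard:
    """Track per-principal request rate, bytes served and client fingerprints.

    Decisions: "allow", "throttle" (limit exceeded from a known client) or
    "step_up" (limit exceeded from a client first seen within the window, or
    repeated breaches). Thresholds below are assumptions for the example.
    """

    def __init__(self, window_s=60.0, max_requests=20, max_bytes=10_000_000,
                 strikes_to_escalate=3):
        self.window_s = window_s
        self.max_requests = max_requests
        self.max_bytes = max_bytes
        self.strikes_to_escalate = strikes_to_escalate
        self._events = defaultdict(deque)        # principal -> deque[(ts, bytes_out)]
        self._bytes = defaultdict(int)           # principal -> bytes served in window
        self._fp_first_seen = defaultdict(dict)  # principal -> {fingerprint: first ts}
        self._first_fp = {}                      # principal -> fingerprint of first request
        self._strikes = defaultdict(int)         # principal -> limit breaches so far

    def _trim(self, principal, now):
        """Drop events older than the window and subtract their bytes."""
        q = self._events[principal]
        while q and now - q[0][0] > self.window_s:
            _, b = q.popleft()
            self._bytes[principal] -= b

    def check(self, principal, fingerprint, now, bytes_out):
        """Record one request and return (decision, reasons)."""
        self._trim(principal, now)
        q = self._events[principal]
        q.append((now, bytes_out))
        self._bytes[principal] += bytes_out

        seen = self._fp_first_seen[principal]
        seen.setdefault(fingerprint, now)
        self._first_fp.setdefault(principal, fingerprint)
        # A fingerprint is "new" if it is not the principal's original one and
        # first appeared inside the current window.
        new_fp = (fingerprint != self._first_fp[principal]
                  and now - seen[fingerprint] <= self.window_s)

        reasons = []
        if new_fp:
            reasons.append("new_fingerprint")
        if len(q) > self.max_requests:
            reasons.append("rate")
        if self._bytes[principal] > self.max_bytes:
            reasons.append("volume")

        limited = "rate" in reasons or "volume" in reasons
        if not limited:
            return "allow", reasons   # a new device on its own is logged, not blocked
        self._strikes[principal] += 1
        if new_fp or self._strikes[principal] >= self.strikes_to_escalate:
            return "step_up", reasons
        return "throttle", reasons


def simulate():
    """Constructed traffic: a light user, a bulk puller on a new device, a noisy known client."""
    guard = RequestGuard()
    out = {"alice": [], "bob": [], "carol": []}
    for t in range(5):                                   # alice: a few small requests
        out["alice"].append(guard.check("alice", "fp-a", t, 100_000)[0])
    out["bob"].append(guard.check("bob", "fp-b", 0, 100_000)[0])   # bob's usual device
    for i in range(25):                                  # then 1 MB pulls from a new device
        out["bob"].append(guard.check("bob", "fp-x", 10 + i, 1_000_000)[0])
    for i in range(30):                                  # carol: too many small requests
        out["carol"].append(guard.check("carol", "fp-c", i, 1_000)[0])
    return out


if __name__ == "__main__":
    for principal, decisions in simulate().items():
        print(principal, decisions)
```

In the simulation bob is escalated on the request that pushes his window past 10 MB because it comes from a fingerprint he has never used before, whereas carol, exceeding the request count from her usual client, is throttled twice before the third breach escalates. Counting bytes served, not just requests, is what catches slow exfiltration of large records.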
Key Insights
- Chris Ayers notes that roughly 90% of attacks start with social engineering, such as phishing. These methods persist because they exploit human psychology rather than software flaws, so awareness and training are as necessary as technical controls.
- The OWASP Top 10 for 2025 shows a shift in focus. Injection has dropped to fifth place, while access control and certificate issues have gained prominence, reflecting changes in how attackers exploit systems.
- Ayers emphasizes the importance of defense in depth, illustrated by a two-year-long supply chain attack. An attacker became a maintainer of an open-source project, embedding malicious code into major distributions, underscoring the need for vigilant monitoring of open-source dependencies.
- Conditional Access in Microsoft Entra ID (formerly Azure AD) uses client fingerprinting and escalates unusual user behavior to stronger checks. This catches anomalies that could indicate a compromised account before they turn into a breach.