In this episode of AppSec Builders, Jb is joined by Security Architect, Sarah Young, to discuss Cloud Security, its evolution, and its increased presence within Cloud Vendor solutions and platforms.
Sarah Young is a security architect based in Melbourne, Australia who has previously worked in New Zealand and Europe and has a wealth of experience in technology working across a range of industry sectors. With a background in network and infrastructure engineering, Sarah brings deep technical knowledge to her work. She also has a penchant for cloud native technologies.
Sarah is an experienced public speaker and has presented on a range of IT security and technology topics at industry events both nationally and internationally (BSides Las Vegas, The Diana Initiative, Kiwicon, PyCon AU, Container Camp AU/London, BSides Ottawa, BSides Perth, DevSecCon Boston, CHCon, KubeCon, BSides San Francisco). She is an active supporter of both local and international security and cloud native communities.
[00:00:02] Welcome to AppSec Builders, the podcast for Practitioners Building Modern AppSec hosted by Jb Aviat.
Jb Aviat: [00:00:14] Welcome to this episode of AppSec Builders, I'm Jb Aviat and today I'm thankful to welcome Sarah Young, who is a senior program manager in Azure security. Sarah, you're very prolific in this security space with conferences, the Azure Security Podcast, and you're also a CNCF (Cloud Native Computing Foundation) Ambassador. Sarah, I'd love to hear more about this.
Sarah Young: [00:00:38] Thanks! And thank you for having me. Yeah! So many things I could say. So, yeah, I worked for Microsoft. So of course, every day I work with Azure and do Azure security as one would expect. But I've been working in security for oh. Like specifically focusing on security for the last eight or nine years now. Before I joined Microsoft, I worked with other clouds and so I got a fair bit of experience there. But with regards to CNCF I am, as you said, an ambassador and although I'm certainly not a developer, I certainly find the security aspect of cloud native stuff really, really interesting. And that's what I enjoy talking to people about.
Jb Aviat: [00:01:20] Alright. And so one thing you seem to be prolific about is Kubernetes, and Kubernetes is definitely something that has gone through an amazing popularity over the past years and also got a lot of security exposure because it's notoriously complex and difficult to use in a secure way. Do you have any specific thoughts about that?
Sarah Young: [00:01:42] Yeah, the of specifics we could go into here and I guess watching Kubernetes over the past two or three years has been really interesting because obviously there are new releases and every time there's a new release, there are updates and improvements made to it. Obviously, I focused more on that for me. I'm more interested in the security side of it. But it's really interesting if you go from the early days of Kubernetes through to now, how much it's improved. I mean, what are we on now? I think we're on twenty, twenty one or something like that. I forget the exact version. We're up to for releases at the moment. But if you go back to the early days or two, three years ago, there were some major, major security holes in Kubernetes. So there were things I mean, it didn't support RBAC or role-based access control. So if you don't have role-based access control, you literally can't give people permissions, like everyone just has everything, which is a security person's nightmare. So it's been really good to actually see how it's developed over the years and how the community have addressed those things.
Sarah Young: [00:02:46] Now, I'm not saying it's perfect yet, because to be honest with you, let's be honest, like no software, no hardware, nothing is perfect security wise. And that's partly why I have a job, because whenever people create things, there will be security holes or things that it doesn't do ideally. So it's been really good to see how the community has really focused in on security more the last few years, because I think in the super, super early days, Kubernetes was just being built more from a traditional developer perspective. People were thinking about the features and what it could do and not the potential security gap. But now that's changed a lot. There are some great people out there in the community who are doing security work. They now have, because this week, while the week we're recording this, it is KubeCon EU and KubeCon's now got Cloud Native Security Day. And there's also the special interest group in the community for security. So certainly it's been really great to see how that has grown over the past few years because there'll always be things to address for sure.
Jb Aviat: [00:03:50] Of course. Of course. And so that is very interesting. And how even that's community driven project. How is the decision to prioritize security features made over the decision to prioritize the thousands of the features that are in the.
Sarah Young: [00:04:08] I wouldn't say it's an interesting question, because this comes back to a thing that the endless battle that security professionals have is the when you are developing any kind of system, not just Kubernetes, any kind of system or product in I.T., the main priority, of course, is to have the functionality that it needs to do to fulfill whatever business need or functional need that the product needs to do. And security is great, but you can't have security will never win out as a priority over costs, delivery date, and functionality. And there are some there are different trains of thought on this. But I think having worked in delivery as well before, I kind of became more purely focused on security role. When you're trying to deliver something and get something running, you know, you're building a new application, you're building a new micro service, whatever. You know, if you've got a deadline and a budget, you have to meet that because probably your business is paying for it, your project is paying for it, whatever. Security is great. And I think that most devs and security people want to do it. But security is never going to win out over those competing priorities, but pretty much never. Now, I'm sure there might be some better examples out there.
Sarah Young: [00:05:27] So really, what we've needed to do in security is security needs to be made easier, because if it's not made easier to do and ideally inbuilt into a product, it won't win out over other priorities. And there are some security people who just want to try and really push people saying, no, you know, you've just got to prioritize it. But the fact is that it won't win out over delivering budget and things like that. So we have to make security easier and more straightforward. And I think it's great that the community has embraced. And that's why let's take Kubernetes. It's got now a lot more inbuilt security features. They rather than you having to use a third party Add-On to integrate, say, role based access control or key storage or whatever, like a lot of those things have been fixed. So when you start up the product, that security issue is already largely taken care of. All you do is a tiny bit of configuration. And so it's great that the community have actually addressed that because yeah as I said, I wouldn't say I think there's been more focus on it because, of course, you know, if you have a security breach or something is known as being insecure, like a piece of software, people don't want to use it.
Sarah Young: [00:06:41] But as I said, as a business, there are other priorities. But another great thing an old boss of mine told me a few jobs ago was and I really, really like this, we're not competitors when it comes to security. Now, what that means, because I was working for a financial services organization at the time, is that when we talk about security, right. If there's a vulnerability in something that's widely used, it's worth fixing. And even if you're fixing it for your company and it helps your competitor, then that's OK. Because at the end of the day, if you look at the cost to security breaches, although, say, I'd say you're an organization and your main competitor gets owned and like you might be like, yeah, that's amazing. But it's not really because at the end of the day, we all lose out on security breaches always at the end of the day. So it's within everyone's interest to work together to make the overall environment more secure. And of course, there are different ways of doing that. But I really strongly believe in that phrase that my old boss taught me, which was, yeah, we're not competitors when it comes to security. And so we should help each other out.
Jb Aviat: [00:07:55] Yeah, that's an interesting point of view. And that's great that each time there is a breach the overall trust is touched and impacted. And so that can indeed be hurtful for the overall space or industry. Interesting, yes, and to get back to a Kubernetes. And it isn't the way it evolves and has evolved from a security standpoint over the years were all the security efforts pushed by the community or there's some kind of more global governance done by maybe the CNCF?
Sarah Young: [00:08:30] Well, there is the special interest group, the SIG Security. And so that sort of drives a lot of the security discussions in CNCF. And there are some fabulous, fabulous people in there who really know their stuff, because if you take Ian Coldwater, for example, they are a really, really, really talented penetration tester. And they are absolutely yeah. I have a lot of respect because I am not a penetration tester. I understand the principles of it, but I know that they have really, really, really done some great work, found some really interesting vulnerabilities and there's also people like Liz Rice, who's been a huge cornerstone of the CNCF security scene for a long time. There's so many names, I'll just chuck a couple of names out there. But there are some amazing individuals who are very talented, really know what they're doing, who've been driving that for a number of years. And it's really, really good to see.
Jb Aviat: [00:09:30] Yes this is super interesting thanks for the considerations of Kubernetes. And so since you know very well this area, what are the main evolutions that you've seen over Kubernetes over the past year from the offensive standpoint and security research? I've seen lots of interest of articles and tools around everything from the operator and the Kubernetes implementor standpoint. Do you really think that the situation is much better today out of the box than it was maybe 10 years than just five years ago?
Sarah Young: [00:10:05] Yeah, it's like I don't know if you've seen this. It makes me think of the job adverts where people have said you've got to have 10 years experience in Kubernetes. And I know that was going there was someone posted one of those on Twitter a while ago. It made me laugh anyway. Oh, there's no doubt that it has improved massively since the early days. I mean, there's no doubt, like I said, I mean, some of the ones that really gaping holes that I can think of, things like I have no role based access control, one that people may remember is the admin page, the admin console of Kubernetes used to be accessible with no authentication. So as long as you knew that URL, you could go to it and do things which you don't have to be a security expert to know that is not good. And so, I mean, that that's the one that I always think of. And there were a couple of relatively at the time, high profile hacks and breaches around that. I also tried that myself, actually, in an experiment to see if I could get someone to own it. But I don't know if mine looks so obvious. Nobody wanted it looked so obvious. It looked like a honeypot. And for those of you who don't know what a honeypot is, that's just basically trying to attract people to attack your thing. But no one ever attacked it, which I was really surprised about that or I didn't pick it up, could have gone either way, I guess. So it's like there's no doubt it's improved hugely over the last few years.
Sarah Young: [00:11:36] Absolutely. But as is the case with everything, you still need to know what you're doing. But we're getting loads better at that. So obviously, the general skill level as Kubernetes has been around for longer, there are more people available who are skilled in it and understand what's going on. Also, we've got things like the CIS standard, so the Center for Internet Security benchmark that people can work through. There's also a lot of managed services out there. Now, I'm not shouting out to anyone in particular. There's quite a few providers offering managed Kubernetes clusters. And I think I'm a big fan of if you're not super comfortable with them or it's something you're still learning, then there's nothing wrong with going to a managed cluster, because then a degree of the configuration element, whether it's security or something else, is taken away because that will be done by the provider. And again, if we look at it from a pure security professional perspective, you know, you want to look at reducing your risk and reducing the likelihood something happens. And if you don't have the in-house skills yet or you're still building them up, but you want to use Kubernetes, that is that is a good way to go. There's also other advantages, particularly around integration, because most of the all the major cloud providers offer a managed Kubernetes service. And, you know, depending on where you've thrown your lot in with, it might make sense just from an easier integration perspective as well.
Jb Aviat: [00:13:02] Of course, definitely agree here, which is a nice transition to my next question, Sarah. So, yes, using managed services puts a lot of the security burden away. What are the other tools that you would recommend from a security standpoint to people using the cloud? So I know that's a broad question. In the past years the security offering of the cloud vendors grew and maybe grew more that many of them along the lines of offering. And so I'd be super interested to know how you would choose in this growth and what are the flagship products that you would recommend to anyone in the cloud.
Sarah Young: [00:13:45] Yeah, so it's a really tricky one because as you said, there's many, many products out there, so many products, and it can be difficult to know where to start. I think, particularly if you say a lot of organizations that have decided to go cloud first. So they'll like, OK, I'm going to put everything in cloud now. Although having said that, a lot of organizations will always have a bit of. An on premise footprint, it's unless you were born in cloud, say, in the last five years, it's actually quite hard to purely put everything in the cloud for various different reasons. So that's not realistic. So I always look at it. What I've been advising people, because there's so many things out there, you need to start right at the very beginning. More from a capability perspective. So what I mean is, rather than immediately picking a specific product that you like, look at it more from, I need this capability. I need this capability. And you may need I need this capability and I need it to run across, say, two clouds to commercial cloud and on premise. And so that starts to help you narrow down what tools you actually need. So how I look at it is you need I mean, this is what I do every day, but so this is what I love to talk about.
Sarah Young: [00:15:04] But you need a SIEM or SIEM or if you're from the US, it depends where you're from as to how you pronounce this. But SIEM, they say SIEM I say SIEM, but it is SIEM, which is security information and event management. Now, it's not a new technology. It's been around for a while. But now, of course, it is moving into cloud. So you can have on prem offerings and you have cloud. What I found and this is from me working more closely in cloud for about the last four or five years is that organizations seem to struggle to integrate cloud with some products. Now that's changing, as in a lot of the more modern cloud based SIEMs are much easier to integrate. But the traditional on premise ones have always been quite tricky for various different reasons. And again, I'm not even talking about a particular product or a particular type of cloud. It's something a problem I've seen across multiple different platforms. So what we see is people start putting things in cloud, but they're not monitoring it because the integration of the logs is tricky. And so we might have an organization that have got everything on premise monitored, but the cloud isn't monitored. And obviously that's a huge big black hole. So for sure, your visibility, if there's one thing you need to do, make sure you've got some visibility of what's going on.
Sarah Young: [00:16:26] And I think that's one of the most important things. So the other one is EDR or endpoint detection and response. So of course, I think everybody knows about antivirus and antivirus is still important. You should definitely have antivirus. But antivirus is very static. It just looks for signatures on things. It will look for signatures on files and things like that. And if it sees a match, it will give you an alert. Now, attack. We know that antivirus has been around a long time as attackers know how to get around that nowadays. And so EDR is more looking at general overall behaviors on an endpoint, and by endpoint I do mean, of course, like a desktop or laptop or whatever, but you can also use this on your server infrastructure as well, your VMs if you're still using VMs. And the fact is a lot of people still are. So I think it's wrong to I know we've been talking a lot about cloud native, but the fact is people still have VMs and EDR's much smarter at being able to pick up patterns of behavior as opposed to just a static signature. And so I really think it's important that people have a look at having some kind of EDR capability and of course, that can feed into your monitoring.
Sarah Young: [00:17:39] Then I guess more specifically, I'll finish on most actually. Now, two more for Kubernetes. I could go on forever, to be fair, but I'll leave it at these two for Kubernetes and containerized environments. So if you're using any other orchestrator, of course, you need some tools to be able to monitor the behavior of your orchestrator and your containers. Now, that one's trickier because traditional security tools don't always understand the containerized environment and are able to pick up on things. So it is. I know there are some products out there that are you should definitely be using a container registry. Please use a container registry. You put your container images in a secure registry and don't use random things if you can. Container runtime stuff is really good. There are different products out there. They are usually quite pricey, but container runtime, of course, depending on what you're running might be something you want to look out for your very important containers and workloads. And then probably last very last one that I'll talk about is identity. Now, it's really and again, I'll only talk about it super briefly. But please remember, you've probably heard it before. People say identity is the new perimeter. And that's true because it used to be when everything was on prem and just contained within someone's data center, you could just block it all off with firewalls and everyone focused on the network side.
Sarah Young: [00:19:03] But nowadays, organizations have things on premise. They have stuff in a cloud. They might have stuff in most. Of course, you can't use firewalls to protect all your data or you can't just use firewalls, the only way you can have a consistent security boundary is using identity. So please make your identity. Again, it doesn't matter what provider you're using. This is still the same. Whatever you're using, make sure your user accounts, your identities are rock solid from a security perspective. So that means not giving people more privilege than they need. The principle of least privilege. It means using MFA. Please use MFA. Oh my goodness. Apparently there's some research that shows that something like eighty five percent of security breaches wouldn't have happened had the users had MFA seriously. But that's how prolific that problem is. And a lot of people now, a lot of identity providers are giving away. It used to be MFA was a cool extra and you have to pay for it. Many people are giving MFA away for free now because they accept it's so important that they don't even charge for it because it's just a baseline, which I think is a really cool thing that's only happened in the last couple of years.
Jb Aviat: [00:20:20] Yeah, I agree that also because users start to value security, security starts to be a thing.
Sarah Young: [00:20:27] Yeah, I could go on about all of these for a very long time. But in short, those are the I think they are also your main four or five points that you should be focusing on.
Jb Aviat: [00:20:36] All right. Amazing. Thank you so much, Sarah. So that's very interesting. I appreciate the fact that you mention EDR, I'm not aware of EDR implementation of any cloud vendor, but again, those things evolve so fast. I didn't finish my email of the so maybe there is something. But that's here. When you want to implement something from a security standpoint and you are a cloud native, you can use the cloud vendor's tools. Right. So they have on the shelf. I don't know IDS, WAF, but as soon as your company expands and goes multi cloud, you have there to learn again the security tools of the new cloud vendor. So their own IDS, their own WAF, or you have the alternative to be using an external vendor that is cloud agnostic. So there is always a tradeoff because it's easier to use what's coming from your cloud vendor, but at some point it may not suit your needs. What do you recommend?
Sarah Young: [00:21:39] Oh, it's a really tough one. It is a really tough one. So I think there's no right or wrong way to do this, to be honest with you. Certainly, as you said, there are third party tools that are vendor agnostic that you can use consistently across, say, on premise, multi clouds and different clouds. But there's obviously advantages to using the inbuilt tools, looking at the pros and cons. So using cloud vendors in those tools, usually they're very, very easy to set up. They're often more driven as code, which is nice for CI / CD pipelines. They obviously integrate very easily into the rest of things. If we look at Azure, then as an example. So of course, any of the inbuilt security products are obviously they're already integrated into AD and things like that, which is nice. But at the end of the day, I think the choice is going to have to be made by the individual organization, because, as you said, if you've got the skills, I think it's going to depend on a number of things like cost, skill set, precisely what you're trying to do, the features required. So it might be that if you're going to use multiple clouds and you've got multiple different environments, ideally you want to try and make them consistent. But almost by using two different clouds, it's almost impossible to make them consistent, per se, as you might in, say, two traditional data centers. So I think it's just sort of part of the process you have to go through, which is to decide and probably do pros and cons. So it'll probably be, you know, pros. This one is I speak very generally, but I think that it's already included in your cloud cost if you're using cloud vendor tools.
Sarah Young: [00:23:16] But if you've got to pay for additional licenses for a third party, I think you've just got to see what works. This is something that we talk about a lot in security, which is benchmarking, and it's not done well enough. Traditionally, it's never been. We talked about it for a long time, but it's never done well enough. So by that, what I mean is actually properly assess products, see what works for the business and for the devs and for security. Because what has often happened in the past is that a dev team or business team will have picked a product they want to use without consulting security and security will have been like, oh well, this doesn't do X, Y, Z or the other way around. Security will have picked a tool and the devs or the business unit don't like it and there's just a clash there. So I think what's really important is that businesses sit down when they're doing architecture and designing these things and actually decide what works for everybody, it's something that no one's been very good at in the past because there's no right or wrong answer, because it's so contextual on different businesses. It can be budget, it can be in-house ability, it can be overheads. Like there's so many things that will sway the decision that you just need to make sure you have all your stakeholders around and so you can make the best decision at that time for the Org. So, yeah, I'm kind of on the fence. I don't have a right or wrong for this one.
Jb Aviat: [00:24:39] Yeah, that was a tough one. You're right. And I agree with you. It depends a lot on the context. But thanks for giving some pointers, Sarah, now that I know you're a cloud security specialist. So I'm wondering, how do you see the philosophy of the cloud vendors evolving from a security standpoint, do you see the focusing more of their development on new features? On new products? On new security capabilities? Do you see the interest evolving here? What's your take on the cloud vendor space evolution from a security standpoint?
Sarah Young: [00:25:15] Oh, yeah. I mean, you just have to look I mean, obviously I work for one of them, so I certainly like Microsoft spends billions of dollars. Again, this is no big secret developing security products and doing security research. And I know that it's a priority for all the cloud vendors to keep their security posture up. Of course, what's nice is I've been in security long enough that a couple of years, one before I started in security, security randomly actually started to become cool. Well, it wasn't cool when I started it. It was security, which is known as the "no" people. You know, they'd be like, no, you can't do that. No, you can't do that. And they weren't super popular in an organization because my dad said the. Oh, yeah, you're the business prevention officers because you just say no to everything. And I can see why security did have that reputation. But if I look at since I joined security, there have been a number of well have been many high profile breaches and both organizational and personal security has become much, much more of a focus point in people's minds with the state sponsored attacks and the sort of big criminal things. And obviously people getting their personal banking or whatever their identity stolen. So I think that it's become much more prevalent.
Sarah Young: [00:26:35] People have become much more aware of it just in their everyday lives, which means it's rolled up to at an executive level, companies being much more aware that this is a problem and that they do need to focus on it. And in terms of what that means for cloud vendors is, of course, they know that customers will be asking questions about it and saying, what do you do to manage this? We saw this high profile breach. What are you doing about that? How is that not going to happen on your system? And so because of that, cloud vendors obviously are understandably very focused on it. I mean, they always have been. But now I think over the last three or four years, they're getting a lot more tough questions from customers and every customer because they used to be industries that were particularly focused on security, which would be financial services and government, which isn't a big surprise. But nowadays it doesn't matter. Obviously, financial services and government are very security focused, as they always have been, but all other industries as well, all industries now are very focused on security and asking those questions. So cloud vendors have to step up and provide what customers want. So, yeah, I mean, it's definitely a big, important priority for them. Absolutely.
Jb Aviat: [00:27:50] And so with all that in mind and the how the things evolved over the past years, let's assume you have a new customer coming at Azure and they want to start a brand new architecture. What would you recommend them to use? In an ideal security standpoint? I'm thinking of, for instance, Microsoft has some very, very cool products, such as Azure Sentinel, for instance. And so I'm wondering if you have other in mind that I may not know.
Sarah Young: [00:28:18] Oh, so, yeah, Azure Sentinel. Is for anyone not listening? Who doesn't know? Azure Sentinel is Microsoft's cloud based SIEM. It's not just for Azure. We call it Azure Sentinel because it runs in Azure. Of course, SIEM is supposed to bring in things from everywhere. So Azure Sentinel is a really good option for your SIEM solution. But also in Azure, we have something called Azure Security Center, Azure Security Center is free to use, which means you have no excuse not to use it if you're using Azure. And what it does is it gives security hygiene recommendations. And what I mean by security hygiene is so if you've misconfigured something that is not ideal from a security perspective, it will tell you. So, for example, you don't have MFA configured. This virtual machine needs patching. It tells you those things. Now, they're not particularly sexy or trendy or anything like that, but the fact is, is that we also know that security hygiene is really important and misconfiguration of basic things, like not patching, like not having MFA. They account for a lot of breaches, a good proportion of breaches start or continue through misconfiguration of environments. And so there's no reason not to use Azure Security Center. It does have an additional bit to it called Azure Defender, which is EDR for Servers and for some of the PaaS services we have in Azure and AKS the Azure Kubernetes offering. But yeah, there's a ton of stuff in Microsoft. And again, we could go for a long time on that. But if nothing else, go and have a play with Sentinel because you can like you can turn it on for 31 days for free as long as you don't go over a five gig ingestion and you can have a play around with it. So I recommend doing that. And Azure Security Center is free and it gives you all those good hygiene recommendations. So you have no excuse not to use that. Good.
Jb Aviat: [00:30:13] Thank you, Sarah. I'm grateful to see so many cool features available on the shelf for everyone using Cloud Vendors. Thank you so much of the record, Sarah. Is there anything you'd like to add or share. I don't know. Specific, podcast? conference? And Book or anything.
Sarah Young: [00:30:33] Oh, so I'll have to do a shameless plug. Well, if your interest is specifically Azure Security, then I do with three of my colleagues, the Azure Security podcast every couple of weeks. So we talk to lots of people at Microsoft about various different bits of their security work. The other podcast that I really enjoy listening to is Darknet Diaries, they're very, very interesting talks about security and the cyber stuff. Just to use the buzz word. I mean, anything that if you're particularly interested in cloud native security, I know I already name-dropped them, but anything any material or talks by Liz Rice or Ian Coldwater are all amazing. Definitely. Go check those out. As for conferences, of course. In fact, it's actually just happened overnight. My time, the day we're recording this, there was the cloud native security day. So if you didn't attend it virtually, then look out for the talks online later on because they I believe they normally get posted on YouTube. There's also some ones for private cloud native security days. And yeah, that's probably enough to get you going. But I mean, there is so much out there. And my one piece of advice to people is if you're wanting to upskill in security, no matter what cloud vendor it is, no matter what system it is, by and large, there is a lot of material out there online, whether it's YouTube talks, podcasts, etc. There's a lot of like free material. And I know there are lots of people wanting to get into security because security became cool when used to be and because it's now cool. There are lots of people interested in a career in security. So I'd strongly suggest don't go and spend hundreds and thousands of dollars on material if you're just starting out. There is a lot of stuff out there that you can get involved with for free and contribute to and read up on. So yeah, try and do that. Don't break the bank.
Jb Aviat: [00:32:30] Yeah. Thank you so much for those thoughts, Sarah. I really, really appreciate. Thanks a lot for joining us today for this episode of AppSec Builders. I really appreciate having you here. I think the cloud vendors are playing a really big role in the evolution of security that we are seeing today. So thank you. Thank you so much, Sarah.
Sarah Young: [00:32:51] No, thanks. Thanks for having me. It's been great.
Jb Aviat: [00:32:55] So as Sarah would put it, another shameless plug, I don't usually share company updates, but I have a very special one. Sqreen was acquired by Datadog, that was announced a few weeks ago. And we are thrilled to bring application security there, integrating with the Datadog APM. So we are sharing more about this integration and our vision of the future of application security at the RSA conference happening this week. Feel free to visit our virtual booth there or to participate in a very cool CTF that our team built. You can find out more on datadog.com/ctf.
[00:33:40] Thanks for listening to this episode of AppSec Builders. You can find all the resources discussed during this show on www.appsecbuilders.com. Be sure to subscribe to our podcast to get updates on our upcoming episodes.