Encryption, DevOps, Bug bounties, Attack simulation, Deception

ASW #148

April 26, 2021



We start with the article about “Researchers Secretly Tried To Add Vulnerabilities to Linux Kernel, Ended Up Getting Banned” and explore its range of issues from ethics to securing huge, distributed software projects.
It’s hardly novel to point out that bad actors can attempt to introduce subtle and exploitable bugs. More generally, we’ve also seen impacts from package owners who have revoked their code, like NPM leftpad, or who transfer ownership to actors who later on abuse the package’s reputation, as we’ve seen in Chrome Plugins.
So, what could have been a better research focus? In the era of more pervasive fuzzing, how much should we continue to rely on people for security code review?

Read the research paper at https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf

For additional resources please visit:
Deceptive Diffs From Subversive Submitters – ASW #148 Featuring: John Kinsella (https://www.linkedin.com/in/jlkinsel), Mike Shema (https://www.linkedin.com/in/zombie). We start with the article about “Researchers Secretly Tried To Add Vulnerabilities to Linux Kernel, Ended Up Getting Banned” and explore its range of issues from ethics to securing huge, distributed software projects.

Read the research paper at https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf

For further details please visit:
https://securityweekly.com/asw148 Visit https://www.securityweekly.com/asw for all the latest episodes!

Full Episode Show Notes

Deceptive Diffs From Subversive Submitters

Hosts

John Kinsella

John Kinsella – Chief Architect at Accurics

@johnlkinsella

John Kinsella is the Chief Architect for Accurics

Mike Shema

Mike Shema – Product Security Lead at Square

@Codexatron

Mike Shema is the Product Security Lead of Square

Announcements

  • Security Weekly listeners save $100 on their RSA Conference 2021 All Access Pass! RSA Conference will be a fully virtual experience from May 17th-20th, 2021. Security Weekly will be live streaming Monday-Thursday in the virtual broadcast alley, interviewing some of the top sponsors and speakers for the event. To register using our discount code, please visit https://securityweekly.com/rsac2021 [securityweekly.com] and use the code 5U1CYBER! We hope to “see” you there!

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!



This week in the AppSec News: Signal points out parsing problems, privacy preserving improvements to AirDrop, Homebrew disclosure, WhatsApp workflows, adversarial data ordering for ML, & more! Visit https://www.securityweekly.com/asw for all the latest episodes!

Full Episode Show Notes

Signal Aesthetics, AirDrop Privacy, Safety vs. Security, & Data Ordering Attacks

Hosts

John Kinsella

John Kinsella – Chief Architect at Accurics

@johnlkinsella

John Kinsella is the Chief Architect for Accurics

Mike Shema

Mike Shema – Product Security Lead at Square

@Codexatron

Mike Shema is the Product Security Lead of Square

Announcements

  • Our next live webcast will be on April 29th at 11am ET where you will learn how to prepare for & prevent modern ransomware attacks! Our next technical training will be on May 6th at 11am ET. This technical training webcast will explore common misconfigurations of NGINX, the damage they could do, and how to avoid them. Also join us May 13th at 11am ET for a technical training with Thycotic to see how attackers gain access to endpoints and learn defensive strategies to protect against those attacks. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

prestitial ad