Breaking John – ASW #136
This week, we welcome Andrei Serban, Co-Founder at Fuzzbuzz, to discuss Fuzz Testing! Fuzzing can be successful AppSec strategy for finding software bugs. And deploying a fuzzer no longer needs to be a cumbersome process. Find out how fuzzing can help secure software beyond just memory safety issues and what the future holds for making this strategy more effective for modern apps.
In the AppSec News, Significant source code leak from misconfigured repo, side-channel attack on hardware authentication keys, a third bug bounty for the U.S. Army, the cost of poor software quality, and the benefits of DevOps approaches to building systems!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
Full Audio
Segments
1. Fuzz Testing – Andrei Serban – ASW #136
Fuzzing can be successful appsec strategy for finding software bugs. And deploying a fuzzer no longer needs to be a cumbersome process. Find out how fuzzing can help secure software beyond just memory safety issues and what the future holds for making this strategy more effective for modern apps.
Announcements
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Guest
Andrei is the CEO and co-founder of Fuzzbuzz, a security startup based in San Francisco, that builds fuzz testing tools and infrastructure to help developers find severe vulnerabilities and bugs in their code with minimal effort. Today, Fuzzbuzz works with some of the largest tech companies to reduce the number of vulnerabilities that make it into production by enabling teams to fuzz test as part of their DevSecOps pipeline, finding bugs as soon as they get introduced.
Andrei studied Computer Science at University of Waterloo before dropping out to start Fuzzbuzz and accept the Thiel Fellowship.
Hosts
2. Google 2FA Cloning, Speed vs. Security, & “Hack The Army” Bug Bounty 3.0 – ASW #136
Significant source code leak from misconfigured repo, side-channel attack on hardware authentication keys, a third bug bounty for the U.S. Army, the cost of poor software quality, the benefits of DevOps approaches to building systems.
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
Hosts
- 1. Nissan source code leaked online after Git repo misconfigurationAttackers siphon source due to a SaaS misconfiguration that not only allowed public repos, but used trivial credentials.
- 2. New side-channel attack can recover encryption keys from Google Titan security keysWell written research on hardware authentication keys that provides insights on improving security as well as placing the attack within perspective of practical threat models. Don't worry about the heavy presence of acronyms and check out the paper at https://ninjalab.io/wp-content/uploads/2021/01/a_side_journey_to_titan.pdf
- 3. Hack the Army bug bounty challenge asks hackers to find vulnerabilities in military networksAnnounced back in November 2020, the bounty program is now live and interesting to watch from the perspective of maturing a bug bounty approach to AppSec.
- 4. What is the cost of poor software quality in the U.S.?Another chance to talk about security budgets, metrics, and security as a dimension of quality. Related to this topic, two recent papers at the Workshop on the Economics of Information Security took an academic look at how breaches raise the cost of capital for companies (https://weis2020.econinfosec.org/wp-content/uploads/sites/8/2020/06/weis20-final14.pdf and https://weis2020.econinfosec.org/wp-content/uploads/sites/8/2020/06/weis20-final16.pdf)
- 5. 7 Trends Influencing DevOps and DevSecOps AdoptionWhether you take these as principles or prognostication, the type of engineering in these topics benefits from a DevOps approach to software and security.
- 6. Navigating the trade-off between development speed and securityRather than positioning speed and security as polar opposites, consider security as a guide to how fast you could and should be able to build systems.
- 1. Google’s 2FA tokens can be cloned within 10 hoursIf you lose a 2fa token, you should be able to have it disabled ASAP. For many, this might be a "oh I misplaced it" on a Saturday morning, and "I'll get to it on Monday." The takeaway that might be useful to corporations here is "a 2FA token can be cloned within 10 hours" which might give reason to create a policy saying "The misplacement/loss of a 2FA token MUST be reported ASAP and disabled within 10 hours." In reality, if I steal a 2fa token, I'd probably make sure I have the credentials first so I'm ready to roll when as soon as it's in my possession, so I don't fully get the value of this, but if it helps it helps.
