Check Your Alibis – ASW #142
Full Audio
1. Privacy, Data Security & Compliance – Cynthia Burke – ASW #142
In most IT shops, privacy, data security and compliance have often resided under the same umbrella of ownership. While all 50 states in the US have data breach notification laws, we are seeing a shift in focus toward data privacy globally. Privacy and data security compliance are often used interchangeably, but this misuse of terminology (and the associated requirements for all IT organizations) creates a lot of confusion in an already complicated industry. Cynthia will explore some of the key factors in 2021 and why we need to get it right.
This segment is sponsored by Capsule8.
Visit https://securityweekly.com/capsule8 to learn more about them!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
Guest
Cynthia brings more than 15 years of IT and compliance experience to Capsule8. Prior to joining Capsule8 as Compliance Manager, Cynthia was an assistant director and program manager with KPMG's international audit division, leading projects to develop KPMG's audit-collaboration tools.
2. Security Engineering, Evil Packages, Exchange SSRF, & Observability – ASW #142
Making security engineering successful, Go's supply chain, mitigating JSON interoperability flaws, automating the hunt for deserialization flaws, the importance of observability, and what to do about Exchange.
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
- 1. Microsoft: These Exchange Server zero-day flaws are being used by hackers, so update now. Take one pre-auth SSRF and one deserialization flaw to gain admin privileges and you're halfway to full Exchange compromise. The Nmap script provided by Microsoft to check for the flaw hints at the elegance of SSRF's simplicity and its impact on resources on localhost. Check it out at https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse. The write-up for CVE-2021-26855 at https://proxylogon.com mostly covers the disclosure timeline; we'll revisit it when the technical details behind the vuln are released.
- 2. Best Practices to Mitigate JSON Interoperability Vulnerabilities. A good companion to the JSON parsing article we covered in episode 141. This one looks at how to approach handling JSON from the perspective of a security-minded developer. It presents a clear, reasoned approach through different scenarios and highlights a Python tool, marshmallow, that helps with secure defaults. Check out that library at https://marshmallow.readthedocs.io/en/stable/
- 3. Open source tool SerialDetector speeds up discovery of .Net deserialization bugs. Even if you're not dealing with .NET code, the principles behind deserialization attacks apply to several languages. The tool shows how to find the .NET code out there that remains vulnerable, and the paper provides insight into building a tool to target a vulnerability class. Check out the repo at https://github.com/yuske/SerialDetector and the whitepaper at https://www.ndss-symposium.org/wp-content/uploads/ndss2021_3A-5_24550_paper.pdf
- 4. What was observability again? Being able to monitor system health, debug app issues, and reconstruct incidents are just a few of the things that fall under the umbrella of observability. It has become an important tenet of DevOps and SRE approaches to maintaining robust and resilient systems -- properties from which a secure system emerges. We also talked about observability as a key to securing Linux (and other systems) in the interview segment of episode 139.
- 5. BSidesSF Schedule. BSidesSF went virtual and retro this year, with a collection of past presentations followed up by live discussion on Reddit. The topics may have been recorded well before 2021, but they remain relevant to today's app security and privacy. Check out the replay of Clint Gibler's "How to 10X Your Security"; we spoke with him about this back in episode 100. Another one of interest is Sarah Harvey's "Anti-Privacy Anti-Patterns", which shows a necessary privacy angle to complement appsec.
- 1. Shifting security engineering right. We talk plenty about shifting security left to get security tools and concepts into the development process earlier. But what about getting security engineers "embedded" with dev teams so they learn more about what it's like on the "other side"? This post lays out how to go about that.
- 2. Finding evil Go packages. We've talked about supply chain security before. While it's a little harder to fool Go code, since the whole URL of an imported library is needed, Michael Henriksen wrote a tool to look for typosquatting attempts and wrote a blog post on the results.