Hot Potato – ASW #151

Sponsored By

Announcements

• Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

• Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!

Hosts

Mike Shema

Tech Lead at Block

John Kinsella

Co-founder & CTO at Cysense

Matt Alderman

VP, Product at Living Security

Announcements

• Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

• Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Hosts

Mike Shema

Tech Lead at Block

1. 1. Is Complexity the Enemy of Security?
   This article makes a case that bad design -- whether in interfaces, software architectures, or processes -- can be a better way to frame security challenges than merely attributing complexity as a trade-off with security. What's particularly nice about this article is that it doesn't just swap out terms, it presents examples and guidance on how to achieve good design. Plus, these design goals have direct ties to application security, from building apps with opinionated defaults and declarative configurations to using the "5 Whys" and blame-free postmortems.
2. 2. WiFi devices going back to 1997 vulnerable to new Frag Attacks
   Cool research that digs into the attack surface of WiFi standards and demonstrates how design flaws have far-reaching consequences across implementations and, in this case, across decades. We've seen fragmentation-style attacks before, most recently as part of the SAD DNS flaw back in November 2020. This research is also a great example of good documentation and well-described threat scenarios. As the researcher notes, aspects of this problem were known as far back as 2007. What makes this interesting is the journey from a known-but-difficult-to-exploit flaw to addressing the flaw across multiple implementations. It touches on familiar aspects of prioritizing development efforts, dealing with backwards compatibility, and revisiting flaws when new information comes to light. Check out the research at https://www.fragattacks.com
3. 3. Sending webhooks securely
   Webhooks have become a common design pattern for handling events between web applications. This article shares insights on mistakes to avoid in implementing them, from exposing cloud resources to SSRF to ensuring they have some form of authentication. For another example of request signing, check out the documentation on "Signing AWS API requests" at https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html. Also check out the [tl;dr sec] newsletter that had this and other articles at https://tldrsec.com/blog/tldr-sec-083/
4. 4. Fintech Startup Offers $500 for Payroll Passwords
   This isn't about bounties for bugs, it's essentially bounties for credentialed access to a third-party app. Not only does this access pattern create a grey area in the meaning of "authorized access" and set an expectation for sharing credentials that runs counter to all security recommendations, it expands the types of risks app developers need to be aware of. This type of access pattern isn't unheard of -- it's exactly the sort of problem that OAuth was intended to address. App developers have long deal with account takeovers and inauthentic behavior (like bots). So, what happens with apparently authentic behavior in an account shared with another app that's been implicitly approved by a user? Here's a related article about Plaid conducting a similar effort, https://www.vice.com/en_us/article/bvzzqa/plaid-paid-500-dollars-workplace-logins
5. 5. Integrating Rust Into the Android Open Source Project
   We talked about the "why" of adopting a language like Rust in a project back in episode 147 -- defeat a class of vulns like unsafe memory handling and parsing malicious media files. This article gives a good insight on the "how". In other words, the dev toolchain and integration with build processes have to be just as robust for a new language. You can't just say, "Write more secure code" in a different language without providing the means to make that language a viable choice. It's the same principle as offering up security tools to a DevOps team; make the tools work natively in their environment and the adoption will be far more successful.

John Kinsella

Co-founder & CTO at Cysense

1. 1. RCE in terraform’s plan command
   Most people think of "terraform plan" as a way to check their terraform configuration before executing it, or to generate a full plan with variables interperted (used for IAC scanners, gitops, or other tools). Turns out there's some scenarios where the plan command may execute code...
2. 2. CNCF releases supply chain security whitepaper
   CNCF's Security TAG just published their whitepaper on supply chain security. I like how it provides guidance for different assurance and risk levels. The whitepaper's a meaty 45 pages, but a link off the announcement blog has a framework "cliff notes" version.

Matt Alderman

VP, Product at Living Security

1. 1. WhiteHat Security Allies with Bit Discovery on Vulnerability Intelligence – DevOps.com
2. 2. Vdoo Announces New Integrations to Simplify Product Security Throughout the Software Development Lifecycle – DevOps.com
3. 3. Anchore advances marketplace security with Business Intelligence
4. 4. Google and Mozilla Develop an API for HTML Sanitization