Security Weekly
Application Security WeeklySubscribe
Application security, Zero trust, DevSecOps

ASW #192 – William Morgan

The zero trust approach can be applied to almost every technology choice in the modern enterprise, and Kubernetes is no exception. For Kubernetes network security particularly, adopting a zero trust model involves some radical changes, including moving from a security perimeter defined by firewalls, IP addresses, and cluster boundaries to a granular approach that treats the network itself as adversarial and moves the security boundary down to the pod level. William will discuss why the zero trust approach is increasingly necessary for comprehensive Kubernetes security, the dos and don’ts when adopting Kubernetes, the implications for operators and security teams, and where tooling like service mesh plays a role. In the Application Security News: SSRF at a FinTech leads to admin account takeover, Zoom's bounty payouts for 2021, SLSA demonstrates Build Provenance, Go's supply chain philosophy, Raspberry Pi credentials, & more!

Segment Resources: - https://github.com/linkerd - https://linkerd.io/ - https://buoyant.io/mtls-guide/ - https://buoyant.io/service-mesh-academy/

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

View Show Index

Full Audio

Segments

1. Service Mesh & Zero Trust Kubernetes Security – William Morgan – ASW #192

The zero trust approach can be applied to almost every technology choice in the modern enterprise, and Kubernetes is no exception. For Kubernetes network security particularly, adopting a zero trust model involves some radical changes, including moving from a security perimeter defined by firewalls, IP addresses, and cluster boundaries to a granular approach that treats the network itself as adversarial and moves the security boundary down to the pod level. William will discuss why the zero trust approach is increasingly necessary for comprehensive Kubernetes security, the dos and don’ts when adopting Kubernetes, the implications for operators and security teams, and where tooling like service mesh plays a role.

Segment Resources:

- https://github.com/linkerd

- https://linkerd.io/

- https://buoyant.io/mtls-guide/

- https://buoyant.io/service-mesh-academy/

Announcements

  • Security Weekly listeners, save $100 on your RSA Conference 2022 Full Conference Pass! RSA Conference will be live in San Francisco June 6th-9th, 2022. Security Weekly will be there in full force, delivering real-time, live coverage and interviewing some of the event’s top speakers and sponsors. To register using our discount code, please visit https://securityweekly.com/rsac2022 and use the code 52UCYBER. We hope to see you there!

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Guest

William Morgan
CEO & Co-Founder at Buoyant

William Morgan is the CEO and Co-founder of Buoyant, as well as the creator of Linkerd, the pioneer of the service mesh category. He was previously an infrastructure engineer at Twitter, where he ran several teams building product-facing backend infrastructure. He has worked at Powerset, Microsoft, adap.tv, and MITRE Corp, and has been contributing to open source for over 20 years.

Hosts

Mike Shema
Mike Shema
Tech Lead at Block
John Kinsella
John Kinsella
Co-founder & CTO at Cysense

2. SSRF at a FinTech, Zoom’s Bounties, SLSA Build Provenance, & Raspberry Pi Credentials – ASW #192

In the Application Security News: SSRF at a FinTech leads to admin account takeover, Zoom's bounty payouts for 2021, SLSA demonstrates Build Provenance, Go's supply chain philosophy, Raspberry Pi credentials, & more!

Announcements

  • We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Hosts

Mike Shema
Mike Shema
Tech Lead at Block
  1. 1. API Threat Research: Server-side Request Forgery on FinTech Platform Enabled Administrative Account Takeover
    Well-written description of discovering an SSRF flaw that leaked a JWT with admin credentials, which could then be used to extract sensitive data. It's a good example of the danger of making mistakes in mutual authentication between services (especially when there may be dozens of microservices) and the pitfalls of leaked security tokens. JWTs have their own drawbacks, including far-too-easy mistakes in cryptographic algorithms and a reliance on statelessness that makes revocation and rotation more difficult. For some additional information on JWT weaknesses and suggested alternatives, check out https://paseto.io.
  2. 2. Popular Ruby Asciidoc toolkit patched against critical vuln – get the update now!
    Markdown strikes again! Well, a markdown extension. But it's still an interesting flaw that shares a theme with a pair of markdown issues we covered back in episode 187 (give it a listen at https://securityweekly.com/asw187). The exploit for this falls into the "dead simple" category and relies on a backslash and line break to fool a URI validator. The payload delivers a pipe to a command, which the server dutifully executes. It's also a useful patch that's easy to read even if you're not familiar with Ruby. And it'd make for a good exercise in threat modeling, secure coding, and reasoning through input validation. You can find the patch at https://github.com/jirutka/asciidoctor-include-ext/commit/c7ea001a597c7033575342c51483dab7b87ae155
  3. 3. Zoom awarded $1.8 million in bug bounty rewards over 2021
    We take a quick look at yet another company talking about its bounty awards and follow it up with one comment and one question. The comment is an observation on the cost of security when an app gets popular (and consequently receives more scrutiny) -- security is expensive (not to mention FTC consent orders). The question goes back to one we've asked before for these kinds of articles: Bounty awards give us a sense of the cost of finding flaws, what's the cost of fixing them? Presumably these are all tracked with metadata like time to remediate, lines of code changed, and probably long comment threads among DevOps and Security teams on triage and resolutions. It'd be interesting to see if there's a rough multiplier between a bounty and the developer+security hours to fix it.
  4. 4. Improving software supply chain security with tamper-proof builds
    It's encouraging to see SLSA continue to receive investment and demonstrations of how the framework can be implemented. This article describes a demonstration of establishing build provenance in order to gain confidence that the build hasn't been tampered with. Keep your threat models in mind as you read this -- it focuses on providing evidence of the build process and assertions that the build wasn't tampered with. The source itself is another matter (you can have a non-tampered build of tampered software). The article notes this, and SLSA itself is about the entire source-to-artifact process, so we'll highlight more articles as they come out.
  5. 5. How Go Mitigates Supply Chain Attacks
    This article is from the end of March and pairs nicely with the SLSA article on build provenance. The thing that stood out the most to me was the motto of, “A little copying is better than a little dependency”. Carrying this motto over to the world of NPM, it would be interesting to see what complexity or maintenance burden might diminish by applying this to popular packages like isarray or how the NPM ecosystem might have fared differently during the left-pad incident. To be fair, there's a difference between a potentially unnecessary package and avoiding the adverse actions of a package owner. But both situations can be mitigated by reducing the dependency graph.
  6. 6. PIPEFAIL: How a missing shell option slowed Cloudflare down
    This hits the appsec radar because availability is part of security and we don't talk about the A in CIA very often. It's also a good exercise in transparency, which provides a counterpoint to the Okta situation we covered in episode 190 (https://securityweekly.com/asw190). Finally, it gives us a second article this week that involves a pipe command and shells. In fact, it's the shell aspect that grabbed my attention. Bash programming is both concise and arcane. It's easy to pipe various utilities together and use Bash constructs to run a series of commands. But Bash can also be inscrutable, or at least carry a lot of mental cost even for those used to it. And its appeal as a "quick script" to accomplish a task can come with consequences for error handling and debugging. All of which is to say -- at what point do you replace a Bash script with something else and what criteria do you rely on to identify that point?
  7. 7. An update to Raspberry Pi OS Bullseye
    A small change in the default way Raspberry Pi's setup wizard handles the initial user account creation workflow. It's nice to see this change, however small it may seem, because it takes what might be a hardening checklist item (don't use default credentials) and makes the workflow reflect desired behavior (use non-default credentials, use a non-default user name). Small changes in large ecosystems can have significant positive impacts.
John Kinsella
John Kinsella
Co-founder & CTO at Cysense
  1. 1. The first Lambda malware?
    Cado's claiming to have discovered the first malware targeted to AWS Lambda. Several years into Lambda's existence, this sounds a little hard to believe, but let's review what they've figured out...
  2. 2. Build your own TPM server module
    On the hardware side, many servers don't come with TPM modules by default. If you're the type to pick up a cheap used server on ebay (or just want to understand TPM better), this post might be of help.
  3. 3. GitHub’s Dependency Review action checks for supply chain bugs at time of pull request
  4. 4. Adobe’s client-side node install doesn’t validate code signatures

Related

All the News — Just Six Months Later – ASW #265

We cover appsec news on a weekly basis, but sometimes that news is merely about the start of a new project, sometimes it's yet another example of a vuln class, and sometimes it's a topic we hope doesn't become a trend. So, what themes have we seen and where do we see them going? Here are a few headline topics that have alternately generated yays a...