Security Weekly
Application Security WeeklySubscribe
Cloud Security, Application security, Security Staff Acquisition & Development

ASW #198 – Matias Madou

This week in the AppSec News: OWASP Top 10 for Kubernetes, Firefox improves security with process isolation, CNCF releases guidance on Secure Software Factories and Cloud Native Security, & the DOJ clarifies its policy on CFAA!

Developers want bug-free code -- it frees up their time and is easier to maintain. They want secure code for the same reasons. We'll talk about how the definition of secure coding varies among developers and appsec teams, why it's important to understand those perspectives, and how training is just one step towards building a security culture.

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly

View Show Index

Full Audio

Segments

1. The Psychology of Training – Matias Madou – ASW #198

Developers want bug-free code -- it frees up their time and is easier to maintain. They want secure code for the same reasons. We'll talk about how the definition of secure coding varies among developers and appsec teams, why it's important to understand those perspectives, and how training is just one step towards building a security culture.

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Guest

Matias Madou
Matias Madou
Co-Founder and CTO at Secure Code Warrior

Matias is the co-founder and CTO of Secure Code Warrior. SCW provides a fully hands-on gamified experience with metrics, leaderboards and badging that enables developers to master secure coding in different development languages and frameworks. Our customers are able track their skills and progress, and benchmark different teams, including assessing potential suppliers and new recruits. SCW is truly the first global platform developers want to learn on and allows you to ensure a minimum baseline of security skills in your organization.

Matias has over a decade of hands-on software security experience. From the research to improve existing solutions to scoping and building new solutions. A dozen patents and a bunch of papers are the result of his research that eventually led to a hand full of commercial products.

Matias holds a Ph.D. in computer engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application. With his Ph.D. in application security, he joined Fortify as an intern and moved up to being the research architect of all runtime solutions within crossing Fortify and ArcSight within HP. He presented at conferences including RSA Conference, BlackHat and DefCon.

Hosts

Mike Shema
Mike Shema
Tech Lead at Block
John Kinsella
John Kinsella
Co-founder & CTO at Cysense

2. OWASP Top 10 for K8s, Firefox Process Isolation, Secure Software Factory, CFAA Policy – ASW #198

This week in the AppSec News: OWASP Top 10 for Kubernetes, Firefox improves security with process isolation, CNCF releases guidance on Secure Software Factories and Cloud Native Security, & the DOJ clarifies its policy on CFAA!

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Hosts

Mike Shema
Mike Shema
Tech Lead at Block
  1. 1. Ruby Vulnerabilities: Exploiting Dangerous Open, Send and Deserialization Operations
    Here's a well-written walkthrough of various RCE and deserialization attacks against Ruby on Rails. One of the things that stood out to me was the inclusion of references to prior work on various attack techniques, which provides the opportunity to dive deeper into any of these items as well as showing how the security community works best when it acknowledges and builds upon techniques.
  2. 2. Firefox debuts improved process isolation to reduce browser attack surface
    Mozilla released Firefox 100 earlier this month. An appsec aspect worth highlighting is the process isolation they improved for Windows in this release. We talk a lot about choice of programming languages and refactoring memory unsafe code (which is the nice way to refer to C and C++). Here's a good example of adjusting an app architecture in order to improve security. As with any refactor, tests can bring surprises -- in this case, crashes when encounter line endings. Check out more details on the Mozilla blog at https://hacks.mozilla.org/2022/05/improved-process-isolation-in-firefox-100/
  3. 3. Announcing the Secure Software Factory Reference Architecture Paper
    CNCF's Technical Advisory Group - Security (STAG) has released their guidance on how to design and implement security for a build pipeline. It comes out of the larger supply chain work that CNCF, and just about everyone in infosec this past year, has been investing in. Having a reference architecture with security guidance is an important evolution from the more generic recommendations of "have a secure pipeline". Grab the PDF of the paper at https://github.com/cncf/tag-security/blob/main/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf As a point of comparison, Solarwinds described their approach to building a hardened software factory (aka CI/CD pipeline) in a whitepaper at https://www.solarwinds.com/resources/whitepaper/setting-the-new-standard-in-secure-software-development-the-solarwinds-next-generation-build-system/delivery. Their approach is understandably informed by the type of attack they suffered -- ephemeral systems to inhibit attacker dwell time, parallel builds to reach consensus on provenance and trustworthiness. It's interesting to see how organizations respond to attacks and how the changes they make take into account different scenarios.
  4. 4. Announcing the Refreshed Cloud Native Security Whitepaper
    Cloud native is an easy term to capture the idea of building, deploying, and running apps within the cloud. And it's one of those easy terms to use that hides a lot of complexity and effort needed to ensure a secure environment. CNCF first released this whitepaper back in 2020 and now they've updated content for sections like Security Assurances, Security Principles and Compliance. They've also included commentary and processes on the feedback process, which is an important way to engage the community -- check it out and share ways you think it could be further improved. For those of you following NIST's SP 800-218 Secure Software Development Framework (SSDF) -- we know it's an exciting topic -- the whitepaper now includes a mapping to SSDF practices. Grab the PDF of the paper at https://github.com/cncf/tag-security/tree/main/security-whitepaper
  5. 5. DOJ Announces It Won’t Prosecute White Hat Security Researchers
    Welcome news for security researchers, pentesters, bug bounty researchers, and others "who root out vulnerabilities for the common good". It's not a change in law behind the CFAA, but it does clarify DOJ's policy on enforcing it.
  6. 6. One Fuzzing Strategy to Rule Them All
    More fuzzing! We don't need to go into detail on this one -- it's likely for a narrow audience who are already running fuzzers. But we'll leave you with the insights and links to other resources from a Twitter thread by Caroline Lemieux at https://twitter.com/cestlemieux/status/1524438583184138240
John Kinsella
John Kinsella
Co-founder & CTO at Cysense
  1. 1. There’s now a OWASP top 10 for kubernetes
    It sounds good at first glance, but I have to wonder - is having separate top ten lists for various parts of your stack a good thing? I thought there was at least one other besides the main top 10, but I'm only seeing the 2 mentioned on the website at the moment. (OK I see an "interpretation" for serverless...maybe that's what I thought of)
  2. 2. Researchers use a BLE relay to open and drive a Tesla
    One thing I like about this article is that it's out in the "real world," not another post on a security blog...
  3. 3. Rust Supply-Chain Attack Infects Cloud CI Pipelines with…Go Malware
    While the mention of golang here feels like a distraction, it's still interesting to consider the various tools and code that an attacker will use. Anyways, core point here not too exciting - typo squatting on an rust crate, which then has a multi-stage attack looking for a gitlab CI server and installing a go-based executable
  4. 4. High severity bug found in google’s oauth Java client

Related

Cloud Security
2024 Security Planning with Forrester – Merritt Maxim – ESW #332

Forrester Research releases a few annual reoccurring cybersecurity reports, but one of the biggest that covers the most ground is the Security Risk Planning Guide, which was recently released for 2024. One of the report's 17 authors, and research director, Merritt Maxim, will walk us through the report's most interesting insights and highlights. Th...
Cloud Security
Broadening What We Call AppSec – Christien Rioux – ASW Vault

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on January 10, 2022. There's an understandable focus on "shift left" in modern DevOps and appsec discussions. So what does it take to broaden what we call appsec into something effective for modern apps, whether they're on the we...