ASW #214 – Dean Agron
Segments
1. Critical Requirements for Cloud Native Application Security – Dean Agron – ASW #214
The core focus of this podcast is to give listeners food for thought on what is required to release secure cloud-native applications:
Continuous, multi-layer, and multi-service analysis that looks not only at the code but also at the runtime and the infrastructure.
Focus on the vulnerabilities that matter: the critical, exploitable ones. Use context.
Choose the right form of remediation; it may come in different shapes.
Segment Resources: Oxeye Website for videos and content - www.oxeye.io
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
2. Exchange RCE, Patching at Scale, DORA Metrics, USENIX Best Papers, Passkeys – ASW #214
Exchange RCE, bulk pull requests to patch at scale, metrics from DORA, best papers from USENIX, implementing passkeys
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
- 1. Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server
  An SSRF and RCE (which requires an authenticated user) were disclosed before Microsoft had a chance to prepare fixes. These are familiar classes of bugs and apparently related to the prior ProxyShell vuln, although details have yet to be shared. The broader appsec angle here is the choice of software -- running your own Exchange server -- and what tools you have to mitigate vulns when patches aren't available.
  Additional resources:
  - https://www.darkreading.com/application-security/microsoft-confirms-exchange-zero-days-no-patch
  - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
- 2. Are you an Elite DevOps performer? Find out with the Four Keys Project
  https://cloud.google.com/devops/state-of-devops/
- 3. What the Securing Open Source Software Act does and what it misses
  https://therecord.media/log4j-senators-introduce-bill-centered-on-cisa-open-source-security-efforts/
- 4. USENIX Best Papers
  Highlights:
  - "Attacks on Deidentification's Defenses" -- https://www.usenix.org/conference/usenixsecurity22/presentation/cohen
  - "Dos and Don'ts of Machine Learning in Computer Security" -- https://www.usenix.org/conference/usenixsecurity22/presentation/arp
  - "Provably-Safe Multilingual Software Sandboxing using WebAssembly" -- https://www.usenix.org/conference/usenixsecurity22/presentation/bosamiya
  - "Let's Hash: Helping Developers with Password Security" -- https://www.usenix.org/conference/soups2022/presentation/geierhaas
- 5. Passkeys
  Here's an article about implementing Passkeys that seemed like a good educational exercise. At the very least, it's a helpful way to understand the protocol through the text explanation and supplemental JavaScript and Python3 code. And, while it wouldn't be the recommended approach for a complete implementation for a production system, it'd be a good way to talk about a protocol, implement it, then conduct threat models on both the protocol's design and, importantly, its implementation.
- 6. Patching common vulnerabilities at scale: project promises bulk pull requests
  Picking up this talk from DEF CON and BSides Las Vegas about generating pull requests at scale to address vulns. In spirit, this feels like a more constructive and successful approach to dealing with vulns. After all, offering an applicable, mergeable solution is a lot more helpful and efficient than adding to a chorus of, "You should fix this." It's a great version of "show, don't tell" in the vein of tools like Dependabot.
- 7. Rancher stored sensitive values in plaintext, exposed Kubernetes clusters to takeover
  It's an unhelpful tautology to say secrets are supposed to be secret. Services often need to present secrets like API keys or service tokens to prove their identity. The challenge is in storing secrets so that access is restricted to only the service that needs it, which becomes difficult in complex systems. The advisory is at https://github.com/advisories/GHSA-g7j7-h4q8-8w2f
- 1. TypeScript 4.9 is more satisfying than ever
  TypeScript 4.9 introduces a satisfies operator to ensure an object has the type that a developer is expecting, without widening the object's own inferred type the way a plain type annotation does.
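As an added illustration of the satisfies operator (this is example code written for these notes, not code from the TypeScript project or the linked article), the block below validates a hypothetical endpoint allow-list against an Endpoint type while keeping the literal key names, so a mistyped endpoint name is a compile-time error rather than an undefined lookup at runtime. The type and data names are constructed for the example.

```typescript
// Shape every entry in the allow-list must have (constructed for this example).
type HttpMethod = "GET" | "POST" | "DELETE";
type Endpoint = {
  url: string;
  allowedMethods: ReadonlyArray<HttpMethod>;
  requiresAuth: boolean;
};

// `satisfies` checks the object against Record<string, Endpoint> at compile time,
// exactly as `const endpoints: Record<string, Endpoint> = ...` would, but the
// variable keeps its inferred literal type: the keys stay "health" | "users"
// instead of widening to string. Adding an entry with allowedMethods: ["PATCH"]
// or a missing requiresAuth field would fail to compile.
export const endpoints = {
  health: { url: "/healthz", allowedMethods: ["GET"], requiresAuth: false },
  users: { url: "/api/users", allowedMethods: ["GET", "POST"], requiresAuth: true },
} satisfies Record<string, Endpoint>;

// Because the literal keys survive, this union is "health" | "users", and a call
// such as requiresAuth("helth") is rejected by the compiler.
export type EndpointName = keyof typeof endpoints;

// Look up whether a method is permitted for a named endpoint.
export function isMethodAllowed(name: EndpointName, method: string): boolean {
  const ep: Endpoint = endpoints[name];
  return (ep.allowedMethods as ReadonlyArray<string>).includes(method);
}

// Report whether the named endpoint requires an authenticated caller.
export function requiresAuth(name: EndpointName): boolean {
  return endpoints[name].requiresAuth;
}

// Count how many listed endpoints are reachable without authentication; useful
// as a guard in a test so an unauthenticated route cannot be added unnoticed.
export function unauthenticatedEndpointCount(): number {
  return (Object.keys(endpoints) as EndpointName[]).filter((n) => !requiresAuth(n)).length;
}
```

The design point is that the annotation form gives up the literal key set, so `endpoints.helth` would type-check as `Endpoint | undefined` (or just `Endpoint`, depending on settings), whereas the satisfies form keeps the check and the precise type at the same time.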