ASW #218 – Sandy Carielli, Martha Bennett
A critical OpenSSL vuln is coming this Tuesday, a SQLite vuln, Apple blogs about memory safety and bug bounties, determining a random shuffle
The Web3 ecosystem is chock full of applications and projects that have lost money (and their customers’ money) due to breaches, code flaws, or outright fraud. How can security teams do a better job of protecting Web3 apps? Web3 applications (including NFTs) aren’t just vulnerable to attack, they often present a broader attack surface (due to the distributed nature of blockchains) at the same time as being a desirable target because of the value association with tokens. Join us for a lively discussion about key threats to Web3 apps – both on-chain and off-chain - what we can do to mitigate them…and what we absolutely should not do.
Additional resources
- https://www.bloomberg.com/features/2022-the-crypto-story/
- https://web3isgoinggreat.com
- https://blog.trailofbits.com/2022/06/21/are-blockchains-decentralized/ Visit https://www.securityweekly.com/asw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly
Full Audio
Segments
1. Understanding Web3 Application Security – Sandy Carielli, Martha Bennett – ASW #218
The Web3 ecosystem is chock full of applications and projects that have lost money (and their customers’ money) due to breaches, code flaws, or outright fraud. How can security teams do a better job of protecting Web3 apps? Web3 applications (including NFTs) aren’t just vulnerable to attack, they often present a broader attack surface (due to the distributed nature of blockchains) at the same time as being a desirable target because of the value association with tokens. Join us for a lively discussion about key threats to Web3 apps – both on-chain and off-chain - what we can do to mitigate them…and what we absolutely should not do.
Additional resources
Announcements
You can now find us on Instagram! Follow us for highlight reels, giveaway announcements, and more at SecWeekly.
Guests
Sandy is a principal analyst at Forrester advising security and risk professionals on application security, with a particular emphasis on the collaboration among security and risk, application development, operations, and business teams. Her research covers topics such as proactive security design, security testing in the software delivery lifecycle, protection of applications in production environments, and remediation of hardware and software flaws.
Martha serves CIOs and other tech leaders, helping them understand the impact of emerging technologies on their business. She also provides best practice guidance on how to assess and introduce new and emerging technologies. Martha provides in-depth coverage of blockchain technology, Web3 and the metaverse.
Hosts
2. Critical OpenSSL Vuln, SQLite Vuln, Apple Security Blog, Randomness & Shuffling – ASW #218
A critical OpenSSL vuln is coming this Tuesday, a SQLite vuln, Apple blogs about memory safety and bug bounties, determining a random shuffle
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Hosts
- 1. Forthcoming OpenSSL Releases
The last critical advisory seems to have been from 2016 and Heartbleed is about eight years old. So, even though this Tuesday promises to be a headache for orgs running OpenSSL version 3.0+, it's nice to see that the work going into maturing the code base seems to be paying off.
OpenSSL 3.0 has been out for just over a year, having been released in September 2021.
What's more interesting will be to watch the upgrade path and rate of adoption since version 1.1.1 has less than a year of support left.
- 2. Stranger Strings: An exploitable flaw in SQLite | Trail of Bits Blog
SQLite has one of the most comprehensive and high coverage approaches to testing. So when we highlight a vuln in this relatively ubiquitous software, it's helpful to point out how rare the vulns tend to be and how much diligence the project puts into not only coverage of code, but the various types of testing it conducts. This vuln doesn't seem likely to lead to mass exploitation given the prerequisites for triggering it.
- 3. Juniper SSLVPN / JunOS RCE and Multiple Vulnerabilities
This one has path traversal (yay!) and a handful of other vulns that hit a bunch of the OWASP Top 10 items, which makes the list of CVEs stand out as impressive for modern software.
- 4. Towards the next generation of XNU memory safety: kalloc_type – Apple Security Research
A deep dive into hardening Apple's kernel against memory safety issues. Even if you're not interested in C or macOS internals, the article provides a great overview of a taxonomy of memory safety issues and how Apple has been thinking about countering this attack class.
- 5. Blog – Apple Security Bounty. Upgraded.
Apple joins the ranks of companies highlighting how much they've spent on identifying vulns through the efforts of communities of researchers. As with all of these types of articles, I'm always curious what the money spent to fix the vulns looks like.
- 6. How a magician-mathematician revealed a casino loophole – BBC Future
Another article that steps a little outside the usual software we focus on, but it touches on security testing for random number generators, adversarial users that make for fun threat models, and the impacts -- measurable in dollars in this case -- of insecure software.
- 1. Docker adds support for WASM
This could be interesting - Docker announced support for running WASM apps - without having to build a container, but instead use the WasmEdge runtime. Will this be the beginning of the end for containers? (hasn't happened to VMs yet...)
- 2. Multiple vulnerabilities found in Jupiter ssl VPN
- 3. Bringing the concepts of CALM for devops to the cloud
