ASW #221 – Kenn White
Crossing tenants with AWS AppSync, more zeros in C++ to defeat vulns, HTTP/3 connection contamination, Thinkst Quarterly review of research, building a research team
MongoDB recently announced the industry’s first encrypted search scheme using breakthrough cryptography engineering called Queryable Encryption.
This technology gives developers the ability to query encrypted sensitive data in a simple and intuitive way without impacting performance, with zero cryptography experience required. Data remains encrypted at all times on the database, including in memory and in the CPU; keys never leave the application and cannot be accessed by the database server.
While adoption of cloud computing continues to increase, many organizations across healthcare, financial services, and government are still risk-averse. They don’t want to entrust another provider with sensitive workloads. This encryption capability removes the need to ever trust an outside party with your data.
This end-to-end client-side encryption uses novel encrypted index data structures in such a way that for the first time, developers can run expressive queries on fully encrypted confidential workloads.
Queryable Encryption is based on well-tested and established standard NIST cryptographic primitives to provide strong protection from attacks against the database, including insider threats, highly privileged administrators and cloud infrastructure staff. So even another Capital One type breach is not possible.
Segment Resources:
- https://www.mongodb.com/products/queryable-encryption
- https://www.wired.com/story/mongodb-queryable-encryption-databases/
- https://www.youtube.com/watch?v=mDKfZlQJO3k
- https://thenewstack.io/mongodb-6-0-offers-client-side-end-to-end-encryption/ Visit https://www.securityweekly.com/asw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly
Full Audio
Segments
1. Searching on Encrypted Data: MongoDB’s Queryable Encryption – Kenn White – ASW #221
MongoDB recently announced the industry’s first encrypted search scheme using breakthrough cryptography engineering called Queryable Encryption.
This technology gives developers the ability to query encrypted sensitive data in a simple and intuitive way without impacting performance, with zero cryptography experience required. Data remains encrypted at all times on the database, including in memory and in the CPU; keys never leave the application and cannot be accessed by the database server.
While adoption of cloud computing continues to increase, many organizations across healthcare, financial services, and government are still risk-averse. They don’t want to entrust another provider with sensitive workloads. This encryption capability removes the need to ever trust an outside party with your data.
This end-to-end client-side encryption uses novel encrypted index data structures in such a way that for the first time, developers can run expressive queries on fully encrypted confidential workloads.
Queryable Encryption is based on well-tested and established standard NIST cryptographic primitives to provide strong protection from attacks against the database, including insider threats, highly privileged administrators and cloud infrastructure staff. So even another Capital One type breach is not possible.
Segment Resources:
Announcements
Join our Discord channel to chat with our hosts, ask questions, customize livestream alerts, and more! Visit securityweekly.com/discord to receive an invite.
Guest
Kenneth White is a security engineer whose work focuses on networks and global systems. He currently leads applied encryption engineering in MongoDB’s global product group. He is co-founder and Director of the Open Crypto Audit Project and led formal security reviews on TrueCrypt and OpenSSL. He has directed R&D and security Ops in organizations ranging from startups to nonprofits to defense agencies to the Fortune 50. His work on applied signal analysis has been published in the Proceedings of the National Academy of Sciences. He created software powering the largest clinical trial & cardiac safety research networks in the world. His work on network security and forensics has been cited by the Wall Street Journal, Reuters, Wired, and the BBC.
Hosts
2. AWS AppSync Vuln, Zero-Initialization, HTTP/3 Connections, Thinkst Quarterly – ASW #221
Crossing tenants with AWS AppSync, more zeros in C++ to defeat vulns, HTTP/3 connection contamination, Thinkst Quarterly review of research, building a research team
Announcements
Security Weekly listeners, we need to hear your voices! Leave us your feedback on Apple podcasts & submit a screenshot to our giveaway form for a chance to win a $100 gift card from Hacker Warehouse! This giveaway will be open until the end of the year. We appreciate your honest feedback so we can continue to make great content for our audience! Visit securityweekly.com/giveaway to enter!
Hosts
- 1. A Confused Deputy Vulnerability in AWS AppSync
Research from Datadog about tricking the AWS AppSync service to make calls on the attacker's behalf. It's a good example of why authorization controls are so critical to GraphQL calls designed to interact and collect data from a variety of sources.
- 2. P2723R0 Zero-initialize objects of automatic storage duration
A C++ standard proposal that claims (with references) how zero-initializing data could mitigate ~10% of vulns seen against codebases. It's already an opt-in feature in modern compilers, but security benefits much more from secure defaults and explicit opt-outs.
Even if you're not working on a C++ codebase, imagine your favorite language or system and what apparently simple change (like zeroing memory when it's initialized) could make for a more secure default. This hits a recurring rhetorical question of: Why do we invest so much effort in hardening guides as opposed to making the default more secure? Why haven't we switched to "unhardening" guides or "de-security" guides?
- 3. HTTP/3 connection contamination: an upcoming threat?
It took a decade and a half to get from HTTP/1 to HTTP/2. And a few more years to get to HTTP/3. Even if most sites still use HTTP/1, it's exciting to have new protocols to analyze and research. Both HTTP/2 and /3 benefit from more explicit security considerations, but that doesn't mean they're without flaws -- either in design or implementation. Research like this from James Kettle illuminates potentially creaky bits and shows how it's possible to find surprises (which are a bane of security) in "simple" protocols.
- 4. ThinkstScapes Quarterly | 2022.Q3
This quarter's security research roundup from Thinkst gets into very technical topics in AI/ML, cryptography, and software analysis. On a meta level, the list of papers they cover or the list of items they reviewed can inform what conferences you might want to attend next year.
- 5. So long and thanks for all the 0day
We've covered many articles from NCC group authored by Jennifer Fernick and her team. This is a farewell post as she moves on to a new role. It includes quite a long list of favorite projects and posts worth checking it. But it also starts with thoughts on leading a research team -- it's a great resource for building up a capability within your own org, whether it's for appsec research or generally growing a technical team.
- 1. Spotify’s open source vuln mgmt program
Just managing a list of vulnerabilities has become a Big Deal over the last few years, leading to many vendors selling products just to help with this. Spotify's open sourced their internal product, which some might find useful.
- 2. RCE In Spotify’s Backstage
Backstage - a platform to make developer's lives a little easier, was found to have a CVSS 9.8 RCE
- 3. Improving code review time at Meta
