Actual Secrets – ASW #172
This week, we welcome Peter Klimek, Director of Technology, Office of the CTO at Imperva! Peter will talk to the challenges he's hearing from customers and partners about managing the security of APIs and what considerations organizations need to make in 2022 to better protect these growing ecosystems.
In the AppSec News, Mike & John talk: Discourse SNS webhook RCE, a checklist for a Minimum Viable Secure Product, WhatsApp security assessment, privacy engineering specialties, & DevOps presentations!
Visit https://securityweekly.com/imperva to learn more about them!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This segment is sponsored by Imperva.
InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Peter Klimek is Director of Technology within the Office of the CTO at Imperva, a market leader in edge, application and data security. Klimek helps global customers protect their applications, data and websites from security threats through all stages of their digital journey. Prior to Imperva, Klimek held roles at Kaspersky, TransUnion and Zebra Technologies as a solutions architect, security analyst and engineer.
This week in the AppSec News, Mike & John talk: Discourse SNS webhook RCE, a checklist for a Minimum Viable Secure Product, WhatsApp security assessment, privacy engineering specialties, & DevOps presentations!
In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.
- 1. Discourse SNS webhook RCE - CISA posted a recent warning about an RCE vuln in Discourse. It's notable due to the prevalence of the software and the impact of the relatively easily exploited vuln. It's a neat vuln to read about because of how cleverly it goes about manipulating signed requests to achieve an RCE. The researcher starts with a simple premise -- how to inject an arbitrary path into a call to Ruby's open() -- and walks through the hurdles they overcame in order to bypass what seemed like decent security checks. Read the Discourse advisory at https://github.com/discourse/discourse/security/advisories/GHSA-jcjx-pvpc-qgwq and the CISA advisory at https://us-cert.cisa.gov/ncas/current-activity/2021/10/24/critical-rce-vulnerability-discourse
- 2. Minimum Viable Secure Product - This is one of those articles that catches my eye as well as John's, hence the two-for-one special in the articles of the week. It's a mix of high-level and detailed security controls for software. Think of it as a more prescriptive form of a vendor security checklist. One of the items, SSO, is important to enterprises -- but it's also often a premium feature (if supported at all). Hopefully the future of SaaS will see SSO as a ubiquitous, free default in the same way we expect HTTPS Only. One of the best checks on this list is the push for security libraries in the application design controls. Using ORM and UI frameworks to get rid of whole classes of vulnerabilities might mean we'll one day have SQL injection and cross-site scripting be the relics they should have been a decade (or more) ago. You can find more about it from the Google security blog at https://security.googleblog.com/2021/10/launching-collaborative-minimum.html
- 3. Public Report – WhatsApp End-to-End Encrypted Backups Security Assessment - Reading threat models and security assessments written by others is a great way to improve your own. Here's a detailed writeup by NCC Group about their security assessment of WhatsApp. It may offer some inspiration on system design if you're dealing with passwords, encrypted communications, or privacy by design. Or it may be an inspiration for additional threats to consider when reviewing other types of systems. And even if the specific details seem less relevant, you can always look at it from the perspective of how to communicate security findings and recommendations. Unrelated to this report, but related to the OPAQUE protocol it refers to, is this research blog from Cloudflare that provides a great overview of Password-Authenticated Key Exchange (PAKE) at https://blog.cloudflare.com/research-directions-in-password-security/ Check out ASW 145 for info on a similar analysis of TikTok by Citizen Lab. You can find the show notes at https://securityweekly.com/asw145
- 4. Privacy Engineering Superheroes - Privacy engineering has distinct requirements and objectives that separate it from appsec, but you have to have a secure foundation in order to build privacy by design on top of it. While the article describes specialties that these engineering teams could dive into, many of them also represent opportunities for security engineering teams to improve software for their users -- whether it's tooling and dashboards for DevOps teams or attention to the user experience (UX) for DevOps and end users alike.
- 5. All Day DevOps - The latest All Day DevOps was held on October 28th, 2021 and, being all day and six tracks of presentations, it had a massive amount of material. In fact, a little too much to get through for this week's show. Instead, we wanted to highlight this resource for you and, if there's a favorite session you come across, let us know why it grabbed your attention and what others could learn from it!
- 1. Latest checklist: Minimum Viable Secure Product - Google, Salesforce, Okta, Slack and others put together a checklist for what they want to see at minimum in a product prior to purchase. Mostly standard items, though the 72-hour incident notification catches my eye. Some of the password requirements are interesting, as well...
- 2. Trojan Source allows Unicode comments to take over the world - *scary music* News broke Monday morning of a new vulnerability that's had coordinated disclosure across several different languages. The basic idea is that a Unicode string has the ability to tell the Unicode renderer whether it should be displayed left-to-right or right-to-left. This provides the ability for a comment to look like a comment, but actually affect code outside what's actually the comment. The interesting thing here is this appears to be the first vulnerability that's not specific to a particular programming language. (h/t https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/)
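The directional-override trick described in the Trojan Source item can be caught mechanically: source code almost never needs Unicode bidirectional control characters, so a pre-commit or CI check can simply flag them. The scanner below is an added example written for these notes (it is not code from the Trojan Source researchers or from the show); the function names are ours, and the sample source is constructed with the control characters written as escapes so they stay visible.

```python
import unicodedata

# Unicode bidirectional control characters that Trojan Source abuses:
# explicit embeddings/overrides (U+202A..U+202E) and isolates (U+2066..U+2069).
BIDI_CONTROLS = (
    {chr(cp) for cp in range(0x202A, 0x202F)}
    | {chr(cp) for cp in range(0x2066, 0x206A)}
)


def find_bidi_controls(source: str):
    """Return (line_no, column, codepoint, name) for every bidi control in source.

    Line numbers and columns are 1-based so a reviewer can jump straight to
    the spot that the editor renders misleadingly.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(
                    (line_no, col, f"U+{ord(ch):04X}", unicodedata.name(ch))
                )
    return findings


def is_clean(source: str) -> bool:
    """True when the source contains no bidi control characters at all."""
    return not find_bidi_controls(source)


# Constructed sample: line 3 carries a RIGHT-TO-LEFT OVERRIDE (U+202E) and a
# POP DIRECTIONAL FORMATTING (U+202C) inside what looks like an ordinary
# comment. This is the shape Trojan Source relies on: the editor shows one
# thing, the compiler tokenises another.
SAMPLE_SOURCE = (
    "def check_access(user):\n"
    "    if user.is_admin:\n"
    "        return True  # \u202eadmin only \u202c\n"
    "    return False\n"
)

if __name__ == "__main__":
    for line_no, col, cp, name in find_bidi_controls(SAMPLE_SOURCE):
        print(f"line {line_no}, col {col}: {cp} {name}")
```

Legitimate right-to-left text in string literals will also trip this check; such files are rare enough in most code bases that a reviewer can allow-list them explicitly rather than loosen the rule.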