Application security, Cloud security, DevOps

Always Interesting – ASW #143

This week, John Morello, VP of Product at Palo Alto Networks, joins us to talk about Cloud Native Security Platforms! Modern appsec demonstrates the importance of a cloud native strategy for enterprise security and how much that strategy must integrate with DevOps tools and workflows. Security solutions need to come from a cohesive platform that addresses the problems DevOps teams face in how they're building apps today.

In the AppSec News: software safety to mitigate the impact of unauthenticated RCEs, exploding regex patterns, web and browser security in the face of Spectre side-channels, signing software artifacts, and 8 roles for today's security teams.

This segment is sponsored by Prisma Cloud/ Palo Alto Networks. Visit https://securityweekly.com/prismacloud to learn more about them!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Segments

1. Cloud Native Security Platforms – John Morello – ASW #143

Modern appsec demonstrates the importance of a cloud native strategy for enterprise security and how much that strategy must integrate with DevOps tools and workflows. Security solutions need to come from a cohesive platform that addresses the problems DevOps teams face in how they're building apps today.

Sponsored By

Prisma Cloud/ Palo Alto Networks

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Guest

John Morello
VP of Product at Palo Alto Networks

John Morello is the VP of Product at Palo Alto Networks and the former Chief Technology Officer at Twistlock. Prior to that John was a CISO at a Fortune 500 global chemical company. Before that he spent 14 years at Microsoft, in both Microsoft Consulting Services and product teams. He ran feature teams that shipped security technologies in Windows, Azure, and Office 365 and was the lead consultant on several security projects at the White House. John lives in Louisiana with his wife and two young sons. A passionate fisherman and scuba diver, he’s also a long time board member of the Coalition to Restore Coastal Louisiana.

Hosts

Mike Shema
Security Partner at Square
Adrian Sanabria
Director of Product Management at Tenchi Security

2. Unauth’d RCE, “Regexploits”, Post-Spectre Web, & SigStore Signing – ASW #143

Software safety to mitigate the impact of unauthenticated RCEs, exploding regex patterns, web and browser security in the face of Spectre side-channels, signing software artifacts, and 8 roles for today's security teams.

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • Join us June 29th for a webcast with Tyler Robinson and Beau Bullock to learn how to pivot into the world of Crypto security. Visit https://securityweekly.com/webcasts to register with only your name and email! Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Hosts

Mike Shema
Security Partner at Square
  1. F5 issues BIG-IP patches to tackle unauthenticated remote code execution, critical flaws - Unauthenticated RCE are two words that combine for about the worst case possible in an app vuln. As many have noted, the code has been compiled without support for ASLR or stack cookies, which would have been two things to make exploitation more difficult. Check out these two bug reports for additional insight into related flaws in how the app fails to correctly handle HTTP headers and IPv6 hostnames, https://bugs.chromium.org/p/project-zero/issues/detail?id=2126 and https://bugs.chromium.org/p/project-zero/issues/detail?id=2132. In other words, a simple parsing task turned into a familiar security flaw. We've mentioned Cyber ITL (https://cyber-itl.org) in the past; the safety features they call attention to should be enabled for any compiled software.
  2. Why Eve and Mallory Still Love Android: Revisiting TLS (In)Security in Android Applications - Platform provider creates a configuration-based approach to increase custom certificate validation logic security, developers fail to adopt it correctly or ignore it altogether, and users are stuck with apps that are missing common hardening steps. Even though the details in this case are exposure to intermediation attacks, the underlying challenge of turning security recommendations into security implementations applies to many DevOps situations.
  3. Post-Spectre Web Development - In the era of CPU side-channels, browser and web security may boil down to a difficult principle: "Your data must not unexpectedly enter an attacker’s process." The threat of Spectre-style attacks remains relevant and imminent to browsers, with recent blog posts from Google (https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html) and research from academics (https://orenlab.sise.bgu.ac.il/p/PP0) highlighting new work that shows attacks getting better. While there are response headers that apps can set to mitigate some of the danger in terms of what might leak through a side-channel, the underlying problem hasn't been fixed.
  4. Linux Foundation Debuts Sigstore Project for Software Signing - Taking a page out of the Certificate Transparency playbook, the SigStore (https://sigstore.dev/what_is_sigstore/) project is looking to create a sort of supply chain of custody that attests to the provenance of software artifacts. Like the Reproducible Builds (https://reproducible-builds.org) we've mentioned in past episodes, this is a step towards ensuring the apps we deploy are what we think they are based on the code we think they built from.
  5. 8 new roles today’s security team needs - Two of the roles are ancient and not a surprising part of a modern security team, but take a look at the others and consider how much engineering your security team is doing vs. how much it should be doing -- and what types of problems might be best to prioritize.
Adrian Sanabria
Director of Product Management at Tenchi Security
John Kinsella
Co-founder & CTO at Cysense
  1. Regexploit: DoS-able Regular Expressions - When we work with regular expressions, it's easy to assume the thing works as we (westerners) think - processing left to right. In reality it's quite complex, and usually more powerful than we need. As is often the case, that combination leads to potential for misuse...
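Regexploit works by statically inspecting a regex for shapes that make a backtracking engine do exponential work. The following is an added illustration in that spirit, not Regexploit's code or anything from the episode: it walks Python's own regex parse tree (via the private `re._parser` / `sre_parse` module, an assumption about the interpreter) and flags an unbounded repeat nested inside another unbounded repeat, the shape behind patterns such as `(a+)+$`.

```python
"""Added illustration in the spirit of the Regexploit tool (not its code): flag
regexes that nest one unbounded repeat inside another, the ReDoS backtracking shape."""

# Python's regex parser is a private module; its name moved in 3.11.
try:
    from re import _parser as sre_parse  # Python 3.11+
except ImportError:
    import sre_parse  # Python 3.10 and earlier

MAXREPEAT = sre_parse.MAXREPEAT  # the parser's "no upper bound" marker


def _walk(subpattern, enclosing, findings):
    """Recurse over parsed nodes; `enclosing` counts the unbounded repeats
    (*, +, {n,}) the current node sits inside."""
    for op, av in subpattern:
        name = str(op)  # opcodes are named int constants
        if name in ("MAX_REPEAT", "MIN_REPEAT"):
            lo, hi, body = av
            unbounded = hi == MAXREPEAT
            if unbounded and enclosing:
                findings.append(f"unbounded repeat (min {lo}) nested inside another "
                                "unbounded repeat: input splits backtrack exponentially")
            _walk(body, enclosing + (1 if unbounded else 0), findings)
        elif name == "POSSESSIVE_REPEAT":  # 3.11+; cannot backtrack, never flagged
            _walk(av[2], enclosing, findings)
        elif name == "SUBPATTERN":  # (...) group; body is always the last field
            _walk(av[-1], enclosing, findings)
        elif name == "BRANCH":  # a|b alternation; av is (None, [alternatives])
            for alternative in av[1]:
                _walk(alternative, enclosing, findings)
        elif name in ("ASSERT", "ASSERT_NOT"):  # lookaround; av is (direction, body)
            _walk(av[1], enclosing, findings)
        # literals, classes, anchors and back-references carry no nested body


def analyze(pattern):
    """Findings for `pattern`; [] means the nesting heuristic saw nothing (other
    ReDoS shapes such as overlapping alternatives are outside this check)."""
    findings = []
    _walk(sre_parse.parse(pattern), 0, findings)
    return findings


if __name__ == "__main__":
    # Constructed sample patterns: two classic ReDoS shapes, two that are fine.
    for p in (r"(a+)+$", r"^(\w+\s?)*$", r"^[a-z0-9_.]+@[a-z0-9.]+$", r"(ab){1,8}c"):
        print(f"{p!r:34} {analyze(p) or ['ok']}")
```

Run it against the patterns a service compiles at startup; a flagged pattern is worth rewriting with bounded or non-overlapping quantifiers, or moving off untrusted input entirely.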