Always Interesting – ASW #143
Full Audio
View Show IndexSegments
1. Cloud Native Security Platforms – John Morello – ASW #143
Modern appsec demonstrates the importance of a cloud native strategy for enterprise security and how much that strategy must integrate with DevOps tools and workflows. Security solutions need to come from a cohesive platform that addresses the problems DevOps teams face in how they're building apps today.
This segment is sponsored by Prisma Cloud/ Palo Alto Networks. Visit https://securityweekly.com/prismacloud to learn more about them!
Sponsored By
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
Hosts
2. Unauth’d RCE, “Regexploits”, Post-Spectre Web, & SigStore Signing – ASW #143
Software safety to mitigate the impact of unauthenticated RCEs, exploding regex patterns, web and browser security in the face of Spectre side-channels, signing software artifacts, 8 roles for today's security teams.
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Hosts
- 1. F5 issues BIG-IP patches to tackle unauthenticated remote code execution, critical flawsUnauthenticated RCE are two words that combine for about the worst case possible in an app vuln. As many have noted, the code has been compiled without support for ASLR or stack cookies, which would have been two things to make exploitation more difficult. Check out these two bug reports for additional insight into related flaws in how the app fails to correctly handle HTTP headers and IPv6 hostnames, https://bugs.chromium.org/p/project-zero/issues/detail?id=2126 and https://bugs.chromium.org/p/project-zero/issues/detail?id=2132. In other words, a simple parsing task turned into a familiar security flaw. We've mentioned Cyber ITL (https://cyber-itl.org) in the past; the safety features they call attention to should be enabled for any compiled software.
- 2. Why Eve and Mallory Still Love Android: Revisiting TLS (In)Security in Android ApplicationsPlatform provider creates a configuration-based approach to increase custom certificate validation logic security, developers fail to adopt it correctly or ignore it altogether, and users are stuck with apps that are missing common hardening steps. Even though the details in this case are exposure to intermediation attacks, the underlying challenge of turning security recommendations into security implementations applies to many DevOps situations.
- 3. Post-Spectre Web DevelopmentIn the era of CPU side-channels, browser and web security may boil down to a difficult principle: "Your data must not unexpectedly enter an attacker’s process." The threat of Spectre-style attacks remains relevant and imminent to browsers, with recent blog posts from Google (https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html) and research from academics (https://orenlab.sise.bgu.ac.il/p/PP0) highlighting new work that shows attacks getting better. While there are response headers that apps can set to mitigate some of the danger in terms of what might leak through a side-channel, the underlying problem hasn't been fixed.
- 4. Linux Foundation Debuts Sigstore Project for Software SigningTaking a page out of the Certificate Transparency playbook, the SigStore (https://sigstore.dev/what_is_sigstore/) project is looking to create a sort of supply chain of custody that attests to the provenance of software artifacts. Like the Reproducible Builds (https://reproducible-builds.org) we've mentioned in past episodes, this is a step towards ensuring the apps we deploy are what we think they are based on the code we think they built from.
- 5. 8 new roles today’s security team needsTwo of the roles are ancient and not a surprising part of a modern security team, but take a look at the others and consider how much engineering your security team is doing vs. how much it should be doing -- and what types of problems might be best to prioritize.
- 1. Regexploit: DoS-able Regular ExpressionsWhen we work with regular expressions, it's easy to assume the thing works as we (westerners) think - processing left to right. In reality it's quite complex, and usually more power than we need. As is often the case, that combination leads to potential for misuse...
