Application Security Weekly Subscribe

Application security

ASW #189 – Alvaro Muñoz

March 21, 2022

This week in the AppSec News: A great escape isn't always as great as it sounds, Solana cryptocurrency logic isn't always as great as intended, some people's idea of "peace" isn't that great at all, and some great security suggestions for package maintainers.

- Past research such as JNDI Injection, Unsafe deserialization, Struts RCEs

- OSS security: CodeQL, Dependabot, collaboration between researchers and developers, OWASP Top Ten Proactive Controls, CVD for OSS

Segment Resources:

- [Write more secure code with the OWASP Top 10 Proactive Controls](https://github.blog/2021-12-06-write-more-secure-code-owasp-top-10-proactive-controls/)

- [An analysis on developer-security researcher interactions in the vulnerability disclosure process](https://github.blog/2021-09-09-analysis-developer-security-researcher-interactions-vulnerability-disclosure/)

- [Building security researcher and developer collaboration](https://www.securitymagazine.com/articles/97066-how-to-build-security-researcher-and-software-developer-collaboration)

- [Coordinated vulnerability disclosure (CVD) for open source projects](https://github.blog/2022-02-09-coordinated-vulnerability-disclosure-cvd-open-source-projects/)

- [GitHub Advisory Database now open to community contributions](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)

- [Blue-teaming for Exiv2: creating a security advisory process](https://github.blog/2021-11-02-blue-teaming-create-security-advisory-process/)

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

View Show Index

Full Audio

Segments

1. Helping Secure OSS Software – Alvaro Munoz – ASW #189

- Past research such as JNDI Injection, Unsafe deserialization, Struts RCEs

- OSS security: CodeQL, Dependabot, collaboration between researchers and developers, OWASP Top Ten Proactive Controls, CVD for OSS

Segment Resources:

- [Write more secure code with the OWASP Top 10 Proactive Controls](https://github.blog/2021-12-06-write-more-secure-code-owasp-top-10-proactive-controls/)

- [An analysis on developer-security researcher interactions in the vulnerability disclosure process](https://github.blog/2021-09-09-analysis-developer-security-researcher-interactions-vulnerability-disclosure/)

- [Building security researcher and developer collaboration](https://www.securitymagazine.com/articles/97066-how-to-build-security-researcher-and-software-developer-collaboration)

- [Coordinated vulnerability disclosure (CVD) for open source projects](https://github.blog/2022-02-09-coordinated-vulnerability-disclosure-cvd-open-source-projects/)

- [GitHub Advisory Database now open to community contributions](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)

- [Blue-teaming for Exiv2: creating a security advisory process](https://github.blog/2021-11-02-blue-teaming-create-security-advisory-process/)

Announcements

Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Guest

Alvaro Munoz

Principal Security Researcher at GitHub

Alvaro Muñoz works as Principal Security Researcher with GitHub Security Lab team. Previously he worked as an Application Security Consultant helping top enterprises to deploy their application security programs. He is passionate about Web Application security where he has focused most of his research. Muñoz has presented at many Security conferences including BlackHat, DEFCON, RSA, OWASP AppSec EU and US, JavaOne, etc, and holds several infosec certifications, including OSCP, GWAPT, and CISSP.

Hosts

John Kinsella

John Kinsella

Co-founder & CTO at Cysense

Lee Neely

Lee Neely

Information Assurance APL at Lawrence Livermore National Laboratory

2. A Great Escape, Peace Not War, & How to Burp Good – ASW #189

This week in the AppSec News: A great escape isn't always as great as it sounds, Solana cryptocurrency logic isn't always as great as intended, some people's idea of "peace" isn't that great at all, and some great security suggestions for package maintainers.

Announcements

Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Hosts

John Kinsella

John Kinsella

Co-founder & CTO at Cysense

1. Solana vulnerability ELI5
Often with crypto currencies, things are so complex that it can be difficult to unravel exactly what a vulnerability is, and how it's exploited - especially to those of us who are not really into crypto. Here's a simple Reddit post that plainly describes a recently vuln on Solana
2. Openssl bug could result in client DOS
A bug in function for doing modular square roots in openssl could result in a client-side DOS for elliptic curve public keys crafted with invalid parameters. Of note, this function is used to provide functionality for supporting elliptic curve keys of arbitrary length.
3. Security for package maintainers
We talk about open source supply chain security, but here's a post talking through what that means to a maintainer of python packages
4. How to burp good
At least for me, when I use Burp Suite I'm almost always just using a tiny fraction of it's capabilities. While several years old, here's a post with some good suggestions on how to get more out of Burp. (h/t tl;drsec)
5. Peacenotwar module brings not-peace to vue community
A developer decided to protest the war in Ukraine by modifying a npm package he maintains to target systems in Russia that attempt to use the package. What can node do about this? Should maintainers lose all privileges when they pull a stunt like this?
6. Cr8escape vulnerability in cri-o comes from new functionality
In version 1.19 of cri-o - one of the container runtimes used with kubernetes - functionality was added to allow a user to pass sysctl settings when creating a container. With this feature, any sysctl options were taken without filtering or validation. As a POC, the researchers show modifying the kernel configuration on what to do during a core dump (run malicious program).

Lee Neely

Lee Neely

Information Assurance APL at Lawrence Livermore National Laboratory

Related

Managed services

Generative AI Security Implications, Protecting Web Applications – Liam Mayron – PSW #786

May 24, 2023

Liam Mayron from Fastly comes on the show to talk about his unique path into information security, the security implications of generative AI, advances in technologies to protect web applications, detecting bots, and enabling better MSP services! This segment is sponsored by Fastly. Visit https://securityweekly.com/fastly to learn more about them!...

Managed services

Are MSSPs Snubbing Web Security? Why Websites Take a Back Seat to Network Needs – CFH #22

May 23, 2023

It's understandable why many organizations' cyber investments heavily concentrate on protecting core networks and data centers from breaches and ransomware attacks. But let's not overlook the importance of ensuring that your website remains operational, especially when it directly drives revenue through sales or advertisements. Threats such as DDoS...

New TLDs Zip By, eBPF Fuzzer, Microsoft Rocks Rust, Unwanted Tracking Spec – ASW #242

May 22, 2023

New TLDs are already old news, fuzzing eBPF validators, Microsoft sets to kill bug classes, draft RFC to track location trackers, a top ten list with directory traversal on it, conference videos from Real World Crypto and BSidesSF, and an attack tree generator from markdown.