ASW #197 – Brian Glas
This week, in the first segment, Brian Glas answers the questions surrounding the next generations of AppSec professionals: What does it look like to try teaching cybersecurity at an undergraduate level? What are the goals and challenges faced when trying to help future generations learn what they need to know to contribute to this industry? Then, in the AppSec News: Typosquatting spreads to Rust, curl fixes flaws in mishandling dots and slashes, OpenSSF invests in a mobilization plan for open source, &interesting appsec from Black Hat Asia!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/secweekly
Like us on Facebook: https://www.facebook.com/secweekly
What does it look like to try teaching cybersecurity at an undergraduate level? What are the goals and challenges faced when trying to help future generations learn what they need to know to contribute to this industry?
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Join us June 29th for a webcast with Tyler Robinson and Beau Bullock to learn how to pivot into the world of Crypto security. Visit https://securityweekly.com/webcasts to register with only your name and email! Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Brian has over 20 years of experience in various roles in IT and over a decade and a half of that in application development and security. His day job is serving as an Assistant Professor teaching a full load of Computer Science and Cybersecurity classes at Union University. He helped build FedEx’s AppSec team, worked on the Trustworthy Computing team at Microsoft, consulted on software security for years, and served as a project lead and active contributor for SAMM v1.1-2.0+ and OWASP Top 10 2017 and 2021. Brian is a contributor to the RABET-V Pilot Program for election related technology. He holds several Cybersecurity and IT certifications and is currently working on his Doctor of Computer Science in Cybersecurity and Information Assurance.
This week in the AppSec News: Typosquatting spreads to Rust, curl fixes flaws in mishandling dots and slashes, OpenSSF invests in a mobilization plan for open source, interesting appsec from Black Hat Asia.
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
- 1. Security advisory: malicious crate rustdecimal - There's surely a maturity model somewhere for software projects that receive their first vuln report, first cryptographic implementation mistake, and first attack against their package management system. This typosquatting attack against Rust had little impact and on its own is mostly a curiosity. But it does point to the larger problem of managing dependencies and how attestation of packages is a problem that's agnostic to programming languages.
- 2. Serious Security: Learning from curl’s latest bug update - Two of the flaws reported to curl are fun examples of simple syntax gone wrong. One involves mishandling %2f in hostnames and the other involves mishandling cookie scopes in domains with a trailing dot. They're the kinds of bugs that look obvious in hindsight, yet understandably creep into code due to the nuances and complexity of normalizing data before operating on it. Curl is also an interesting project that has been a C implementation for decades and likely will remain that way for decades to come. The project's owner, Daniel Stenberg, has created not only one of the most useful web utilities, but also created a model for curating an open source project. Even though we're using some security flaws to talk about curl, it's not a project that's consistently plagued by flaws. Yet it could always use assistance and sponsorship to add new features and maintain the code. Find more details at https://curl.se/sponsors.html Read more about reporting security bugs in curl at https://curl.se/dev/secprocess.html
- 3. Linux, OpenSSF Champion Plan to Improve Open Source Security - This 10 point plan, backed by financial investment to make it happen, is welcome news to the open source community. The points would also be great references for any appsec team looking to build or improve an internal secure SDLC program. Read more details at https://openssf.org/oss-security-mobilization-plan/, which also links to a PDF of the plan.
- 4. A FREE comprehensive reverse engineering tutorial covering x86, x64, 32-bit ARM & 64-bit ARM architectures. - Returning to the topic of home labs and learning new security domains, here's a resource of information on reverse engineering.
- 5. CISO Shares Top Strategies to Communicate Security’s Value to the Biz - We're always on the lookout for recommendations on how to build a narrative within security, whether it's pitching DevOps teams on what taking more responsibility for security means or gaining support and investment from leadership to grow security programs. Here's a summary of one of the keynotes from Black Hat Asia. We'll revisit this once the recording is available for everyone. But we also wanted to use this as a chance to ask our listeners what recent conference presentations have you seen that changed your mind on a subject? Or that inspired you to approach a problem differently and that led to success? Or even just a presentation you found insightful and entertaining?
- 6. Known macOS Vulnerabilities Led Researcher to Root Out New Flaws - Another summary of a presentation from Black Hat Asia. This one is about taking an attacker mindset -- a topic we like to highlight -- to previous vulns within a system in order to look for patterns or architecture weaknesses where new vulns might be found. The presentation whitepaper and slides are already available at - https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Fitzl-macOS-vulnerabilities-hiding-in-plain-sight-wp.pdf - https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Fitzl-macOS-vulnerabilities-hiding-in-plain-sight.pdf
- 7. Vulnerability Analysis – CVE-2022-1388 – Randori - This authentication bypass in F5 came out a few weeks ago. It's a flaw that falls into the "dead simple" category -- use a Basic Authentication header with a request that causes F5's state machine for handling user vs. admin authentication to be confused. The underlying flaw seems surprising in modern app design. Of course, this particular software stack may not be modern, but that leads to additional questions about how to migrate software architectures over time.
- 1. Don’t try this at home: Sometimes you can be too realistic in your testing - First responders recently were head scratching about a malicious package distributed via npm. After several days, it was discovered to be part of a penetration test a security company was doing, and that in order to be "as realistic as possible," an intern at the company uploaded the package with hopes that the pentest customer would download it. Realism is great, but how can we do this in a manner that doesn't send people into panic-response mode?
- 2. Researchers figure out path to misuse low-power mode iphone features - Modern iPhones continue to power bluetooth NFC, and ultra-wideband radios when the phone is turned "off," to enable "find my phone" and some payment capabilities. But...it turns out the bluetooth firmware is not signed, and there's an ability to use these radios for purposes other than intended.