Application security, DevOps

Breaking John – ASW #136

This week, we welcome Andrei Serban, Co-Founder at Fuzzbuzz, to discuss Fuzz Testing! Fuzzing can be a successful AppSec strategy for finding software bugs, and deploying a fuzzer no longer needs to be a cumbersome process. Find out how fuzzing can help secure software beyond just memory safety issues and what the future holds for making this strategy more effective for modern apps.

In the AppSec News: a significant source code leak from a misconfigured repo, a side-channel attack on hardware authentication keys, a third bug bounty for the U.S. Army, the cost of poor software quality, and the benefits of DevOps approaches to building systems!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Segments

1. Fuzz Testing – Andrei Serban – ASW #136

Fuzzing can be a successful AppSec strategy for finding software bugs, and deploying a fuzzer no longer needs to be a cumbersome process. Find out how fuzzing can help secure software beyond just memory safety issues and what the future holds for making this strategy more effective for modern apps.

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Guest

Andrei Serban
Co-Founder at Fuzzbuzz

Andrei is the CEO and co-founder of Fuzzbuzz, a security startup based in San Francisco that builds fuzz testing tools and infrastructure to help developers find severe vulnerabilities and bugs in their code with minimal effort. Today, Fuzzbuzz works with some of the largest tech companies to reduce the number of vulnerabilities that make it into production by enabling teams to fuzz test as part of their DevSecOps pipeline, finding bugs as soon as they are introduced.

Andrei studied Computer Science at the University of Waterloo before dropping out to start Fuzzbuzz and accept the Thiel Fellowship.

Hosts

Mike Shema
Security Partner at Square
John Kinsella
Co-founder & CTO at Cysense
Matt Alderman
Executive Director at CyberRisk Alliance

2. Google 2FA Cloning, Speed vs. Security, & “Hack The Army” Bug Bounty 3.0 – ASW #136

A significant source code leak from a misconfigured repo, a side-channel attack on hardware authentication keys, a third bug bounty for the U.S. Army, the cost of poor software quality, and the benefits of DevOps approaches to building systems.

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Hosts

Mike Shema
Security Partner at Square
  1. Nissan source code leaked online after Git repo misconfiguration - Attackers siphon source due to a SaaS misconfiguration that not only allowed public repos, but used trivial credentials.
  2. New side-channel attack can recover encryption keys from Google Titan security keys - Well written research on hardware authentication keys that provides insights on improving security as well as placing the attack within the perspective of practical threat models. Don't worry about the heavy presence of acronyms and check out the paper at https://ninjalab.io/wp-content/uploads/2021/01/a_side_journey_to_titan.pdf
  3. Hack the Army bug bounty challenge asks hackers to find vulnerabilities in military networks - Announced back in November 2020, the bounty program is now live and interesting to watch from the perspective of maturing a bug bounty approach to AppSec.
  4. What is the cost of poor software quality in the U.S.? - Another chance to talk about security budgets, metrics, and security as a dimension of quality. Related to this topic, two recent papers at the Workshop on the Economics of Information Security took an academic look at how breaches raise the cost of capital for companies (https://weis2020.econinfosec.org/wp-content/uploads/sites/8/2020/06/weis20-final14.pdf and https://weis2020.econinfosec.org/wp-content/uploads/sites/8/2020/06/weis20-final16.pdf)
  5. 7 Trends Influencing DevOps and DevSecOps Adoption - Whether you take these as principles or prognostication, the type of engineering in these topics benefits from a DevOps approach to software and security.
  6. Navigating the trade-off between development speed and security - Rather than positioning speed and security as polar opposites, consider security as a guide to how fast you could and should be able to build systems.
John Kinsella
Co-founder & CTO at Cysense
  1. Google's 2FA tokens can be cloned within 10 hours - If you lose a 2FA token, you should be able to have it disabled ASAP. For many, this might be an "oh, I misplaced it" on a Saturday morning, and "I'll get to it on Monday." The takeaway that might be useful to corporations here is "a 2FA token can be cloned within 10 hours," which might give reason to create a policy saying "The misplacement/loss of a 2FA token MUST be reported ASAP and disabled within 10 hours." In reality, if I steal a 2FA token, I'd probably make sure I have the credentials first so I'm ready to roll as soon as it's in my possession, so I don't fully get the value of this, but if it helps, it helps.
Matt Alderman
Executive Director at CyberRisk Alliance