Security Weekly
Application Security WeeklySubscribe
Application security, Security Staff Acquisition & Development, DevSecOps, Identity, Threat Management

Contortions – ASW #146

Full Audio

View Show Index

Segments

1. Shifting Right: What Security Engineers Can Learn From DevSecOps – Leif Dreizler – ASW #146

The security industry generally agrees on the value of enabling developers in an agile environment—although we don't agree on what to call it… “Shifting Left,” “Creating a Paved Path,” “DevSecOps.” Regardless of the name, we tend to focus on teaching developers how to Sec, but there’s less focus on security engineers learning how to Dev.

This segment will focus on how to create a meaningful partnership between security and software engineers.

Segment Resources:
https://segment.com/blog/shifting-engineering-right/

Announcements

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Guest

Leif Dreizler
Engineering Manager, Product Security at Segment

Leif manages the Product Security team at Segment. The ProdSec Team is focused on partnering with software engineering teams to design and implement security features for the Segment product. Leif got his start in the security industry at Redspin doing security consulting work, and was later an early employee at Bugcrowd. He helps organize the Bay Area OWASP Chapter, the AppSec California Conference and LocoMocoSec.

Hosts

Tech Lead at Block
Senior Engineering Leader at AWS

2. Malicious PHP Commits, OAuth Attacks & XML Injection, & Zines For DevSecOps – ASW #146

PHP deals with two malicious commits, SSO and OAuth attack vectors to remember for your threat models, zines for your DevSecOps education!

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!

Hosts

Tech Lead at Block
  1. 1. PHP releases on hold
    Last week PHP admins noticed two malicious commits pushed to the php-src repo (https://news-web.php.net/php.internals/113838). The team noticed this quickly and put releases on hold out of caution. None of this is unique to PHP; it's a departure point for discussing infrastructure security, signing commits, identity, and the attack surface of a CI/CD pipeline. It takes budget to use SaaS infrastructure, discipline to manage certs, and threat models to understand which controls address which types of attacks.
  2. 2. Pair of Apex Legends Players Banned for DDoS Server Attacks
    Another example of why application defenses and threat models should worry less about motivations or "who" of an attack and more about the means of an attack. Resiliency and uptime are important requirements for modern apps, and a reminder that availability of the CIA triad remains an important security concern.
  3. 3. How to execute an object file: Part 2
    A well-written article about the journey from source code to executable binary. It's a nice reference whether you're interested in getting into reverse engineering or designing controls to harden execution environments like containers. It can be a helpful primer to better understand concepts like ASLR, return-oriented programming in exploits, and even syscall filtering. Be sure to check out part 1 at https://blog.cloudflare.com/how-to-execute-an-object-file-part-1/
  4. 4. Wizard Zines Collection!
    We talk a lot about the importance of communicating security and engineering concepts well. Julia Evans has approached this with a wonderful combination of art and text in the zine format. You'll find everything from a refresher on command-line arguments you might already know to tips and tricks that might make your command-line skills more effective. Check out her blog at https://jvns.ca
  5. 5. Hidden OAuth attack vectors
    OAuth, SAML 2.0, and OpenID Connect are modern ways to delegate authentication so that apps can focus on protecting tokens and trust relationships instead of protecting passwords. Yet it's still a design pattern that carries some misconfiguration minefields. So make sure you're considering all of these attacks in your threat model and, of course, remember that there's a big difference between authentication that says who you are and authorization that says what you can do.
  6. 6. SAML XML Injection
    A good companion to the Portswigger article on Hidden OAuth Attack Vectors, this describes potential issues in the assertions and attributes in the XML that composes SAML. Delegated authentication and SSO remains a recommended design pattern, just make sure your implementation doesn't fall victim to this attack category.
  7. 7. Approaches for authenticating external applications in a machine-to-machine scenario
    Although this is focused on AWS, the background and reasoning on different mutual authentication scenarios can be applied to many environments. As an article oriented towards engineering, its "Use X when Y" formulation is a good demonstration of tradeoffs and design considerations.
Senior Engineering Leader at AWS

Related