Contortions – ASW #146
This week, we welcome Leif Dreizler - Engineering Manager, Product Security - Segment, to talk about Shifting Right: What Security Engineers Can Learn From DevSecOps!
In the AppSec News, PHP deals with two malicious commits, SSO and OAuth attack vectors to remember for your threat models, zines for your DevSecOps education!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
1. Shifting Right: What Security Engineers Can Learn From DevSecOps – Leif Dreizler – ASW #146
The security industry generally agrees on the value of enabling developers in an agile environment—although we don't agree on what to call it… “Shifting Left,” “Creating a Paved Path,” “DevSecOps.” Regardless of the name, we tend to focus on teaching developers how to Sec, but there’s less focus on security engineers learning how to Dev.
This segment will focus on how to create a meaningful partnership between security and software engineers.
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Leif manages the Product Security team at Segment. The ProdSec Team is focused on partnering with software engineering teams to design and implement security features for the Segment product. Leif got his start in the security industry at Redspin doing security consulting work, and was later an early employee at Bugcrowd. He helps organize the Bay Area OWASP Chapter, the AppSec California Conference and LocoMocoSec.
2. Malicious PHP Commits, OAuth Attacks & XML Injection, & Zines For DevSecOps – ASW #146
PHP deals with two malicious commits, SSO and OAuth attack vectors to remember for your threat models, zines for your DevSecOps education!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
- 1. PHP releases on hold: Last week PHP admins noticed two malicious commits pushed to the php-src repo (https://news-web.php.net/php.internals/113838). The team noticed this quickly and put releases on hold out of caution. None of this is unique to PHP; it's a departure point for discussing infrastructure security, signing commits, identity, and the attack surface of a CI/CD pipeline. It takes budget to use SaaS infrastructure, discipline to manage certs, and threat models to understand which controls address which types of attacks.
- 2. Pair of Apex Legends Players Banned for DDoS Server Attacks: Another example of why application defenses and threat models should worry less about the motivations or the "who" of an attack and more about the means of an attack. Resiliency and uptime are important requirements for modern apps, and this is a reminder that the availability leg of the CIA triad remains an important security concern.
- 3. How to execute an object file: Part 2: A well-written article about the journey from source code to executable binary. It's a nice reference whether you're interested in getting into reverse engineering or designing controls to harden execution environments like containers. It can be a helpful primer to better understand concepts like ASLR, return-oriented programming in exploits, and even syscall filtering. Be sure to check out part 1 at https://blog.cloudflare.com/how-to-execute-an-object-file-part-1/
- 4. Wizard Zines Collection: We talk a lot about the importance of communicating security and engineering concepts well. Julia Evans has approached this with a wonderful combination of art and text in the zine format. You'll find everything from a refresher on command-line arguments you might already know to tips and tricks that might make your command-line skills more effective. Check out her blog at https://jvns.ca
- 5. Hidden OAuth attack vectors: OAuth, SAML 2.0, and OpenID Connect are modern ways to delegate authentication so that apps can focus on protecting tokens and trust relationships instead of protecting passwords. Yet it's still a design pattern that carries some misconfiguration minefields. So make sure you're considering all of these attacks in your threat model and, of course, remember that there's a big difference between authentication, which says who you are, and authorization, which says what you can do.
- 6. SAML XML Injection: A good companion to the PortSwigger article on Hidden OAuth Attack Vectors, this describes potential issues in the assertions and attributes in the XML that composes SAML. Delegated authentication and SSO remain a recommended design pattern; just make sure your implementation doesn't fall victim to this attack category.
- 7. Approaches for authenticating external applications in a machine-to-machine scenario: Although this is focused on AWS, the background and reasoning on different mutual authentication scenarios can be applied to many environments. As an article oriented towards engineering, its "Use X when Y" formulation is a good demonstration of tradeoffs and design considerations.