Grab A Sword – ASW #145
This week, we welcome Andrew van der Stock, Executive Director at OWASP Foundation, to talk about the OWASP Top 10 of 2021! The OWASP Top 10 2021 is in development. A public survey has just been released. We have finished collecting data. I would like to discuss what the plans are for the OWASP Top 10 2021, and when it will be released, and how you can get involved.
In the AppSec News, Security and privacy technical analysis of TikTok, subtle parsing problems, chain of trust through a CI/CD pipeline, faster fuzzing even without source code, interplay of application security and application safety!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
1. OWASP Top 10 of 2021 – Andrew van der Stock – ASW #145
The OWASP Top 10 2021 is in development. A public survey has just been released. We have finished collecting data. I would like to discuss what the plans are for the OWASP Top 10 2021, and when it will be released, and how you can get involved.
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
Andrew is a seasoned web application security specialist and enterprise security architect. He is the Executive Director at OWASP, taking the Foundation through organizational change and taking our mission to the next level. Andrew has worked in the IT industry for over 25 years. Andrew has researched and developed the web application security and architecture fields since 1998. He is a Lifetime member of OWASP, former Director, and co-leads the OWASP Application Security Verification Standard and OWASP Top 10 projects. An Australian ex-pat of Melbourne and Sydney, he currently lives in the USA with his family.
2. TikTok Analysis, Patching Patches, CI/CD Integrity, Faster Fuzzing, & Slack Safety – ASW #145
Security and privacy technical analysis of TikTok, subtle parsing problems, chain of trust through a CI/CD pipeline, faster fuzzing even without source code, interplay of application security and application safety!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
- 1. TikTok vs Douyin — A Security and Privacy AnalysisA technical analysis of two social media apps that uses reverse engineering and traffic analysis to gather information on how well the apps handle privacy and security, as well as potential abuse for censorship. It's aimed at providing technical information to inform policy decisions. It also serves as a great template for analyzing and documenting privacy and security aspects of a mobile app, with methodologies that any appsec team could benefit from.
- 2. SolarWinds Experimenting With New Software Build System in Wake of BreachSolarWinds serves as a good thought exercise for establishing a chain of trust throughout a CI/CD pipeline. We've mentioned reproducible builds and and signing deployed artifacts. The pressing security question is how do you gain confidence that the code your developers wrote was ultimately what produced the artifact you built? This raises more questions throughout the pipeline in terms of identity, access controls, and observability of every step that has the potential to influence how code is built and packaged.
- 3. SaltStack: further injection vulnerabilitiesWe sometimes see security patches that need patches -- situations where the original patch addressed a symptom, but missed an underlying design flaw or didn't go deep enough into understanding the original issue. While this particular vuln may not be that impactful, it shows how developers can still make subtle mistakes in the ubiquitous feature of parsing command-line arguments.
- 4. Un-bee-lievable Performance: Fast Coverage-guided Fuzzing with Honeybee and Intel Processor TraceAn insight into the engineering that went into turning Intel Processor Trace from performance penalty to advantageous assistant for coverage-guided fuzzing. It's a benefit that makes a lack of source code less of a liability when fuzzing for flaws.
- 5. Organizations rush to restrict new Slack Connect feature fearing security threatsSecuring software against injection flaws and the types of vulns that show up in top 10 lists doesn't mean the software is secure for users. This is a good lesson in expanding threat models to how well your software secures the user experience, especially in apps designed for social interaction.
- 6. Secure containerized environments with updated threat matrix for KubernetesHow do we communicate that "security is better" or convey the value that security can deliver? This is a brief article that focuses on a handful of k8s changes, from better defaults to new types of attack vectors. Yet it's grounded against a useful framework, MITRE ATT&CK, and only needs to make simple points to demonstrate where security teams might invest their efforts.
- 7. Analyzing attacks taking advantage of the Exchange Server vulnerabilitiesIn the time you've (hopefully!) saved by not running Exchange servers and hence having to go through the patch scramble, you could be running a "premortem" or tabletop exercise on how resilient your app environment might be to the types of post-exploitation activities documented in the Exchange server attacks. How well does your environment detect, prevent, or respond to arbitrary file writes, privilege escalation, arbitrary command execution, and data exfiltration?
- 1. Netmask npm library incorrectly parses octal IPsIt turns out web browsers and such will parse an IP address with a leading 0 as octal. The netmask library doesn't, which could lead to SSRF and other interesting attacks
- 2. Finding undocumented x86 instructions on modern processorsBack in The Day, one could iterate through instruction codes, looking for undocumented cpu instructions. Nowadays that's a painful process that can cause crashes, lockups, etc. Here's a way to leverage speculative execution to make the search easier