Application security, DevOps, Security awareness, Vulnerability management

Skills & Knowledge – ASW #167

This week, we welcome Anita D'Amico, VP, Market Development at Synopsys, and Patrick Carey, Senior Director of Product Marketing at Synopsys, to discuss AppSec Orchestration/Correlation & DevSecOps Efficiency! In the AppSec News: The Great Leak flaw in Exchange's auto discover feature, common flaws in VMware and Nagios, memory issues and SSRF in Apache's HTTP server, Chrome's plans for memory safety, State of DevOps report, OWASP's 20th anniversary, & more!

Visit https://securityweekly.com/synopsys to learn more about them!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly


Segments

1. AppSec Orchestration/Correlation & DevSecOps Efficiency – Anita D’Amico, Patrick Carey – ASW #167

In its 2019 Hype Cycle for Application Security report, Gartner introduced a new, "high-priority" category called Application Security Orchestration and Correlation (ASOC). ASOC delivers three primary benefits to the AppSec process within organizations: efficiency, scalability, and accountability. We will take a closer look at these benefits and discuss how ASOC can help your DevSecOps team function better.

This segment is sponsored by Synopsys.

Visit https://securityweekly.com/synopsys to learn more about them!

Sponsored By

Synopsys

Announcements

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

  • In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.

Guests

Anita D'Amico
VP, Market Development at Synopsys

Anita D’Amico, PhD is the former CEO of Code Dx, Inc., an Application Security Orchestration and Correlation company recently acquired by Synopsys. She currently serves as the Vice President of Market Development in the Synopsys Software Integrity Group. Her roots are in experimental psychology and human factors, and she has built a career of leading technology development to enhance human performance. More recently she has focused her attention on enhancing the decisions and work processes of software developers and AppSec analysts to make code more secure. Anita was named as one of “100 Fascinating Females Fighting Cybercrime” in the 2019 book “Women Know Cyber.”

Patrick Carey
Senior Director of Product Marketing at Synopsys

Patrick Carey is Senior Director of Product Marketing for Synopsys Software Integrity Group, where he manages go-to-market analysis and strategy for Synopsys’ portfolio of application security solutions. Patrick’s 30-year career includes leadership roles in software development, product management, consulting, and marketing in a wide range of companies, from early-stage start-ups to large companies including Citrix and Accenture. Patrick is based in Burlington, MA.

Hosts

Mike Shema
Security Partner at Square
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. Exchange’s Great Leak, RCE in VMware, IoT Bug in MQTT, & Chrome’s Memory Safety Nets – ASW #167

This week in the AppSec News: The Great Leak flaw in Exchange's auto discover feature, common flaws in VMware and Nagios, memory issues and SSRF in Apache's HTTP server, Chrome's plans for memory safety, State of DevOps report, OWASP's 20th anniversary, & more!

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Join us June 29th for a webcast with Tyler Robinson and Beau Bullock to learn how to pivot into the world of Crypto security. Visit https://securityweekly.com/webcasts to register with only your name and email! Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Hosts

Mike Shema
Security Partner at Square
  1. Autodiscovering the Great Leak - In a series of unfortunate events, researchers discovered how to gather plaintext credentials from an Exchange autodiscover mechanism. The autodiscover begins with a design intended to improve usability, its documentation offers familiar cautions against misuse or mistakes, and yet it still suffers from dangerous failure modes and a lack of controls to make that misuse more difficult. Consequently, insecure clients end up connecting to attacker-controlled domains and following downgrade attacks to expose credentials instead of OAuth tokens. It's a good lesson for appsec teams who solely rely on written guidance or standards to elevate security -- you need something to inspect code and configurations to ensure that guidance is being met. As an industry, we have to do better than just saying, “Before you send a request to a candidate, make sure it is trustworthy."
  2. RCE is back: VMware details file upload vulnerability in vCenter Server - This article covers vulns in two different apps: VMware's vCenter Server and Nagios. What stands out is how simple they are in terms of being well-known bug classes with high impacts. The vCenter Server suffers from a file upload vuln, path traversal (yesss!), and even a DoS via XXE. On the Nagios side the list includes command injection and, shockingly for modern app design, a SQL injection as well. A challenge here would be identifying what part of a secure SDLC failed, from tools to identify these kinds of vulns, to a design phase to make them harder to introduce, to using frameworks that make them near-impossible to introduce. More details at: - https://core.vmware.com/vmsa-2021-0020-questions-answers-faq - https://claroty.com/2021/09/21/blog-research-securing-network-management-systems-nagios-xi/
  3. 100M IoT Devices Exposed By Zero-Day Bug - Here's a dead-simple bug that can be triggered by a relatively simple payload that's in a software component likely present in millions of IoT devices. While the potential impact might not be so dramatic as the article states, a flaw this easy to exploit in devices with notoriously poor patching practices is likely going to be around for a long time. It's the kind of thing that will show up on a CISA top vulns list in a few years. On the technical appsec side, it's a simple example of signed vs. unsigned type mismatches. It's also the type of flaw that we'd hope a compiler would warn about or a fuzzer would be able to discover (after all, user-influenceable payload lengths are a fruitful attack vector). And of those two tools, seeing compiler warnings about this type of flaw and being able to correctly identify it as a potential vuln would be a huge time saver. Fuzzing would be a great next step, but that requires more time investment to set up and maintain, whereas DevOps teams work with compilers on a daily basis. Additional links - https://github.com/nanomq/nanomq/issues/203 -- for the brief writeup - https://mqtt.org/ -- for background on MQTT
  4. Developers fix multitude of vulnerabilities in Apache HTTP Server - Nothing too exciting about this article other than how uncommon it's been to see high risk vulns in Apache HTTP Server. The point releases continue to have handfuls of low to moderate items and demonstrate the kinds of memory safety flaws you'd expect from a C-based project. What might be interesting is doing an analysis to see how the risk has gone down over time or to measure whether these vulns are coming from newly written code (as in, are developers still making mistakes?) or newly discovered in old code (as in, are analysis tools getting better?). It's also cool to see ClusterFuzz show up in the acknowledgements. Even if the vuln it identified was low risk, it's nice to know that automation is demonstrating value. You can find more details from the security release notes at https://httpd.apache.org/security/vulnerabilities_24.html.
  5. An update on Memory Safety in Chrome - A clear theme this week is compiled code, its consequences, and its chances for better controls. And, of course, that means we drag out the magic phrase of "memory safety" -- the bane of C and C++. The Chrome developers know this, having seen this in roughly 70% of their severe security bugs last year. This article shows how they're thinking about addressing the class of bugs that fall under this memory safety umbrella. They've settled on two options: further harden how raw pointers are manipulated throughout the code base and re-implement parts of the code base into another language like Rust. For a complex and large code base like Chrome, neither of the approaches is trivial and neither comes without costs, but the cost of insecure software can be even higher, especially for software as ubiquitous as Chrome. So it's also educational to see how they're approaching both the performance costs of hardened pointers and the operational costs to developers for dealing with even more complexity or a completely new programming language. Check out more details at: - https://chromium.googlesource.com/chromium/src/+/ddc017f9569973a731a574be4199d8400616f5a5/base/memory/raw_ptr.md - https://www.chromium.org/Home/chromium-security/memory-safety/rust-and-c-interoperability
  6. 2021 Accelerate State of DevOps report addresses burnout, team performance - Here's another article from Google about their report this year on DevOps Research and Assessment. It's a review of the maturity of DevOps practices within orgs and how that maturity positively impacts software quality -- and therefore security. There's a section on security. It involves a lot of security reviews in a lot of SDLC phases. It also states that "teams with high-quality documentation were 3.8 times as likely to integrate security throughout their development process." So that's a win for documentation, but likely also requires followup practices and controls like linters, scanners, or other means of automating security recommendations rather than just relying on manual reviews.
  7. OWASP’s 20th Anniversary Celebration - OWASP turned 20 this month and celebrated with a free streaming conference. While recordings aren't yet available, it's always a good time to check out their dozens of projects and cheatsheets -- find one you'd like to participate in! Find them at - https://owasp.org - https://www.youtube.com/c/OWASPGLOBAL/featured
  8. HackerOne expands Internet Bug Bounty project to tackle open source bugs - Open source projects can always benefit from attention, participation, and budgets for security. Seeing more opportunities to reward researchers for bugs discovered in open source software is good, but it also brings us back to the discussion of where to prioritize security investments. Sometimes we don't need to be reminded how prevalent software flaws are, sometimes we need more assistance in designing and rearchitecting software so those flaws are harder to introduce or less impactful overall.
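The signed vs. unsigned length mismatch called out in item 3 is easier to see in code than in prose. The block below is an added illustration, not code from nanomq or from the show notes: a hypothetical parser for an MQTT-style string field (a 2-byte big-endian length followed by that many bytes) written once with a signed length and once with unsigned arithmetic and an explicit destination bound. Both functions return 0 and the byte count they would hand to memcpy, or -1 to reject the packet; the sample packets are constructed here, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample packets (not captured traffic). */
static const uint8_t kCraftedPkt[] = {0xFF, 0xF0, 'a', 'b', 'c', 'd'}; /* declared length 0xFFF0 */
static const uint8_t kBenignPkt[]  = {0x00, 0x03, 'a', 'b', 'c'};      /* declared length 3 */
static const uint8_t kShortPkt[]   = {0x00, 0x10, 'a'};                /* declares 16, carries 1 */

/* Vulnerable (hypothetical) parser: the length is assembled into a signed
 * 16-bit int, so 0x8000 and above become negative, the "len > remaining"
 * check passes, and the negative value turns into a huge size_t when it is
 * assigned to the memcpy length. */
int field_len_vulnerable(const uint8_t *p, int avail, size_t *copy_len)
{
    if (avail < 2)
        return -1;
    int16_t len = (int16_t)((p[0] << 8) | p[1]); /* 0xFFF0 -> -16 */
    if (len > avail - 2)                         /* -16 > 4 is false: not rejected */
        return -1;
    *copy_len = len;                             /* -16 -> 18446744073709551600 */
    return 0;
}

/* Hardened parser: unsigned arithmetic throughout, the length is checked
 * against what remains after the 2-byte prefix and against the destination
 * size, so a crafted length and a truncated packet are both rejected. */
int field_len_hardened(const uint8_t *p, size_t avail, size_t dst_size, size_t *copy_len)
{
    if (avail < 2)
        return -1;
    uint16_t len = (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
    if (len > avail - 2 || len > dst_size)
        return -1;
    *copy_len = len;
    return 0;
}

int main(void)
{
    size_t n = 0;
    if (field_len_vulnerable(kCraftedPkt, (int)sizeof kCraftedPkt, &n) == 0)
        printf("vulnerable: accepted, would memcpy %zu bytes out of a %zu-byte packet\n",
               n, sizeof kCraftedPkt);
    if (field_len_hardened(kCraftedPkt, sizeof kCraftedPkt, 64, &n) != 0)
        printf("hardened: rejected the crafted length\n");
    if (field_len_hardened(kBenignPkt, sizeof kBenignPkt, 64, &n) == 0)
        printf("hardened: accepted benign field of %zu bytes\n", n);
    return 0;
}
```

Compiling the vulnerable function with gcc or clang and -Wsign-conversion flags the `*copy_len = len` assignment, which is the compiler warning the show notes hope a team would notice and triage as a potential vuln rather than silence with a cast. A fuzzer would find the same thing by supplying lengths at or above 0x8000, but only after someone has written a harness around the parser.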
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element