Application security, DevOps, Third-party risk, Security awareness

Tasty Beverage – ASW #184

Doug Kersten, CISO of Appfire, will discuss how the nature of vulnerabilities today makes it critical for developers to make sure they’re building projects in a secure manner in order to quickly mitigate vulnerabilities – or they risk being left scrambling to respond when a threat hits.

In the AppSec News: Docker and security boundaries, Google's year in vuln awards, 2021's year in web hacks, Apple AirTags and privacy, turning AIs onto RFCs for security, & facial recognition research!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Segments

1. The Modern Developer Must be Security Minded, Too – Doug Kersten – ASW #184

In light of the far-reaching Log4j vulnerability, it’s become increasingly clear that the modern developer can’t operate without a solid level of security expertise.

Vulnerability management is not just about responding quickly but should be top-of-mind during all stages of software development from inception to delivery. Modern threats mean developers can’t assume security isn’t part of their job and push the burden of responsibility to their infrastructure teams.

Announcements

  • The call for papers is now open for InfoSec World 2022! Featuring expert insights, enlightening keynotes, and interactive breakout sessions, this year's conference will take place on September 26-28 in Orlando. We're looking for experts and innovators to contribute their ideas, experiences, and perspectives to help shape the 2022 program. To submit your proposal, please visit: https://securityweekly.com/isw2022

Guest

Doug Kersten
CISO at Appfire

Doug Kersten is Chief Information Security Officer at Appfire. He is an industry veteran and strategic, tactical, and hands-on leader who has been instrumental in instilling a positive security culture within fast-paced organizations. Kersten brings more than two decades of security leadership experience to his role, having led IT and security programs for some of the world’s top financial institutions and law firms. Kersten is helping Appfire continue to lead the way in Cloud security for the Atlassian ecosystem and software developer community at large.

Hosts

Mike Shema
Security Partner at Square
John Kinsella
Co-founder & CTO at Cysense

2. Docker Boundaries, Google Bounties, 2021’s Top Web Hacks, Apple AirTags, AI vs. RFCs – ASW #184

Hosts

Mike Shema
Security Partner at Square
  1. State of Software Security v12 - February seems to be the month when everyone's reflecting on appsec in 2021. The first article in this vein is the new State of Software Security report from Veracode. As the report notes, scanning of one form or another (SAST, DAST, SCA) has shifted frequency from two to three times a year per app to a majority of apps being scanned three times a week. So, there's a positive step in the adoption of security tools. Of course, just using a tool doesn't create a security culture, but tools can contribute to the practices around securing apps. The report also points out that the half-life in third-party flaws (i.e. time to close 50% of flaws) has shrunk from 2017. Unfortunately, that half-life has gone from about three years to about one -- so maybe it's a mixed success. Heads up that this is one of those PDF reports that's behind a registration wall.
  2. Top 10 web hacking techniques of 2021 - James Kettle and the folks at Portswigger look back on their favorite web hacking techniques of 2021. No surprise that HTTP Request Smuggling is on the list (deservedly so), with the twist that 2021 saw research into how HTTP/2 and HTTP/3 implementations may be susceptible when they downgrade to HTTP/1 to deal with backend servers that haven't yet upgraded. Cache poisoning and OAuth attack vectors are two other items that stand out. In fact, even though XSS is on the list, it's quite refreshing to see something that doesn't look like a rehash of the OWASP Top 10. (Of course, many of them could still map into that list.) There are some interesting new attack surfaces being discovered within Exchange and, as we've seen in the request smuggling, still plenty of implementation details and edge cases to poke at for flaws.
  3. Vulnerability Reward Program: 2021 Year in Review - Google has released some numbers around the activity of their vulnerability reward program for 2021. Overall, paying out $8.7 million seems like a good investment to keep widely used apps like Android and Chrome secure. They've only published total payouts and participants, which points to average payouts in Android of around $25K and close to $29K for Chrome. It'd be interesting to know the median reward since the highest payout was $157K. One neat aspect is seeing the Chrome Fuzzing program get attention and success, with one report earning $16K. Being Google, this got lots of news coverage (obviously from us as well!). Here are some more articles about it:
     - https://www.zdnet.com/article/google-vendors-took-an-average-of-52-days-to-fix-reported-security-vulnerabilities/
     - https://www.zdnet.com/article/google-says-9-million-given-out-in-2021-vulnerability-rewards/
     - https://therecord.media/google-awarded-8-7-million-to-security-researchers-in-2021/
     - https://portswigger.net/daily-swig/google-project-zero-hails-dramatic-acceleration-in-security-bug-remediation
  4. Apple plans to make finding unwanted AirTags easier - Apple understandably received a lot of scrutiny for its AirTags when they were first released. While the underlying concept predated Apple, the scale of devices that enabled the tracking was an immense leap. And even if iPhones tracked the AirTags in a privacy preserving manner -- that privacy was focused on the owner of the tag. This also meant that threat models for AirTags needed to consider stalking or unwanted tracking. On the technical side, it also touches on hardware (anti-tampering), software (interoperability for users outside of the Apple device ecosystem), and notification design (sound, on-device alerts). The primary concern here is individuals being tracked without their knowledge. But there can be other unexpected uses of AirTags. Back in January, there was an article about an activist who used an AirTag to attempt to identify offices associated with a German intelligence agency -- they mailed it to one address and tracked all the points where the package was being handled. It's not clear how successful and correct the end results were for that specific instance, but the idea has a sound principle to it.
     - Check out the article, with links to the activist's blog (in German), at https://appleinsider.com/articles/22/01/25/apples-airtag-uncovers-a-secret-german-intelligence-agency
     - Read Apple's update on AirTags at https://www.apple.com/newsroom/2022/02/an-update-on-airtag-and-unwanted-tracking/
     - You can find more resources on concerns, countermeasures, and policy around hardware and software tracking at https://stopstalkerware.org
  5. Automated attack synthesis by extracting protocol FSMs from RFCs - We're diving into quite a different type of article with this one. It has state machines, which we talked about a bit in episode 182, and AI, which we haven't really talked about other than to question whether the form of AI involved regexes or if statements. Yet here we have some pretty cool research that uses Natural Language Processing (NLP) to analyze a protocol's RFC in order to create an implementation of that protocol (its state machine) in order to fuzz the protocol for security flaws. The concept is clever and, despite a description like "NLP on an RFC to create an FSM for Korg", it looks like a worthy investment. The approach still hasn't earned its first bounty and it still relies on humans to correct the RFC to state machine translation. But a tool that leads to clearer documentation and reasoning about a protocol is already useful. And one that can turn text into code into "attacker simulation" is one that's going to get better over time. Plus, as fans of synthwave, we don't want to miss any reference to Korg -- especially when the open source tool "is named after the KORG MicroKorg synthesizer, which has a dedicated attack knob." References:
     - https://github.com/RFCNLP/RFCNLP/blob/main/tutorials/attacker.synthesis.md
     - https://github.com/RFCNLP/RFCNLP/blob/main/rfcnlp.pdf
     - https://github.com/maxvonhippel/AttackerSynthesis
  6. Attacking JavaScript Engines in 2022 - The summer cons (BlackHat, DEF CON) tend to draw lots of media attention. But there are security cons of various sizes throughout the year and throughout the globe. Here's an appsec presentation on JavaScript engines from OffensiveCon (https://www.offensivecon.org/). The first section likely won't be too informative unless you're familiar with browser engines. Instead, skip to the "Exploitation & Mitigations" section for a nice summary and observations on the past and future of exploits and hardening that browsers have been doing over the years. The con posts recordings, so we'll bring you an update once this one appears. In the meantime, check out these two presentations from 2020.
     - Keynote from Halvar Flake, https://youtu.be/8QRnOpjmneo
     - Talk from Maddie Stone, https://youtu.be/TAwQ4ezgEIo
  7. Biometric Hacking: Face Authentication Systems - This hacking is particularly fun to read about because of how physical the test harness is -- pictures, 3D printing, good lighting, and lots of clamps to hold everything in place. It's quite a different world from URLs and dropping alert() popups everywhere. Both those worlds have an important place in appsec, but we tend to not talk about the hardware side of things as much. It's also a chance to revisit threat models and talk about the appropriate times to balance security and convenience, putting choices into informed users' hands, and realizing different people have different threat models. For once we have a PDF that isn't behind a registration wall. Check out the blog and if you're curious about the details, read the report at https://act-on.ioactive.com/acton/attachment/34793/f-3ddfff76-d7d8-47e6-8b07-e4d4ee841008/0/-/-/-/-/IOA-wp-FacialRecognition.pdf
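An added example, not code from the episode, from PortSwigger's research, or from any product mentioned above: a toy model of the HTTP/2 to HTTP/1.1 downgrade behind the request-smuggling item in this list. The attacker request, the hostnames, the back-end parser and the two front-end downgrade functions are all constructed for the demo. `downgrade_naive` copies the client's Content-Length header through unchanged, so a back-end that trusts that header reads the rest of the body as a second request; `downgrade_hardened` rejects a Content-Length that disagrees with the HTTP/2 DATA frames and otherwise writes its own from the real body length.

```python
"""
Constructed demo of an HTTP/2 -> HTTP/1.1 downgrade desync (the H2.CL pattern).
Nothing here is taken from the episode or from the research it references.
"""
from dataclasses import dataclass

# Headers whose HTTP/1.1 meaning is already decided by HTTP/2 framing; a
# front-end must never pass the client's copies through on a downgrade.
HOP_HEADERS = {"content-length", "transfer-encoding"}


@dataclass
class H2Request:
    """Stand-in for a decoded HTTP/2 request. In HTTP/2 the body length comes
    from the DATA frames, so a Content-Length header is redundant and, when
    attacker-supplied, may simply be wrong."""
    method: str
    path: str
    authority: str
    headers: list      # (name, value) tuples as received
    body: bytes        # concatenated DATA-frame payload


def _h1_head(req: H2Request, headers) -> bytes:
    """Serialise the request line and headers in HTTP/1.1 form."""
    lines = [f"{req.method} {req.path} HTTP/1.1", f"Host: {req.authority}"]
    lines += [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def downgrade_naive(req: H2Request) -> bytes:
    """Vulnerable front-end: forwards every header as received, including a
    client-supplied Content-Length that does not match the framed body."""
    return _h1_head(req, req.headers) + req.body


def downgrade_hardened(req: H2Request) -> bytes:
    """Fixed front-end: a Content-Length that disagrees with the DATA frames
    makes the request malformed (RFC 9113 section 8.1.1), so reject it; drop
    any Transfer-Encoding; emit a Content-Length computed from the real body."""
    for name, value in req.headers:
        if name.lower() == "content-length" and value.strip() != str(len(req.body)):
            raise ValueError("content-length disagrees with DATA frames; reset stream")
    clean = [(k, v) for k, v in req.headers if k.lower() not in HOP_HEADERS]
    clean.append(("Content-Length", str(len(req.body))))
    return _h1_head(req, clean) + req.body


def parse_h1_requests(stream: bytes) -> list:
    """Toy back-end reading a reused keep-alive connection: each request body
    is delimited by its Content-Length header (no chunked support, on purpose).
    Returns [(request_line, body), ...] for every request it believes it saw."""
    out, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # partial request; a real server would wait for more bytes
        head = stream[pos:end].decode("latin-1").split("\r\n")
        length = 0
        for line in head[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value)
        body_start = end + 4
        out.append((head[0], stream[body_start:body_start + length]))
        pos = body_start + length
    return out


# Constructed attacker request: HTTP/2 framing says the body is len(SMUGGLED)
# bytes, the attacker's header says zero, and the body is itself a complete
# second request that the back-end will attribute to whoever shares the
# connection next.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: backend\r\n\r\n"
ATTACK = H2Request(
    method="POST", path="/", authority="example.test",
    headers=[("content-length", "0")],
    body=SMUGGLED,
)


def request_lines_seen(downgrade) -> list:
    """Downgrade ATTACK with the given front-end and return the request lines
    the toy back-end parses from the resulting byte stream."""
    return [line for line, _ in parse_h1_requests(downgrade(ATTACK))]
```

`request_lines_seen(downgrade_naive)` shows the back-end splitting one client request into a POST and a smuggled GET; `downgrade_hardened(ATTACK)` raises instead, and for a request without a client Content-Length it emits one it computed itself. The same desync exists when the attacker supplies Transfer-Encoding: chunked (the H2.TE variant), which this toy parser does not model; that is why the hardened path strips both headers rather than only checking Content-Length.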
John Kinsella
Co-founder & CTO at Cysense
  1. How Docker Made Me More Capable and the Host Less Secure - Repeat after us: Docker containers are (still) not a security construct. But - in this instance, having docker around actually decreases the security of the system. Great writeup.
  2. Several bugs in IOT/OT management software cause Bad Day - While the ThreatPost title points the finger at MQTT, IMHO the issue here is more around how it's used.
  3. Twitter switches 2fa providers after claims of surveillance