Application security, DevOps, Security awareness, Cloud security

The Sound of Silence – ASW #138

This week, we welcome John Delaroderie, Security Solutions Architect at Qualys, to discuss Groundhog Day - It's Time to Reset the Script on Vulnerabilities! In honor of the movie Groundhog Day, John will take a look at the top 10 most routinely exploited vulnerabilities through a web app security lens.

In the Application Security News, Sudo sure does, Libgcrypt flaw, iMessage demonstrates security by design, AWS Lambda shares a message on its design security, & more!

Visit https://securityweekly.com/qualys to learn more about them!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Segments

1. Groundhog Day – It’s Time to Reset the Script on Vulnerabilities – John Delaroderie – ASW #138

In honor of the movie Groundhog Day, John will take a look at the top 10 most routinely exploited vulnerabilities through a web app security lens.

This segment is sponsored by Qualys.

Visit https://securityweekly.com/qualys to learn more about them!

Sponsored By

Qualys

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Guest

John Delaroderie
Security Solutions Architect at Qualys

John Delaroderie is a Security Solution Architect and Subject Matter Expert for Web Application Scanning. He has been with Qualys since early 2018, and prior to that he worked for a variety of government agencies and private organizations in the fields of cyber security, incident response, digital forensics, and systems integrations.

Hosts

Mike Shema
Security Partner at Square
John Kinsella
Co-founder & CTO at Cysense
Matt Alderman
Executive Director at CyberRisk Alliance

2. Sudo Vuln, Libgcrypt, BlastDoor on iMessage, & AWS Lambda security – ASW #138

This week in the Application Security News, Sudo sure does, Libgcrypt flaw, iMessage demonstrates security by design, AWS Lambda shares a message on its design security, & more!

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Hosts

Mike Shema
Security Partner at Square
  1. CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) - Sudo mishandles the unescaping of command arguments, handing attackers a path to root. Also check out the project's advisory at https://www.sudo.ws/alerts/unescape_overflow.html and see if you'd catch the near decade-old mistake in a code review of https://github.com/sudo-project/sudo/commit/8255ed69. Notably, testing the exploit led to discovering a different refactor that weakened another security assumption.
  2. Libgcrypt 1.9.1 released - A two-year-old flaw in libgcrypt could lead to a heap buffer overflow during decryption and before signature validation. It's in a recent version that may not be deployed in many systems, but it still highlights the importance of being able to enumerate your dependencies -- and hope this library isn't statically linked anywhere...
  3. Apple iOS 14 Thwarts iMessage Attacks With BlastDoor System - Security by design is on display in recent iMessage architecture improvements. Project Zero shares their insights on what these changes imply for modern exploit chains; check out their write-up at https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html
  4. A deeper dive into our May 2019 security incident - The incident may be old, but the details are fresh -- and they include some "Advice to others" that's a good reminder about product security basics.
  5. Security Overview of AWS Lambda - AWS updated their documentation about Lambda security. It includes an overview of the isolation model that makes sure the serverless part of Lambda runs on servers with security separation, so customers can just focus on the "-less" part.
  6. A Pragmatic Approach to DevSecOps - Familiar reminders for introducing security to DevOps processes by demonstrating the value of a security tool and enabling DevOps teams to benefit from it within their own workflows.
  7. Cloud Native Predictions for 2021 and Beyond - More interesting for the themes of technology than for whether they'll arise in 2021. Also a way to consider what your DevOps roadmap looks like for the year and how much security is a part of it.
John Kinsella
Co-founder & CTO at Cysense
Matt Alderman
Executive Director at CyberRisk Alliance