AWS AppSync Vuln, Zero-Initialization, HTTP/3 Connections, Thinkst Quarterly – ASW #221
Crossing tenants with AWS AppSync, more zeros in C++ to defeat vulns, HTTP/3 connection contamination, Thinkst Quarterly review of research, building a research team
Announcements
Security Weekly listeners, we need to hear your voices! Leave us your feedback on Apple podcasts & submit a screenshot to our giveaway form for a chance to win a $100 gift card from Hacker Warehouse! This giveaway will be open until the end of the year. We appreciate your honest feedback so we can continue to make great content for our audience! Visit securityweekly.com/giveaway to enter!
Hosts
- 1. A Confused Deputy Vulnerability in AWS AppSync
Research from Datadog about tricking the AWS AppSync service to make calls on the attacker's behalf. It's a good example of why authorization controls are so critical to GraphQL calls designed to interact and collect data from a variety of sources.
- 2. P2723R0 Zero-initialize objects of automatic storage duration
A C++ standard proposal that claims (with references) how zero-initializing data could mitigate ~10% of vulns seen against codebases. It's already an opt-in feature in modern compilers, but security benefits much more from secure defaults and explicit opt-outs.
Even if you're not working on a C++ codebase, imagine your favorite language or system and what apparently simple change (like zeroing memory when it's initialized) could make for a more secure default. This hits a recurring rhetorical question of: Why do we invest so much effort in hardening guides as opposed to making the default more secure? Why haven't we switched to "unhardening" guides or "de-security" guides?
- 3. HTTP/3 connection contamination: an upcoming threat?
It took a decade and a half to get from HTTP/1 to HTTP/2. And a few more years to get to HTTP/3. Even if most sites still use HTTP/1, it's exciting to have new protocols to analyze and research. Both HTTP/2 and /3 benefit from more explicit security considerations, but that doesn't mean they're without flaws -- either in design or implementation. Research like this from James Kettle illuminates potentially creaky bits and shows how it's possible to find surprises (which are a bane of security) in "simple" protocols.
- 4. ThinkstScapes Quarterly | 2022.Q3
This quarter's security research roundup from Thinkst gets into very technical topics in AI/ML, cryptography, and software analysis. On a meta level, the list of papers they cover or the list of items they reviewed can inform what conferences you might want to attend next year.
- 5. So long and thanks for all the 0day
We've covered many articles from NCC group authored by Jennifer Fernick and her team. This is a farewell post as she moves on to a new role. It includes quite a long list of favorite projects and posts worth checking it. But it also starts with thoughts on leading a research team -- it's a great resource for building up a capability within your own org, whether it's for appsec research or generally growing a technical team.
- 1. Spotify’s open source vuln mgmt program
Just managing a list of vulnerabilities has become a Big Deal over the last few years, leading to many vendors selling products just to help with this. Spotify's open sourced their internal product, which some might find useful.
- 2. RCE In Spotify’s Backstage
Backstage - a platform to make developer's lives a little easier, was found to have a CVSS 9.8 RCE
- 3. Improving code review time at Meta
