Application security, DevOps

BBPLR, API Security Trends, Memory Unsafety, & Patching 0-Days – ASW #139

Funding bounties or finding bugs, how should we invest? Talks from Enigma Conference on memory unsafety and 0-days. Coming trends in API security and a review of research from 2020.

Full episode and show notes

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Hosts

Mike Shema
Mike Shema
Security Partner at Square
  1. 1. Bug Bounty Program of Last Resort - This paper answers what it might cost to fund bounties for critical open-source projects. Which also raises a question of what might it cost to fund code refactoring and hardening for critical open-source projects. It also references a paper from WEIS 2019 (https://weis2019.econinfosec.org/wp-content/uploads/sites/6/2019/05/WEIS_2019_paper_36.pdf). We talked about this conference and a few papers back in episode 136.
  2. 2. Google’s Payout to Bug Hunters Hits New High - As a bug bounty of first resort, Google pays quite a bit for software flaws in Android, Chrome, and its other properties. But it's nowhere near the scale suggested in the other article this week about the bounty of last resort.
  3. 3. API Security Trends - Another vendor state of security report, this time with a focus on what incidents have been hitting APIs. Read it along with their take on "OpenAPI Specification: Perception vs. Reality" (https://devops.com/openapi-specification-perception-vs-reality/) and how the industry might improve API security.
  4. 4. NCC Group’s 2020 Annual Research Report - A wealth of reading for research, tools, and presentations from 2020. Each item has helpful context so you can choose what appeals to your interests or what might be relevant to your organization.
  5. 5. Establishing a Scalable Collaboration Between Security and DevOps - A discussion of research on DevOps skillsets, what organizations are worried about, where containers fit within a DevOps strategy, and where Security sits among all this. And for bonus reading material, check out their other article about keeping Availability on the Security radar (https://capsule8.com/blog/bringing-your-a-game-availability-for-security-people-2/).
  6. 6. Quantifying Memory Unsafety and Reactions to It - A talk from Enigma 2021 that brings data to the journey of understanding the implications of C and C++. How much does programming language choice affect software security? How much _has_ programming language choice impacted the population of vulns?
  7. 7. The State of 0-Day in-the-Wild Exploitation - A talk from Enigma 2021 that brings data to the discussion of finding vulns and patching them. Check out the companion article on Project Zero at https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html
  8. 8. Privacy and Security Nutrition Labels to Inform IoT Consumers - A talk from Enigma 2021 that brings visualization and communication of security and privacy issues in IoT to consumers. Find out more about these labels on their site at https://www.iotsecurityprivacy.org.
John Kinsella
John Kinsella
Co-founder & CTO at Cysense
  1. 1. Apple patches 28 code execution vulnerabilities - Apple released updated info about what was patched in last week's ios/watchos/tvos/macos updates. Quite a few bugs...
Matt Alderman
Matt Alderman
Executive Director at CyberRisk Alliance
prestitial ad