An SSRF and RCE (which requires an authenticated user) were disclosed before Microsoft had a chance to prepare fixes. These are familiar classes of bugs and apparently related to the prior ProxyShell vuln, although details have yet to be shared.
The broader appsec angle here is the choice of software -- running your own Exchange server -- and what tools you have to mitigate vulns when patches aren't available.
Picking up this talk from DEF CON and BSides Las Vegas about generating pull requests at scale to address vulns. In spirit, this feels like a more constructive and successful approach to dealing with vulns. After all, offering an applicable, mergeable solution is a lot more helpful and efficient than adding to a chorus of, "You should fix this." It's a great version of "show, don't tell" in the vein of tools like Dependabot.
It's an unhelpful tautology to say secrets are supposed to be secret. Services often need to present secrets like API keys or service tokens to prove their identity. The challenge is in storing secrets so that access is restricted to only the service that needs it, which becomes difficult in complex systems.
The advisory is at https://github.com/advisories/GHSA-g7j7-h4q8-8w2f
Farshad Abasi joins us again to talk about creating a new OWASP project, the Secure Pipeline Verification Standard. (Bonus points for not being a top ten list!) We talk about what it takes to pitch a new project and the problems that this new project is trying to solve. For this kind of project to be successful -- as in making a positive impact to ...
Check out this interview from the ASW Vault, hand-picked by main host Mike Shema! This segment was originally published on Dec 13, 2022.
Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottleneck. What if I told you, you can have your cake and eat...
We've been scanning code for decades. Sometimes scanning works well -- it finds meaningful flaws to fix. Sometimes it distracts us with false positives. Sometimes it burdens us with too many issues. We talk about finding a scanning strategy that works well and what the definition of "works well" should even be.