Exchange RCE, Patching at Scale, DORA Metrics, USENIX Best Papers, Passkeys – ASW #214
Exchange RCE, bulk pull requests to patch at scale, metrics from DORA, best papers from USENIX, implementing passkeys
Tech Lead at Block
- 1. Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server
An SSRF and an RCE, both of which require an authenticated user, were disclosed before Microsoft had a chance to prepare fixes. These are familiar classes of bugs and apparently related to the prior ProxyShell vulns, although details have yet to be shared. The broader appsec angle here is the choice of software (running your own Exchange server) and what tools you have to mitigate vulns when patches aren't available.
Additional resources:
- https://www.darkreading.com/application-security/microsoft-confirms-exchange-zero-days-no-patch
- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
- 2. Are you an Elite DevOps performer? Find out with the Four Keys Project
https://cloud.google.com/devops/state-of-devops/
- 3. What the Securing Open Source Software Act does and what it misses
https://therecord.media/log4j-senators-introduce-bill-centered-on-cisa-open-source-security-efforts/
- 4. USENIX Best Papers
Highlights:
- "Attacks on Deidentification's Defenses" -- https://www.usenix.org/conference/usenixsecurity22/presentation/cohen
- "Dos and Don'ts of Machine Learning in Computer Security" -- https://www.usenix.org/conference/usenixsecurity22/presentation/arp
- "Provably-Safe Multilingual Software Sandboxing using WebAssembly" -- https://www.usenix.org/conference/usenixsecurity22/presentation/bosamiya
- "Let's Hash: Helping Developers with Password Security" -- https://www.usenix.org/conference/soups2022/presentation/geierhaas
- 6. Patching common vulnerabilities at scale: project promises bulk pull requests
Picking up this talk from DEF CON and BSides Las Vegas about generating pull requests at scale to address vulns. In spirit, this feels like a more constructive and successful approach to dealing with vulns. After all, offering an applicable, mergeable fix is a lot more helpful and efficient than adding to a chorus of, "You should fix this." It's a great version of "show, don't tell" in the vein of tools like Dependabot.
- 7. Rancher stored sensitive values in plaintext, exposed Kubernetes clusters to takeover
It's an unhelpful tautology to say secrets are supposed to be secret. Services often need to present secrets like API keys or service tokens to prove their identity. The challenge is in storing secrets so that access is restricted to only the service that needs it, which becomes difficult in complex systems. The advisory is at https://github.com/advisories/GHSA-g7j7-h4q8-8w2f
Co-founder & CTO at Cysense
- 1. TypeScript 4.9 is more satisfying than ever
TypeScript 4.9 introduces a satisfies operator that checks an expression against the type a developer expects without widening the expression to that type, so the compiler keeps the more precise inferred type for later use.
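An added example of the operator in a security-relevant setting (this is illustration code, not from the episode or the TypeScript project; the route table, policy names and helper functions are made up): a per-route auth policy table validated with `satisfies`, so a typo in a policy value or a missing field fails the build while the route names and literal policy values stay known to the compiler.

```typescript
// Added example for TypeScript 4.9's `satisfies` (not code from the episode or the
// TypeScript project). Route names, policies and helpers are invented for the demo.

type AuthPolicy = "none" | "required" | "admin";

interface RouteSpec {
  path: string;
  auth: AuthPolicy;
}

// `satisfies` checks every entry against RouteSpec: auth: "requierd" or a missing `auth`
// is a compile error. Unlike `const routes: Record<string, RouteSpec> = {...}`, it keeps
// the inferred object type, so the exact key set survives and each `auth` keeps its
// literal type ("none" | "required" | "admin") instead of widening to string.
const routes = {
  health: { path: "/healthz", auth: "none" },
  profile: { path: "/me", auth: "required" },
  admin: { path: "/admin/users", auth: "admin" },
} satisfies Record<string, RouteSpec>;

// Because the key set is preserved, a non-existent route name is a compile error here;
// with the plain annotation this would be just `string`.
type RouteName = keyof typeof routes;

type Role = "anonymous" | "user" | "admin";

// Exhaustiveness: `auth` keeps its literal union, so if a new AuthPolicy value is added
// and not handled, the `never` assignment in `default` no longer compiles.
function requiredRole(name: RouteName): Role {
  const policy = routes[name].auth;
  switch (policy) {
    case "none":
      return "anonymous";
    case "required":
      return "user";
    case "admin":
      return "admin";
    default: {
      const unhandled: never = policy;
      throw new Error(`unhandled auth policy: ${unhandled}`);
    }
  }
}

// Simple rank-based check: a caller may hit a route if their role ranks at least as high
// as the role the route demands.
function isAllowed(name: RouteName, role: Role): boolean {
  const rank = { anonymous: 0, user: 1, admin: 2 } as const;
  return rank[role] >= rank[requiredRole(name)];
}

console.log(isAllowed("admin", "user"), isAllowed("profile", "admin")); // false true
```

The practical difference from a type annotation: the annotation validates the table but throws away what the compiler learned about it, so `routes.typo` compiles and every `auth` reads as the wide union; `satisfies` validates and keeps the precise shape, which is what makes the exhaustive switch and the `RouteName` parameter type possible.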