DevOps, Application security

Exchange RCE, Patching at Scale, DORA Metrics, USENIX Best Papers, Passkeys – ASW #214

Exchange RCE, bulk pull requests to patch at scale, metrics from DORA, best papers from USENIX, implementing passkeys

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Hosts

Mike Shema
Security Partner at Square
  1. Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server - An SSRF and RCE (which requires an authenticated user) were disclosed before Microsoft had a chance to prepare fixes. These are familiar classes of bugs and apparently related to the prior ProxyShell vuln, although details have yet to be shared. The broader appsec angle here is the choice of software -- running your own Exchange server -- and what tools you have to mitigate vulns when patches aren't available. Additional resources:
     - https://www.darkreading.com/application-security/microsoft-confirms-exchange-zero-days-no-patch
     - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
  2. Are you an Elite DevOps performer? Find out with the Four Keys Project - https://cloud.google.com/devops/state-of-devops/
  3. What the Securing Open Source Software Act does and what it misses - https://therecord.media/log4j-senators-introduce-bill-centered-on-cisa-open-source-security-efforts/
  4. USENIX Best Papers - Highlights:
     - "Attacks on Deidentification's Defenses" -- https://www.usenix.org/conference/usenixsecurity22/presentation/cohen
     - "Dos and Don'ts of Machine Learning in Computer Security" -- https://www.usenix.org/conference/usenixsecurity22/presentation/arp
     - "Provably-Safe Multilingual Software Sandboxing using WebAssembly" -- https://www.usenix.org/conference/usenixsecurity22/presentation/bosamiya
     - "Let's Hash: Helping Developers with Password Security" -- https://www.usenix.org/conference/soups2022/presentation/geierhaas
  5. Passkeys - Here's an article about implementing Passkeys that seemed like a good educational exercise. At the very least, it's a helpful way to understand the protocol through the text explanation and supplemental JavaScript and Python3 code. And, while it wouldn't be the recommended approach for a complete implementation for a production system, it'd be a good way to talk about a protocol, implement it, then conduct threat models on both the protocol's design and, importantly, its implementation.
  6. Patching common vulnerabilities at scale: project promises bulk pull requests - Picking up this talk from DEF CON and BSides Las Vegas about generating pull requests at scale to address vulns. In spirit, this feels like a more constructive and successful approach to dealing with vulns. After all, offering an applicable, mergeable solution is a lot more helpful and efficient than adding to a chorus of, "You should fix this." It's a great version of "show, don't tell" in the vein of tools like Dependabot.
  7. Rancher stored sensitive values in plaintext, exposed Kubernetes clusters to takeover - It's an unhelpful tautology to say secrets are supposed to be secret. Services often need to present secrets like API keys or service tokens to prove their identity. The challenge is in storing secrets so that access is restricted to only the service that needs it, which becomes difficult in complex systems. The advisory is at https://github.com/advisories/GHSA-g7j7-h4q8-8w2f
John Kinsella
Co-founder & CTO at Cysense
  1. TypeScript 4.9 is more satisfying than ever - TypeScript 4.9 introduces a satisfies operator to ensure an object has the type that a developer is expecting
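An added example (not from the episode, and not TypeScript's own documentation) of what the satisfies operator buys over a plain type annotation. The Content-Security-Policy directive table, the directive names and the CDN host are constructed for this illustration; the point it shows is that satisfies validates the literal against the declared type (catching a misspelled key at compile time) while keeping the narrow inferred type, whereas an annotation widens the value and turns every lookup into a possibly-undefined one.

```typescript
// Added example: `satisfies` (TypeScript 4.9+) checks an object literal against
// a type without widening it to that type.

// Constructed directive vocabulary for a small CSP allow-list.
type Directive = "default-src" | "script-src" | "img-src" | "connect-src";
type CspPolicy = Partial<Record<Directive, readonly string[]>>;

// `satisfies` validates the literal: a misspelled directive or a non-string
// value is a compile error. The inferred type stays narrow, so
// `policy["script-src"]` is a `string[]`, not `readonly string[] | undefined`.
const policy = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdn.example.test"], // assumed CDN host
} satisfies CspPolicy;

// @ts-expect-error -- "scirpt-src" is not a Directive; `satisfies` rejects the typo
const typoPolicy = { "scirpt-src": ["'self'"] } satisfies CspPolicy;
void typoPolicy;

// Contrast: an annotation widens the object to CspPolicy, so every directive
// lookup becomes `readonly string[] | undefined` and needs a runtime guard.
const annotated: CspPolicy = {
  "default-src": ["'self'"],
};

// Renders any CspPolicy to a header value, guarding each (possibly absent) entry.
function renderCsp(p: CspPolicy): string {
  return (Object.keys(p) as Directive[])
    .map((d) => `${d} ${(p[d] ?? []).join(" ")}`)
    .join("; ");
}

// Because `policy` kept its literal type, this is a plain array access with no
// undefined check required by the compiler.
function scriptSources(): readonly string[] {
  return policy["script-src"];
}

// Sources for the widened object must be guarded.
function annotatedDefaultSources(): readonly string[] {
  return annotated["default-src"] ?? [];
}
```

The compile-time check is the security-relevant part: a typo in a directive name would otherwise ship as an unknown key that browsers silently ignore, weakening the policy without any runtime error.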