Malicious PHP Commits, OAuth Attacks & XML Injection, & Zines For DevSecOps – ASW #146

Last week PHP admins noticed two malicious commits pushed to the php-src repo (https://news-web.php.net/php.internals/113838). The team noticed this quickly and put releases on hold out of caution. None of this is unique to PHP; it's a departure point for discussing infrastructure security, signing commits, identity, and the attack surface of a CI/CD pipeline. It takes budget to use SaaS infrastructure, discipline to manage certs, and threat models to understand which controls address which types of attacks.

Another example of why application defenses and threat models should worry less about motivations or "who" of an attack and more about the means of an attack. Resiliency and uptime are important requirements for modern apps, and a reminder that availability of the CIA triad remains an important security concern.

A well-written article about the journey from source code to executable binary. It's a nice reference whether you're interested in getting into reverse engineering or designing controls to harden execution environments like containers. It can be a helpful primer to better understand concepts like ASLR, return-oriented programming in exploits, and even syscall filtering. Be sure to check out part 1 at https://blog.cloudflare.com/how-to-execute-an-object-file-part-1/

We talk a lot about the importance of communicating security and engineering concepts well. Julia Evans has approached this with a wonderful combination of art and text in the zine format. You'll find everything from a refresher on command-line arguments you might already know to tips and tricks that might make your command-line skills more effective. Check out her blog at https://jvns.ca

OAuth, SAML 2.0, and OpenID Connect are modern ways to delegate authentication so that apps can focus on protecting tokens and trust relationships instead of protecting passwords. Yet it's still a design pattern that carries some misconfiguration minefields. So make sure you're considering all of these attacks in your threat model and, of course, remember that there's a big difference between authentication that says who you are and authorization that says what you can do.

A good companion to the Portswigger article on Hidden OAuth Attack Vectors, this describes potential issues in the assertions and attributes in the XML that composes SAML. Delegated authentication and SSO remains a recommended design pattern, just make sure your implementation doesn't fall victim to this attack category.

Although this is focused on AWS, the background and reasoning on different mutual authentication scenarios can be applied to many environments. As an article oriented towards engineering, its "Use X when Y" formulation is a good demonstration of tradeoffs and design considerations.