Security Weekly listeners, save $100 on your RSA Conference 2022 Full Conference Pass! RSA Conference will be live in San Francisco June 6th-9th, 2022. Security Weekly will be there in full force, delivering real-time, live coverage and interviewing some of the event’s top speakers and sponsors. To register using our discount code, please visit https://securityweekly.com/rsac2022 and use the code 52UCYBER. We hope to see you there!
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Valid credentials are the best backdoor into any system. Attackers managed to obtain OAuth tokens and abuse that access to download repo information -- likely searching for even more instances of hard-coded secrets.
GitHub also discussed a security issue in Git that primarily affects Windows users, which is unrelated to the stolen token issue. It's not exactly a path traversal flaw in the sense of breaking out of a subdirectory, but it does touch on nuances of traversing directories and desired behavior when ownership changes. Check it at out https://github.blog/2022-04-12-git-security-vulnerability-announced/
If you like crypto (the useful math kind that solves problems), then you'll enjoy the deep dives of this article and the series that follows.
For others, even if the details seem incomprehensible, the article raises some good points that apply more generally to application development. For example, one of the observations on how these flaws occur "comes down to a combination of ambiguous descriptions in academic papers and a general lack of guidance around these protocols." The easy summary of that is "needs more documentation", but the more effective summary is "needs clear communication for developers" -- and that's a topic we revisit on lots of episodes.
Ah, medical droids -- 21-B fixed up Luke in "Empire Strikes Back", GERTY kept an eye on Sam in "Moon", and one of my recent favorites is David from "Prometheus" (and Weyland's advertisement for that series of android, https://youtu.be/qgJs7uluwlU).
But closer to 2022, IoT in the medical space still has flaws related to XSS, passwords stored as MD5 hashes (!?), and an overall lack of strong authentication. Kudos to Cynerio for a nice write-up that explains the flaws without overhyping them *and* provides a more detailed PDF without requiring a signup to a marketing list first. Check it out at https://www.cynerio.com/blog/cynerio-discovers-and-discloses-jekyllbot-5-a-series-of-critical-zero-day-vulnerabilities-allowing-attackers-to-remotely-control-hospital-robots
ASN parsing is notoriously prone to error and abuse that leads to security issues. This article actually covers a flaw from 2021, but its appeal is in the type of questions it poses rather than merely a technical review of the flawed code. One question is whether or how fuzzing could have found this issue. Another question relates to the wisdom of forking code and the kinds of flaws or missed patches that can creep into forks, even well-maintained ones.
This article walks through the creation of metrics that inform teams about a security topic followed by a set of concrete actions those teams can take to improve their scores against the metrics. It's nice to see a team talking about metrics in a way that keeps them simple and ties them to things a team can influence.
OpenSSH is switching to "post-quantum" Streamlined NTRU Prime + x25519 key exchange, in hopes to prevent attackers who sniff/store data now, with hopes to decrypt at some point in the future when quantum computers realize the ability to decrypt public key cryptography.
More info on NTRU Prime is available at https://ntruprime.cr.yp.to/
Farshad Abasi joins us again to talk about creating a new OWASP project, the Secure Pipeline Verification Standard. (Bonus points for not being a top ten list!) We talk about what it takes to pitch a new project and the problems that this new project is trying to solve. For this kind of project to be successful -- as in making a positive impact to ...
Panoptica, Cisco’s cloud application security solution, was born out of Outshift, Cisco's incubation engine. Shibu George, Engineering Product Manager at Outshift, joins Business Security Weekly to discuss his transition from application performance monitoring to application security and how Panoptica was born.
This segment is sponsored by Panopt...
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on Dec 13, 2022.
Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottleneck. What if I told you, you can have your cake and eat...