- 1. Incident 2413 | Heroku Status
Heroku has provided more details on the breach, which gives us a chance to revisit an old topic -- communications -- and a new topic -- leaked password hashes. As with all these kinds of breaches, we don't have full knowledge of events, but it's still very surprising to hear that a compromised OAuth token also led to access of a database that contained hashed and salted passwords. That sounds like bad news for the app's architecture, encryption schemes, and authorization model.
Here's Heroku's reflection on their need to improve communications: https://blog.heroku.com/we-heard-your-feedback
Find more news coverage at
- 2. TLStorm 2.0
We first mentioned TLStorm back in episode 188 (https://securityweekly.com/asw188), so we'll skip a rehash of the vulns other than to use it as a reminder that handling error conditions correctly to "fail secure" is critical within any software that handles a security boundary or security state.
We'll use the updated notes on this flaw as an example of developing an appsec strategy around flaws identified from efforts like bug bounties and pentesting. It's always more effective to target a class of vulns -- like error handling for TLS connections -- than just fixing the flaws that a security test might have identified. Unfortunately, it's also more time intensive and requires more investment from appsec and DevOps teams.
- 3. Themes from Real World Crypto 2022
This is a great guide through different cryptographic topics presented at this year's RWC conference. But even if you're not implementing or analyzing crypto protocols, there's one takeaway that remains universal to software -- "Security tooling is still too difficult to use". It's great to see a shout-out for compilers as a way to build in more security analysis and hardening, but there's clearly still a lot of work to do to get beyond security awareness and into security tools and compilers.
- 4. Path traversal flaw found in OWASP enterprise library of security controls
Yes, of course this is going to make the list. It mentions path traversal. But the discussion is more about building security libraries versus secure code. After all, even one of the project maintainers explains the trade-offs of using the ESAPI, with a conclusion to mostly avoid it. Yet a premise of modern security engineering is to create "paved roads" and "guardrails" and other metaphors that mean providing resources for DevOps teams to use rather than just giving them recommendations. This is a chance to talk about what paved roads should look like and whether the ESAPI meets those criteria.
Plus, there's a quote that sounds like a fundamental reason why we'll always have insecure code: "[this function] acts differently when a value for a directory is not ‘/’ terminated. I think that’s a bit unintuitive." Any code that can be referred to as unintuitive is likely at best being damned with faint praise and at worst laden with assumptions just waiting to become CVEs.
The PDF of the flaw is at https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.pdf
Check out the OWASP ESAPI project at https://owasp.org/www-project-enterprise-security-api/
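An added example (our own code, not ESAPI's) of the class of check that quote describes: a plain string-prefix containment test whose answer changes depending on whether the configured directory ends in '/', beside a component-aware version that does not. The directory names are constructed for the demo.

```python
import os


def naive_is_within(base_dir: str, candidate: str) -> bool:
    """Prefix-string containment check: the 'unintuitive' pattern.

    The candidate is normalised but the base directory is used as given, so
    base_dir="/srv/app/data" accepts "/srv/app/data2/secret.txt" (the string
    happens to start with the base) while base_dir="/srv/app/data/" rejects it.
    Same intent, different result, depending only on a trailing separator.
    """
    target = os.path.abspath(candidate)
    return target.startswith(base_dir)


def hardened_is_within(base_dir: str, candidate: str) -> bool:
    """Component-aware containment check.

    Both sides are canonicalised (realpath collapses '..' and resolves
    symlinks for the parts that exist), then compared path component by
    path component with os.path.commonpath, so 'data' and 'data2' are
    distinct siblings regardless of any trailing '/' in the configuration.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:
        # Raised for a mix of absolute/relative paths or different Windows
        # drives; neither can be inside the base directory.
        return False


if __name__ == "__main__":
    # Constructed cases: sibling directory, honest child, and a '..' escape.
    for base in ("/srv/app/data", "/srv/app/data/"):
        for cand in ("/srv/app/data2/secret.txt",
                     "/srv/app/data/report.txt",
                     "/srv/app/data/../../etc/passwd"):
            print(f"base={base!r:18} cand={cand!r:34} "
                  f"naive={naive_is_within(base, cand)!s:5} "
                  f"hardened={hardened_is_within(base, cand)}")
```

Run it and the naive column flips for the sibling-directory case between the two base spellings, while the hardened column is stable.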
- 5. White House Moves to Shore Up US Post-Quantum Cryptography Posture
The takeaway here is more about knowing that a software change will be necessary in years to come and enacting a concrete plan to make that change. A quote from the article illustrates this well, "...although the reality of a quantum-computing threat is likely 'years away,' the country needs to prepare now." Now think back to the pace of changes for software to move off MD5, SHA-1, RSA 512 bit keys, TLS 1.0, and similar items that still show up on secure coding checklists.
- 6. You didn’t leave enough space between ROSE and AND, and AND and CROWN
To rephrase Fermat's Last Theorem, "...someone discovered a truly marvelous proof of concept, which this margin is narrow enough to contain."
AND. AND. AND. AND. AND.
Yep, it's a real bug: https://support.google.com/docs/thread/162510194?hl=en&msgid=162543191