Security Weekly
Application Security WeeklySubscribe
Application security

Supply Chains in Azure SDK/Xcode, GitHub Sessions, & GCP VRP – ASW #144

In the AppSec News: Supply chain security in Azure SDK and macOS Xcode, GitHub's postmortem on a session handling flaw, six GCP vulns from 2020, & information resources for hacking the cloud!

Full episode and show notes

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!

Hosts

Mike Shema
Mike Shema
Tech Lead at Block
  1. 1. New Old Bugs in the Linux Kernel
    In theory, tracking down error-prone functions like sprintf() is no more difficult than using grep. In practice, fixing such code takes time and attention, which might explain why flaws can persist for close to 15 years.
  2. 2. How we found and fixed a rare race condition in our session handling
    A public postmortem on problematic threads. It's an insight into handling a vuln that could serve as an example exercise in root cause analysis and decision making.
  3. 3. Hacking the Cloud
    Information and techniques for targeting and exploiting cloud environments. Highlighted in the recent [tl;dr sec] newsletter at https://tldrsec.com/blog/tldr-sec-075/
  4. 4. New macOS malware XcodeSpy Targets Xcode Developers with EggShell Backdoor
    When considering supply chain security, we must remember to be aware and build trust throughout each link that influences how software is built. Signing packages and checking signatures helps ensure their provenance, but we also need to have confidence in the security properties associated with how such packages are built. It's a concept that goes back decades, most notably the paper by Ken Thompson on "Reflections on trusting trust" from 1984 (https://dl.acm.org/doi/10.1145/358198.358210).
  5. 5. Announcing the winners of the 2020 GCP VRP Prize
    Google looks back to the top 6 GCP vulns disclosed under its Vulnerability Reward Program. The rewards range from $130K to $1K, but they're all well-written insights into the mindset and techniques for finding flaws. Even if you're not using GCP, the write-ups are a great way to help instill more threat modeling in your appsec and DevOps teams.
  6. 6. A Hacker Got All My Texts for $16
    Think of this as a variant on supply chain security, where one component that may be completely unknown to you and completely out of your control fails to enforce a security control, which in turn weakens the security properties you expected from SMS. Notably, this doesn't exploit familiar SS7 protocol weaknesses, but highlights yet another way to use social engineering to exploit trust between companies. Even if attacks like this don't scale well, the impact to those affected remains consequential and, as a targeted attack, it could be the first step towards an unexpected compromise.
John Kinsella
John Kinsella
Co-founder & CTO at Cysense
  1. 1. Microsoft’s Azure SDK site tricked into listing fake package
    Another method of playing with the supply chain is found through presenting potentially malicious software that a bot would pick up and list as legitimate

Related

All the News — Just Six Months Later – ASW #265

We cover appsec news on a weekly basis, but sometimes that news is merely about the start of a new project, sometimes it's yet another example of a vuln class, and sometimes it's a topic we hope doesn't become a trend. So, what themes have we seen and where do we see them going? Here are a few headline topics that have alternately generated yays a...