- 1. TikTok vs Douyin — A Security and Privacy Analysis
A technical analysis of two social media apps that uses reverse engineering and traffic analysis to gather information on how well the apps handle privacy and security, as well as potential abuse for censorship. It's aimed at providing technical information to inform policy decisions. It also serves as a great template for analyzing and documenting privacy and security aspects of a mobile app, with methodologies that any appsec team could benefit from.
- 2. SolarWinds Experimenting With New Software Build System in Wake of Breach
SolarWinds serves as a good thought exercise for establishing a chain of trust throughout a CI/CD pipeline. We've mentioned reproducible builds and and signing deployed artifacts. The pressing security question is how do you gain confidence that the code your developers wrote was ultimately what produced the artifact you built? This raises more questions throughout the pipeline in terms of identity, access controls, and observability of every step that has the potential to influence how code is built and packaged.
- 3. SaltStack: further injection vulnerabilities
We sometimes see security patches that need patches -- situations where the original patch addressed a symptom, but missed an underlying design flaw or didn't go deep enough into understanding the original issue. While this particular vuln may not be that impactful, it shows how developers can still make subtle mistakes in the ubiquitous feature of parsing command-line arguments.
- 4. Un-bee-lievable Performance: Fast Coverage-guided Fuzzing with Honeybee and Intel Processor Trace
An insight into the engineering that went into turning Intel Processor Trace from performance penalty to advantageous assistant for coverage-guided fuzzing. It's a benefit that makes a lack of source code less of a liability when fuzzing for flaws.
- 5. Organizations rush to restrict new Slack Connect feature fearing security threats
Securing software against injection flaws and the types of vulns that show up in top 10 lists doesn't mean the software is secure for users. This is a good lesson in expanding threat models to how well your software secures the user experience, especially in apps designed for social interaction.
- 6. Secure containerized environments with updated threat matrix for Kubernetes
How do we communicate that "security is better" or convey the value that security can deliver? This is a brief article that focuses on a handful of k8s changes, from better defaults to new types of attack vectors. Yet it's grounded against a useful framework, MITRE ATT&CK, and only needs to make simple points to demonstrate where security teams might invest their efforts.
- 7. Analyzing attacks taking advantage of the Exchange Server vulnerabilities
In the time you've (hopefully!) saved by not running Exchange servers and hence having to go through the patch scramble, you could be running a "premortem" or tabletop exercise on how resilient your app environment might be to the types of post-exploitation activities documented in the Exchange server attacks. How well does your environment detect, prevent, or respond to arbitrary file writes, privilege escalation, arbitrary command execution, and data exfiltration?