Typosquatting, Curl’s Security Update, & OpenSSF’s 10 Point Mobilization Plan – ASW #197
This week in the AppSec News: Typosquatting spreads to Rust, curl fixes flaws in mishandling dots and slashes, OpenSSF invests in a mobilization plan for open source, interesting appsec from Black Hat Asia.
Security Weekly listeners, save $100 on your RSA Conference 2022 Full Conference Pass! RSA Conference will be live in San Francisco June 6th-9th, 2022. Security Weekly will be there in full force, delivering real-time, live coverage and interviewing some of the event’s top speakers and sponsors. To register using our discount code, please visit https://securityweekly.com/rsac2022 and use the code 52UCYBER. We hope to see you there!
There's surely a maturity model somewhere for software projects that receive their first vuln report, first cryptographic implementation mistake, and first attack against their package management system. This typosquatting attack against Rust had little impact and on its own is mostly a curiosity. But it does point to the larger problem of managing dependencies and how attestation of packages is a problem that's agnostic to programming languages.
Two of the flaws reported to curl are fun examples of simple syntax gone wrong. One involves mishandling %2f in hostnames and the other involves mishandling cookie scopes in domains with a trailing dot. They're the kinds of bugs that look obvious in hindsight, yet understandably creep into code due to the nuances and complexity of normalizing data before operating on it.
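As an added illustration (not curl's code) of the two bug classes above, the following Python contrasts a parse-as-is view of a URL host with a decode-first view, rejects hosts that carry any percent-encoding, and shows why cookie domain matching must normalize trailing dots before comparing. All hostnames and cookie domains used here are constructed sample values.

```python
from urllib.parse import unquote, urlsplit


def host_views(url: str) -> tuple[str, str]:
    """Return (host as parsed, host seen by code that percent-decodes first).

    When the two differ, the URL names different servers depending on which
    component touches it: the root cause of the %2f-in-hostname bug class.
    """
    as_parsed = urlsplit(url).hostname or ""
    decode_first = urlsplit(unquote(url)).hostname or ""
    return as_parsed, decode_first


def host_is_safe(url: str) -> bool:
    """Accept a URL only if its host is non-empty and has no percent-encoding.

    Hostnames have no legitimate use for %xx escapes, so refusing them outright
    avoids reasoning about what each downstream consumer will decode.
    """
    host = urlsplit(url).hostname or ""
    return bool(host) and "%" not in host


def normalize_domain(domain: str) -> str:
    """Lowercase; drop a leading dot (cookie syntax) and trailing dots (DNS root)."""
    return domain.strip().lower().lstrip(".").rstrip(".")


def naive_cookie_domain_matches(request_host: str, cookie_domain: str) -> bool:
    """Plain string comparison: wrong whenever either side has a trailing dot."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookie_domain_matches(request_host: str, cookie_domain: str) -> bool:
    """Domain-match in the RFC 6265 sense, after both sides are normalized.

    A cookie domain must contain an interior dot: a bare label such as "com"
    (or "com.") is never an acceptable scope. A real client would also consult
    the public suffix list; that is omitted here for brevity.
    """
    host = normalize_domain(request_host)
    dom = normalize_domain(cookie_domain)
    if not host or "." not in dom:
        return False
    return host == dom or host.endswith("." + dom)
```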
Curl is also an interesting project that has been a C implementation for decades and likely will remain that way for decades to come. The project's owner, Daniel Stenberg, has created not only one of the most useful web utilities, but also created a model for curating an open source project. Even though we're using some security flaws to talk about curl, it's not a project that's consistently plagued by flaws. Yet it could always use assistance and sponsorship to add new features and maintain the code. Find more details at https://curl.se/sponsors.html.
Read more about reporting security bugs in curl at https://curl.se/dev/secprocess.html
This 10 point plan, backed by financial investment to make it happen, is welcome news to the open source community. The points would also be great references for any appsec team looking to build or improve an internal secure SDLC program.
Read more details at https://openssf.org/oss-security-mobilization-plan/, which also links to a PDF of the plan.
We're always on the lookout for recommendations on how to build a narrative within security, whether it's pitching DevOps teams on what taking more responsibility for security means or gaining support and investment from leadership to grow security programs. Here's a summary of one of the keynotes from Black Hat Asia.
We'll revisit this once the recording is available for everyone. But we also wanted to use this as a chance to ask our listeners what recent conference presentations have you seen that changed your mind on a subject? Or that inspired you to approach a problem differently and that led to success? Or even just a presentation you found insightful and entertaining?
Another summary of a presentation from Black Hat Asia. This one is about taking an attacker mindset -- a topic we like to highlight -- to previous vulns within a system in order to look for patterns or architecture weaknesses where new vulns might be found.
The presentation whitepaper and slides are already available at
This authentication bypass in F5 came out a few weeks ago. It's a flaw that falls into the "dead simple" category -- use a Basic Authentication header with a request that causes F5's state machine for handling user vs. admin authentication to be confused. The underlying flaw seems surprising in modern app design. Of course, this particular software stack may not be modern, but that leads to additional questions about how to migrate software architectures over time.
First responders were recently scratching their heads over a malicious package distributed via npm. After several days, it was discovered to be part of a penetration test a security company was doing, and that in order to be "as realistic as possible," an intern at the company uploaded the package with hopes that the pentest customer would download it.
Realism is great, but how can we do this in a manner that doesn't send people into panic-response mode?
Modern iPhones continue to power Bluetooth, NFC, and ultra-wideband radios when the phone is turned "off," to enable "find my phone" and some payment capabilities.
But...it turns out the Bluetooth firmware is not signed, and there's an ability to use these radios for purposes other than intended.