Application Security Weekly

With the increased interest and use of AI such as GTP 3/4, ChatGPT, GitHub Copilot, and internal modeling, there comes an array of use cases and examples for increased efficiency, but also inherent security risks that organizations should consider. In this talk, Invicti’s CTO & Head of Security Research Frank Catucci discusses potential use cases and talks through real-life examples of using AI in production environments. Frank delves into benefits, as well as security implications, touching on a number of security aspects to consider, including security from the supply chain perspective, SBOMs, licensing, as well as risk mitigation, and risk assessment. Frank also covers some of the types of attacks that might happen as a result of utilizing AI-generated code, like intellectual property leaking via a prompt injection attack, data poisoning, etc. And lastly, Frank shares the Invicti security team's real-life experience of utilizing AI, including early successes and failures.

Segment Resources:

• On-demand webinar on the topic of generative AI - https://www.scmagazine.com/cybercast/generative-ai-understanding-the-appsec-risks-and-how-dast-can-mitigate-them
• Invicti Research - https://www.invicti.com/blog/web-security/analyzing-security-github-copilot-suggestions/
• https://github.com/svenmorgenrothio/Prompt-Injection-Playground

This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them!

Ferrari refuses ransomware, OpenAI deals with security issues from cacheing, video killed a crypto ATM, GitHub rotates their RSA SSH key, bypassing CloudTrail, terms and techniques for measuring AI security and safety

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly

Static analysis is the art of scrutinizing your code without building or running it. Common static analysis tools are formatters (which change whitespace and other trivia), linters (which detect likely best practice and style issues), and type checkers (which detect likely bugs). Each of these can aid in improving application security by detecting real issues at development-time.

Segment Resources:

• https://typescript-eslint.io
• https://eslint.org
• https://blog.joshuakgoldberg.com

Outlook can leak NTLM hashes, potential RCE in a chipset for Wi-Fi calling in phones (and autos!?), the design of OpenSSH's sandboxes, more on the direction of OWASP, celebrating 25 years of Curl.

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly

In this segment, Josh will talk about the OWASP ASVS project which he co-leads. He will talk a little about its background and in particular how it is starting to be used within the security industry.

We will also discuss some of the practicalities and pitfalls of trying to get development teams to include security activities and considerations in their day-to-day work and examples of how Josh has seen this “in the wild”.

Segment Resources:

• Josh's personal website, https://joshcgrossman.com
• Josh's mastodon handle, https://infosec.exchange/@JoshCGrossman
• OWASP ASVS site, https://owasp.org/asvs
• More detailed talk about ASVS v4.0.3, https://www.youtube.com/watch?v=zqj4YuoAlcA
• The most recent, stable version of the standard (v4.0.3), https://github.com/OWASP/ASVS/tree/v4.0.3/4.0
• The “bleeding edge”/in-progress version, https://github.com/OWASP/ASVS/tree/master/5.0

Loom provides transparency on mishandling cookies, GitHub moves to require 2FA, TPM reference implementation includes a buffer overflow, Dropbox shares their security engineer ladder, multiple flaws in a smart intercom

In this episode, Neatsun Ziv, co-founder and CEO of Ox security takes a deep dive into supply chain security. He focuses on the new Open Software Supply Chain Attack Reference (OSC&R), a consortium of leading cybersecurity leaders. OSC&R the first and only open framework for understanding and evaluating existing threats to entire software supply chain security.

Segment Resources: - https://pbom.dev/ - https://github.com/pbom-dev/OSCAR

WebSocket hijack that leads to a full workspace takeover in a cloud IDE, malicious packages flood public repos, side-channel attack on a post-quantum algorithm, looking at OWASP's evolution, OAuth misconfigs lead to account takeover, AI risk management framework, Zed Attack Proxy

Join us for this segment with Lina Lau to learn lessons from real incident response engagements covering types of attacks leveraged against the cloud, war stories from supply chain breaches seen in the last 1-2 years, and how defenders and enterprises can better protect and proactively defend against these attacks.

Segment Resources: Attacking and Defending the Cloud (Training) https://training.xintra.org/

Blackhat Singapore 2023 Training ADVANCED APT THREAT HUNTING & INCIDENT RESPONSE (VIRTUAL) https://www.blackhat.com/asia-23/training/schedule/index.html#advanced-apt-threat-hunting--incident-response-virtual-29792

Blackhat USA 2023 Training ADVANCED APT THREAT HUNTING & INCIDENT RESPONSE (IN-PERSON) https://www.blackhat.com/us-23/training/schedule/#advanced-apt-threat-hunting--incident-response-30558

Twitter 2FA goes away, safe testing for server-side prototype pollution, OWASP's guide on AI security & privacy, Adobe's approach to smarter security testing, a fast web fuzzer

Organizations spend hundreds of work hours to build applications and services that will benefit customers and employees alike. Whether the application/service is externally facing or for internal use only, it is mandatory to identify and understand the scope of potential cyber risks and threats it poses to the organization. But where and how do you start with an accurate threat model? Nick can discuss how to approach this and create a model that's useful to security and developers alike.

Segment Resources

• https://github.com/trailofbits/publications/blob/master/reviews/2022-12-curl-threatmodel.pdf

Reddit's breach disclosure, simple vulns in Toyota's web portals, OpenSSL vulns, voting results for Portswigger's top 10 web hacking techniques of 2022, tiny IoT cryptography implementations, real world migration of a million lines of code

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly

Most of the myths and lies in InfoSec take hold because they seem correct or sound logical. Similar cognitive biases make it possible for even the most preposterous conspiracy theories to become commonly accepted in some groups.

This is a talk about the importance of critical thinking and checking sources in InfoSec. Our industry is relatively new and constantly changing. Too often, we operate more off faith and hope than fact or results. Exhausted and overworked defenders often don't have the time to seek direct evidence for claims, question sources, or test theories for themselves.

Resources

• https://www.usenix.org/conference/enigma2023/presentation/sanabria
• https://www.usenix.org/sites/default/files/conference/protected-files/enigma2023slidessanabria.pdf
• https://yourbias.is
• Discuss: What Makes a Good Breach Response? - ESW #303: https://www.youtube.com/watch?v=5RpZiVu3xEs

The aviation equivalent of ASCII art, a memory safety issue in OpenSSH that might not be terrible, a format string in F5 that might be terrible, a new MITRE framework for supply chain security, programming languages and secure code

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly

A $10M ransom demand to Riot Games, a DoS in BIND and why there's no version 10, an unexpected refactor at Twilio, insights in Rust from the git security audit, SQL Slammer 20 years later, the SQLMap tool

Segment Resources: white paper: https://www.reveal.security/lp/white-paper/ Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly

Breach disclosures from T-Mobile and PayPal, SSRF in Azure services, Google Threat Horizons report, integer overflows and more, Rust in Chromium, ML for web scanning, Top 10 web hacking techniques of 2022

Developers write code. Ideally, secure code. But what do we mean by secure code? What should secure code training look like? Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly

Exposed secrets from CircleCI, web hackers target the auto industry, $100K bounty for making Google smart speakers listen, inspiration from Office Space, AWS making better defaults for S3, resources for learning Rust

This segment will discuss options for protecting your APIs.

First, why protect them?

Second, what are the options and the tradeoffs.

Segment Resources:

• https://stackoverflow.blog/2022/04/11/the-complete-guide-to-protecting-your-apis-with-oauth2/
• https://fusionauth.io/learn/expert-advice/
• https://fusionauth.io/learn/expert-advice/oauth/modern-guide-to-oauth
• https://oauth.net/2/
• https://tools.ietf.org/html/rfc6749
• https://datatracker.ietf.org/doc/id/draft-ietf-oauth-v2-1-07.html
• https://paseto.io
• https://securityboulevard.com/2021/11/biggest-api-security-attacks-of-2021-so-far/ Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly