Application Security Weekly
SubscribeSustainable Funding of Open Source Tools – Mark Curphey, Simon Bennetts – ASW #282
How can open source projects find a funding model that works for them? What are the implications with different sources of funding? Simon Bennetts talks about his stewardship of Zed Attack Proxy and its journey from OWASP to OpenSSF to an Open Source Fellowship with Crash Override. Mark Curphy adds how his experience with OWASP and the appsec community motivated him to create Crash Override and help projects like ZAP gain the support they deserve.
Segment resources:
- https://crashoverride.com/blog/welcome-zap-to-the-open-source-fellowship
- https://www.zaproxy.org
- https://crashoverride.com/blog/are-there-too-many-bubbles-of-similar-security-efforts
CISA chimes in on the XZ Utils backdoor, PuTTY's private keys and maintaining a secure design, LeakyCLI and maintaining secure secrets in CSPs, LLMs and exploit generation, and more!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
Sustainable Funding of Open Source Tools – Simon Bennetts, Mark Curphey – ASW #282
XZ & Open Source, PuTTY’s Private Keys, LeakyCLI, LLMs Writing Exploits – ASW #282
Demystifying Security Engineering Career Tracks – Karan Dwivedi – ASW #281
There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solutions to problems that orgs face. We talk about the breadth and depth of security engineering and ways to build the skills that will help you in your appsec career.
Segment resources:
A Rust advisory highlights the perils of parsing and problems of inconsistent approaches, D-Link (sort of) deals with end of life hardware, CSRB recommends practices and processes for Microsoft, Chrome’s V8 Sandbox increases defense, and more!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
Demystifying Security Engineering Career Tracks – Karan Dwivedi – ASW #281
Arg Parsing in Rust, End of Life Hardware, CSRB & MS, Chrome’s V8 Sandbox – ASW #281
Lessons That The XZ Utils Backdoor Spells Out – Farshad Abasi – ASW #280
We look into the supply chain saga of the XZ Utils backdoor. It's a wild story of a carefully planned long con to add malicious code to a commonly used package that many SSH connections rely on. It hits themes from social engineering and abuse of trust to obscuring the changes and suppressing warnings. It also has a few lessons about software development, the social and economic dynamics of open source, and strategies for patching software.
It's an exciting topic partially because so much other appsec is boring. And that boring stuff is important to get right first. We also talk about what parts of this that orgs should be worried about and what types of threats they should be prioritizing instead.
Segment Resources:
- https://tukaani.org/xz-backdoor/
- https://news.risky.biz/risky-biz-news-supply-chain-attack-in-linuxland/
- https://www.zdnet.com/article/this-backdoor-almost-infected-linux-everywhere-the-xz-utils-close-call/#ftag=RSSbaffb68
- https://therecord.media/malicious-backdoor-code-linux-red-hat-cisa
- https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
- https://duo.com/decipher/carefully-crafted-campaign-led-to-xz-utils-backdoor
- https://boehs.org/node/everything-i-know-about-the-xz-backdoor
OWASP leaks resumes, defining different types of prompt injection, a secure design example in device-bound sessions, turning an ASVS requirement into practice, Ivanti has its 2000s-era Microsoft moment, HTTP/2 CONTINUATION flood, and more!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
Lessons That The XZ Utils Backdoor Spells Out – Farshad Abasi – ASW #280
OWASP Breach, Types of Prompt Injection, Device-Bound Sessions, ASVS & APIs – ASW #280
Infosec Myths, Mistakes, and Misconceptions – Adrian Sanabria – ASW #279
Sometimes infosec problems can be summarized succinctly, like "patching is hard". Sometimes a succinct summary sounds convincing, but is based on old data, irrelevant data, or made up data. Adrian Sanabria walks through some of the archeological work he's done to dig up the source of some myths. We talk about some of our favorite (as in most disliked) myths to point out how oversimplified slogans and oversimplified threat models lead to bad advice -- and why bad advice can make users less secure.
Segment resources:
The OWASP Top 10 gets its first update after a year, Metasploit gets its first rewrite (but it's still in Perl), PHP adds support for prepared statements, RSA Conference puts passwords on notice while patching remains hard, and more!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
Infosec Myths, Mistakes, and Misconceptions – Adrian Sanabria – ASW #279
Top 10’s First Update, Metasploit’s Second Update, PHP Prepares Statements, RSA & MS – ASW #279
Successful Security Needs a Streamlined UX – Benedek Gagyi – ASW #278
One of the biggest failures in appsec is an attitude that blames users for security problems. A lot of processes and workflows break down because of an insecure design or insecure defaults. Benedek Gagyi chats with us about the impact of the user experience (UX) on security and why it's not only important to understand how to make a user's life easier, but in defining who that user is in the first place.
Segment resources:
The GoFetch side channel in Apple CPUs, OpenSSF's plan for secure software developer education, fuzzing vs. formal verification as a security strategy, hard problems in InfoSec (and AppSec), and more!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
Successful Security Needs a Streamlined UX – Benedek Gagyi – ASW #278
GoFetch Side Channel, OpenSSF & Security Education, Fuzzing vs. Formal Verification – ASW #278
Figuring Out Where Appsec Fits When Starting a Cybersecurity Program – Tyler VonMoll – ASW #277
Lots of companies need cybersecurity programs, as do non-profits. Tyler Von Moll talks about how to get small organizations started on security and how to prioritize initial investments. While an appsec program likely isn't going to be one of the first steps, it's going to be an early one. What decisions can you make at the start that will benefit the program in the years that follow? What does an appsec program look like at a small scale?
Segment Resources:
- "Cybersecurity for Nonprofits", https://docs.google.com/presentation/d/18HuKtwgwGMtEJ87CgkMqHp1JDVRUXPP--zptjMpF0/edit?usp=sharing
- https://www.verizon.com/business/resources/reports/dbir/2023/master-guide/
Insecure defaults and insecure design in smart locks, FCC adopts Cyber Trust Mark labels for IoT devices, the ZAP project gets a new home, and more!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
Figuring Out Where Appsec Fits When Starting a Cybersecurity Program – Tyler VonMoll – ASW #277
Vulns in Smart Locks, FCC labels for IoT, ZAP’s New Home – ASW #277
More API Calls, More Problems: The State of API Security in 2024 – Lebin Cheng – ASW #276
A majority of internet traffic now originates from APIs, and cybercriminals are taking advantage. Increasingly, APIs are used as a common attack vector because they’re a direct pathway to access sensitive data. In this discussion, Lebin Cheng shares what API attack trends Imperva, a Thales Company has observed over the past year, and what steps organizations can take to protect their APIs.
This segment is sponsored by Imperva. Visit https://www.securityweekly.com/imperva to learn more about them!
The trivial tweaks to bypass authentication in TeamCity, ArtPrompt attacks use ASCII art against LLMs, annoying developers with low quality vuln reports, removing dependencies as part of secure by design, removing overhead with secure by design, and more!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
More API Calls, More Problems: The State of API Security in 2024 – Lebin Cheng – ASW #276
TeamCity Authn Bypass, ArtPrompt Attacks, Low Quality Vuln Reports, Secure by Design – ASW #276
The Simple Mistakes and Complex Seeds of a Vulnerability Management Program – Emily Fox – ASW #275
The need for vuln management programs has been around since the first bugs -- but lots of programs remain stuck in the past. We talk about the traps to avoid in VM programs, the easy-to-say yet hard-to-do foundations that VM programs need, and smarter ways to approach vulns based in modern app development. We also explore the ecosystem of acronyms around vulns and figure out what's useful (if anything) in CVSS, SSVC, EPSS, and more.
Segment resources:
- https://www.redhat.com/en/blog/patch-management-needs-a-revolution-part-1
- https://next.redhat.com/blog/
- https://www.first.org/cvss/v4-0/
- https://www.first.org/epss/
- https://deadliestwebattacks.com/appsec/2010/02/19/primordial-cross-site-scripting-xss-exploits -- For a bit of history, one of the earliest "bugs bounty" from 1995.
A SilverSAML example similar to the GoldenSAML attack technique, more about serializing AI models for Hugging Face, OWASP releases 1.0 of the IoT Security Testing Guide, the White House releases more encouragement to move to memory-safe languages, and more!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
The Simple Mistakes and Complex Seeds of a Vulnerability Management Program – Emily Fox – ASW #275
SAML & Secrets, Serializing AI Models, OWASP ISTG, More Memory Safety – ASW #275
Creating the Secure Pipeline Verification Standard – Farshad Abasi – ASW #274
Farshad Abasi joins us again to talk about creating a new OWASP project, the Secure Pipeline Verification Standard. (Bonus points for not being a top ten list!) We talk about what it takes to pitch a new project and the problems that this new project is trying to solve. For this kind of project to be successful -- as in making a positive impact to how software is built -- it's important to not only identify the right audience, but craft guidance in a way that's understandable and achievable for that audience. This is also a chance to learn more about a project in its early days and the opportunities for participating in its development!
Segment resources
PrintListener recreates fingerprints, iMessage updates key handling for a PQ3 rating, Silent Sabotage shows supply chain subterfuge against AI models, 2023 Rust survey results, the ways genAI might help developers, and more!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
Creating the Secure Pipeline Verification Standard – Farshad Abasi – ASW #274
PrintListener, Post-Quantum Crypto in iMessage, Silent Sabotage, Rust Survey Results – ASW #274
Redefining Threat Modeling – Security Team Goes on Vacation – Jeevan Singh – ASW Vault
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on Dec 13, 2022.
Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottleneck. What if I told you, you can have your cake and eat it too. It is possible to scale your program and deliver higher quality threat models.
Segment Resources: - Original blog: https://segment.com/blog/redefining-threat-modeling/ - Open Sourced slides: https://github.com/segmentio/threat-modeling-training