asw135

Application Security Weekly Episode #135 – January 04, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Security By Design – 12:30 PM-01:00 PM

Announcements

Description

A premise of adding security to DevOps is we can “shift left” AppSec responsibilities, one of which is building apps so they’re secure by design. Yet what resources does the AppSec community provide for this approach to design? We take a look at the OWASP Top 10, Web Security Testing Guide, and Application Security Verification Standard to find a way forward for DevOps teams.

Hosts

John Kinsella – Chief Architect at Accurics

Mike Shema – Product Security Lead at Square

2. Kubernetes Clusters, Microsoft Solorigate, & Apple’s Security DIY – 01:00 PM-01:30 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Description

Microsoft purges the malicious SolarWinds presence from its environment and highlights a threat model around its source code, the tl;drsec crew provides a hardening guide for Kubernetes, Apple provides a user guide for hardening accounts, and Firefox ships a new storage system to defeat side-channel abuse.

Hosts

John Kinsella

Mike Shema

  1. Microsoft Internal Solorigate Investigation Update – Microsoft searches for supply chain fallout from SolarWinds, cleans out malicious binaries, and finds a compromised account accessed source code — but their threat models already considered an attacker’s knowledge of source. Plus, with the ability to reverse engineer binary security patches, how important is source code anyway?
  2. Risk8s Business: Risk Analysis of Kubernetes Clusters – Even if you’re not maintaining your own Kubernetes clusters, this is a good example of building up a threat model to assess the risk of a system and take steps towards hardening it against attacks and misconfigurations.
  3. Apple: Here’s how to secure an iPhone or Apple ID ‘when personal safety is at risk’ – Apple describes threats to iPhones and Apple IDs for different populations of users in a way that sets aside security jargon and focuses on how to help users make informed decisions. You can download the manual directly from https://manuals.info.apple.com/MANUALS/1000/MA1976/en_US/device-and-data-access-when-personal-safety-is-at-risk.pdf
  4. Firefox to ship ‘network partitioning’ as a new anti-tracking defense – Firefox takes a security-by-design approach to address the abuse of side channels in browsers, from timing attacks to cache hits. You can read more about Client-Side Storage Partitioning at https://github.com/privacycg/storage-partitioning
  5. 3 Metrics That Will Indicate We’re Taking Security Seriously – While these aren’t intended to be prescriptive metrics, the underlying discussion is a step towards the distinction between “What are the consequences of insecure software” and “What ought to be the consequences”.
  6. Python is dead. Long live Python! – We covered this one year ago on episode 90. So…is Python 2 still part of your CI/CD pipeline? Is it in use in production systems? Did you migrate off it using a process that you’ll be able to repeat for the next end-of-life software component?
  7. 6 Security Team Goals for DevSecOps in 2020 – We covered this one year ago on episode 90. So…did you make any progress towards these goals? What’s left to do? What do you still want to improve on?