asw136

Application Security Weekly Episode #136 – January 11, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Fuzz Testing – 12:30 PM-01:00 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • Learn how to conquer cloud complexity in our first Security Weekly webcast of 2021 on January 28th @ 11am ET! Register at https://securityweekly.com/webcasts. If you missed any of our 2020 webcasts or technical trainings, they are available at https://securityweekly.com/ondemand

Description

Fuzzing can be successful appsec strategy for finding software bugs. And deploying a fuzzer no longer needs to be a cumbersome process. Find out how fuzzing can help secure software beyond just memory safety issues and what the future holds for making this strategy more effective for modern apps.

Guest(s)

Andrei Serban

Andrei Serban –

Co-Founder at Fuzzbuzz

Andrei is the CEO and co-founder of Fuzzbuzz, a security startup based in San Francisco, that builds fuzz testing tools and infrastructure to help developers find severe vulnerabilities and bugs in their code with minimal effort. Today, Fuzzbuzz works with some of the largest tech companies to reduce the number of vulnerabilities that make it into production by enabling teams to fuzz test as part of their DevSecOps pipeline, finding bugs as soon as they get introduced.

Andrei studied Computer Science at University of Waterloo before dropping out to start Fuzzbuzz and accept the Thiel Fellowship.

Hosts

JohnKinsella

John Kinsella –

Chief Architect at Accurics

MattAlderman

Matt Alderman –

Executive Director at CyberRisk Alliance

MikeShema

Mike Shema –

Product Security Lead at Square

2. Google 2FA Cloning, Speed vs. Security, & “Hack The Army” Bug Bounty 3.0 – 01:00 PM-01:30 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, and join our Discord Server!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Description

Significant source code leak from misconfigured repo, side-channel attack on hardware authentication keys, a third bug bounty for the U.S. Army, the cost of poor software quality, the benefits of DevOps approaches to building systems.

Hosts

JohnKinsella

John Kinsella –

  1. Google’s 2FA tokens can be cloned within 10 hours – If you lose a 2fa token, you should be able to have it disabled ASAP. For many, this might be a “oh I misplaced it” on a Saturday morning, and “I’ll get to it on Monday.” The takeaway that might be useful to corporations here is “a 2FA token can be cloned within 10 hours” which might give reason to create a policy saying “The misplacement/loss of a 2FA token MUST be reported ASAP and disabled within 10 hours.”
    In reality, if I steal a 2fa token, I’d probably make sure I have the credentials first so I’m ready to roll when as soon as it’s in my possession, so I don’t fully get the value of this, but if it helps it helps.
MattAlderman

Matt Alderman –

MikeShema

Mike Shema –

  1. Nissan source code leaked online after Git repo misconfiguration – Attackers siphon source due to a SaaS misconfiguration that not only allowed public repos, but used trivial credentials.
  2. New side-channel attack can recover encryption keys from Google Titan security keys – Well written research on hardware authentication keys that provides insights on improving security as well as placing the attack within perspective of practical threat models. Don’t worry about the heavy presence of acronyms and check out the paper at https://ninjalab.io/wp-content/uploads/2021/01/a_side_journey_to_titan.pdf
  3. Hack the Army bug bounty challenge asks hackers to find vulnerabilities in military networks – Announced back in November 2020, the bounty program is now live and interesting to watch from the perspective of maturing a bug bounty approach to AppSec.
  4. What is the cost of poor software quality in the U.S.? – Another chance to talk about security budgets, metrics, and security as a dimension of quality. Related to this topic, two recent papers at the Workshop on the Economics of Information Security took an academic look at how breaches raise the cost of capital for companies (https://weis2020.econinfosec.org/wp-content/uploads/sites/8/2020/06/weis20-final14.pdf and https://weis2020.econinfosec.org/wp-content/uploads/sites/8/2020/06/weis20-final16.pdf)
  5. 7 Trends Influencing DevOps and DevSecOps Adoption – Whether you take these as principles or prognostication, the type of engineering in these topics benefits from a DevOps approach to software and security.
  6. Navigating the trade-off between development speed and security – Rather than positioning speed and security as polar opposites, consider security as a guide to how fast you could and should be able to build systems.