
Application Security Weekly Episode #137 – January 25, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Reading Industry Analyst Tea Leaves To Predict The Future – 12:30 PM-01:00 PM

Sponsored By

Visit https://securityweekly.com/GitLab for more information!

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, and join our Discord Server!

  • Learn how to conquer cloud complexity in our first webcast of 2021, this Thurs, Jan 28th 11am ET! Next Thurs, Feb 4th 11am ET, in our first technical training of 2021, you’ll Learn How to Manage Insider Risks in the Work-from-Anywhere World! Register at https://securityweekly.com/webcasts. If you missed any of our 2020 webcasts or technical trainings, they are available at https://securityweekly.com/ondemand

Description

It’s analyst season, with the new Forrester Wave on SAST recently published and Gartner’s Application Security Testing Magic Quadrant publishing in April. We’ll talk about what analyst reports are, how you should use them, and how you should interpret placement on them, or, as I like to call it, reading the analyst tea leaves.

This segment is sponsored by GitLab.

Visit https://securityweekly.com/GitLab to learn more about them!

– GitLab’s List of Security Analyst Reports – https://about.gitlab.com/direction/secure/static-analysis/sast/#analyst-landscape
– 2021 Forrester Wave – https://www.forrester.com/report/The+Forrester+Wave+Static+Application+Security+Testing+Q1+2021/-/E-RES162015
– 2020 Gartner AST Magic Quadrant – https://about.gitlab.com/resources/report-gartner-mq-ast/
– GigaOm 2020 DevSecOps Tool Radar Report – https://gigaom.com/report/gigaom-radar-for-evaluating-devsecops-tools/
– G2 Peer Reviews Quadrant – https://www.g2.com/categories/static-application-security-testing-sast#grid

Guest(s)

Taylor McCaslin – Sr. Product Manager, Secure at GitLab

Taylor McCaslin (he/him) is a multi-disciplinary investor, product manager, and technologist living in Austin, Texas. Taylor works as a Senior Product Manager at GitLab focused on security products. He is also the founder of Product Trust Investments, an angel fund focused on impact investing with companies that build ethical products that customers trust. Since 2012 he has worked at enterprise-scale, hyper-growth technology companies including New Knowledge, Duo Security, WP Engine, Indeed.com, and Bazaarvoice. Taylor can be found geeking out with the latest Apple gadget, skiing, or enjoying the expansive Austin art scene. He also enjoys volunteering with local human rights and LGBTQ organizations around central Texas, as well as mentoring young technologists looking to start careers in tech.

Hosts

John Kinsella – Chief Architect at Accurics

Mike Shema – Product Security Lead at Square

2. KindleDrip, State of Messaging State Machines, DoH, & Data Security Strategies – 01:00 PM-01:30 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Description

An overflow and a flawed regex paint an RCE picture for Kindle, messaging apps miss the message on secure state machines, three pillars of a data security strategy for the cloud, where DoH might fit into appsec, and all the things that can go wrong when you give up root in your Kubernetes pod.

Hosts

John Kinsella – Chief Architect at Accurics

  1. Reliance on cloud, APIs create confusion and introduce risk into software development – Radware did a study (PDF link in the article) on appsec and API security. Some interesting takeaways and stats; sometimes they’re taking existing data and making you think about it a different way, e.g. 71% of respondents mostly/completely trust the level of security offered by their CSPs, but this translates to “71% mostly trust that their customer data won’t be compromised by a bad actor.”

    “API security will be first area of investment” for 2021 – security expertise is #3.

    Interesting predictions, including “The mad dash to the cloud will undermine application security in 2021” and “Human errors will become more frequent and more costly”

    Also a reminder to go back and watch Mike’s great API security panel from Security Weekly Unlocked!

Mike Shema – Product Security Lead at Square

  1. KindleDrip — From Your Kindle’s Email Address to Using Your Credit Card – A researcher pokes around Kindle’s firmware, finds an image decoding library with an overflow flaw, and paints a picture of RCE. And for extra credit, the researcher also found a flaw in a regex intended to prevent injection attacks.
  2. The State of State Machines – Project Zero picks apart the protocol implementations for several messaging apps and discovers that most of their state machines can be confused into leaking audio or video to unauthenticated users. It’s also a good overview of WebRTC and protocol analysis in general. We even touched on state machines and fuzzing in the previous episode 136, https://securityweekly.com/asw136.
  3. Bad Pods: Kubernetes Pod Privilege Escalation – A nice overview of Kubernetes pod security assumptions and what happens when a lack of least privilege turns into mostly accessed.
  4. NSA Recommends How Enterprises Can Securely Adopt Encrypted DNS – You might not be in charge of your org’s shift to DNS over HTTPS (DoH), but it does present a chance to apply threat modeling exercises to where you’ll gain or lose visibility into the security of your DevOps endpoints and the network connections being made throughout the CI/CD pipeline. You can find the report at https://media.defense.gov/2021/Jan/14/2002564889/-1/-1/0/CSI_ADOPTING_ENCRYPTED_DNS_U_OO_102904_21.PDF
  5. Designing and deploying a data security strategy with Google Cloud – You can skip over the specific references to Google Cloud products and still gain a good understanding of how to approach a data security program for your own environment regardless of cloud service provider. You can find the paper at https://services.google.com/fh/files/misc/designing_and_deploying_data_security_strategy.pdf
  6. Real World Crypto 2021 – Real World Crypto ran from January 11th through the 14th. Two sessions in particular are relevant to areas we’ve touched on in the podcast, one talks in more detail about the end-to-end encryption for Zoom and the other talks about the importance of understanding user needs in designing systems.
    – “E2E Encryption and Identity Properties for Zoom Meetings” with slides (https://iacr.org/submit/files/slides/2021/rwc/rwc2021/91/slides.pdf) and video (https://youtu.be/jeQvDLPQsuw?t=1814)
    – “Mental Models of Cryptographic Protocols – Understanding Users to Improve Security” with slides (https://iacr.org/submit/files/slides/2021/rwc/rwc2021/95/slides.pdf) and video (https://youtu.be/-mBlQVEXcB8?t=3)
  7. Firefox fails to load favicon from HTTP cache – What sounds at first like an innocuous bug report turns into an interesting situation on vuln research, disclosure, and ethics. And it’s something that could generalize to bug bounty and other vuln disclosure programs.