
Application Security Weekly Episode #138 – February 01, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Groundhog Day – It’s Time to Reset the Script on Vulnerabilities – 12:30 PM-01:00 PM

Sponsored By

Visit https://securityweekly.com/qualys for more information!

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • Next Thurs, Feb 4th @ 11am ET, in our first technical training of 2021, you’ll Learn How to Manage Insider Risks in the Work-from-Anywhere World! Register at https://securityweekly.com/webcasts. If you missed any of our 2020 webcasts or technical trainings, they are available at https://securityweekly.com/ondemand

Description

In honor of the movie Groundhog Day, John will take a look at the top 10 most routinely exploited vulnerabilities through a web app security lens.

This segment is sponsored by Qualys.

Visit https://securityweekly.com/qualys to learn more about them!

Guest(s)

John Delaroderie – Security Solutions Architect at Qualys

John Delaroderie is a Security Solution Architect and Subject Matter Expert for Web Application Scanning. He has been with Qualys since early 2018, and prior to that he worked for a variety of government agencies and private organizations in the fields of cyber security, incident response, digital forensics, and systems integrations.

Hosts

John Kinsella – Chief Architect at Accurics

Matt Alderman – Executive Director at CyberRisk Alliance

Mike Shema – Product Security Lead at Square

2. Sudo Vuln, Libgcrypt, BlastDoor on iMessage, & AWS Lambda security – 01:00 PM-01:30 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, and join our Discord Server!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Description

This week in the Application Security News, Sudo sure does, Libgcrypt flaw, iMessage demonstrates security by design, AWS Lambda shares a message on its design security, & more!


Hosts

John Kinsella – Chief Architect at Accurics

Matt Alderman – Executive Director at CyberRisk Alliance

Mike Shema – Product Security Lead at Square

  1. CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) – Sudo mishandles the unescaping of command-line arguments when invoked in shell mode (the trigger is sudoedit -s), and the resulting heap overflow hands any unprivileged local user a path to root, no sudoers entry required. Also check out the project’s advisory at https://www.sudo.ws/alerts/unescape_overflow.html and see whether you’d have caught the near-decade-old mistake in a code review of https://github.com/sudo-project/sudo/commit/8255ed69. Notably, testing the exploit led to the discovery that a different refactor had weakened a separate security assumption.
  2. Libgcrypt 1.9.1 released – A flaw in the recently released libgcrypt 1.9.0 could lead to a heap buffer overflow during decryption, before any signature is validated. It’s in a version new enough that it may not be deployed on many systems yet, but it still highlights the importance of being able to enumerate your dependencies, and of hoping this library isn’t statically linked anywhere…
  3. Apple iOS 14 Thwarts iMessage Attacks With BlastDoor System – Security by design is on display in recent iMessage architecture improvements. Project Zero shares its insights on what these changes imply for modern exploit chains; check out the write-up at https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html
  4. A deeper dive into our May 2019 security incident – The incident may be old, but the details are fresh — and they include some “Advice to others” that’s a good reminder about product security basics.
  5. Security Overview of AWS Lambda – AWS updated their documentation about Lambda security. It includes an overview of the isolation model that makes sure the serverless part of Lambda runs on servers with security separation so customers can just focus on the “-less” part.
  6. A Pragmatic Approach to DevSecOps – Familiar reminders for introducing security to DevOps processes by demonstrating the value of a security tool and enabling DevOps teams to benefit from it within their own workflows.
  7. Cloud Native Predictions for 2021 and Beyond – More interesting for the themes of technology than whether they’ll arise in 2021. Also a way to consider what your DevOps roadmap looks like for the year and how much security is a part of it.
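For the Sudo item above, here is an added, stand-alone reproduction of the argument-unescaping loop pattern behind CVE-2021-3156. It is example code written for this page, not sudo’s source: a buggy copy loop next to a hardened one, both run over a constructed argument that ends in a lone backslash. The function names, the 64-byte output buffer and the "SECRET" trailer that stands in for whatever happens to follow the argument in memory are all assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Buggy unescape, in the style of the loop behind CVE-2021-3156.
 * Copies `from` into `to`, dropping a backslash that escapes a
 * non-space character. The defect: a backslash at the very end of
 * the argument "escapes" the terminating NUL, so the NUL is copied
 * and the loop keeps reading (and writing) whatever follows it in
 * memory. Returns the number of bytes written to `to`.
 */
size_t unescape_buggy(char *to, const char *from)
{
    size_t n = 0;
    while (*from) {
        if (from[0] == '\\' && !isspace((unsigned char)from[1]))
            from++;            /* skip the backslash, even if from[1] is '\0' */
        to[n++] = *from++;     /* copies the terminator, then walks past it */
    }
    to[n++] = ' ';             /* argument separator */
    return n;
}

/*
 * Hardened version: a backslash immediately before the terminator is
 * not an escape, so the loop can never step past the end of `from`.
 */
size_t unescape_fixed(char *to, const char *from)
{
    size_t n = 0;
    while (*from) {
        if (from[0] == '\\' && from[1] != '\0' &&
            !isspace((unsigned char)from[1]))
            from++;
        to[n++] = *from++;
    }
    to[n++] = ' ';
    return n;
}

/*
 * Size a caller would reserve per argument before copying: the string
 * length plus one for the separating space. The copy must never write
 * more than this, or the heap buffer sized from it is overrun.
 */
size_t expected_size(const char *arg)
{
    return strlen(arg) + 1;
}

/*
 * Constructed input (assumption for this example): the argument "foo\"
 * followed by its NUL, then a second NUL-terminated string laid out
 * right after it, modelling adjacent memory the copy loop should
 * never touch.
 */
static const char ARG_WITH_TRAILER[] = "foo\\\0SECRET";

/* Bytes the buggy loop writes for the constructed argument. */
size_t demo_buggy_bytes(void)
{
    char out[64] = {0};
    return unescape_buggy(out, ARG_WITH_TRAILER);
}

/* Bytes the hardened loop writes for the same argument. */
size_t demo_fixed_bytes(void)
{
    char out[64] = {0};
    return unescape_fixed(out, ARG_WITH_TRAILER);
}

int main(void)
{
    printf("reserved: %zu bytes\n", expected_size(ARG_WITH_TRAILER));
    printf("buggy loop wrote: %zu bytes\n", demo_buggy_bytes());
    printf("fixed loop wrote: %zu bytes\n", demo_fixed_bytes());
    return 0;
}
```

The size pass reserves 5 bytes for the argument "foo\", but the buggy loop swallows the terminator and copies the trailer too, writing 11 bytes: the same mismatch between the sizing pass and the copy loop that turns a trailing backslash into a heap overflow. The hardened loop stops at the terminator and writes exactly the 5 bytes reserved. The output buffer here is deliberately oversized so the over-read shows up as a byte count rather than as undefined behaviour.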