Application Security Weekly Episode #142 – March 08, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Privacy, Data Security & Compliance – 12:30 PM-01:00 PM

Sponsored By

Visit https://securityweekly.com/capsule8 for more information!

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our YouTube channel, sign up for our mailing list, and join our Discord server!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Description

In most IT shops, privacy, data security and compliance often reside under the same umbrella of ownership. While all 50 states in the US have data breach notification laws, we are seeing a shift in focus toward data privacy globally. "Privacy" and "data security compliance" are often used interchangeably, but this misuse of terminology (and the associated requirements for all IT organizations) creates a lot of confusion in an already complicated industry. Cynthia will explore some of the key factors in 2021 and why we need to get it right.

This segment is sponsored by Capsule8.

Visit https://securityweekly.com/capsule8 to learn more about them!

Resources
https://csrc.nist.gov/Projects/devsecops
https://www.nist.gov/privacy-framework
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

Guest(s)

Cynthia Burke –

Compliance Manager at Capsule8

Cynthia brings more than 15 years of IT and compliance experience to Capsule8. Prior to joining Capsule8 as Compliance Manager, Cynthia was an assistant director and program manager with KPMG's international audit division, leading projects to develop KPMG's audit-collaboration tools.

Hosts

John Kinsella –

Chief Architect at Accurics

Mike Shema –

Product Security Lead at Square

2. Security Engineering, Evil Packages, Exchange SSRF, & Observability – 01:00 PM-01:30 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • Our next live webcast will be on March 18th at 11am ET, where you will learn how to Prepare Linux Hosts for Unexpected Threats! Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand.

Description

Making security engineering successful, Go’s supply chain, mitigating JSON interoperability flaws, automating the hunt for deserialization flaws, the importance of observability, and what to do about Exchange.

Hosts

John Kinsella –

Chief Architect at Accurics

  1. Shifting security engineering right – We talk plenty about shifting security left to get security tools and concepts into the development process earlier. But what about getting security engineers "embedded" with dev teams so they learn more about what it's like on the "other side"? This post lays out how to go about that.
  2. Finding evil Go packages – We've talked about supply chain security before. While it's a little harder to fool Go code, since the full URL of an imported module is needed, Michael Henriksen wrote a tool to look for typosquatting attempts and wrote a blog post on the results.

Mike Shema –

Product Security Lead at Square

  1. Best Practices to Mitigate JSON Interoperability Vulnerabilities – A good companion to the JSON parsing article we covered in episode 141. This one takes a look at how to approach handling JSON from the perspective of a security-minded developer. It presents a clear, reasoned approach through different scenarios and highlights a Python tool, marshmallow, that would help with secure defaults. Check out that library at https://marshmallow.readthedocs.io/en/stable/
  2. Open source tool SerialDetector speeds up discovery of .Net deserialization bugs – Even if you’re not dealing with .NET code, the principles behind deserialization attacks apply to several languages. The tool shows how to find the .NET code out there that remains vulnerable and the paper provides insight into building a tool to target a vulnerability class. Check out the repo at https://github.com/yuske/SerialDetector and the whitepaper at https://www.ndss-symposium.org/wp-content/uploads/ndss2021_3A-5_24550_paper.pdf
  3. BSidesSF Schedule – BSidesSF went virtual and retro this year, with a collection of past presentations followed up by live discussion on Reddit. The topics may have been recorded well before 2021, but they remain relevant to today's app security and privacy. Check out the replay of Clint Gibler's "How to 10X Your Security"; we spoke with him about this back in episode 100. Another one of interest is Sarah Harvey's "Anti-Privacy Anti-Patterns", which shows a necessary privacy angle to complement appsec.
  4. What was observability again? – Being able to monitor system health, debug app issues, and reconstruct incidents are just a few things that fall under an umbrella of observability. It’s become an important tenet of DevOps and SRE approaches to maintaining robust and resilient systems — properties from which a secure system emerges. We also talked about observability as a key to securing Linux (and other systems) in the interview segment of episode 139.
  5. Microsoft: These Exchange Server zero-day flaws are being used by hackers, so update now – Take one pre-auth SSRF and one deserialization flaw to gain admin privileges and you’re halfway to full Exchange compromise. The Nmap script provided by Microsoft to check for the flaw hints at the elegance of SSRF’s simplicity and impact to resources on localhost. Check it out at https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse. The write-up for CVE-2021-26855 at https://proxylogon.com mostly covers the disclosure timeline; we’ll revisit it when the technical details behind the vuln are released.