
Application Security Weekly Episode #143 – March 15, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Cloud Native Security Platforms – 12:30 PM-01:00 PM

Sponsored By

Visit https://securityweekly.com/prismacloud for more information!

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, and join our Discord Server!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Description

Modern appsec demonstrates the importance of a cloud native strategy for enterprise security and how much that strategy must integrate with DevOps tools and workflows. Security solutions need to come from a cohesive platform that addresses the problems DevOps teams face in how they’re building apps today.

This segment is sponsored by Prisma Cloud/ Palo Alto Networks. Visit https://securityweekly.com/prismacloud to learn more about them!

Guest(s)

John Morello

John Morello – VP of Product at Palo Alto Networks

John Morello is the VP of Product at Palo Alto Networks and the former Chief Technology Officer at Twistlock. Prior to that John was a CISO at a Fortune 500 global chemical company. Before that he spent 14 years at Microsoft, in both Microsoft Consulting Services and product teams. He ran feature teams that shipped security technologies in Windows, Azure, and Office 365 and was the lead consultant on several security projects at the White House. John lives in Louisiana with his wife and two young sons. A passionate fisherman and scuba diver, he’s also a long time board member of the Coalition to Restore Coastal Louisiana.

Hosts


Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance


Mike Shema

@Codexatron

Product Security Lead at Square

2. Unauth’d RCE, “Regexploits”, Post-Spectre Web, & SigStore Signing – 01:00 PM-01:30 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • Our next live webcast will be on March 18th at 11am ET where you will learn how to Prepare Linux Hosts for Unexpected Threats! Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

Software safety to mitigate the impact of unauthenticated RCEs, exploding regex patterns, web and browser security in the face of Spectre side-channels, signing software artifacts, 8 roles for today’s security teams.

Hosts


Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance


John Kinsella

@johnlkinsella

Chief Architect at Accurics

  1. Regexploit: DoS-able Regular Expressions – When we work with regular expressions, it’s easy to assume the engine works the way we (westerners) read: processing left to right in a single pass. In reality the matching is quite complex, and usually far more powerful than we need. As is often the case, that combination creates potential for misuse…

Mike Shema

@Codexatron

Product Security Lead at Square

  1. F5 issues BIG-IP patches to tackle unauthenticated remote code execution, critical flaws – “Unauthenticated RCE” are two words that combine into about the worst case possible for an app vuln. As many have noted, the code was compiled without support for ASLR or stack cookies, two mitigations that would have made exploitation more difficult. Check out these two bug reports for additional insight into related flaws in how the app fails to correctly handle HTTP headers and IPv6 hostnames: https://bugs.chromium.org/p/project-zero/issues/detail?id=2126 and https://bugs.chromium.org/p/project-zero/issues/detail?id=2132. In other words, a simple parsing task turned into a familiar security flaw. We’ve mentioned Cyber ITL (https://cyber-itl.org) in the past; the safety features they call attention to should be enabled for any compiled software.
  2. Why Eve and Mallory Still Love Android: Revisiting TLS (In)Security in Android Applications – The platform provider introduces a configuration-based approach that makes custom certificate validation logic safer, developers fail to adopt it correctly or ignore it altogether, and users are stuck with apps that are missing common hardening steps. Even though the details in this case concern exposure to interception (machine-in-the-middle) attacks, the underlying challenge of turning security recommendations into security implementations applies to many DevOps situations.
  3. Post-Spectre Web Development – In the era of CPU side-channels, browser and web security may boil down to a difficult principle: “Your data must not unexpectedly enter an attacker’s process.” The threat of Spectre-style attacks remains relevant and imminent to browsers, with recent blog posts from Google (https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html) and research from academics (https://orenlab.sise.bgu.ac.il/p/PP0) highlighting new work that shows attacks getting better. While there are response headers that apps can set to mitigate some of the danger in terms of what might leak through a side-channel, the underlying problem hasn’t been fixed.
  4. Linux Foundation Debuts Sigstore Project for Software Signing – Taking a page out of the Certificate Transparency playbook, the SigStore (https://sigstore.dev/what_is_sigstore/) project is looking to create a sort of chain of custody for the software supply chain, one that attests to the provenance of software artifacts. Like the Reproducible Builds (https://reproducible-builds.org) effort we’ve mentioned in past episodes, this is a step towards ensuring the apps we deploy are what we think they are, built from the code we think they were built from.
  5. 8 new roles today’s security team needs – Two of the roles are ancient and not a surprising part of a modern security team, but take a look at the others and consider how much engineering your security team is doing vs. how much it should be doing — and what types of problems might be best to prioritize.