asw144

Application Security Weekly Episode #144 – March 22, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Approaching AppSec Like a Hacker – 12:30 PM-01:00 PM

Sponsored By

sponsor
Visit https://securityweekly.com/detectify for more information!

Announcements

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

  • Our next live webcast will be on April 29th at 11am ET where you will learn how to prepare for modern ransomware attacks! Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

Security is struggling to keep up with securing modern web applications and the fast pace of wild web hacks. Detectify is building automated app scanners that can think like a hacker and shorten vulnerability detection time down to minutes and hours, whilst helping ethical hackers do bug bounty/disclosures in a scalable way.

This segment is sponsored by Detectify.

Visit https://securityweekly.com/detectify to learn more about them!

Guest(s)

Johanna Ydergard

Johanna Ydergard – VP of Detectify Crowdsource at Detectify

@ydergard

Johanna Ydergard, VP of Detectify Crowdsource, heads up the strategic direction and development of Detectify Crowdsource, the company’s ethical hacker community and vulnerability research platform. There are only a few thousand skilled ethical hackers in the world today, and her mission is to spread their knowledge through automation, broaden their impact, and put it into the hands of those who need it most to make the Internet a safer place. Previous to this, she worked at Bain & Company as a management consultant.

Roberto Giachetta

Roberto Giachetta – Engineering Manager at Detectify

Roberto Giachetta is currently the Engineering Manager of Scanning Engines at Detectify. He is leading the team to build new and innovative scanning technology to keep customers and the web secure.

Hosts

JohnKinsella

John Kinsella

@johnlkinsella

Chief Architect at Accurics

MikeShema

Mike Shema

@Codexatron

Product Security Lead at Square

2. Supply Chains in Azure SDK/Xcode, GitHub Sessions, & GCP VRP – 01:00 PM-01:30 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, and join our Discord Server!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

In the AppSec News: Supply chain security in Azure SDK and macOS Xcode, GitHub’s postmortem on a session handling flaw, six GCP vulns from 2020, & information resources for hacking the cloud!

Hosts

JohnKinsella

John Kinsella

@johnlkinsella

Chief Architect at Accurics

  1. Microsoft’s Azure SDK site tricked into listing fake package – Another method of playing with the supply chain is found through presenting potentially malicious software that a bot would pick up and list as legitimate
MikeShema

Mike Shema

@Codexatron

Product Security Lead at Square

  1. New Old Bugs in the Linux Kernel – In theory, tracking down error-prone functions like sprintf() is no more difficult than using grep. In practice, fixing such code takes time and attention, which might explain why flaws can persist for close to 15 years.
  2. How we found and fixed a rare race condition in our session handling – A public postmortem on problematic threads. It’s an insight into handling a vuln that could serve as an example exercise in root cause analysis and decision making.
  3. Hacking the Cloud – Information and techniques for targeting and exploiting cloud environments. Highlighted in the recent [tl;dr sec] newsletter at https://tldrsec.com/blog/tldr-sec-075/
  4. New macOS malware XcodeSpy Targets Xcode Developers with EggShell Backdoor – When considering supply chain security, we must remember to be aware and build trust throughout each link that influences how software is built. Signing packages and checking signatures helps ensure their provenance, but we also need to have confidence in the security properties associated with how such packages are built. It’s a concept that goes back decades, most notably the paper by Ken Thompson on “Reflections on trusting trust” from 1984 (https://dl.acm.org/doi/10.1145/358198.358210).
  5. Announcing the winners of the 2020 GCP VRP Prize – Google looks back to the top 6 GCP vulns disclosed under its Vulnerability Reward Program. The rewards range from $130K to $1K, but they’re all well-written insights into the mindset and techniques for finding flaws. Even if you’re not using GCP, the write-ups are a great way to help instill more threat modeling in your appsec and DevOps teams.
  6. A Hacker Got All My Texts for $16 – Think of this as a variant on supply chain security, where one component that may be completely unknown to you and completely out of your control fails to enforce a security control, which in turn weakens the security properties you expected from SMS. Notably, this doesn’t exploit familiar SS7 protocol weaknesses, but highlights yet another way to use social engineering to exploit trust between companies. Even if attacks like this don’t scale well, the impact to those affected remains consequential and, as a targeted attack, it could be the first step towards an unexpected compromise.