
Application Security Weekly Episode #146 – April 05, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Shifting Right: What Security Engineers Can Learn From DevSecOps – 12:30 PM-01:00 PM

Announcements

Description

The security industry generally agrees on the value of enabling developers in an agile environment—although we don’t agree on what to call it… “Shifting Left,” “Creating a Paved Path,” “DevSecOps.” Regardless of the name, we tend to focus on teaching developers how to Sec, but there’s less focus on security engineers learning how to Dev.

This segment will focus on how to create a meaningful partnership between security and software engineers.

Segment Resources:
https://segment.com/blog/shifting-engineering-right/

Guest(s)


Leif Dreizler – Engineering Manager, Product Security at Segment

@leifdreizler

Leif manages the Product Security team at Segment. The ProdSec Team is focused on partnering with software engineering teams to design and implement security features for the Segment product. Leif got his start in the security industry at Redspin doing security consulting work, and was later an early employee at Bugcrowd. He helps organize the Bay Area OWASP Chapter, the AppSec California Conference and LocoMocoSec.

Hosts


John Kinsella

@johnlkinsella

Chief Architect at Accurics


Mike Shema

@Codexatron

Product Security Lead at Square

2. Malicious PHP Commits, OAuth Attacks & XML Injection, & Zines For DevSecOps – 01:00 PM-01:30 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

PHP deals with two malicious commits, SSO and OAuth attack vectors to remember for your threat models, zines for your DevSecOps education!

Hosts


John Kinsella

@johnlkinsella

Chief Architect at Accurics


Mike Shema

@Codexatron

Product Security Lead at Square

  1. PHP releases on hold – Last week PHP admins noticed two malicious commits pushed to the php-src repo (https://news-web.php.net/php.internals/113838). The team noticed this quickly and put releases on hold out of caution. None of this is unique to PHP; it’s a departure point for discussing infrastructure security, signing commits, identity, and the attack surface of a CI/CD pipeline. It takes budget to use SaaS infrastructure, discipline to manage certs, and threat models to understand which controls address which types of attacks.
  2. Pair of Apex Legends Players Banned for DDoS Server Attacks – Another example of why application defenses and threat models should worry less about the motivations or the “who” of an attack and more about the means of an attack. Resiliency and uptime are important requirements for modern apps, and this is a reminder that the availability leg of the CIA triad remains an important security concern.
  3. How to execute an object file: Part 2 – A well-written article about the journey from source code to executable binary. It’s a nice reference whether you’re interested in getting into reverse engineering or designing controls to harden execution environments like containers. It can be a helpful primer to better understand concepts like ASLR, return-oriented programming in exploits, and even syscall filtering.

    Be sure to check out part 1 at https://blog.cloudflare.com/how-to-execute-an-object-file-part-1/

  4. Wizard Zines Collection! – We talk a lot about the importance of communicating security and engineering concepts well. Julia Evans has approached this with a wonderful combination of art and text in the zine format. You’ll find everything from a refresher on command-line arguments you might already know to tips and tricks that might make your command-line skills more effective. Check out her blog at https://jvns.ca
  5. Hidden OAuth attack vectors – OAuth, SAML 2.0, and OpenID Connect are modern ways to delegate authentication so that apps can focus on protecting tokens and trust relationships instead of protecting passwords. Yet it’s still a design pattern that carries some misconfiguration minefields. So make sure you’re considering all of these attacks in your threat model and, of course, remember that there’s a big difference between authentication that says who you are and authorization that says what you can do.
  6. SAML XML Injection – A good companion to the Portswigger article on Hidden OAuth Attack Vectors, this describes potential issues in the assertions and attributes in the XML that composes SAML. Delegated authentication and SSO remain a recommended design pattern; just make sure your implementation doesn’t fall victim to this attack category.
  7. Approaches for authenticating external applications in a machine-to-machine scenario – Although this is focused on AWS, the background and reasoning on different mutual authentication scenarios can be applied to many environments. As an article oriented towards engineering, its “Use X when Y” formulation is a good demonstration of tradeoffs and design considerations.
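As an added illustration of the attack category behind item 6 (this is example code written for these notes, not from the show, PortSwigger, or any SAML library), the block below builds a SAML-style attribute statement two ways: by string concatenation, where an attacker-controlled attribute value can rewrite the document structure, and with an XML library that escapes the value on serialization. The namespace is the real SAML 2.0 assertion namespace; the attribute name, the email value and the injected value are constructed sample inputs. A relying party that parses the unsafe output sees two AttributeValue elements where one was intended; the hardened builder preserves the value as a single string, and the count check is the kind of sanity test an assertion consumer can run.

```python
# Added example: XML injection into a SAML-style Attribute, unsafe string
# building beside a hardened ElementTree builder, plus a consumer-side check.
# Not code from the show or from any SAML library.
import xml.etree.ElementTree as ET
from typing import List

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"  # real SAML 2.0 assertion namespace
ET.register_namespace("saml", SAML_NS)

# Constructed sample inputs (hypothetical identity-provider data).
CLEAN_VALUE = "user@example.com"
# A constructed value that closes the current element and opens a second one.
INJECTED_VALUE = "user@example.com</saml:AttributeValue><saml:AttributeValue>admin"


def build_attribute_unsafe(name: str, value: str) -> str:
    """Unsafe: the attribute value is concatenated straight into the XML text,
    so any markup inside it becomes part of the document."""
    return (
        f'<saml:Attribute xmlns:saml="{SAML_NS}" Name="{name}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue>"
        f"</saml:Attribute>"
    )


def build_attribute_safe(name: str, value: str) -> str:
    """Hardened: build a tree and let ElementTree escape text and attribute
    content when it serializes (< > & become entities)."""
    attr = ET.Element(f"{{{SAML_NS}}}Attribute", {"Name": name})
    val = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue")
    val.text = value
    return ET.tostring(attr, encoding="unicode")


def attribute_values(xml_text: str) -> List[str]:
    """Parse the statement the way a relying party would and return every
    AttributeValue text it contains."""
    root = ET.fromstring(xml_text)
    return [el.text or "" for el in root.iter(f"{{{SAML_NS}}}AttributeValue")]


def has_single_value(xml_text: str) -> bool:
    """Consumer-side sanity check: an attribute built from one value must
    parse back to exactly one AttributeValue element."""
    return len(attribute_values(xml_text)) == 1


if __name__ == "__main__":
    unsafe_xml = build_attribute_unsafe("email", INJECTED_VALUE)
    safe_xml = build_attribute_safe("email", INJECTED_VALUE)
    print("unsafe parses to:", attribute_values(unsafe_xml))
    print("safe parses to:  ", attribute_values(safe_xml))
    print("unsafe passes check:", has_single_value(unsafe_xml))
    print("safe passes check:  ", has_single_value(safe_xml))
```

Escaping on output is the minimum; a real deployment also validates the assertion signature before reading any attribute, and schema-validates the assertion so that unexpected extra elements are rejected rather than silently consumed.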