Application Security Weekly Episode #151 – May 17, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Third Party Software Risk on the Web – 07:00 PM-07:30 PM

Sponsored By

Visit https://securityweekly.com/talasecurity for more information!

Announcements

  • Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

Web applications are highly dependent on third-party content and JavaScript. This creates a significant set of vulnerabilities that attackers are exploiting. How do you prevent a SolarWinds-type hack on your website?

https://go.talasecurity.io/blog/data-in-the-browser-is-data-at-risk

https://www.talasecurity.io/protect/#how

https://go.talasecurity.io/blog/how-i-hacked-your-website

This segment is sponsored by Tala Security.

Visit https://securityweekly.com/talasecurity to learn more about them!

Guest(s)

Aanand Krishnan – CEO at Tala Security, Inc.

Aanand Krishnan is the CEO and Founder of Tala Security. Prior to Tala, Aanand was most recently a senior director of product management at Symantec where he built Symantec’s first big data security analytics platform and led key strategy projects that helped establish the company’s vision and strategic focus.

Aanand spent several years in investment banking and mergers and acquisitions at Morgan Stanley and Dolby Labs and acted as an adviser to leading security software, semiconductor and clean tech companies. He started his career building high-speed optical networking products at Agilent Technologies. Aanand holds an MBA from Berkeley, where he was a recipient of the CJ White Fellowship, a Master's in Photonics and Optoelectronics from UC Santa Barbara, where he was a QUEST Fellow, and a Bachelor's in Electrical Engineering with Honors from BITS, Pilani.

Hosts

John Kinsella

@johnlkinsella

Chief Architect at Accurics

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

Mike Shema

@Codexatron

Product Security Lead at Square

2. CNCF Supply Chain, Frag Attacks, Securing Webhooks, & Complexity vs. Security – 07:30 PM-08:00 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

  • In our May 27th webcast at 11am ET, we’ll explore the latest attacks against DNS and the latest techniques that make it possible to discover and disrupt attacks. In our June 3 webcast at 11am ET, you will learn about pen testing tools and why every organization should be using them regularly. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

CNCF releases a whitepaper on supply chain security, Frag attacks against WiFi devices, securing webhooks, trusting Terraform plans, shared credentials and app access, complexity vs. security vs. design.

Hosts

John Kinsella

@johnlkinsella

Chief Architect at Accurics

  1. RCE in terraform’s plan command – Most people think of “terraform plan” as a way to check their terraform configuration before executing it, or to generate a full plan with variables interpreted (used for IaC scanners, gitops, or other tools). Turns out there are some scenarios where the plan command may execute code…
  2. CNCF releases supply chain security whitepaper – CNCF’s Security TAG just published their whitepaper on supply chain security. I like how it provides guidance for different assurance and risk levels. The whitepaper’s a meaty 45 pages, but a link off the announcement blog has a framework “cliff notes” version.

Matt Alderman

@maldermania

Executive Director at CyberRisk Alliance

  1. WhiteHat Security Allies with Bit Discovery on Vulnerability Intelligence – DevOps.com
  2. Vdoo Announces New Integrations to Simplify Product Security Throughout the Software Development Lifecycle – DevOps.com
  3. Anchore advances marketplace security with Business Intelligence
  4. Google and Mozilla Develop an API for HTML Sanitization

Mike Shema

@Codexatron

Product Security Lead at Square

  1. Is Complexity the Enemy of Security? – This article makes a case that bad design — whether in interfaces, software architectures, or processes — can be a better way to frame security challenges than merely attributing complexity as a trade-off with security. What’s particularly nice about this article is that it doesn’t just swap out terms, it presents examples and guidance on how to achieve good design. Plus, these design goals have direct ties to application security, from building apps with opinionated defaults and declarative configurations to using the “5 Whys” and blame-free postmortems.
  2. WiFi devices going back to 1997 vulnerable to new Frag Attacks – Cool research that digs into the attack surface of WiFi standards and demonstrates how design flaws have far-reaching consequences across implementations and, in this case, across decades. We’ve seen fragmentation-style attacks before, most recently as part of the SAD DNS flaw back in November 2020. This research is also a great example of good documentation and well-described threat scenarios. As the researcher notes, aspects of this problem were known as far back as 2007. What makes this interesting is the journey from a known-but-difficult-to-exploit flaw to addressing the flaw across multiple implementations. It touches on familiar aspects of prioritizing development efforts, dealing with backwards compatibility, and revisiting flaws when new information comes to light.
    Check out the research at https://www.fragattacks.com
  3. Sending webhooks securely – Webhooks have become a common design pattern for handling events between web applications. This article shares insights on mistakes to avoid in implementing them, from exposing cloud resources to SSRF to ensuring they have some form of authentication. For another example of request signing, check out the documentation on “Signing AWS API requests” at https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html.

    Also check out the [tl;dr sec] newsletter that had this and other articles at https://tldrsec.com/blog/tldr-sec-083/

  4. Fintech Startup Offers $500 for Payroll Passwords – This isn’t about bounties for bugs, it’s essentially bounties for credentialed access to a third-party app. Not only does this access pattern create a grey area in the meaning of “authorized access” and set an expectation for sharing credentials that runs counter to all security recommendations, it expands the types of risks app developers need to be aware of. This type of access pattern isn’t unheard of — it’s exactly the sort of problem that OAuth was intended to address. App developers have long dealt with account takeovers and inauthentic behavior (like bots). So, what happens with apparently authentic behavior in an account shared with another app that’s been implicitly approved by a user?

    Here’s a related article about Plaid conducting a similar effort, https://www.vice.com/en_us/article/bvzzqa/plaid-paid-500-dollars-workplace-logins

  5. Integrating Rust Into the Android Open Source Project – We talked about the “why” of adopting a language like Rust in a project back in episode 147 — defeat a class of vulns like unsafe memory handling and parsing malicious media files. This article gives a good insight on the “how”. In other words, the dev toolchain and integration with build processes have to be just as robust for a new language. You can’t just say, “Write more secure code” in a different language without providing the means to make that language a viable choice. It’s the same principle as offering up security tools to a DevOps team; make the tools work natively in their environment and the adoption will be far more successful.