Application Security Weekly Episode #155 – June 21, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Challenges of DAST Scanners / Adoption by Developers – 12:30 PM-01:00 PM

Sponsored By

Visit https://securityweekly.com/probely for more information!

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

  • Join us June 24 at 11 AM ET to learn how web application firewalls can help mitigate exposure in a complex threat landscape. Then join us July 15 at 11 AM ET to learn how a thoughtful approach to SASE can improve security and enable scalability. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

What are some of the challenges facing DAST scanners, such as coverage of modern apps, point-and-shoot scanning, scan time, partial scans, or scanning at scale? What do developers look for in a DAST scanner?

This segment is sponsored by Probely.

Visit https://securityweekly.com/probely to learn more about them!

Guest(s)

Nuno Loureiro – CEO at Probely

@nunoloureiro

Nuno is a Co-Founder and the CEO of Probely. In the past, he led an Application Security team at a Telco Provider, where he provided training on secure coding, security guidance during the development lifecycle of projects, performed penetration testing, and implemented PCI-DSS across the organization.

He holds an MSc in Information Security from Carnegie Mellon University.

Tiago Mendo – CTO at Probely

CTO and Co-founder of Probely, a cybersecurity startup that does web application security scanning as a service. He has 17+ years of experience in information security, has built a web app security team, and is a programmer, pentester, and father. He holds a Master's in Information Technology/Information Security from Carnegie Mellon University. Travel addict.

Hosts

John Kinsella

@johnlkinsella

Chief Architect at Accurics

Mike Shema

@Codexatron

Product Security Lead at Square

2. Supply Chain Integrity, Format Strings, Systemd Bug, Instagram Bounty, & Refactoring – 01:00 PM-01:30 PM

Announcements

  • Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!

  • Security Weekly is ecstatic to announce that Security Weekly Unlocked will be held IN PERSON this December 5-8 at the Hilton Lake Buena Vista! Call for presentations & early registration for Security Weekly listeners is open now! Visit securityweekly.com/unlocked to submit your presentation & register for the early registration price before it expires!

Description

This week in the AppSec Weekly News John and Mike discuss: the SLSA framework for supply chain integrity, a Wi-Fi network of doom for iPhones, a seven-year-old systemd privesc, $30K for an API call, Codecov refactoring away from Bash, using the AST to refactor Python, shifting left and right, and more!

Hosts

John Kinsella

@johnlkinsella

Chief Architect at Accurics

  1. Google releases supply chain integrity framework – I think my favorite part is the threat model. Wish it was more than “just” a framework…

Mike Shema

@Codexatron

Product Security Lead at Square

  1. iPhone bug breaks WiFi when you join hotspot with unusual name – When was the last time you had to remember which type fields represented void* pointers, null-terminated strings, and adding characters written to the stack? When was the last time you even used one of the printf() family of functions? A recent Wi-Fi bug in iOS dusted off the ancient class of format string vulns to demonstrate how the wrong sequence of percent-prefixed placeholders crashes the networking stack. Despite this disclosure, this class of bugs represents a (rare?) appsec success story — not only did programming languages introduce more secure versions of these functions, but developers largely adopted them. Of course, “more secure” doesn’t mean inoculated against vulns, it’s still possible to misuse them, but format string vulns haven’t had the staying power of memory safety issues like heap overflows and use-after-free.

    Additional resources:
    – https://blog.chichou.me/2021/06/20/quick-analysis-wifid/ — a quick reverse engineering of the error to demonstrate where the flaw originated
    – https://cs155.stanford.edu/papers/formatstring-1.2.pdf — an excellent introduction to format string vulns from 2001 when they first gained widespread attention as a new bug class
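An added illustration of the template-versus-data distinction behind this bug class (not code from the episode or the linked write-ups), in Python rather than C: Python's `%` operator interprets the same printf-style conversions, and when no arguments are supplied it raises instead of reading whatever happens to be on the stack. The network names and the `count_conversions` scanner are constructed for the example; the real string from the iOS report is not reproduced.

```python
import re

# Constructed network names for the demonstration; the real string from the
# iOS report is not reproduced here.
HOSTILE_SSID = "%s%s%s%s%x"
BENIGN_SSID = "Coffee Shop Wi-Fi"

# One printf-style conversion: %[flags][width][.precision][length]conversion,
# or the escaped literal "%%".
_CONVERSION = re.compile(
    r"%(?:%|[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|j|z|t)?[diouxXeEfFgGaAcspn])"
)


def count_conversions(text: str) -> dict:
    """Inventory the conversions a C printf-family function would act on if
    `text` were passed as the format argument. %n is singled out because it
    writes the number of characters printed so far through a pointer argument."""
    counts = {"total": 0, "writes_memory": 0, "literal_percent": 0}
    for match in _CONVERSION.finditer(text):
        token = match.group(0)
        if token == "%%":
            counts["literal_percent"] += 1
            continue
        counts["total"] += 1
        if token.endswith("n"):
            counts["writes_memory"] += 1
    return counts


def log_join_unsafe(ssid: str) -> str:
    """Vulnerable shape: untrusted data becomes the format template, the Python
    analogue of printf(ssid). The % operator consumes the same conversions and,
    given no arguments, fails instead of reading the stack."""
    return ("Joined network: " + ssid) % ()


def log_join_safe(ssid: str) -> str:
    """Hardened shape: a fixed template with the untrusted value passed as an
    argument, the analogue of printf("%s", ssid). Percent signs in the SSID are
    copied through literally."""
    return "Joined network: %s" % (ssid,)


def unsafe_call_outcome(ssid: str) -> str:
    """Return "ok" if the vulnerable call survives, otherwise the exception class
    name (TypeError for missing arguments, ValueError for a conversion Python
    does not support)."""
    try:
        log_join_unsafe(ssid)
        return "ok"
    except (TypeError, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for ssid in (BENIGN_SSID, HOSTILE_SSID):
        print(repr(ssid), count_conversions(ssid),
              "| unsafe:", unsafe_call_outcome(ssid),
              "| safe:", log_join_safe(ssid))
```

The benign name passes through both shapes unchanged, which is exactly why the vulnerable shape survives in code for years; the hostile name only misbehaves in the call where it was allowed to become the template.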

  2. Nasty Linux systemd root level security bug revealed and patched – We tend to see two values associated with vulns these days — their rating on the CVSS scale (boring) and how long they’ve lived before public disclosure (curious). In this case, it’s a privilege escalation in systemd that’s been lurking for seven years. What’s interesting about the age of vulns is whether we’ll see a spike in long-lived vulns as fuzzing and code analysis becomes better, followed by a drought of vulns as old code becomes vetted and new code needs attention. The other appsec challenge this vuln highlighted is figuring out if your system is vulnerable or not. Despite being an old bug, it was more recent distros that picked up the flaw.

    Check out the write-up at https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/

  3. Facebook awards $30,000 bounty for exploit exposing private Instagram content – A bug doesn’t have to be sophisticated to be valuable in a bug bounty program. In this case, it’s a simple bug (with a prerequisite for obtaining a token value) that bypasses an authorization barrier in a GraphQL-backed API. The researcher bagged a nice $30K for a pretty simple four-step process. It’s a good reminder that moving to new design patterns like GraphQL requires maintaining attention to threat models and secure implementations.

    Check out the write-up at https://fartademayur.medium.com/this-is-how-i-was-able-to-see-private-archived-posts-stories-of-users-on-instagram-without-de70ca39165c
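An added example of the authorization gap this class of bug represents (not code from the write-up or from Instagram, and not the specific steps the researcher used), in Python: a toy executor and in-memory posts stand in for a GraphQL resolver and its backing store. The data, the field name `posts`, and the function names are constructed. The point is that a valid token answers "who is calling", not "may this caller see this object", and the fixed resolver makes that second decision per object.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Post:
    post_id: int
    owner_id: int
    archived: bool
    caption: str


# Constructed in-memory data standing in for the backing store.
POSTS: List[Post] = [
    Post(1, 100, False, "public post by user 100"),
    Post(2, 100, True, "archived post by user 100"),
    Post(3, 200, True, "archived post by user 200"),
]


def resolve_posts_vulnerable(viewer_id: int, owner_id: int,
                             include_archived: bool) -> List[Post]:
    """Bug-class illustration. Authentication happened upstream, so viewer_id is
    trustworthy, but the resolver never asks whether this viewer may see this
    owner's archived items: any authenticated caller who can name a target
    owner_id receives the archive."""
    return [p for p in POSTS
            if p.owner_id == owner_id and (include_archived or not p.archived)]


def resolve_posts_fixed(viewer_id: int, owner_id: int,
                        include_archived: bool) -> List[Post]:
    """Object-level authorization: an archived item is returned only to its
    owner. The decision is made per object, here in the resolver, rather than
    inferred from the caller holding a valid token. Non-owners get the public
    subset (fail closed, without confirming that hidden items exist)."""
    visible = []
    for post in POSTS:
        if post.owner_id != owner_id:
            continue
        if post.archived and (not include_archived or viewer_id != owner_id):
            continue
        visible.append(post)
    return visible


Resolver = Callable[..., List[Post]]


def execute(schema: Dict[str, Resolver], field_name: str,
            viewer_id: int, **arguments) -> List[Post]:
    """Tiny stand-in for a GraphQL executor: look up the field's resolver and
    hand it the request context (who is calling) together with the field
    arguments from the query."""
    return schema[field_name](viewer_id=viewer_id, **arguments)


VULNERABLE_SCHEMA: Dict[str, Resolver] = {"posts": resolve_posts_vulnerable}
FIXED_SCHEMA: Dict[str, Resolver] = {"posts": resolve_posts_fixed}


if __name__ == "__main__":
    # Viewer 200 asks for viewer 100's archive through each schema.
    for name, schema in (("vulnerable", VULNERABLE_SCHEMA), ("fixed", FIXED_SCHEMA)):
        got = execute(schema, "posts", viewer_id=200, owner_id=100, include_archived=True)
        print(name, [p.post_id for p in got])
```

Returning the public subset rather than raising is a design choice: an error for `include_archived=True` would also be acceptable, but it confirms to a non-owner that archived items exist, which is its own small leak.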

  4. Abstract Syntax Tree for Patching Code and Assessing Code Quality – We’ve mentioned on a few episodes how being able to crawl an AST can give better context and accuracy for code scanning. An equally compelling use of the AST is dynamically patching a codebase. This article walks through an example of using the AST to modify a Python program. This kind of refactoring is pretty cool, but it has its limits. Even the article notes that quick patching can lose formatting and code comments unless considerations are taken to handle those nuances. Still, it’s an approach that’s been demonstrated across different languages and represents an effective way to refactor specific code problems. Plus, you have robust test cases to maintain confidence that the changes haven’t broken anything, right?
  5. Introducing Codecov’s New Uploader – Here’s a followup to the supply chain story we covered about Codecov’s bash uploader back in episode 147. Not only has Codecov refactored the uploader functionality from Bash to NodeJS, they document how this change is more beneficial from a software maintenance and security perspective. It’s a great way to see how deciding on a programming language based on engineering principles and support for DevOps workflows is far more useful than sticking with something because it’s easy or just the cool thing to use.
  6. Why ‘Shift Left’ security has become a misnomer – We don’t need strict definitions of “shift left” or “DevOps” in order to discuss the shift in responsibility for security to dev teams. Nor do we need a lot of appsec navel-gazing about labels when fundamental principles like feedback loops and security testing are more important to discuss. This article highlights that we shouldn’t over-index on the security of the design and development stages for software. There’ll still be new vulns reported in dependencies and coding mistakes that make it past security controls. So, as much as you’re thinking about shifting left, keep the principles of observability and monitoring in mind when your app “shifts right” into deployment.
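Returning to item 4 above: an added example (not the article's code) of patching a Python program through its AST using only the standard library. It rewrites `yaml.load(...)` calls that pick no explicit loader into `yaml.safe_load(...)`, leaves calls that already choose a loader alone, and counts what the round trip loses, since comments are not part of the AST and `ast.unparse` regenerates text from the tree. The sample module is constructed; `ast.unparse` requires Python 3.9 or newer.

```python
import ast
import io
import tokenize
from typing import Tuple

# Constructed sample module containing the call pattern to be refactored.
SOURCE = '''\
import yaml


def load_config(path):
    # Config files are attacker-influenced more often than people expect.
    with open(path) as fh:
        return yaml.load(fh)  # default loader can instantiate arbitrary objects


def load_trusted(path):
    with open(path) as fh:
        return yaml.load(fh, Loader=yaml.SafeLoader)
'''


class SafeLoadRewriter(ast.NodeTransformer):
    """Rewrite yaml.load(<one positional arg>) with no explicit Loader into
    yaml.safe_load(...). Calls that already choose a loader are left alone."""

    def __init__(self) -> None:
        self.rewritten = 0

    def visit_Call(self, node: ast.Call) -> ast.AST:
        self.generic_visit(node)  # patch nested calls first
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr == "load"
                and isinstance(func.value, ast.Name) and func.value.id == "yaml"
                and len(node.args) == 1
                and not any(kw.arg == "Loader" for kw in node.keywords)):
            func.attr = "safe_load"
            self.rewritten += 1
        return node


def patch_source(source: str) -> Tuple[str, int]:
    """Parse, transform, and regenerate source text. Returns the new text and
    the number of call sites changed."""
    tree = ast.parse(source)
    rewriter = SafeLoadRewriter()
    new_tree = ast.fix_missing_locations(rewriter.visit(tree))
    return ast.unparse(new_tree), rewriter.rewritten


def count_comments(source: str) -> int:
    """Comments survive tokenization but not parsing, so they vanish on the
    round trip through the AST."""
    tokens = tokenize.generate_tokens(io.StringIO(source).readline)
    return sum(1 for tok in tokens if tok.type == tokenize.COMMENT)


if __name__ == "__main__":
    patched, changed = patch_source(SOURCE)
    print(patched)
    print("rewritten:", changed, "| comments before/after:",
          count_comments(SOURCE), count_comments(patched))
```

The match is deliberately narrow (attribute `load` on a name `yaml`, one positional argument, no `Loader` keyword) so the transformer does not touch unrelated `load` methods; an aliased import such as `import yaml as y` would need an extra case. Comment and blank-line loss is the caveat the article raises, and it is why concrete-syntax-tree libraries exist for production refactoring.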