1. Password Mismanager, Trusted Types vs. DOM XSS, PrintNightmare, & Fault Injections – 12:30 PM-01:00 PM
Security Weekly Unlocked will be held IN PERSON this December 5-8 at the Hilton Lake Buena Vista! Our Call For Presentations Deadline has been extended through July 23rd at 11:59 pm ET! Visit securityweekly.com/unlocked to submit your presentation!
In our July 14th democast at 11 AM ET, learn how to reveal and protect your entire attack surface. Then join us July 15 at 11 AM ET to learn how a thoughtful approach to SASE can improve security and enable scalability. Finally, in our July 22nd technical training at 11 AM ET, learn how Guided-SaaS NDR Enables Rapid Response. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand
In the AppSec news, a password manager makes predictable mistakes, Trusted Types terminate DOMXSS, waking up from PrintNightmare, understanding hardware fault injections.
Chief Architect at Accurics
RPM’s been doing minimal certificate validation – Some security is better than no security, but as we’ve seen before, complex security results often in just “some” security. The RPM code wasn’t checking revocation lists or cert expiration.
Looking at the issue on github, they’re agreeing that proper use of OpenPGP includes “complexity of a full implementation” and are considering alternatives like signify.
OSSF Security Scorecard version 2 is out – Google released version 2 of their security scorecard project. Basically it scans a software project (and git repo configuration, if you’re a project admin) and checks for code review processes, if fuzzers/SAST are used, build system security, bad dependencies.
Product Security Lead at Square
Kaspersky Password Manager: All your passwords are belong to us – Password managers are an overwhelmingly good choice of tool to assist users in managing their credentials. One reason is that it discourages password reuse across sites and can create better passwords that humans don’t need to memorize. Unfortunately, this security benefit breaks down when the password manager tries to be too clever about generating random passwords and ends up generating apparently random passwords in a decidedly predictable manner.
Trusted Types – mid 2021 report – Getting rid of a vuln class can be the most effective appsec investment, but doing so often has a steep initial barrier that can seem impossible to overcome. Hence, appsec teams may opt for scanning, WAFs, or other approaches that manage the risk of vulns present in code. This write up from Google demonstrates how well they eliminated DOM-based XSS from their codebases by adopting Trusted Types. Of course, it also helps to have the time and software development budgets to take on such as significant refactoring task. Even so, the results are not only encouraging, but elevate the codebase to be more consistently secure as it continues to grow.
Read more about trusted types in their spec at https://github.com/w3c/webappsec-trusted-types
D3FEND – A knowledge graph of cybersecurity countermeasures – Following MITRE’s punctuation-adorned ATT&CK framework comes its counterpart for defenders with the numerically named D3FEND. It’s not a prescriptive set of application protections — it’s a way to build a shared vocabulary of different strategies for protecting apps, their users, and their data. (And it’s also a chance for the appsec community to get ahead of any “D3FEND-compliant” marketing in the way that “OWASP Top 10 compliant” became a designation empty of meaning.)
Check out the ATT&CK framework at https://attack.mitre.org. Plus, John and Adrian talked more about it in last week’s episode 156 — so check that out, too!
And as an important addendum for any font geeks out there who might be giving the current D3FEND logo a side-eye, check out the “Typeset in the Future” blog for a fun and informative history of sci-fi typography and design. You can find it at https://typesetinthefuture.com
How we prevented subdomain takeovers and saved $000s – This is the type of approach that demonstrates when and how to use a bug bounty for your applications. If you don’t have an appsec program or your appsec program is just starting, your bounty program is likely going to subsidize lots of researchers who are running the same simple tools you could be running yourself. In this case, the team addressed this class of vulns by building a well-designed mechanism to scan for insecure patterns and notify devs so they could fix misconfigurations quickly. It’s a great step towards hardening the org’s processes for provisioning DNS entries and instances so that takeovers don’t even become possible.
Kaseya Patches Imminent After Zero-Day Exploits, 1,500 Impacted – As we’re talking about appsec vocabulary this episode (see the other article on the D3FEND framwork), we’ll first point out that not every security event that affects a vendor is a supply chain issue. Or, at least, it’s not a software composition issue.
But the more important appsec lesson from this most recent ransomware episode is the cost of legacy code — the initial attack vectors were apparently dead-simple SQL injection exploits against ASP code. The entire vuln class could have been avoided by using parameterized queries, but that also forces us to ask at what point should ancient ASP code have been refactored into a newer language with better security frameworks. There are few ways the code could have been worse (ahem, Perl) and many ways it could have been better (any modern language that has native support for parameterized queries, not to mention CSRF countermeasures, better linting, and security scanners).
PrintNightmare official patch is out – update now! – This latest big bug for Windows hit a few interesting appsec angles. Researchers accidentally disclosed the vuln after mistakenly thinking a prior patch had addressed it — turns out there was more than one bug in this particular codebase. Another angle is looking at how much risk a printer spooler posed to Windows systems and AD servers. It looks like another case where Microsoft is trying to navigate backwards compatibility and support for older system architectures at the expense of better sandboxing and isolation for services.
Check out Microsoft’s latest updates at https://msrc-blog.microsoft.com/2021/07/06/out-of-band-oob-security-update-available-for-cve-2021-34527/
An Introduction to Fault Injection (Part 1/3) – Here’s an article that’s more focused on the hardware side of appsec. It covers various methods for putting hardware and firmware into error states, especially states that might bypass security controls. Even if you’re not working in hardware, the series of articles are easy to understand and several of the concepts can be generalized (or have parallels) to software applications. Reading about the threat modeling and countermeasures from one domain is a great way to bring a creative and thoughtful approach to threat models in other domains.
Check out the followup articles
CAIDA Analysis of Code-Red – Twenty years ago the Code Red worm ran havoc throughout IIS systems across the internet. At the time, infecting almost 360,000 systems in half a day was quite an accomplishment — landing it on the radar of the FBI and White House. It occupied news cycles for a month leading up to an anticipated Code Red 2 outbreak that…turned out to be a fizzle.
On the heels of Code Red (and the double decode vuln that preceded it), Microsoft significantly hardened IIS to the point where these remote vulns became exceedingly rare. Yet Microsoft still deals with significant flaws elsewhere in its codebase. We also still see significant appsec attacks in 2020 and 2021 that are once again “wake up calls” about the security of software and supply chains. It can be helpful to reflect on old attacks and find the appsec lessons that lead to their extinction, not their repetition.
A few more articles:
2. Web App and API Security Needs to Be Modernized: Here’s How – 01:00 PM-01:30 PM
The truth is, most web app and API security tools were designed for a very different era. A time before developers and security practitioners worked together, before applications were globally distributed and API-based. But attackers are developers too, and they aren’t bogged down by the limitations of legacy solutions. It’s never been more clear that it’s time for a change. Sean will outline new rules for web application and API security that respect the way modern applications are built.
Sean is the Chief Product Architect at Fastly, where he focuses on building and scaling products around large scale, mission critical infrastructure. He was previously VP, Technology for Verisign, where he provided strategic direction along with product and technical architecture and was a primary company spokesperson. Sean was previously CTO of name.com, a top 15 domain registration and web hosting company as well as a Sr. Director at Neustar.
He holds a BS in Computer Science from the University of Delaware. His current research focus is on DNS, DDOS, Web/network performance, Internet infrastructure and combating the massive internet security epidemic.