In the wake of events such as the Solarwinds breach, there has been a lot of misinformation about the role of open source in DevSecOps. GitLab believes everyone benefits when everyone can contribute. Open source plays a key role in how GitLab addresses DevSecOps. We will discuss GitLab’s view of the role of open source in DevSecOps including recent contributions to the open source community as well as GitLab’s plans for the future.
David DeSanto – Senior Director, Product Management – Dev & Sec at GitLab
David is the Senior Director, Product Management – Security at GitLab. He is a network security professional with a deep background in security research and product strategy. David lives in the greater Dallas, TX area with his wife and their two dogs.
This week in the AppSec News: Security from code comments, visualizing decision trees, bypassing Windows Hello, security analysis of Telegram, paying for patient bug bounty programs, cloud risks, & more!
Chief Architect at Accurics
Best practices for writing comments in code – While code comments may not seem directly related to appsec, they make code easier to understand, so people looking to understand and/or modify software have a better chance of not making mistakes. Also, writing good comments is a little like learning something by explaining it to someone else: as you write a comment in English or another non-programming language, you may realize that you missed a use case in the computer language.
Facebook announces time bonus payouts for bug hunters – Bug bounty programs inevitably come up when we talk about appsec issues. Just this past episode (ASW 157), John had a random thought about using escalating payouts for vuln classes as a means of driving behavioral change within an org’s Security Development Lifecycle. In other words, what if the budget impact of payouts was more closely tied to whether common flaws kept cropping up in a code base? We didn’t get into details of how we’d model such a program, nor its pros and cons. But this week we have a chance to think about Facebook’s move to essentially pay for the patience of bug bounty hunters. It could also be thought of as a “security tax” on both slow triage and slow remediation.
It’ll be interesting to see how this plays out and what behaviors it ultimately incentivizes. Is it cheaper to just pay for a delay rather than have to continually respond to “is it fixed yet?” queries? Would this be a good way to tie budget consequences to slow code fixes?
Deciduous: A Security Decision Tree Generator – Threat modeling and security decisions are essential appsec practices. Yet for as common as they are, the tooling for them varies from docs and spreadsheets to complex web apps. Here’s a visualization approach that lands somewhere in between in terms of ease of use (loosely structured text) and informativeness (flow charts and directed graphs).
However, what’s even more important in this article is the motivation for building these trees. There’s a nod to “Security Chaos Engineering” (which is free, but sadly behind a registration wall) and a prior article on security anti-patterns. Or maybe call them security way-too-familiar patterns, because they amount to not really bothering with security at all, or following a security practice because everyone else is — even if your budgets, environments, and threat models are completely different. Be sure to check out the much more detailed and insightful blog post, “On YOLOsec and FOMOsec”, at https://swagitda.com/blog/posts/on-yolosec-and-fomosec/.
Bypassing Windows Hello Without Masks or Plastic Surgery – A heartwarming story of face meets computer, computer likes face, computer lets human in. However, this relationship status gets complicated when face meets USB camera, USB camera meets computer, and the computer ends up with the wrong human. It’s a story with unexpected handling of picture frames that reminds us why security plus hardware needs a strong root of trust.
The article is a preview of the researchers’ upcoming Black Hat presentation, “Bypassing Windows Hello for Business and Pleasure”. If you’ll be attending the con, check it out.
‘Undetectable’ Console Cheat Shuts Down After Activision Request – Why have one machine vision article this episode when we could have two! Here we have an appsec angle of unexpected threat models from old technologies applied in new ways. Many games have cheating and fraud in their threat models, with various mechanisms for detecting suspicious processes or behavior. In this case, machine vision is doing the work of “helper” apps like targeting. While it might still lead to some suspicious behaviors, the technique is novel for the approach it takes in analyzing game events.
If you’re interested in the domains of machine learning and games, here’s an article about using ML to beat Atari games without relying on a human demo or training sequence, https://venturebeat.com/2021/03/05/how-ai-trained-to-beat-atari-games-could-impact-robotics-and-drug-design/
SonicWall warns of ‘imminent ransomware campaign’ targeting its EOL equipment – As an update to the article notes, the “imminent” campaign is in fact current and ongoing. Normally the commentary for an article like this would be, “Have an asset inventory, have a patching program”. The more interesting angle here is what to do with EOL software — a situation shared by enterprise and IoT devices (and OT and enterprise IoT and all the combinations therein). So, how does an appsec team handle this from the vendor’s perspective? Patch in perpetuity? What perverse incentives arise if backwards compatibility or systems with fundamentally weak designs aren’t put out to pasture? What if device lifecycles were accelerated and only new systems got new patches?
Amazon rolls out encryption for Ring doorbells – The trend of end-to-end encryption in devices is slow, but rising. There’s not much appsec depth in this article other than seeing a positive improvement to the confidentiality of user data and, importantly, the keys to encrypt that data.
Security Analysis of Telegram (Symmetric Part) – This is a great article that goes far beyond the security advice cliché of “don’t roll your own crypto” to point out *how* custom crypto can go askew. It’s a great read that covers good encryption principles for readers who aren’t experts.
So, onto the premise: The cloud offers many excellent resources for the security CIA triad. In particular, the secrets management and encryption systems, combined with strong IAM policies, make for excellent controls to address confidentiality and integrity. But there’s always the letter A — our poor friend availability, which is often neglected in threat models. This brings up the very first question: how does your appsec team cover availability in their threat models? Followed by: Who does the security team think is responsible for availability? Do those people agree with the security team? The answers to these questions probably influence how you’d measure the risks described in this article.