Application Security Weekly Episode #160 – August 02, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Platform Firmware Security – 12:30 PM-01:00 PM

Announcements

  • CyberRisk Alliance, in partnership with InfraGard, has launched the Critical Infrastructure Resilience Benchmark study. Measure your readiness for ransomware by completing the survey and getting your score. Visit https://securityweekly.com/CIRB to take the survey.

  • SC Media debuts its all-new SC digital experience, fully integrated with Security Weekly podcast content and more. The new site increases the scope and scale of original content resources from editorial staff, contributors, and the far-reaching CyberRisk Alliance network. Visit www.scmagazine.com to check out the new look!

Description

Firmware security is complex and continues to be an industry challenge. In this podcast we’ll talk about the reasons firmware security remains a challenge and some best practices around platform security.

Segment Resources:
https://www.helpnetsecurity.com/2020/04/27/firmware-blind-spots/
https://www.helpnetsecurity.com/2020/09/28/hardware-security-challenges/
https://darkreading.com/application-security/4-open-source-tools-to-add-to-your-security-arsenal
https://chipsec.github.io

Hardware Hacking artwork, created by Maggie:
https://securityweekly.com/wp-content/uploads/2021/08/eArt-2.png

Guest(s)

Maggie Jauregui – Offensive Security Researcher at Intel

@_m46s

Maggie Jauregui is a firmware and hardware security researcher for Intel’s Programmable Solutions Group. Maggie is part of the Black Hat USA review board and President of Security BSides Portland, the non-profit organization that puts together BSidesPDX. Throughout her career, Maggie has presented her research and delivered technical training on firmware and low-level platform security topics at conferences such as DEF CON, Black Hat, CanSecWest, DerbyCon, NULLCON, hardwear.io, OSFC, and BSidesTLV.

Hosts

John Kinsella

@johnlkinsella

Chief Architect at Accurics

Mike Shema

@Codexatron

Product Security Lead at Square

2. PunkSpider, Bug Bounties, RCE in PyPI, Kernel Pwning With eBPF, & Top Vulns From CISA – 01:00 PM-01:30 PM

Announcements

  • Security Weekly Unlocked will be held IN PERSON this December 5-8 at the Hilton Lake Buena Vista!

    We are excited to announce our first round of speakers: David Kennedy, Alyssa Miller, O’Shea Bowens, Marina Ciavatta, Patrick Coble, Chris Eng, Eric Escobar, Kevin Johnson, and Justin Kohler!

    Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

  • If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

This week in the AppSec News: PunkSpider coming to DEF CON, Google matures its VRP, $50K bounty for an access token, RCE in PyPI, kernel vuln via eBPF, top vulns reported by CISA, & the importance of testing!

Hosts

John Kinsella

@johnlkinsella

Chief Architect at Accurics

  1. Web applications have become a security liability – On a previous episode, we discussed a little about whether the current focus in application security should be on “legacy” applications or more on web apps. A study out from F5 and The Cyentia Institute thinks the focus should be more on the web app side…

Mike Shema

@Codexatron

Product Security Lead at Square

  1. Reboot of PunkSpider Tool at DEF CON Stirs Debate – Here’s a tool that scans for web vulns and makes the results available to anyone. In fact, it’s the second time around for this tool. Even if the tool is new and improved, what about the ecosystem it’s operating in? This is a chance to talk about the ways to prepare for a bug bounty and where engineering investments are needed to make the web more secure. Spoiler: it’s probably not the decades-old approach of shouting about vulns into the void.
  2. A new chapter for Google’s Vulnerability Reward Program – There’s a perennial type of appsec article about how much money companies have spent on a bounty program. Bounty programs can be good investments, but their goal isn’t exactly to reach a high score. Here’s a baseline from Google, which spent roughly $3,000 per vuln over 10 years. But more important is how they’ve grown the scope of targets and maturity of the program to cover emerging technologies and some open source projects. Head over to https://bughunters.google.com for a peek at preferred targets. Two that stand out are Fuchsia OS (https://fuchsia.dev/fuchsia-src/concepts/principles/secure) and Envoy (https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/google_vrp).
  3. Stray GitHub access token from Shopify earns novice bug bounty hunter $50k – “Most or All” isn’t a very reassuring phrase to have to use in response to how much the security of a company’s app is impacted by a bug bounty report. Nor does it help that the mistake was relatively straightforward to identify. But what does help is having a successful interaction with a researcher and an appsec team willing to be transparent about how they respond to and handle security events. It’s also a great reminder of the importance of observability and logging for your apps — there’s a big difference in having confidence that unauthorized access hasn’t been abused vs. crossing your fingers and hoping for the best.

    Check out the brief writeup and interaction with Shopify’s appsec team at https://hackerone.com/reports/1087489

  4. Zimbra 8.8.15 – Webmail Compromise via Email – This may not be the most exciting target out there, but it’s a great educational writeup of XSS and SSRF flaws in the wild. It’s also a good lesson (once again, sigh…) of the subtle security issues that can arise from attempting to sanitize HTML and how to combine security issues into attacks with more consequential impacts.
  5. Potential remote code execution in PyPI – The blog post sets the stage early: “There was a vulnerability in GitHub Actions of PyPI’s repository, which allowed a malicious pull request to execute an arbitrary command. This allows an attacker to obtain write permission against the repository, which could lead to arbitrary code execution on pypi.org.” Then it goes into details about the flaw and how an attack would (or wouldn’t) work. It’s another educational writeup and ties into the evergreen theme of supply chain security.
  6. Kernel Pwning with eBPF: a Love Story – We continue a conversation on a common weakness: out-of-bounds reads and writes. Here’s some code whose bitwise ops went sideways on 32-bit values and could lead to command execution. It’s a relatively long article that lays out the fundamentals of eBPF before going into the details of finding and exploiting the flaw. Even if kernel hacking isn’t your thing, read the first part to understand the principles behind eBPF and how they contribute to security boundaries.
  7. Top Routinely Exploited Vulnerabilities – We just talked about the CWE Top 25 for 2021 in last week’s episode. Now CISA is out with the top vulns they’ve seen exploited for the past year or so. While the focus is slightly different — CISA highlights specific apps as opposed to weaknesses — there’s plenty of overlap in terms of what has made those apps insecure. It also seems like another opportunity to talk about patching, threat models, and what kind of influence the specter of “zero-day” should have on both.
  8. We need to talk about testing – If you approach the purpose of testing with the question, “What could possibly go wrong?”, then you’re on your way to security-minded thinking and threat modeling. This article goes through several motivations for testing and its importance in conveying confidence in the app’s behavior to various stakeholders, including security.