
Application Security Weekly Episode #165 – September 13, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Findings From the 2021 AppSec Shift Left Progress Report – 12:30 PM-01:00 PM

Announcements

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s in-person event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on world pass and main conference registration! Visit https://securityweekly.com/isw2021 to register now!

  • If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

Data from the ShiftLeft customer report shows that companies that have rebuilt their core testing processes around faster and more accurate static analysis are able to release more secure code at scale, scan more frequently, fix issues earlier in the software development life cycle, carry less security debt, and ship more security fixes overall.

Segment Resources:

http://shiftleft.io/resources/appsec-shift-left-progress-report-2021?utm_source=cyber_risk_alliance&utm_medium=podcast

This segment is sponsored by ShiftLeft.

Visit https://securityweekly.com/shiftleft to learn more about them!

Guest(s)


Manish Gupta – CEO and Co-Founder at ShiftLeft

@manishguptaTD

Manish has 15+ years in cybersecurity. He was previously the Chief Product and Strategy Officer at FireEye, helping grow the company from approximately $70 million to more than $700 million in revenue. Before that, he was VP of Product Management for Cisco’s $2 billion security portfolio. He also served as a VP/GM at McAfee, growing the network security business fivefold in 5 years.

Hosts


John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense


Mike Shema

@Codexatron

Product Security Lead at Square

2. OWASP Top 10, CISA Bad Practices, Azurescape, Confluence RCE, & API Security Tokens – 01:00 PM-01:30 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

  • Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista!

    We are excited to announce our speakers: Lesley Carhart, John Strand, Alyssa Miller, Dave Kennedy, O’Shea Bowens, Marina Ciavatta, Patrick Coble, Chris Eng, Eric Escobar, Nick Leghorn, Michael Schladt, Kevin Johnson, Justin Kohler, Jay Beale, Trenton Ivey & Ryan Cobb!

    Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

Description

This week in the AppSec News, Mike and John talk: OWASP Top 10 draft for 2021, bad practices noted by CISA, Azurescape cross-account takeover, Confluence RCE, WhatsApp image handling, API security tokens survey, & more!

Hosts


John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

  1. Home security system vulnerable to unauthenticated credential disclosure – “Credential” is my word choice, here. Technically, the system’s IMEI can be gathered without authentication, and then that “credential”, used along with the owner’s email address, provides enough authentication to disarm a system.
  2. Cross-Account Container Takeover in Azure Container Instances – Ignoring the provider, the Unit42 guys did some good research, here. Let’s focus on two things: 1) Look at figures 13 and 14, and think about how someone running their own k8s cluster could identify and remediate permissions issues like these. 2) Software supply chain is a popular theme in 2021. Should we also be asking for SBOMs from our cloud providers?

Mike Shema

@Codexatron

Product Security Lead at Square

  1. OWASP Top 10:2021 (DRAFT FOR PEER REVIEW) – A new OWASP Top 10 is coming this month, which coincides with OWASP’s 20th anniversary. A first question might be, how has the Top 10 list changed since its inception? But that’s a question that accepts the premise of the OWASP Top 10 in the first place.

    As this new version points out from the start, “The OWASP Top 10 is primarily an awareness document.” As a means of awareness, the Top 10 has become the catch-phrase for bad things that happen to web apps and a recognizable reference. Over time it’s been a mix of risks, attacks, and weaknesses. In 2021 it’s nice to see the list settling into a more coherent focus on root causes with associated CWEs as examples of common ways those underlying flaws manifest. But it’s still not a list of specific vulns that you scan for or a prescriptive standard that you demonstrate adherence to.

    So what does appsec have to show for nearly two decades of awareness? To pose the question differently, how would you use this list? If two major items are insecure design and security misconfigurations, what tools and processes would you use to build confidence in a secure design and configuration? In other words, what’s more relevant to your DevOps team today — a catalog of CWEs or a framework (or paved road or secure default or analysis tool) that makes it harder to introduce these weaknesses in the first place?

  2. CISA’s Bad Practices – Best practices are sometimes just good practices and sometimes irrelevant practices — a lot of appsec requires context to understand a threat model and recommend security practices to address it. On the other hand, lots of bad practices are common practices that nevertheless should be replaced by better choices.

    In the same month we get a new draft of the OWASP Top 10, CISA gives us three bad practices. And where the OWASP Top 10 has some ambiguous actionability (it’s an awareness project), these bad practices have clear actions that an org can take to address them. They might not be easy — removing and replacing unsupported and end-of-life software is easier said than done — but they’re still useful goals to align against. After all, a goal like moving away from single-factor authentication (hint: adopt FIDO keys and WebAuthn) is measurable and impactful.

    Check out the discussion on GitHub at https://github.com/cisagov/bad-practices/discussions

  3. CVE-2021-26084 Remote Code Execution on Confluence Servers – Here’s a vuln write-up that doesn’t involve reverse engineering a binary or poking about in C code. Some researchers took a look at the recent patch from Atlassian that fixed an RCE and worked out how to exploit the original vuln. It’s a nice example of diving into an unfamiliar area (OGNL) and applying an attacker mindset to the app’s design in order to identify and exploit a flaw.
  4. Now Patched Vulnerability in WhatsApp could have led to data exposure of users – Ok, we’re back to another write-up that involves compiled binaries and insecure C code. What stands out in this case is the successful use of fuzzing (AFL) to find yet another vuln in an image parser — this time in WhatsApp’s handling of GIF files. It seems that image files remain a profitable attack surface, which also seems to point to image handling code as an area to prioritize for refactoring into a more memory-safe language.
  5. GitHub security update: Vulnerabilities in tar and @npmcli/arborist – The details behind these flaws are perhaps more interesting than the bugs themselves. If you’re using Node.js and either of these packages, then you’ll want to upgrade. Just as you’d normally upgrade for any security release.

    What might be more interesting is the lesson in path sanitization and normalization. In this case, the code made the effort to normalize paths before applying security checks to them, but the code was subverted by some simple, yet clever, patterns. It’s a nice demonstration of the need for comprehensive test cases. Plus, if your org has a more mature appsec or DevOps program, it’s also a potential use case for fuzzing.

    Check out these advisories for more details:
    – https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9
    – https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh

  6. API Tokens: A Tedious Survey – The title may say it’s tedious, but the truth is that this overview of tokens takes the topic seriously and provides helpful technical insight into common design patterns. It’s not much of a spoiler to say JWTs are (quite actively) discouraged. The article provides clear, concise reasoning on why that particular construct is poor and how alternatives are more appealing from a security and usability perspective.