InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!
Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Developers want to write good code. Secure code. Security tools that optimize developer workflows for handling security issues can take a large burden off security practitioners and make triaging, understanding, prioritizing, and resolving vulnerabilities much easier and faster for the developer. We will discuss GitLab’s views on what it means to provide developer-first security and see how these views manifest in GitLab’s security offerings.
Hillary Benson is Director, Product Management for GitLab Secure & Protect. Prior to GitLab, she served as a product executive in the container security space and led teams in building software tools and executing intelligence collection missions for the National Security Agency. Hillary lives in Los Gatos, CA with her husband and two Welsh Corgis
Co-founder & CTO at Cysense
Product Security Lead at Square
2. Prototype Pollution, Funding Open Source Security, Expiring Root CA, Mariana Trench – 01:00 PM-01:30 PM
Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista!
Keynotes from Alyssa Miller, John Strand, Lesley Carhart, & Dave Kennedy!
Join us October 21 to learn why zero-knowledge encryption matters. If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand
In the AppSec News, John and Mike discuss Prototype pollution vulns, funding open source project hardening, Let’s Encrypt root CA expires, and Marian Trench scanner for Android and Java!
Prototype pollution vulns, funding open source project hardening, Let’s Encrypt root CA expires, Marian Trench scanner for Android and Java
Apparent flaw allows hackers to steal money from a locked iPhone, when a Visa card is set up with Apple Pay Express Transit – This article is a concise, clear threat model and evaluation. It brings a confluence of design focused on the user experience (use your phone to pay for transit), design choices based on business context (allow payments from a locked phone in order to prevent overcrowding due to latency and inconvenience in unlocking), and possible impacts (what compensating controls are in place to make this more difficult as a fraud vector). It’s a good example of how a flaw in one part of a complex system can be mitigated by other checks, which is especially important when money is involved.
Check out the research paper at https://practical_emv.gitlab.io/assets/practical_emv_rp.pdf
Introducing the Secure Open Source Pilot Program – Yeah, another week another article about supply chain and Google security. What really stands out here is that the Linux Foundation is driving constructive security hardening of open source projects with sponsorship from Google. This isn’t about bug bounty awards and financing more people to point out flaws that projects already know exist or have too few devs to address. It’s about getting more support to increase the security practices around those projects, of which fixing vulns is just a small part. In fact, the approach isn’t something that would be relatively straightforward to adapt by orgs building their own software and who rely on open source dependencies. It’s based on the SLSA framework (https://slsa.dev) and practices recommended by the Open Source Security Foundation (https://github.com/ossf/scorecard). The practices include improving how code is managed, how dependencies are managed, and getting to more mature efforts like fuzzing — things that all software projects should be considering.
Check out the program and the types of security improvements they’re looking for at https://sos.dev
Fortinet, Shopify and more report issues after root CA certificate from Lets Encrypt expires – Making HTTPS ubiquitous is a commendable goal and something that appsec teams have been pushing for decades. This article isn’t a cautionary tale of be-careful-what-you-wish-for — it’s good to have HTTPS everywhere. But what it does highlight is that making something secure and maintaining that security are two very distinct responsibilities. Let’s Encrypt did a great job of making certs easy to obtain (i.e., free) and easier to maintain by popularizing the ACME protocol. But all certs eventually expire, even the root ones. And while we can predict when it will happen, the expiration date is right in the cert after all, we can’t always predict what it will affect. This is also what brings out the tension in backwards compatibility and the maintenance of old software, particularly IoT devices. Such devices could still have a long life ahead of them, but they need to have a new certificate to trust in order to continue making secure HTTPS connections.
Android, Java bug bunting tool Mariana Trench goes open source – You might not have millions of lines of Android and Java code, but regardless of how many lines of code you do have, you’ll want to make sure it’s secure. (You might not have millions of negative press either, but that’s a different topic.) When huge companies like Facebook release open source security tools, it’s always interesting to see what problems they’re trying to solve (scalability, it’s always something something “at scale”) and what security issues concern them. Another thing that usually informs these kinds of tools is the developer experience. In other words, building scanners so they integrate with workflows that devs are already using and presenting accurate vulns with remediation actions that devs can take. Even if those aren’t novel concepts, seeing how they’ve been successfully implemented is always helpful — and even more so if the tooling can be adopted by other organizations.
Check out the announcement at https://engineering.fb.com/2021/09/29/security/mariana-trench/ and the project on GitHub at https://github.com/facebook/mariana-trench/
An Intro to Fuzzing (AKA Fuzz Testing) – At ASW we’re fans of fuzzing. In fact, another article this week mentions fuzzing as part of measuring a project’s security scorecard. But extolling the virtues of fuzzing is a bit like saying how important an application asset inventory is — a simple idea that’s a lot easier said than done. Well, this article helps with more of the saying part and linking out to other articles that help show how it’s done. If you’re dealing with C code, IoT devices, or user-generated content like images, video, or HTML, then you should start planning how to introduce fuzzing to your SDLC. And even if you’re building apps in memory-safe languages, fuzzing can be a natural evolution of your testing processes.
GitOops! Attacking and defending CI/CD pipelines. – This is a good companion to the article about the https://sos.dev efforts to improve open source security. The details here are focused on GitHub, but the principles and the threat models behind it can apply to any CI/CD pipeline. If you’re using any parts of the tech stack mentioned here, review the access controls, configurations, and secrets management to make sure they match the level of security you expect.