asw169

Application Security Weekly Episode #169 – October 11, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Modernizing the Management of Your Software Supply Chain – 12:30 PM-01:00 PM

Sponsored By

sponsor
Visit https://securityweekly.com/cloudsmith for more information!

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista!

    Keynotes from Alyssa Miller, John Strand, Lesley Carhart, & Dave Kennedy!

    Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

Description

SBOM: What does it really tell you and the importance of having one for your organization.

– Finding and fixing known vulnerabilities in dependencies and container images
– Building a source of truth for packages to avoid malicious packages getting through
– Combining continuous packaging and security into a CI/CD pipeline
– Establishing Trust & Provenance in your Software Supply Chain
– Visibility in your Software Supply Chain with upstreams and signatures

This segment is sponsored by Cloudsmith.

Visit https://securityweekly.com/cloudsmith to learn more about them!

Guest(s)

Tom Gibson

Tom Gibson – Senior Staff Engineer at Cloudsmith

With over ten years in the worlds of DevOps and Fintech, Tom is currently a Senior Staff Engineer at Cloudsmith, where he helps lead and develop the product and platform. As an automation and security enthusiast, Tom is incredibly passionate about helping people and organizations implement and adopt technologies and processes that help secure their software supply chain. When he’s not busy with computers, you can find him watching the latest reality dating TV show, building legos, or doing his 500th home improvement project.

Hosts

JohnKinsella

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

MikeShema

Mike Shema

@Codexatron

Product Security Lead at Square

2. Twitch Breach, HTTPd Path Traversal, Disabling Macros, & Great Cybersecurity Programs – 01:00 PM-01:30 PM

Announcements

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

  • Join us October 21 to learn why zero-knowledge encryption matters. If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

This week in the AppSec News, Mike and John talk: The Twitch breach, a path traversal in Apache httpd, Microsoft disables macros by default after almost 30 years, factors in a great cybersecurity program, & more!

Hosts

JohnKinsella

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

  1. The case for a bill of materials – for SaaS – We talked about this recently, but here’s an article to think about this a little more. We’re hitting an imbalance of discussion around the supply chain of our source code vs the supply chain of our cloud providers.
MikeShema

Mike Shema

@Codexatron

Product Security Lead at Square

  1. Updates on the Twitch Security Incident – While we don’t have specifics on the breach, Twitch has noted that a server configuration error was taken advantage of to gain unauthorized access to their systems. Among the data exposed, a few people have pointed out DB connection strings with passwords in addition to business-related info like how much money top streamers have been earning. With a leak of source code, it’ll be interesting if bug bounty researchers go after vulns discoverable via source, or if other attackers find exploitable flaws to once again compromise one of Twitch’s systems.

    This breach got a lot of coverage. Here’s a sampling of additional articles:
    – https://threatpost.com/twitch-source-code-leaked/175359/
    – https://www.zdnet.com/article/twitch-attributes-breach-to-server-configuration-error-resets-all-stream-keys/
    – https://www.vice.com/en_us/article/jg8w9b/the-twitch-hack-is-worse-for-streamers-than-for-twitch

  2. Additional fixes released addressing Apache HTTP Server issue – As listeners know, one of the favorite vulns here at ASW is path traversal — it’s simple to exploit, tends to be very high impact, and needs no other tooling than a browser’s navigation bar. So it’s pretty eventful when we see this type of ancient vuln pop up in Apache httpd server.

    True to form, the payloads are trivial and scanners are already using it to search for common files that might lead to further compromise of a system:
    – /cgi-bin/.%2e/app/etc/local.xml
    – /cgi-bin/.%2e/app/etc/env.php
    – /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd

    The patch for this also fell into the category of having to release a patch for the patch in order to properly fix the vuln. It’s understandably a critical vuln. Furthermore, as listeners also know, we’re huge fans of fuzzing here at ASW. So it’s also nice to see fuzzing help identify a moderate vuln, in this case a null pointer dereference, that was also fixed in this release.

    Check out the release notes from Apache at https://httpd.apache.org/security/vulnerabilities_24.html

  3. Microsoft to disable Excel 4.0 macros, one of the most abused Office features – It’s amazing that a software feature from 1992 remains supported in Excel to this day. It’s also tragic because these XLM macros have also been a frequently abused attack surface over the decades. Now, with an apparent spike in attacks by “top tier threat actors” against this feature, Microsoft has moved to disable this legacy feature by default.

    This article is a chance to reflect on when and how to make decisions on creating a secure default, deprecating a feature, or removing a feature altogether. On one hand, supporting a feature for almost 30 years is impressive. On the other hand, being consistently exploited for so long has to raise a red flag to at least rearchitect such a brittle are of code. A similarly ancient and ever-vulnerable piece of software, Flash, took almost as long to disappear from web browsers. Hopefully we’ll see more acceleration in other cases so these timelines can be measured in months or years rather than decades.

    Now, if only we could encourage these same top-tier threat actors to target year-old unpatched vulns and weak designs in parsers, we might see further progress made by the infosec community…

  4. Microservices Adoption and the Software Supply Chain – We come across lots of articles that have a vendor angle to them. Sometimes that angle is implicit, sometimes explicit. This one caught the attention of ASW by the nature of the problem it was looking at combined with an open source project to help solve that problem.

    Making code changes, even simple ones, at scale can be tedious — but many times those changes are necessary. Think of cases for bumping a package version or changing a configuration line for Terraform or Kubernetes to enable a more secure setting. This OpenRewrite project looks to make such refactoring possible in a safe and quick manner. Of course, code changes don’t come without risk, so you’ll need some robust testing and error handling to catch unintended consequences, but the idea of using automation to save developers’ time has a great appeal to it.

    Check out more documentation at https://docs.openrewrite.org/ and the open source repo at https://github.com/openrewrite/rewrite

  5. NSA warns of ALPACA TLS attack, use of wildcard TLS certificates – We pull on a thread from this article able wildcard certs to talk about the economics and incentives of application security. For the longest time, presenters at infosec and appsec conferences pointed out attacks against unencrypted HTTP traffic, to the point of trying to shame sites into adopting HTTPS. Fortunately, HTTPS has become more pervasive and unencrypted HTTP traffic is almost eradicated. Of course, there were also several flaws along the way in TLS stacks — something we’re still dealing with in the divergence of OpenSSL, BoringSSL, and other TLS stacks. But there were also costs to HTTPS adoption and security concerns in handling certs. We like certs, certs can be a big part of mutual authentication between services. So it’s worth discussing some of the challenges or trade-offs that come with different certs.

    As an additional resource on TLS history, insights, and implementations, check out https://blog.ivanristic.com (in particular the “OpenSSL Cookbook” and “Bulletproof SSL and TLS” book).

    We covered ALPACA back in episode 154 on June 14, 2021.

  6. The Leading Indicators of a Great Info/Cybersecurity Program – This is the second time we’ve covered a blog post from Phil Venables. And while appsec is only part of a cybersecurity program, it’s definitely a critical piece. It’s a quick read and even if it feels like high-level advice, it should serve as a reminder that strategic architecture and preventative maintenance should be on your appsec roadmaps. That kind of focus on secure by default and tamping down legacy tech (aka paying off tech debt) may have a far more positive security impact than any appsec tool you might deploy. Oh — and you have an app inventory to go along with that, right?