Application Security Weekly Episode #170 – October 18, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Dev(Sec)Ops Scanning Challenges & Tips – 12:30 PM-01:00 PM

Sponsored By

Visit https://securityweekly.com/probely for more information!

Announcements

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Description

There are many ways to do Dev(Sec)Ops, and each organization, or even each team, uses a different approach. Questions such as how many environments you have and how often you deploy to them matter for understanding how to integrate a security scanner into your DevSecOps processes. It all comes down to speed: how fast can I scan the new deployment? This segment discusses the challenges of integrating a DAST scanner into DevSecOps and offers some tips to make it easier.

This segment is sponsored by Probely.

Visit https://securityweekly.com/probely to learn more about them!

Guest(s)

Nuno Loureiro

Nuno Loureiro – CEO at Probely

@nunoloureiro

Nuno is a Co-Founder and the CEO of Probely. In the past, he led an Application Security team at a Telco Provider, where he provided training on secure coding, security guidance during the development lifecycle of projects, performed penetration testing, and implemented PCI-DSS across the organization.

He holds an MSc in Information Security from Carnegie Mellon University.

Tiago Mendo

Tiago Mendo – CTO at Probely

CTO and Co-founder of Probely, a cybersecurity startup that does web application security scanning as a service. He has 17+ years of experience in information security, builder of a web app security team, programmer, pentester, and father. Master in Information Technology/Information Security from Carnegie Mellon University. Travel addict.

Hosts

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

Mike Shema

@Codexatron

Product Security Lead at Square

2. View Source, Bindiff for Vuln Analysis, Bypass with GitHub Actions, & NIST DevSecOps – 01:00 PM-01:30 PM

Announcements

  • Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista!

    Keynotes from Alyssa Miller, John Strand, Lesley Carhart, & Dave Kennedy!

    Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

  • Join us in our next live webcast, on October 21, to learn why zero-knowledge encryption matters! Then join us November 4th to learn about Pragmatic Steps to Reduce Your Software Supply Chain Risk. Finally, join us November 11th to learn the key insights and takeaways from the 2021 OWASP Top Ten. Visit https://securityweekly.com/webcasts to save your seat! Don’t forget to check out our library of on-demand webcasts & technical trainings at https://securityweekly.com/ondemand

Description

This Week in the AppSec News: View source good / vuln bad, IoT bad / rick-roll good, analyzing the iOS 15.0.2 patch to develop an exploit, bypassing reviews with GitHub Actions, & more NIST DevSecOps guidance!

  1. Missouri governor faces backlash and ridicule for threatening reporter who discovered exposed teacher SSNs – Journalism is an important tool against abuse of political power and for holding power to account. In this case, a journalist discovered that their state’s education web site exposed payment data and SSNs for its teachers. The governor’s response — a belligerent misstatement of the flaw and threats of legal action — hearkens back to the early days of appsec, before coordinated vulnerability disclosure was a term of art and it was never certain whether an org’s security team (if one existed at all) or its legal team would respond to a vuln report.

    Orgs don’t need to dive right into bug bounty programs to handle vuln disclosure, but they should take steps toward a solution like that. One resource for this kind of maturity model is at https://www.lutasecurity.com/vcmm

  2. Student finds zero-days in Exterity devices while rick-rolling school district – In our other vuln disclosure article of the week, a student discovered flaws in his school’s IoT devices — which just happened to be network-connected TVs, which just happened to be the perfect vector for the infamous rick-roll. The outcome this time around was fortunately more collaborative. Even so, there are still lessons in this story about coordinated disclosure and needing productive responses from vendors to patch vulns.

    Read the student’s write up at https://whitehoodhacker.net/posts/2021-10-04-the-big-rick

    And, of course, refresh your 80s vibe with the video at https://youtu.be/dQw4w9WgXcQ

  3. Bindiff and POC for the IOMFB vulnerability, iOS 15.0.2 – While this is a rather technical write-up, it’s still accessible for readers who aren’t experts in iOS internals or reverse engineering. It’s a nice example of using binary diffs to analyze a patch in order to understand the vuln it fixes and then, given that understanding, develop a working exploit. Even though the flaw itself seems simple — an integer overflow in a size calculation — the thought process required to analyze and exploit it is more complex. This article does a great job of walking through those steps.
  4. Bypassing required reviews using GitHub Actions – Here’s another article that fits into a recurring theme: security issues stemming from a SaaS vendor’s features that can impact your data even if you’re not using those features. Consequently, it’s also a good example of vendor responsibility in the shared security responsibility model developed by cloud service providers. A positive aspect of this vuln is that it demonstrated what a successful vulnerability disclosure program looks like. A researcher discovered the flaw, shared it with GitHub via their bug bounty platform, and GitHub resolved the issue and rewarded the researcher. All in all, it’s the modern model we like to see in such situations.
  5. The ‘Leak’ of Warzone’s New Anti-Cheat System Was Actually Part of the Plan – Infosec in general has many adversarial threat models. Gaming is an interesting area of appsec that has to focus on far more than just secure software practices. Many games also need to counter cheating and abuse in order to keep their games enjoyable and playable for a large population. It’s a good exercise in evaluating threat models that go beyond simple injection-style attacks and start to consider ways of countering unintended use or abuse of “business logic” within a game.
  6. Implementation of DevSecOps for a Microservices-based Application with Service Mesh – NIST is collecting feedback on upcoming guidance for securing the CI/CD pipelines for microservices and containers. It’s a bit dense and, by necessity, covers the topic at a high level. However, it can be a useful resource for ensuring your appsec program covers CI/CD well and provides the tools and processes needed to maintain security from writing code to deploying it. It also has useful abstractions for addressing infrastructure as code, policy as code, and observability as code. In other words, it doesn’t shy away from expressing security properties within various areas of a system so that they can be automatically configured, analyzed, and reported on. That kind of automation is a far better future than yet another hardening checklist.
  7. SAML explained: How this open standard enables single sign on – This article doesn’t have as neat a thematic tie-in with the rest of the ones we cover this week, but it still falls into the category of education. We’ve covered SAML and OAuth a few times in the past, so it makes sense to share an article that provides an easy introduction to their main concepts.