Application Security Weekly Episode #172 – November 01, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Untangling API Security in 2022 – 12:30 PM-01:00 PM

Sponsored By

Visit https://securityweekly.com/imperva for more information!

Announcements

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

  • Join us for our next live webcast on November 4th to learn about Pragmatic Steps to Reduce Your Software Supply Chain Risk. Then join us November 11th to learn the key insights and takeaways from the 2021 OWASP Top Ten. Visit https://securityweekly.com/webcasts to save your seat! Don’t forget to check out our library of on-demand webcasts & technical trainings at https://securityweekly.com/ondemand

Description

Peter will talk to the challenges he’s hearing from customers and partners about managing the security of APIs and what considerations organizations need to make in 2022 to better protect these growing ecosystems.

This segment is sponsored by Imperva.

Visit https://securityweekly.com/imperva to learn more about them!

Guest(s)

Peter Klimek

Peter Klimek – Director of Technology, Office of the CTO at Imperva

Peter Klimek is Director of Technology within the Office of the CTO at Imperva, a market leader in edge, application and data security. Klimek helps global customers protect their applications, data and websites from security threats through all stages of their digital journey. Prior to Imperva, Klimek held roles at Kaspersky, TransUnion and Zebra Technologies as a solutions architect, security analyst and engineer.

Hosts


John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense


Mike Shema

@Codexatron

Security Partner at Square

2. Discourse RCE, Trojan Source, WhatsApp Security, & Privacy Engineering – 01:00 PM-01:30 PM

Announcements

  • Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista! Keynotes from Alyssa Miller, John Strand, Lesley Carhart, & Dave Kennedy! Visit https://securityweekly.com/unlocked to register for free and check out our rockstar lineup!

Description

This week in the AppSec News, Mike & John talk: Discourse SNS webhook RCE, a checklist for a Minimum Viable Secure Product, WhatsApp security assessment, privacy engineering specialties, & DevOps presentations!

Hosts


John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

  1. Latest checklist: Minimum Viable Secure Product – Google, Salesforce, Okta, Slack and others put together a checklist for what they want to see at minimum in a product prior to purchase. Mostly standard items; the 72-hour incident notification catches my eye. Some of the password requirements are interesting, as well…
  2. Trojan Source allows Unicode comments to take over the world – *scary music* News broke Monday morning of a new vulnerability that’s had coordinated disclosure across several different languages. The basic idea is a Unicode string has the ability to inform the Unicode renderer if it should be left-to-right or right-to-left. This provides the ability for a comment to look like a comment, but actually affect code outside what’s actually the comment.

    The interesting thing here is this appears to be the first vulnerability that’s not specific to a particular programming language.

    (h/t https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/)
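As an added example (not from the show, the Trojan Source paper, or any tool it names), a small Python scanner that flags the Unicode bidirectional control characters the technique depends on, so a code review or pre-commit hook can surface them before a human reads the rendered source. The sample source it scans is constructed; the expected findings are stated in the comments.

```python
# Added example: detect Unicode bidi control characters in source text.
# Trojan Source hides logic by reordering how an editor *renders* a line;
# the control characters are still present in the bytes, so a scanner that
# reports them (with line/column and the Unicode name) is a cheap mitigation.
import unicodedata

# Bidi embedding/override/isolate controls: U+202A..U+202E and U+2066..U+2069.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)


def find_bidi_controls(text):
    """Return a list of (line_no, col, unicode_name) for each bidi control.

    Every control is reported, including ones inside strings or comments;
    deciding whether a given occurrence is legitimate right-to-left text
    is left to the reviewer, since an attacker would hide it exactly there.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((line_no, col, unicodedata.name(ch)))
    return findings


def render_visible(line):
    """Escape bidi controls as \\uXXXX so the reviewer can see where they are."""
    return "".join(f"\\u{ord(c):04x}" if c in BIDI_CONTROLS else c for c in line)


# Constructed sample (not real project code). Line 2 carries a Right-to-Left
# Override inside a comment; line 3 holds Hebrew text with no controls and
# must NOT be flagged; line 4 has an isolate pair inside a string literal.
SAMPLE_SOURCE = (
    "int main() {\n"
    "    // \u202ecomment text\n"
    "    char *hello = \"\u05e9\u05dc\u05d5\u05dd\";\n"
    "    char *s = \"\u2066x\u2069\";\n"
    "}\n"
)

if __name__ == "__main__":
    for line_no, col, name in find_bidi_controls(SAMPLE_SOURCE):
        shown = render_visible(SAMPLE_SOURCE.splitlines()[line_no - 1])
        print(f"line {line_no} col {col}: {name}\n    {shown}")
```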


Mike Shema

@Codexatron

Security Partner at Square

  1. Discourse SNS webhook RCE – CISA posted a recent warning about an RCE vuln in Discourse. It’s notable due to the prevalence of the software and the impact of the relatively easily exploited vuln.

    It’s a neat vuln to read about because of how cleverly it goes about manipulating signed requests to achieve an RCE. The researcher starts with a simple premise — how to inject an arbitrary path into a call to Ruby’s open() — and the hurdles they overcame in order to bypass what seemed like decent security checks.

    Read the Discourse advisory at https://github.com/discourse/discourse/security/advisories/GHSA-jcjx-pvpc-qgwq

    Read the CISA advisory at https://us-cert.cisa.gov/ncas/current-activity/2021/10/24/critical-rce-vulnerability-discourse

  2. Minimum Viable Secure Product – This is one of those articles that catches my eye as well as John’s, hence the two-for-one-special in the articles of the week. It’s a mix of high-level and detailed security controls for software. Think of it as a more prescriptive method of a vendor security checklist. One of the items, SSO, is important to enterprises — but it’s also often a premium (if supported at all). Hopefully the future of SaaS will see SSO as a ubiquitous, free default in the same way we expect HTTPS Only. One of the best checks on this list is the push for security libraries in the application design controls. Using ORM and UI frameworks to get rid of classes of vulnerabilities might mean we’ll one day have SQL injection and cross-site scripting be the relics they should have been a decade (or more) ago.

    You can find more about it from the Google security blog at https://security.googleblog.com/2021/10/launching-collaborative-minimum.html

  3. Public Report – WhatsApp End-to-End Encrypted Backups Security Assessment – Reading about threat models and security assessments written by others is a great way to improve your own. Here’s a detailed writeup by NCC Group about their security assessment of WhatsApp. It may have some inspiration on system design if you’re dealing with passwords, encrypted communications, or privacy by design. Or it may be an inspiration for additional threats to consider when reviewing other types of systems. And even if the specific details seem less relevant, you can always look at it from the perspective of how to communicate security findings and recommendations.

    Unrelated to this report, but related to the OPAQUE protocol it refers to, is this research blog from Cloudflare that provides a great overview of Password-Authenticated Key Exchange (PAKE) at https://blog.cloudflare.com/research-directions-in-password-security/

    Check out ASW 145 for info on a similar analysis of TikTok by Citizen Lab. You can find the show notes at https://securityweekly.com/asw145

  4. Privacy Engineering Superheroes – Privacy engineering has distinct requirements and objectives that separate it from appsec, but you have to have a secure foundation in order to create privacy-by-design on top of it. While the article describes specialities that these engineering teams could dive into, many of them also represent opportunities for security engineering teams to improve software for their users — whether it’s tooling and dashboards for DevOps teams or attention to the user experience (UX) for DevOps and end users alike.
  5. All Day DevOps – The latest All Day DevOps was held on October 28th, 2021 and, being all day and six tracks of presentations, it had a massive amount of material. In fact, a little too much to get through for this week’s show. Instead, we wanted to highlight this resource for you and, if there’s a favorite session you come across, let us know why it grabbed your attention and what others could learn from it!