1. The Modern Developer Must be Security Minded, Too – 12:30 PM-01:00 PM
The call for papers is now open for InfoSec World 2022! Featuring expert insights, enlightening keynotes, and interactive breakout sessions, this year’s conference will take place on September 26-28 in Orlando. We’re looking for experts and innovators to contribute their ideas, experiences, and perspectives to help shape the 2022 program. To submit your proposal, please visit: https://securityweekly.com/isw2022
Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
In light of the far-reaching Log4j vulnerability, it’s become increasingly clear that the modern developer can’t operate without a solid level of security expertise.
Vulnerability management is not just about responding quickly but should be top-of-mind during all stages of software development from inception to delivery. Modern threats mean developers can’t assume security isn’t part of their job and push the burden of responsibility to their infrastructure teams.
Doug Kersten, CISO of Appfire, will discuss how the nature of vulnerabilities today makes it critical for developers to make sure they’re building projects in a secure manner in order to quickly mitigate vulnerabilities – or they risk being left scrambling to respond when a threat hits.
Doug Kersten – CISO at Appfire
Doug Kersten is Chief Information Security Officer at Appfire. He is an industry veteran and strategic, tactical, and hands-on leader who has been instrumental in instilling a positive security culture within fast-paced organizations. Kersten brings more than two decades of security leadership experience to his role, having led IT and security programs for some of the world’s top financial institutions and law firms. Kersten is helping Appfire continue to lead the way in Cloud security for the Atlassian ecosystem and software developer community at large.
Co-founder & CTO at Cysense
Security Partner at Square
2. Docker Boundaries, Google Bounties, 2021’s Top Web Hacks, Apple AirTags, AI vs. RFCs – 01:00 PM-01:30 PM
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
We have a few webcasts coming up soon. First, join us February 16th to learn about validation techniques within applications. Then join us March 2nd to learn five things you can do to catch more bad guys! Finally, join us March 10th for an intro to KQL queries! To register for these webcasts visit https://securityweekly.com/webcasts. Don’t forget to check out our library of on-demand webcasts & technical trainings at https://securityweekly.com/ondemand.
In the AppSec News: Docker and security boundaries, Google’s year in vuln awards, 2021’s year in web hacks, Apple AirTags and privacy, turning AIs onto RFCs for security, & facial recognition research!
State of Software Security v12 – February seems to be the month when everyone’s reflecting on appsec in 2021. The first article in this vein is the new State of Software Security report from Veracode. As the report notes, scanning of one form or another (SAST, DAST, SCA) has shifted in frequency from two to three times a year per app to a majority of apps being scanned three times a week. So, there’s a positive step in the adoption of security tools. Of course, just using a tool doesn’t create a security culture, but tools can contribute to the practices around securing apps. The report also points out that the half-life of third-party flaws (i.e., the time to close 50% of flaws) has shrunk since 2017. Unfortunately, that half-life has gone from about three years to about one — so maybe it’s a mixed success.
Heads up that this is one of those PDF reports that’s behind a registration wall.
Top 10 web hacking techniques of 2021 – James Kettle and the folks at PortSwigger look back on their favorite web hacking techniques of 2021. No surprise that HTTP Request Smuggling is on the list (deservedly so), with the twist that 2021 saw research into how HTTP/2 and HTTP/3 implementations may be susceptible when they downgrade to HTTP/1 to deal with backend servers that haven’t yet upgraded.
Cache poisoning and OAuth attack vectors are two other items that stand out. In fact, even though XSS is on the list, it’s quite refreshing to see something that doesn’t look like a rehash of the OWASP Top 10. (Of course, many of them could still map into that list.) There are some interesting new attack surfaces being discovered within Exchange and, as we’ve seen with request smuggling, still plenty of implementation details and edge cases to poke at for flaws.
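The downgrade problem mentioned above is worth seeing concretely from the defender’s side. What follows is an added example, not code from the episode or from PortSwigger’s research: the validation an HTTP/2 front end should apply before it rewrites a request as HTTP/1.1 for a backend that hasn’t upgraded. The function and class names (downgrade_h2_headers, rejects, DowngradeError) and the sample request are my own; the rules enforced come from RFC 9113 section 8.2.2 (no connection-specific fields such as transfer-encoding, te limited to “trailers”) plus the observation that a CR/LF inside a field, whitespace in the request target, or a Content-Length that disagrees with the body the front end actually received are exactly the ambiguities the backend would resolve differently.

```python
import re
from typing import Dict, List, Tuple

# Header fields that RFC 9113 (HTTP/2), section 8.2.2, forbids in h2 requests.
# They are connection-specific: an HTTP/1.1 back end would honour them and
# could disagree with the front end about where one request ends and the
# next begins, which is the root of the downgrade desync problem.
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                       "transfer-encoding", "upgrade"}

# RFC 9110 token characters, lowercase as h2 requires; an optional leading
# colon marks a pseudo-header such as :method or :path.
_NAME_RE = re.compile(r"^:?[!#$%&'*+\-.^_`|~0-9a-z]+$")
_METHOD_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_CTRL = {"\r", "\n", "\0"}


class DowngradeError(ValueError):
    """The h2 request cannot be expressed unambiguously in HTTP/1.1."""


def _check_field(name: str, value: str) -> None:
    # h2 carries names and values as length-prefixed octets, while h1 delimits
    # them with CRLF. A CR or LF that survives the downgrade turns one h2
    # request into two h1 requests on the back end.
    if not _NAME_RE.match(name):
        raise DowngradeError(f"illegal header name {name!r}")
    if _CTRL & set(value):
        raise DowngradeError(f"control character in value of {name!r}")
    if name in CONNECTION_SPECIFIC:
        raise DowngradeError(f"connection-specific header {name!r} not allowed")
    if name == "te" and value != "trailers":
        raise DowngradeError("te may only be 'trailers' in HTTP/2")


def downgrade_h2_headers(headers: List[Tuple[str, str]], body_len: int) -> bytes:
    """Build the HTTP/1.1 request head for a decoded h2 HEADERS block.

    headers:  decoded (name, value) pairs in wire order.
    body_len: bytes actually received in DATA frames; the only length the
              emitted Content-Length is ever allowed to state.
    """
    pseudo: Dict[str, str] = {}
    fields: List[Tuple[str, str]] = []
    for name, value in headers:
        _check_field(name, value)
        if name.startswith(":"):
            if fields:
                raise DowngradeError("pseudo-header after a regular header")
            if name in pseudo:
                raise DowngradeError(f"duplicate pseudo-header {name}")
            pseudo[name] = value
        else:
            fields.append((name, value))

    for required in (":method", ":scheme", ":authority", ":path"):
        if required not in pseudo:
            raise DowngradeError(f"missing pseudo-header {required}")
    method, path, authority = pseudo[":method"], pseudo[":path"], pseudo[":authority"]
    # Whitespace in the method, target or authority would let a client rewrite
    # the h1 request line or Host line, so none of it is tolerated.
    if not _METHOD_RE.fullmatch(method) or method == "CONNECT":
        raise DowngradeError(f"unsupported method {method!r}")
    if not path or any(c.isspace() for c in path):
        raise DowngradeError(f"illegal :path {path!r}")
    if not authority or any(c.isspace() for c in authority):
        raise DowngradeError(f"illegal :authority {authority!r}")

    out = [f"{method} {path} HTTP/1.1", f"Host: {authority}"]
    for name, value in fields:
        if name == "host":
            if value != authority:
                raise DowngradeError("host header disagrees with :authority")
            continue  # Host is emitted once, from :authority
        if name == "content-length":
            # Only a single canonical decimal equal to the observed body size is
            # acceptable; anything else (non-numeric, leading zeros, a value
            # larger than the body) is a desync attempt or a broken client.
            if not re.fullmatch(r"0|[1-9][0-9]*", value) or int(value) != body_len:
                raise DowngradeError(f"content-length {value!r} != {body_len}-byte body")
            continue  # the front end states the length it verified itself
        out.append(f"{name}: {value}")
    out.append(f"Content-Length: {body_len}")
    return ("\r\n".join(out) + "\r\n\r\n").encode("latin-1")


def rejects(headers: List[Tuple[str, str]], body_len: int) -> bool:
    """True if the downgrade refuses the request (handy for tests and demos)."""
    try:
        downgrade_h2_headers(headers, body_len)
    except DowngradeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a benign POST, then the same request carrying the
    # kinds of fields a downgrade must refuse rather than forward.
    base = [(":method", "POST"), (":scheme", "https"), (":authority", "app.example"),
            (":path", "/api"), ("content-type", "application/json"), ("content-length", "7")]
    print(downgrade_h2_headers(base, 7).decode())
    for extra in [("transfer-encoding", "chunked"),
                  ("x-note", "a\r\nTransfer-Encoding: chunked"),
                  ("content-length", "100")]:
        print(extra, "rejected:", rejects(base + [extra], 7))
```

The design choice that matters is that the front end never forwards the client’s framing headers at all: it drops transfer-encoding outright and replaces content-length with the byte count it observed on the wire, so the backend cannot be given a length the front end didn’t itself verify. Emitting Content-Length: 0 on bodiless requests keeps the framing explicit; a deployment that prefers to omit it can drop that line for methods without a body.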
Vulnerability Reward Program: 2021 Year in Review – Google has released some numbers around the activity of their vulnerability reward program for 2021. Overall, paying out $8.7 million seems like a good investment to keep widely used apps like Android and Chrome secure. They’ve only published total payouts and participants, which points to average payouts in Android of around $25K and close to $29K for Chrome. It’d be interesting to know the median reward since the highest payout was $157K.
One neat aspect is seeing the Chrome Fuzzing program get attention and success, with one report earning $16K.
Being Google, this got lots of news coverage (obviously from us as well!). Here are some more articles about it:
Apple plans to make finding unwanted AirTags easier – Apple understandably received a lot of scrutiny for its AirTags when they were first released. While the underlying concept predated Apple, the scale of devices that enabled the tracking was an immense leap. And even if iPhones tracked the AirTags in a privacy-preserving manner — that privacy was focused on the owner of the tag. This also meant that threat models for AirTags needed to consider stalking or unwanted tracking. On the technical side, it also touches on hardware (anti-tampering), software (interoperability for users outside of the Apple device ecosystem), and notification design (sound, on-device alerts).
The primary concern here is individuals being tracked without their knowledge. But there can be other unexpected uses of AirTags. Back in January, there was an article about an activist who used an AirTag to attempt to identify offices associated with a German intelligence agency — they mailed it to one address and tracked all the points where the package was being handled. It’s not clear how successful and correct the end results were for that specific instance, but the idea has a sound principle to it. Check out the article, with links to the activist’s blog (in German), at https://appleinsider.com/articles/22/01/25/apples-airtag-uncovers-a-secret-german-intelligence-agency
Read Apple’s update on AirTags at https://www.apple.com/newsroom/2022/02/an-update-on-airtag-and-unwanted-tracking/
You can find more resources on concerns, countermeasures, and policy around hardware and software tracking at https://stopstalkerware.org
Automated attack synthesis by extracting protocol FSMs from RFCs – We’re diving into quite a different type of article with this one. It has state machines, which we talked about a bit in episode 182, and AI, which we haven’t really talked about other than to question whether the form of AI involved regexes or if statements.
Yet here we have some pretty cool research that uses Natural Language Processing (NLP) to analyze a protocol’s RFC in order to create an implementation of that protocol (its state machine) and then fuzz the protocol for security flaws. The concept is clever and, despite a description like “NLP on an RFC to create an FSM for Korg”, it looks like a worthy investment.
The approach still hasn’t earned its first bounty and it still relies on humans to correct the RFC to state machine translation. But a tool that leads to clearer documentation and reasoning about a protocol is already useful. And one that can turn text into code into “attacker simulation” is one that’s going to get better over time.
Plus, as fans of synthwave, we don’t want to miss any reference to Korg — especially when the open source tool “is named after the KORG MicroKorg synthesizer, which has a dedicated attack knob.”
The first section likely won’t be too informative unless you’re familiar with browser engines. Instead, skip to the “Exploitation & Mitigations” section for a nice summary and observations on the past and future of exploits and hardening that browsers have been doing over the years.
The con posts recordings, so we’ll bring you an update once this one appears. In the meantime, check out these two presentations from 2020.
– Keynote from Halvar Flake, https://youtu.be/8QRnOpjmneo
– Talk from Maddie Stone, https://youtu.be/TAwQ4ezgEIo
Biometric Hacking: Face Authentication Systems – This hacking is particularly fun to read about because of how physical the test harness is — pictures, 3D printing, good lighting, and lots of clamps to hold everything in place. It’s quite a different world from URLs and dropping alert() popups everywhere. Both those worlds have an important place in appsec, but we tend to not talk about the hardware side of things as much.
It’s also a chance to revisit threat models and talk about the appropriate times to balance security and convenience, putting choices into informed users’ hands, and realizing different people have different threat models.
For once we have a PDF that isn’t behind a registration wall. Check out the blog and if you’re curious about the details, read the report at https://act-on.ioactive.com/acton/attachment/34793/f-3ddfff76-d7d8-47e6-8b07-e4d4ee841008/0/-/-/-/-/IOA-wp-FacialRecognition.pdf