asw186

Application Security Weekly Episode #186 – February 28, 2022

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Integrating Appsec Tools for DevOps Teams – 12:30 PM-01:00 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

DevOps teams have often been underserved by security tools. Modern appsec solutions need to fit within the existing workflows related to how software is built and deployed. But just dropping a tool into that pipeline isn’t sufficient — there are apps that haven’t migrated to modern build processes or framework and many cloud-native apps demand different approaches to deployment. We’ll cover the different approaches to adapting security tools to the needs of the developers.

This segment is sponsored by Contrast Security. Visit https://securityweekly.com/contrast to learn more about them!

Guest(s)

Steve Wilson

Steve Wilson – Chief Product Officer at Contrast Security

Steve is currently the Chief Product Officer at Contrast Security. Today his team is responsible for Engineering, Product Management and Product Design for all products.

Steve has over 25 years of experience developing and marketing products at multi-billion-dollar technology companies such as Citrix, Oracle and Sun Microsystems. Prior to Contrast, Steve was the Vice President of Product Management for Citrix Cloud where he led the transformation of Citrix products from traditional on-prem to SaaS. At Oracle, he led core engineering for a billion-dollar product line of systems management software. During his time at Sun Microsystems, Steve was an early member of the team that developed the Java computer programming system, the most widely used set of software development tools in history.

Steve is the author of “Java Platform Performance: Strategies and Tactics” and “The Father/Daughter Guide to Cryptocurrency Mining.” He is a popular speaker on future of work and artificial intelligence topics and has recently presented at The Churchill Club, Silicon Valley Leadership Group, DLA Piper Global Technology Summit, IDG Agenda, SAP TechEd and WSJ Tech D.Live. He holds a degree in Business Administration from the University of San Diego and a second-degree black belt from the American Taekwondo Association.

Hosts

JohnKinsella

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

MikeShema

Mike Shema

@Codexatron

Security Partner at Square

2. Bug Bounty Costs, GitHub’s Advisory Database, ICS Vulns of 2021, CNCF Secure Software – 01:00 PM-01:30 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • We have a couple webcasts coming up soon. First, join us March 2nd to learn five things you can do to catch more bad guys! Live attendees will have the chance to win a $100 gift card to Hacker Warehouse. Then join us March 10th for an intro to KQL queries! To register for these webcasts visit https://securityweekly.com/webcasts. Don’t forget to check out our library of on-demand webcasts & technical trainings at https://securityweekly.com/ondemand.

Description

Salesforce reveals their bounty totals for 2021, GitHub opens its advisory database for collaboration, a year in review of ICS vulns, automating WordPress plugin security analysis, the Secure Software Factory from CNCF, Samsung’s encryption mistakes, filling in the missing semester of Computer Science

Hosts

JohnKinsella

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

  1. Gitbleed allows access to seemingly deleted code, credentials
  2. Is MFA less effective than it used to be? – Interesting to see this getting covered in a non-industry publication (although Slate Future Tense is their emerging tech sub-platform). Part of this is how the numbers are being reported, and partially the malicious actors are getting better at bypassing 2fa
MikeShema

Mike Shema

@Codexatron

Security Partner at Square

  1. Salesforce paid more than $2.8 million in 2021 bug bounties, $12.2 million since 2015 – Yes, another bit of marketing about how much a company has spent on bounties. (We covered Google’s VRP and its $8.7M payouts in 2021 two episodes ago.) Overall, having bounty programs that build collaboration with researchers is a positive thing. The quick stat here is that Salesforce’s $2.8M payout for 4,700 vulns works out to an average of ~$600 per vuln. It’d be interesting to know what the media payout was.

    The other side of these programs that we haven’t seen reported by organizations is the money and time invested in fixing these vulns. Does Salesforce or Google (or any other program) track the time or costs associated with fixing vulns? Do they conduct postmortems on whether a vuln could or should have been found by internal tools? Was a vuln easily found by a tool that a researcher ran that the org should have been running? For more mature programs like Google’s, it’s more likely that these vulns stem from clever manual analysis. But in any case, we’d be curious to understand the different trade-offs in investing resources in bounty programs vs. investing in development tools and processes — after all, this latter part is where the open source ecosystem is currently struggling.

    Read the announcement from Salesforce at https://www.salesforce.com/news/stories/why-salesforce-paid-hackers-2-8m-in-2021-to-break-into-its-products/

  2. GitHub Opens Security Database to Community Contributions – It’s cool to see a framework, even one as simple as a git repo, for collaborating to improve CVE write-ups and recommendations.

    It also might (emphasis on might) be a model for curating cloud vulnerabilities — vulns in configurations, services, or older versions within cloud service providers’ environments. That’s something that wiz.io brought up and that John has talked about in an episode or two.

    Read GitHub’s announcement at https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/

    Find the wiz.io discussion about the need for tracking cloud vulns at https://blog.wiz.io/security-industry-call-to-action-we-need-a-cloud-vulnerability-database/

  3. 2021 ICS Cybersecurity Year in Review – We’re still in the timeframe of “year in review” articles about 2021. This is a good summary of security around industrial control systems and operational technology — the non-consumer side of embedded systems.

    One thing that stands out is how the quality of advisories leaves plenty of room for improvement. According to the review, 38% of advisories had incorrect data, 24% had not patch available and of those with no patch available 19% didn’t even include mitigations. This quality of vuln information and guidance on patches and mitigating controls falls squarely onto an appsec role. It’s an interesting metric to consider for the industry as a reflection of how well it is — or isn’t — serving its customers.

  4. A technique to semi-automatically discover new vulnerabilities in WordPress plugins – This might only be the second or third mention of WordPress in the past two years. Typically, stories about yet another flaw in a WordPress plugin are generic, far too common, and far too unsurprising. The core WordPress remains relatively secure, but its plugin architecture too easily exposes the system to high-impact vulns.

    This article stood out because it’s about a tool and process to identify classes of vulns that appear in WordPress plugins. For example, rather than launch a bounty to go after these kinds of vulns, having a tool like this helps the approach scale better and to be a self-serve mechanism for plugin developers. That’s the kind of evolution we love to see in the appsec space.

    Check out the repo at https://github.com/kazet/wpgarlic

  5. The Secure Software Factory – The initial content on this link is deceptively simple: securing how software is built. Then you dive into the white papers it’s based on and you realize how complex and how much effort goes into security a CI/CD pipeline. Even if you’re not using many of the CNCF projects noted in the reference project (or even if you don’t even recognize some of the names), the principles behind this are universally applicable.

    A few key items that stand out are deploying MFA for all developers (with FIDO2 keys only), using short-term SSH certs/keys for access to repos and prod systems, and requiring signed commits are just simple starters for securing some of the human element in creating software. Then there’s the software integrity and authenticity validation throughout the build and deploy steps. And then there’s the third-party security that includes SBOMs and SCA.

    Read the related white paper at https://docs.google.com/document/d/1FwyOIDramwCnivuvUxrMmHmCr02ARoA3jw76o1mGfGQ/edit

  6. The Missing Semester of Your CS Education – We’re always interested in finding more educational resources on basics of appsec, software development, or modern toolchains. Here’s a group of lectures and freely available resources that touches on each of those topics.
  7. Samsung Shattered Encryption on 100M Phones – One of the challenges in high-level security recommendations like the OWASP Top 10 is that cryptographic failures can be subtle. At a glance, Samsung made good cryptographic choices like using AES-GCM, but then made a fatal mistake of reusing IVs. This highlights an area where subject matter expertise and careful analysis is extremely important. It’s one of those chances where even appsec practitioners should be comfortable saying, “I don’t know” when they approach a topic and search out experts who can apply the scrutiny necessary to review foundational cryptographic components.

    Read the research paper at https://eprint.iacr.org/2022/208.pdf

  8. Digital Security on Twitter: Advice for those in conflict zones or other high-risk areas – Appsec is not even close to the central part of the story in the Ukraine conflict. It’s important to keep that perspective in mind when considering what areas of appsec, if any, might be relevant to the conflict and protests.

    Social media platforms like Twitter and Meta (Facebook) have provided guidance to users for protecting both the security and privacy of their accounts. This is important for individuals fleeing, reporting, or protesting within Ukraine or high-risk areas. This is when personal threat models can suddenly change and individuals need tools to protect themselves, whether it’s via secure messaging or protecting their profiles. When companies reach these scale of users and become tools within these situations, it’s their responsibility to understand how to best enable users to protect themselves on these sites and make those capabilities simple to understand and implement. In that respect, appsec becomes relevant in terms of threat modeling, establishing security requirements, and having clear communications.

    Here’s another Twitter thread on steps Meta provides for protecting profiles: https://twitter.com/ngleicher/status/1497417241947607043