
Application Security Weekly Episode #189 – March 21, 2022

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Helping Secure OSS Software – 12:30 PM-01:00 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

– Past research such as JNDI Injection, Unsafe deserialization, Struts RCEs

OSS security: CodeQL, Dependabot, collaboration between researchers and developers, OWASP Top Ten Proactive Controls, CVD for OSS

Segment Resources:
– [Write more secure code with the OWASP Top 10 Proactive Controls](https://github.blog/2021-12-06-write-more-secure-code-owasp-top-10-proactive-controls/)

– [An analysis on developer-security researcher interactions in the vulnerability disclosure process](https://github.blog/2021-09-09-analysis-developer-security-researcher-interactions-vulnerability-disclosure/)

– [Building security researcher and developer collaboration](https://www.securitymagazine.com/articles/97066-how-to-build-security-researcher-and-software-developer-collaboration)

– [Coordinated vulnerability disclosure (CVD) for open source projects](https://github.blog/2022-02-09-coordinated-vulnerability-disclosure-cvd-open-source-projects/)

– [GitHub Advisory Database now open to community contributions](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)

– [Blue-teaming for Exiv2: creating a security advisory process](https://github.blog/2021-11-02-blue-teaming-create-security-advisory-process/)

Guest(s)


Alvaro Munoz – Principal Security Researcher at GitHub

@pwntester

Alvaro Muñoz works as Principal Security Researcher with the GitHub Security Lab team. Previously he worked as an Application Security Consultant helping top enterprises deploy their application security programs. He is passionate about web application security, where he has focused most of his research. Muñoz has presented at many security conferences, including BlackHat, DEFCON, RSA, OWASP AppSec EU and US, and JavaOne, among others, and holds several infosec certifications, including OSCP, GWAPT, and CISSP.

Hosts


John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense


Lee Neely

@lelandneely

Information Assurance APL at Lawrence Livermore National Laboratory

2. A Great Escape, Peace Not War, & How to Burp Good – 01:00 PM-01:30 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Join us April 14th to learn how to monitor your wifi network for attacks with Nzyme, a free and open source wireless intrusion detection system, with Lennart Koopmann, hosted by Larry Pesce and Paul Asadoorian. Then, join Alan Stacilauskas and hosts Tyler Robinson and Paul Asadoorian on April 21st to learn how to gain visibility into your enterprise with SYSMON. Live attendees at both of these webcasts will have the chance to win a $100 Hacker Warehouse gift card! Register at securityweekly.com/webcasts. Don’t forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Description

This week in the AppSec News: A great escape isn’t always as great as it sounds, Solana cryptocurrency logic isn’t always as great as intended, some people’s idea of “peace” isn’t that great at all, and some great security suggestions for package maintainers.

Hosts


John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

  1. Solana vulnerability ELI5 – Often with cryptocurrencies, things are so complex that it can be difficult to unravel exactly what a vulnerability is and how it’s exploited, especially for those of us who are not really into crypto. Here’s a simple Reddit post that plainly describes a recent vuln on Solana.
  2. OpenSSL bug could result in client DoS – A bug in the function for computing modular square roots in OpenSSL could result in a client-side DoS for elliptic curve public keys crafted with invalid parameters. Of note, this function is used to provide support for elliptic curve keys of arbitrary length.
  3. Security for package maintainers – We talk about open source supply chain security, but here’s a post talking through what that means to a maintainer of Python packages.
  4. How to burp good – At least for me, when I use Burp Suite I’m almost always just using a tiny fraction of its capabilities. While several years old, here’s a post with some good suggestions on how to get more out of Burp. (h/t tl;drsec)
  5. Peacenotwar module brings not-peace to vue community – A developer decided to protest the war in Ukraine by modifying an npm package he maintains to target systems in Russia that attempt to use the package.

    What can node do about this? Should maintainers lose all privileges when they pull a stunt like this?

  6. Cr8escape vulnerability in cri-o comes from new functionality – In version 1.19 of cri-o – one of the container runtimes used with Kubernetes – functionality was added to allow a user to pass sysctl settings when creating a container. With this feature, any sysctl options were accepted without filtering or validation.

    As a PoC, the researchers show modifying the kernel configuration for what to do during a core dump (run a malicious program).
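One way a runtime could filter such a sysctl pass-through before it reaches the kernel, as an added example in Go (not cri-o's own code or fix; the allowlist contents, the prefix list and the helper names are assumptions chosen for illustration):

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed example allowlist (not cri-o's or Kubernetes' real policy):
// exact namespaced keys, plus whole subtrees by prefix.
var allowedSysctls = map[string]bool{
	"kernel.shm_rmid_forced":              true,
	"net.ipv4.ip_unprivileged_port_start": true,
}
var allowedPrefixes = []string{"net.ipv4.", "net.ipv6."}

// A sysctl name is a dotted identifier; slashes, "..", spaces are rejected.
var sysctlName = regexp.MustCompile(`^[a-z0-9_]+(\.[a-z0-9_]+)+$`)

func isAllowed(name string) bool {
	if allowedSysctls[name] {
		return true
	}
	for _, p := range allowedPrefixes {
		if strings.HasPrefix(name, p) {
			return true
		}
	}
	return false
}

// ValidateSysctls returns nil if every requested sysctl is permitted, else an
// error naming the first offending key (e.g. kernel.core_pattern is refused).
func ValidateSysctls(requested map[string]string) error {
	for name, value := range requested {
		if !sysctlName.MatchString(name) {
			return fmt.Errorf("sysctl %q: malformed name", name)
		}
		if strings.ContainsAny(value, "\n\x00") {
			return fmt.Errorf("sysctl %q: value contains control characters", name)
		}
		if !isAllowed(name) {
			return fmt.Errorf("sysctl %q: not in allowlist", name)
		}
	}
	return nil
}

func main() {
	fmt.Println(ValidateSysctls(map[string]string{"kernel.core_pattern": "core"}))
}
```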


Lee Neely

@lelandneely

Information Assurance APL at Lawrence Livermore National Laboratory