We can create top 10 lists and we can count the vulns that scanners and pen tests find, but those aren’t effective metrics for understanding and improving an appsec program. So, what should we focus on? How do we avoid the trap of collecting the metrics that are easy to gather and shift to metrics that teams have clear ways to influence?
2. OAuth Tokens Taken, Vulns in Medical IoT, Scoring a Proactive Security Culture – 01:00 PM-01:30 PM
OAuth tokens compromised, five flaws in a medical robot, lessons from ASN.1 parsing, XSS and bad UX, proactive security & engineering culture at Chime
GitHub also discussed a security issue in Git that primarily affects Windows users, which is unrelated to the stolen token issue. It’s not exactly a path traversal flaw in the sense of breaking out of a subdirectory, but it does touch on the nuances of walking up the directory tree to find a repository and what the desired behavior is when ownership changes along the way: git looks for a `.git` directory in each parent of the current directory, so on a shared machine another user who controls a parent directory can plant a repository whose config git will honor. Check it out at https://github.blog/2022-04-12-git-security-vulnerability-announced/
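To make the "walking up the tree" nuance concrete, here is an added Python model of git-style repository discovery with and without an ownership check. It is example code written for these notes, not git’s or GitHub’s implementation: the `discover_repo` function, the injected `owner_of` lookup and the uid values 1000/1001 are assumptions, and the directory layout is constructed in a temp directory. The ownership check is modeled on the approach git adopted in its fix, where a repository owned by another user is refused unless it is explicitly marked safe.

```python
import os
import tempfile
from pathlib import Path


def discover_repo(start, current_uid, owner_of=lambda p: os.stat(p).st_uid,
                  safe_directories=(), enforce_ownership=True):
    """Walk upward from `start` until a directory containing `.git` is found,
    the way git locates its repository from any subdirectory.

    With enforce_ownership=True the discovered directory must belong to the
    caller (or be listed in safe_directories); otherwise PermissionError is
    raised instead of silently trusting another user's repository config.
    """
    here = Path(start).resolve()
    for directory in (here, *here.parents):
        if not (directory / ".git").is_dir():
            continue
        if (enforce_ownership and owner_of(directory) != current_uid
                and str(directory) not in safe_directories):
            raise PermissionError(
                f"unsafe repository: {directory} is owned by uid {owner_of(directory)}")
        return directory
    return None


def demo():
    """Constructed layout: <tmp>/shared/.git is owned (per an injected owner
    table, an assumption for the demo) by uid 1000 while the caller is uid 1001
    working in <tmp>/shared/project."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp).resolve() / "shared"
        (shared / ".git").mkdir(parents=True)
        project = shared / "project"
        project.mkdir()
        owners = {shared: 1000}                       # everything else: the caller
        owner_of = lambda p: owners.get(p, 1001)
        me = 1001

        # Unpatched behaviour: any .git found on the way up is trusted,
        # including its config (hooks, core.* settings) chosen by uid 1000.
        results["naive"] = discover_repo(
            project, me, owner_of, enforce_ownership=False) == shared

        # Hardened behaviour: a repository owned by someone else is refused...
        try:
            discover_repo(project, me, owner_of)
            results["hardened_refuses"] = False
        except PermissionError:
            results["hardened_refuses"] = True

        # ...unless the caller has explicitly marked that directory as safe.
        results["safe_directory"] = discover_repo(
            project, me, owner_of, safe_directories=(str(shared),)) == shared
    return results


if __name__ == "__main__":
    print(demo())
```

Running it prints `{'naive': True, 'hardened_refuses': True, 'safe_directory': True}`: the naive walk happily returns the other user’s repository, while the hardened walk only does so once that directory is trusted explicitly.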
For others, even if the details seem incomprehensible, the article raises some good points that apply more generally to application development. For example, one of the observations on how these flaws occur “comes down to a combination of ambiguous descriptions in academic papers and a general lack of guidance around these protocols.” The easy summary of that is “needs more documentation”, but the more effective summary is “needs clear communication for developers” — and that’s a topic we revisit on lots of episodes.
But closer to 2022, IoT in the medical space still has flaws related to XSS, passwords stored as MD5 hashes (!?), and an overall lack of strong authentication. Kudos to Cynerio for a nice write-up that explains the flaws without overhyping them *and* provides a more detailed PDF without requiring a signup to a marketing list first. Check it out at https://www.cynerio.com/blog/cynerio-discovers-and-discloses-jekyllbot-5-a-series-of-critical-zero-day-vulnerabilities-allowing-attackers-to-remotely-control-hospital-robots
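The MD5 point deserves a side-by-side, so here is an added Python example (written for these notes, not code from Cynerio or from the devices they analyzed) showing why an unsalted MD5 password store falls to a precomputed table while a salted, memory-hard KDF from the standard library does not. The `COMMON_PASSWORDS` list and the scrypt parameters are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo data: a tiny "precomputed" table of MD5 digests for common
# passwords, the kind an attacker builds once and reuses against any unsalted
# MD5 store. Real tables cover billions of candidates.
COMMON_PASSWORDS = ["123456", "password", "admin", "robot1"]
MD5_LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# scrypt cost parameters (assumed for the demo; tune to your hardware budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_md5(password):
    """Insecure: fast, unsalted hash. Equal passwords produce equal digests and
    a precomputed table recovers them instantly."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(stored_digest):
    """What an attacker does with a dumped MD5 column: one dictionary lookup."""
    return MD5_LOOKUP.get(stored_digest)


def store_scrypt(password, salt=None):
    """Hardened: per-user random salt plus a memory-hard KDF. Persist both."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, key


def verify_scrypt(password, salt, key):
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, key)   # constant-time comparison


def demo():
    pw = "admin"
    cracked = crack_md5(store_md5(pw))            # recovered straight from the table
    salt, key = store_scrypt(pw)
    salt2, key2 = store_scrypt(pw)                # same password, fresh salt
    return {
        "md5_cracked": cracked == pw,
        "scrypt_verifies": verify_scrypt(pw, salt, key),
        "scrypt_rejects_wrong": not verify_scrypt("Admin", salt, key),
        "scrypt_salted_differs": key != key2,     # no cross-user table possible
    }


if __name__ == "__main__":
    print(demo())
```

The last line of the result is the important one for a fleet of identical devices: with a per-user salt, two robots sharing the same default password no longer share the same stored value, so one cracked entry says nothing about the rest.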
CVE-2021-30737, @xerub’s 2021 iOS ASN.1 Vulnerability – ASN.1 parsing is notoriously prone to errors and abuse that lead to security issues. This article actually covers a flaw from 2021, but its appeal is in the type of questions it poses rather than merely a technical review of the flawed code. One question is whether, or how, fuzzing could have found this issue. Another relates to the wisdom of forking code and the kinds of flaws or missed patches that can creep into forks, even well-maintained ones.
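As an added illustration of why ASN.1 decoders go wrong, here is a minimal DER tag-length-value reader in Python, written for these notes and unrelated to the iOS code the article examines. It spells out the checks a careless decoder skips (truncated length bytes, non-minimal DER lengths, and a length that runs past the buffer, the overread that in a C decoder turns into an out-of-bounds read or a wrapped pointer) and runs it over a few constructed inputs of the kind a fuzzer produces within seconds. `read_tlv`, `parse_sequence` and the sample byte strings are all assumptions for the demo.

```python
def read_tlv(buf, offset=0):
    """Read one DER TLV starting at buf[offset]; return (tag, value, next_offset).
    Every place a careless decoder overreads or accepts ambiguous encodings is
    checked explicitly. Multi-byte tags are out of scope for this minimal reader."""
    n = len(buf)
    if offset >= n:
        raise ValueError("truncated: no tag byte")
    tag = buf[offset]
    offset += 1
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    if offset >= n:
        raise ValueError("truncated: no length byte")
    first = buf[offset]
    offset += 1
    if first < 0x80:
        length = first                                   # short form
    else:
        num = first & 0x7F                               # long form: number of length bytes
        if num == 0:
            raise ValueError("indefinite length is not DER")
        if num > 4:
            raise ValueError("length-of-length too large")   # would overflow a 32-bit size_t
        if offset + num > n:
            raise ValueError("truncated: length bytes")
        length = int.from_bytes(buf[offset:offset + num], "big")
        offset += num
        # DER requires the shortest encoding; ambiguity here is a classic source of
        # parser differentials between two implementations of the same format.
        if length < 0x80 or length < (1 << (8 * (num - 1))):
            raise ValueError("non-minimal length encoding")
    # Compare against the remaining bytes rather than computing offset + length,
    # which is exactly the expression that wraps in a C decoder.
    if length > n - offset:
        raise ValueError("truncated: value")
    return tag, buf[offset:offset + length], offset + length


def parse_sequence(buf):
    """Decode a top-level SEQUENCE into a list of (tag, value) children."""
    tag, body, end = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    if end != len(buf):
        raise ValueError("trailing data after SEQUENCE")
    items, off = [], 0
    while off < len(body):
        child_tag, value, off = read_tlv(body, off)
        items.append((child_tag, value))
    return items


def demo():
    # Constructed inputs. good = SEQUENCE { INTEGER 5, OCTET STRING "hi" }.
    good = bytes.fromhex("300702010504026869")
    results = {"good": parse_sequence(good)}
    malformed = {
        "inner_overread": "300702010504056869",    # inner length 5, only 2 bytes left
        "non_minimal_length": "30810702010504026869",  # 0x81 0x07 instead of 0x07
        "huge_length": "3084ffffffff",             # 4 GiB claimed, 0 bytes present
    }
    for name, hexstr in malformed.items():
        try:
            parse_sequence(bytes.fromhex(hexstr))
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Each rejected input above maps to a question the article raises: a coverage-guided fuzzer finds the overread cases almost immediately if the harness feeds raw bytes to the decoder, while the non-minimal-length case is a semantic rule that fuzzing only catches when the harness compares two decoders or checks round-trips, which is one reason forks of the same parser quietly diverge.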
Monocle: How Chime creates a proactive security & engineering culture (Part 1) – This article walks through the creation of metrics that inform teams about a security topic followed by a set of concrete actions those teams can take to improve their scores against the metrics. It’s nice to see a team talking about metrics in a way that keeps them simple and ties them to things a team can influence.