asw194

Application Security Weekly Episode #194 – April 25, 2022

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. What Does Software Supply Chain Security Threat Mean to Developers? – 12:30 PM-01:00 PM

Announcements

  • Security Weekly listeners, save $100 on your RSA Conference 2022 Full Conference Pass! RSA Conference will be live in San Francisco June 6th-9th, 2022. Security Weekly will be there in full force, delivering real-time, live coverage and interviewing some of the event’s top speakers and sponsors. To register using our discount code, please visit https://securityweekly.com/rsac2022 and use the code 52UCYBER. We hope to see you there!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

How should we empower developers to embrace the NIST software development practices? Because from here on out, developers need to view themselves as the front lines of defense for the end-consumer. A more secure-aware developer leads to a more-protected consumer. Dr. Wang will offer her perspectives on the above question as well as address:
– How companies can set their developers up for security success
– The importance of implementing micro-learnings
– What should CISOs’ expectations be of developers and developers’ expectations of CISOs after Feb. 6 and beyond?
– How corporate boards should be aware of implications of developer’s pervasive development and software security and how they should work together

Guest(s)

Dr. Chenxi Wang

Chenxi Wang – Managing General Partner at Rain Capital

@chenxiwang

Dr. Chenxi Wang is the Founder and General Partner of Rain Capital, a Silicon Valley-based venture fund focused on Enterprise Software and Cybersecurity investments. A well-known operator, technologist, and thought leader in the Cybersecurity industry, Dr. Wang is a member of the Board of Directors for MDU Resources, a Fortune 500 company. Previously, Chenxi was Chief Strategy Officer at Twistlock, VP of strategy for Intel Security, and VP of research for Forrester. Chenxi was recognized as a Women-of-Influence by the SC Magazine, Women Tech Founders, and Cyber Risk alliance.

Chenxi’s career began as a faculty member at Carnegie Mellon University, where she helped found the Cybersecurity Lab of Carnegie Mellon. Chenxi is a trusted advisor to IT executives and a sought-after keynote speaker. She has headlined events worldwide and been featured by top media outlets for her thought leadership work. Chenxi is a Forbes contributor and writes a column for Dark Reading. Chenxi holds a Ph.D. in Computer Science from the University of Virginia.

Hosts

JohnKinsella

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

MikeShema

Mike Shema

@Codexatron

Security Partner at Square

2. Java’s ECDSA for Nought, Writing a Kernel RCE, Okta’s Conclusion, Log4Shell Hot Patch – 01:00 PM-01:30 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Join Paul Asadoorian and Rich Mogull on May 4th to learn how to choose the right architecture for your application. Live attendees at this webcast will have the chance to win a $100 Hacker Warehouse gift card! Register at securityweekly.com/webcasts. Don’t forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Description

Java’s ECDSA implementation is all for nought, writing a modern Linux kernel RCE, lessons learned from the Okta breach, lessons repeated from a log4shell hot patch, a strategy for bug bounties, Microsoft finally disables SMB1

Hosts

JohnKinsella

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

  1. Psychic Signatures in Java… – This is starting to turn into the year of Java insecurities…

    In a nutshell, the Java team rewrote some of the crypto code in native Java from it’s previous C++. They failed to do a critical check on the signature (r,s): If r and s are set to 0, basically any message signed with that signature is considered valid – for any public key.

  2. New XSS Vectors – …in which Gareth Heyes figures out how to use that little highlight around an active button in your browser for XSS.

    And the SVG animate example? *chefs kiss*

MikeShema

Mike Shema

@Codexatron

Security Partner at Square

  1. CVE-2022-21449: Psychic Signatures in Java – A vuln worth covering twice in the show notes! John noted the flaw — the r and s components of an ECDSA signature should be greater than or equal to one. But there’s also an unfortunate aspect of this story about why the flaw came about. Java developers decided to rewrite a C++ implementation of the algorithm into Java, which in theory is a reasonable decision to reduce the attack surface of memory-unsafe code and have Java functions based on Java implementations. Yet the re-implementation committed basic errors and apparently skipped simple test cases that would have caught this flaw.

    If you’re curious about more robust test suites for cryptographic implementations of various algorithms, check out https://github.com/google/wycheproof.

  2. Writing a Linux Kernel Remote in 2022 – This article goes into the longer-read category, but also the categories of very approachable and well-written overview of creating an RCE for a Linux kernel flaw in TIPC (we covered this briefly back in episode 173 at https://securityweekly.com/asw173). The article walks through the security boundaries that an exploit developer must overcome (hint: kernel ASLR has been relatively effective at increasing attacker cost) and the nuances of shifting from the context of gaining control of an interrupt (think network traffic) to gaining control of a process (think user space).

    Overall, it’s a useful insight into Linux exploitation techniques as well as examples of how kernel hardening and compiler features can (or at least should) make those attacks more difficult.

  3. Okta Concludes its Investigation Into the January 2022 Compromise – All the noise and attention on the Okta breach comes down to a brief compromise of a single workstation from which the attacker was able to see some interesting information, but unable to leverage that access into something more consequential. The saga has been a good lesson (or probably a tough lesson from Okta’s perspective), about transparency and communicating risk. This final update removes a lot of ambiguity and lays out some actionable steps the company will take — steps that easily generalize to any appsec team.
  4. AWS’s Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation – “Just apply the patch” is security advice that becomes difficult when the affected software is pervasive, possibly unsupported, and in systems with ambiguous ownership. This confluence of unfortunate events sometimes leads to hot patches — mitigations that modify a configuration or process execution in a way that addresses a vuln without applying the official patch (or when an official patch isn’t available). Here’s an example of when that approach introduces more security headaches than it solves.
  5. How Flipkart Reacts to Security Vulnerabilities – I’d love to see more details or case studies in this article about strategically going after classes of vulns rather than just fixing vulns as they appear. It also fits into the idea of what a bug bounty’s engineering costs might look like and how to demonstrate the impact of that investment.
  6. Reverse Engineering of DAL-A Certified Avionics: Collins’ Pro Line Fusion—AFD-3700 – It’s been quite a long time since we covered an article related to appsec and aviation. That drought is over with this article from IOActive that goes into detail on analyzing an avionics system. While the technical detail may be mostly of interest to those wanting to learn about reverse engineering, the white paper has a good structure of analysis and attacker-minded thinking that may appeal to anyone who has to present their findings — in any domain of expertise — to a technical audience.
  7. Microsoft disables SMB1 file-sharing protocol by default in Windows 11 Home – Noting this article very briefly as a chance to talk about the challenges of deprecating APIs, as well as this quote that has sad implications for the appsec future of legacy systems — “Microsoft will provide an out-of-band, unsupported install package for users that still need to connect to old factory machinery, medical gear, consumer NAS and other equipment that still requires SMB1, however.”