Developers want bug-free code — it frees up their time and is easier to maintain. They want secure code for the same reasons. We’ll talk about how the definition of secure coding varies among developers and appsec teams, why it’s important to understand those perspectives, and how training is just one step towards building a security culture.
Matias Madou – Co-Founder and CTO at Secure Code Warrior
Matias is the co-founder and CTO of Secure Code Warrior. SCW provides a fully hands-on, gamified experience with metrics, leaderboards and badging that enables developers to master secure coding across different languages and frameworks. Customers can track skills and progress, benchmark different teams, and assess potential suppliers and new recruits. SCW is the first global platform developers want to learn on, and it lets you establish a minimum baseline of security skills across your organization.
Matias has over a decade of hands-on software security experience, from research aimed at improving existing solutions to scoping and building new ones. A dozen patents and a number of papers came out of that research, which eventually led to a handful of commercial products.
Matias holds a Ph.D. in computer engineering from Ghent University, where he studied application security through program obfuscation, hiding the inner workings of an application. With that background he joined Fortify as an intern and rose to research architect for all runtime solutions spanning Fortify and ArcSight within HP. He has presented at conferences including RSA Conference, Black Hat and DEF CON.
Co-founder & CTO at Cysense
Security Partner at Square
2. OWASP Top 10 for K8s, Firefox Process Isolation, Secure Software Factory, CFAA Policy – 01:00 PM-01:30 PM
Join us June 29th for a webcast with Tyler Robinson and Beau Bullock to learn how to pivot into the world of Crypto security. Visit https://securityweekly.com/webcasts to register with only your name and email! Don’t forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
This week in the AppSec News: OWASP Top 10 for Kubernetes, Firefox improves security with process isolation, CNCF releases guidance on Secure Software Factories and Cloud Native Security, & the DOJ clarifies its policy on CFAA!
Ruby Vulnerabilities: Exploiting Dangerous Open, Send and Deserialization Operations – Here’s a well-written walkthrough of various RCE and deserialization attacks against Ruby on Rails. One of the things that stood out to me was the inclusion of references to prior work on various attack techniques, which provides the opportunity to dive deeper into any of these items as well as showing how the security community works best when it acknowledges and builds upon techniques.
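The three operation classes the walkthrough covers, each shown as the vulnerable call beside a hardened replacement. This is an added example, not code from the article or from Rails: `Report`, `AuditHook`, the report directory and the "session" format are constructed for illustration, and the `marshal_load` side effect stands in for the command execution a real gadget chain would reach.

```ruby
require "tmpdir"
require "json"
require "digest"

# --- 1. Kernel#open: a leading "|" turns a "filename" into a command ----------
def read_report_unsafe(name)
  open(name) { |f| f.read }              # open("|id") spawns `id` and returns its stdout
end

# Hardened: File.open never interprets the pipe prefix, the name is restricted to a
# plain basename, and the resolved path must stay inside the report directory.
def read_report_safe(dir, name)
  raise ArgumentError, "bad report name" unless name.match?(/\A[\w.-]+\z/)
  path = File.expand_path(name, dir)
  raise ArgumentError, "outside report dir" unless path.start_with?(File.join(dir, ""))
  File.open(path, "r") { |f| f.read }
end

# --- 2. send with a user-controlled method name ignores visibility ------------
class Report                              # constructed model
  def summary; "10 findings"; end
  private
  def purge!; :purged; end                # destructive; never meant to be reachable from a request
end

DISPATCHABLE = %w[summary].freeze         # explicit allow-list of request-callable actions

def dispatch_unsafe(report, action)
  report.send(action)                     # send("purge!") succeeds: send reaches private methods
end

def dispatch_safe(report, action)
  raise ArgumentError, "unknown action #{action}" unless DISPATCHABLE.include?(action)
  report.public_send(action)              # allow-list first, public_send as defence in depth
end

# --- 3. Marshal.load runs code from the payload before you can inspect it -----
EXECUTED = []                             # records the side effect so the example is observable

class AuditHook                           # stand-in gadget: any loaded class with a load-time hook
  attr_reader :cmd
  def initialize(cmd); @cmd = cmd; end
  def marshal_dump; @cmd; end
  def marshal_load(cmd)
    @cmd = cmd
    EXECUTED << cmd                       # constructed side effect standing in for system(cmd)
  end
end

def build_payload(cmd)                    # what an attacker would place in a cookie or queue message
  Marshal.dump(AuditHook.new(cmd))
end

def load_session_unsafe(blob)
  Marshal.load(blob)                      # hook fires here, regardless of what the app does next
end

def load_session_safe(blob)
  data = JSON.parse(blob)                 # JSON.parse yields only strings, numbers, arrays and hashes
  raise ArgumentError, "malformed session" unless data.is_a?(Hash)
  data
end
```

The pattern in all three cases is the same: the dangerous primitive (`Kernel#open`, `send`, `Marshal.load`) decides what to do based on the content of attacker-controlled data, so the fix is to switch to a primitive that does not (`File.open`, `public_send` behind an allow-list, `JSON.parse`) and to validate before, not after, the call.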
Firefox debuts improved process isolation to reduce browser attack surface – Mozilla released Firefox 100 earlier this month. An appsec aspect worth highlighting is the improved process isolation on Windows in this release. We talk a lot about the choice of programming language and about refactoring memory-unsafe code (the nice way to refer to C and C++). Here’s a good example of adjusting an app’s architecture in order to improve security. As with any refactor, tests can bring surprises — in this case, crashes when handling line endings.
Check out more details on the Mozilla blog at https://hacks.mozilla.org/2022/05/improved-process-isolation-in-firefox-100/
Announcing the Secure Software Factory Reference Architecture Paper – CNCF’s Technical Advisory Group – Security (STAG) has released their guidance on how to design and implement security for a build pipeline. It comes out of the larger supply chain work that CNCF, and just about everyone in infosec this past year, has been investing in. Having a reference architecture with security guidance is an important evolution from the more generic recommendations of “have a secure pipeline”.
Grab the PDF of the paper at https://github.com/cncf/tag-security/blob/main/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf
As a point of comparison, SolarWinds described their approach to building a hardened software factory (aka CI/CD pipeline) in a whitepaper at https://www.solarwinds.com/resources/whitepaper/setting-the-new-standard-in-secure-software-development-the-solarwinds-next-generation-build-system/delivery. Their approach is understandably informed by the type of attack they suffered: ephemeral build systems to limit attacker dwell time, and parallel builds on independent pipelines that must agree before an artifact’s provenance is trusted. It’s interesting to see how organizations respond to attacks and how the changes they make take different scenarios into account.
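The parallel-build idea above reduces to a release gate: several independent, ephemeral builders each attest to what they built, and the artifact is accepted only if the attestations agree. The check below is an added illustration of that gate, not code from the CNCF or SolarWinds papers; the attestation field names (`builder`, `source_commit`, `artifact_sha256`) and the quorum of three are assumptions for the example.

```ruby
require "digest"

# One constructed attestation per independent builder. In a real factory this would be
# a signed statement emitted by the ephemeral build job; here it is a plain hash.
def attestation(builder, commit, artifact_bytes)
  {
    "builder" => builder,
    "source_commit" => commit,
    "artifact_sha256" => Digest::SHA256.hexdigest(artifact_bytes),
  }
end

# Release gate: accept only when at least `quorum` distinct builders built the same
# commit and produced byte-identical output. Any disagreement rejects the release
# outright (one compromised or drifting builder is a signal to investigate, not an
# outlier to vote away). Returns [accepted?, digest_or_reason].
def consensus(attestations, quorum: 3)
  builders = attestations.map { |a| a["builder"] }
  return [false, "duplicate builder"] if builders.uniq.size != builders.size
  return [false, "only #{builders.size} of #{quorum} builders reported"] if builders.size < quorum

  commits = attestations.map { |a| a["source_commit"] }.uniq
  return [false, "builders disagree on source commit: #{commits.join(', ')}"] if commits.size != 1

  digests = attestations.map { |a| a["artifact_sha256"] }.uniq
  return [false, "artifact digests differ: #{digests.join(', ')}"] if digests.size != 1

  [true, digests.first]
end
```

The gate only works if the builds are actually reproducible (pinned toolchain, no timestamps or build-host paths baked into the output) and the attestations come from builders an attacker cannot reach in one hop; otherwise a single compromise propagates to every copy and the comparison passes.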
Announcing the Refreshed Cloud Native Security Whitepaper – “Cloud native” is an easy term for the idea of building, deploying, and running apps within the cloud, and like many easy terms it hides a lot of complexity and effort needed to ensure a secure environment. CNCF first released this whitepaper back in 2020 and has now updated sections such as Security Assurances, Security Principles and Compliance. They’ve also documented their feedback process, which is an important way to engage the community — check it out and share ways you think it could be further improved.
For those of you following NIST’s SP 800-218 Secure Software Development Framework (SSDF) — we know it’s an exciting topic — the whitepaper now includes a mapping to SSDF practices.
Grab the PDF of the paper at https://github.com/cncf/tag-security/tree/main/security-whitepaper
One Fuzzing Strategy to Rule Them All – More fuzzing! We don’t need to go into detail on this one — it’s likely for a narrow audience who are already running fuzzers. But we’ll leave you with the insights and links to other resources from a Twitter thread by Caroline Lemieux at https://twitter.com/cestlemieux/status/1524438583184138240