
Application Security Weekly Episode #199 – May 27, 2022

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Answering the ‘How’ Questions of Software Security – 01:00 PM-01:30 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Description

Nikhil will be discussing the pain points that leaders in the application security space are facing, including how software development has evolved, how this has impacted development teams and security teams, and the rise of shifting left. He would also like to speak to the solution he has found to this problem, specifically developing a community, the Purple Book Community. This closely connects to the final topics he would like to cover, which include how breaches have continued to occur at an increasingly rapid pace, and why and how companies should be prepared for when, not if, a cyber attack will occur. The talk will also cover how the Purple Book of Software Security came about and how it has now morphed into a global movement by security leaders, for security leaders, to develop secure software.

Segment Resources:
https://www.armorcode.com/
https://www.thepurplebook.club/
https://www.armorcode.com/what-is-appsecops
https://www.armorcode.com/platform-overview
https://www.armorcode.com/news
https://www.armorcode.com/integrations

Guest(s)

Nikhil Gupta

Nikhil Gupta – Co-Founder and CEO at ArmorCode

@nikhilgupta2453

Nikhil Gupta is the founder and CEO of ArmorCode, the Silicon Valley startup delivering application security at the speed of DevOps. Gupta is a successful serial entrepreneur with more than 25 years of experience leading high-growth security teams. Prior to founding ArmorCode, Gupta was the CEO and Co-founder of Avid Secure (acquired by Sophos), a market-leading AI-powered multi-cloud security and compliance platform.

Gupta is also one of the creators of The Purple Book Community (thepurplebook.club), a diverse community of security leaders who are examining issues related to software security, a topic that has sparked immense interest given recent high-profile cyberattacks on government entities, public sector organizations, and private companies. It started out as a project to write a book on best practices in software security but, due to the tremendous interest in the subject, it grew into a community of hundreds of software security leaders. With the launch of AppSecCon 2022 (www.thepurplebook.club/appsecon), the world’s premier AppSec conference, it is now morphing into a movement by security leaders, for security leaders.

Hosts

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

Mike Shema

@Codexatron

Security Partner at Square

2. Pwn2own, Verizon’s DBIR, Zoom’s XMPP Flaws, $10M Bounty, & More Bad Packages – 01:30 PM-02:00 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • Don’t forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Description

This week in the AppSec News: Pwn2own results, reading the DBIR for appsec insights, XMPP flaws in Zoom, $10M bounty for a blockchain bridge vuln, researcher puts malicious payloads in ancient packages, Argo patches JWT handling, & more!

Hosts

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

  1. Lots of findings from this year’s pwn2own
  2. Findings from 2022 SaaS security survey – A few interesting takeaways on what CISO types have on their mind regarding the security of SaaS they service and consume.
  3. How one malware uses DNS for tunnelling information – Interesting writeup on how a malware package is communicating with its C2 servers using DNS as a side channel
  4. An unpleasant arbitrary code execution vulnerability in Quanta servers’ BMC – Quanta makes “generic” servers which are usually either white-labeled and resold as other brands, or used in large-scale datacenters. A 3-year-old vulnerability has been found where a user with shell access to the system can overwrite the BMC memory and have it do their will…

Mike Shema

@Codexatron

Security Partner at Square

  1. 2022 Data Breach Investigations Report – The 15th DBIR is out. It’s always an excellent reference in communication, both in terms of text (how the report explains its results and analysis) and visualization (how the report presents its data). From an appsec perspective, major attack vectors remain phishing and web hacking. If you haven’t migrated to a FIDO2 MFA solution, now’s the time to do so.

    The report looks at patching and, while exploiting known vulns remains far behind breaches based on credential compromise and phishing, they noted an increase in incidents this year. Fortunately, they also observed that more vulns are being patched faster. According to their data, in 2018 roughly 50% of patches were applied within 90 days (days taken to fix findings). In 2022 they saw most findings in this category fixed within 90 days.

    There’s a section dedicated to “Basic Web Application Attacks” that reinforces just how basic attacks can be to still succeed. Once again, stolen credentials top the list. Exploiting vulns comes in second, with the usual suspects of things like SQL injection still making the list.

  2. Wormhole Uninitialized Proxy Bugfix Review – We dip back into the world of smart contract security to highlight a staggering $10 million bounty payout. That’s (at least) an order of magnitude larger than even the big bounty programs like Apple and Google. And what does the fix boil down to? A few lines of boilerplate to execute a single-line transaction to call initialize() on a contract. So, a missing 10-letter function call and a $10 million payout — 10/10 for the mind-bogglingly large sum for clever work.

    p.s. hope the researcher asked for the bounty in hard cash…

  3. Zoom patches XMPP vulnerability chain that could lead to remote code execution – The bug writeup has really good details on the issues, which include parsing behavior differences between two XML libraries. That kind of behavior is a favorite topic to highlight, as it’s independent of the implementation language and all about adherence to specs, design decisions, and choices of defaults.

    Check out the bug details at https://bugs.chromium.org/p/project-zero/issues/detail?id=2254

  4. Poisoned Python and PHP packages purloin passwords for AWS access – Supply chain, expired domain (re-registered with $5 investment), source code modified — this article hits all the supply chain zeitgeist points; fortunately, the impact looks relatively small. But not so small as to be ignored. One compromised package went looking for environment variables like AWS keys and exfiltrated them. The investigation into the packages identified the individual behind the compromise, who said he was conducting this as part of bug bounty research.

    Read more at https://www.bleepingcomputer.com/news/security/hacker-says-hijacking-libraries-stealing-aws-keys-was-ethical-research/ and the individual’s own words at https://sockpuppets.medium.com/how-i-hacked-ctx-and-phpass-modules-656638c6ec5e.

  5. Critical Argo CD vulnerability could allow attackers admin privileges – Good news and bad news here — bad news is that a misused JWT could allow arbitrary user impersonation, good news is that the system isn’t vulnerable in its default configuration. Hopefully we see a growing trend of “not in its default configuration” related to security advisories, but that also has to mean the default configuration is the useful one to devs. JWTs are easy to pick on since they’re prone to misuse or misconfiguration themselves.

    The advisory has some more details at https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj.

    This was also a nice example of looking at how the devs patched the flaw. In this case, it took about 30 lines of code across two files to fix it. But then the devs put in another 400 or so lines of testing. It’s a critical kind of bug, so kudos for a non-cynical example of taking security seriously. Check out the commit at https://github.com/argoproj/argo-cd/commit/a809469d9af10c626449bfcb8b9a09a9d2dc9065
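Added example, not part of the show notes and not Argo CD’s own code: item 5 above notes that a misused JWT could allow arbitrary user impersonation and that JWTs are prone to misuse in general. The snippet below contrasts the weak pattern of reading the identity straight out of a token’s payload with a verifier that pins the algorithm, checks the HMAC-SHA256 signature, and validates the exp and aud claims before trusting sub. The secret, audience, clock value and claims are constructed for the demo; this is a generic illustration of the JWT failure class, not a reproduction of the Argo CD flaw or its fix.

```python
"""Generic JWT (HS256) demo: unsafe payload trust vs. verified claims.
Constructed example; the key, audience and claims are not real."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-not-a-real-key"  # constructed for the demo
AUDIENCE = "demo-api"                               # constructed for the demo


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def unsafe_identity(token: str) -> str:
    """Weak pattern: take 'sub' from the payload without checking the signature.
    Any token with the right shape is believed, whoever produced it."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))["sub"]


class InvalidToken(Exception):
    pass


def verified_identity(token: str, key: bytes, audience: str, now: float = None) -> str:
    """Hardened pattern: pinned alg, constant-time signature check, exp and aud validated."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The server decides the algorithm; the token never does (rejects "none" and similar).
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise InvalidToken("expired or missing exp")
    if claims.get("aud") != audience:
        raise InvalidToken("wrong audience")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise InvalidToken("missing sub")
    return sub


def demo() -> dict:
    """Run both patterns against a genuine token and one signed with a different key."""
    now = 1_653_600_000  # fixed clock so the result is reproducible (constructed)
    genuine = issue_token({"sub": "alice", "aud": AUDIENCE, "exp": now + 3600}, SECRET)
    # Same shape, different signing key: an unverified consumer cannot tell it apart.
    other_key = issue_token({"sub": "admin", "aud": AUDIENCE, "exp": now + 3600}, b"some-other-key")
    results = {
        "unsafe_genuine": unsafe_identity(genuine),
        "unsafe_other_key": unsafe_identity(other_key),   # believed: "admin"
        "verified_genuine": verified_identity(genuine, SECRET, AUDIENCE, now),
    }
    try:
        verified_identity(other_key, SECRET, AUDIENCE, now)
        results["verified_other_key"] = "accepted"
    except InvalidToken as err:
        results["verified_other_key"] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of `verified_identity` is that every decision is made on the server’s terms: the algorithm is pinned rather than read from the header, the signature is compared in constant time, and a token is only trusted once its expiry and audience match what this service expects. Anything that decides identity before those checks, as `unsafe_identity` does, is the misuse class the advisory discussion above is pointing at.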