Pressured by the speed of innovation, organizations are struggling to achieve the continuous web application security they need in the face of mounting threats and compliance requirements. What does it take in order for your AppSec program to be both effective and agile? In this segment, Ferruh Mavituna, founder and strategic advisor of Invicti Security, discusses best practices to help you implement an effective, agile, and – most importantly – continuous approach to application security. This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them!
Ferruh Mavituna – Founder and Strategic Advisor at Invicti Security
Ferruh Mavituna is the founder and strategic advisor of Invicti Security, a world leader in web application security solutions. His professional obsessions lie in web application security research, automated vulnerability detection, and exploitation features. He has authored several web security research papers and tools, and delivers animated appearances at cybersecurity conferences and on podcasts. Exuberant at the possibilities open to organizations by the deployment of automation, Ferruh is keen to demonstrate what can be achieved in combination with Invicti’s award-winning products, Invicti and Acunetix.
Vuln in an Atlassian Confluence app, “Dirty Dancing” in OAuth flows, security audits of sigstore and slf4j, flaws in fleet management app, conducting tabletop exercises.
Open Source isn’t working for AI – While this isn’t a direct security story, I think there’s a security aspect to this: it’s estimated that training GPT-3 costs between $20 and $30 million in compute time. That means that even if the model is open-sourced, the average developer has no chance of training it and doing R&D with the model.
The security aspect here: With a model that large, how long would it take security researchers to test even a portion of that model?
Relative path traversal vulnerability allows TZInfo::Timezone.get to load arbitrary files – Hello path traversal! There are several things I love about this example. Despite having a “high” CVSS of 7.5, it admittedly is less likely to be a high risk for most orgs, but I really appreciate the reasoning stated in the advisory: “This could be exploited in, for example, a Ruby on Rails application using tzinfo version 1.2.9, that allows file uploads and has a time zone selector that accepts arbitrary time zone identifiers. The CVSS score and severity have been set on this basis.”
That first sentence is really helpful context for evaluating risk.
Next, it’s interesting that “versions up to and including 1.2.5 can only be made to load files from directories within the load path.” There’s possibly an angle here about app hardening and restricting the locations that a gem file can reach. However, that requires some deeper Ruby (or Ruby on Rails) insights. If you’re a Ruby expert, drop us a note about architecture choices here.
Finally, this has a good lesson in the nuances of regular expressions. In one case an unnecessary escape was removed, “\+” changed to “+”, because inside a character class (between “[” and “]”) a plus sign is already literal. More relevant to security is the switch of anchors from “^” and “$” to “\A” and “\z”. Anchoring is a good practice for ensuring a pattern matches from the beginning to the end of a subject, but “^” and “$” don’t reliably do that: in Ruby they always match at line boundaries, so a subject containing a newline can satisfy the pattern on its first line and carry anything at all after it; in other engines (PCRE, Python, JavaScript) their behaviour depends on whether multi-line mode is on, and even in single-line mode PCRE’s and Python’s “$” tolerate one trailing newline. “\A” and “\z” match only at the start and the absolute end of the string (note that the capital “\Z” in Ruby and PCRE still tolerates a trailing newline). Avoiding surprises from newlines is always a smart security choice.
If you’re interested in reading through the code, check out the fixes at https://github.com/tzinfo/tzinfo/commit/9905ca93abf7bf3e387bd592406e403cd18334c7.
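To make the anchor difference concrete, here is an added Ruby example (not tzinfo’s own code, and the directory layout, function names and the `/srv/tz` data directory are assumptions for illustration). It validates a user-supplied time zone identifier with a line-anchored pattern and a string-anchored pattern, shows what a crafted identifier with an embedded newline does to the resolved path under each, and adds a canonical-path check as the kind of defence in depth the load-path observation above hints at:

```ruby
# Added example (not tzinfo's own code): contrasts line anchors (^ $) with
# string anchors (\A \z) when validating a user-supplied time zone identifier,
# and adds a canonical-path check as defence in depth. The directory layout,
# function names and data directory below are assumptions for illustration.

# The same character class in both patterns. Inside [...] a "+" is literal,
# so "\+" and "+" mean the same thing there; the escape was just noise.
IDENT = '[A-Za-z0-9+\-_]+'

# In Ruby ^ and $ always match at line boundaries, so this accepts any string
# whose FIRST line is a valid identifier, whatever follows the newline.
WEAK_PATTERN   = /^#{IDENT}(?:\/#{IDENT})*$/

# \A and \z match only at the start and the absolute end of the string.
STRICT_PATTERN = /\A#{IDENT}(?:\/#{IDENT})*\z/

def valid_identifier?(identifier, pattern = STRICT_PATTERN)
  identifier.match?(pattern)
end

# Hypothetical data source: definitions live at <data_dir>/definitions/<id>.rb
def definition_path(identifier, data_dir, pattern = STRICT_PATTERN)
  unless valid_identifier?(identifier, pattern)
    raise ArgumentError, "invalid time zone identifier: #{identifier.inspect}"
  end
  File.join(data_dir, 'definitions', "#{identifier}.rb")
end

# Defence in depth: refuse any path that canonicalises outside data_dir, even
# if the identifier check let something through.
def inside_directory?(path, data_dir)
  root = File.expand_path(data_dir) + File::SEPARATOR
  File.expand_path(path).start_with?(root)
end

def load_definition(identifier, data_dir, pattern = STRICT_PATTERN)
  path = definition_path(identifier, data_dir, pattern)
  unless inside_directory?(path, data_dir)
    raise SecurityError, "#{path.inspect} escapes #{data_dir}"
  end
  path # a real loader would `load` or `require` this file here
end

# Constructed identifier: a valid first line, then a newline and a traversal.
TRAVERSAL_ID = "Europe/London\n/../../../../../tmp/evil"

if __FILE__ == $PROGRAM_NAME
  puts "weak accepts:   #{valid_identifier?(TRAVERSAL_ID, WEAK_PATTERN)}"
  puts "strict accepts: #{valid_identifier?(TRAVERSAL_ID, STRICT_PATTERN)}"
  weak_path = definition_path(TRAVERSAL_ID, '/srv/tz', WEAK_PATTERN)
  puts "weak resolves:  #{File.expand_path(weak_path)}"
end
```

With the weak pattern the crafted identifier passes validation because `$` is satisfied at the end of its first line, and the joined path canonicalises to `/tmp/evil.rb`; the strict pattern rejects it outright, and the `inside_directory?` check would stop it even if the validation were wrong.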
I changed my mind when I got to the paragraph that started with, “Uninstalling the Questions for Confluence app also does not remediate the vulnerability…”
Ouch. That’s an unpleasant surprise. Usually I’d expect removing an app to remove the attack surface — no app, no attack vector. But this situation feels a little too much like the William Hurt and facehugger experience from “Alien”…
This article walks through an attacker’s mindset for picking apart OAuth mis-implementations. It’s a great example of scrutinizing specifications and understanding their security implications. The article provides a brief background on OAuth principles and then explains how to take advantage of mistakes to subvert authentication or authorization workflows.
It also links to good security practices for hardening OAuth 2.0 workflows. So it’s worth reading whether you’re building or breaking apps that depend on it.
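Two of the hardening practices that come up in any OAuth 2.0 review are exact `redirect_uri` matching on the authorization server (RFC 6749 §3.1.2.2 and §10.6) and a single-use `state` value bound to the client’s session (§10.12). The following Ruby is an added example, not code from the article or from Detectify: the client IDs, URLs and the session hash are assumptions, and the weak prefix check is included only to show what the strict one prevents.

```ruby
# Added example, not code from the "Dirty Dancing" article or from Detectify:
# exact redirect_uri matching (RFC 6749 §3.1.2.2, §10.6) beside the weak
# prefix match it replaces, and a single-use state bound to the session
# (§10.12). Client IDs, URLs and the session hash are illustrative only.
require 'securerandom'
require 'uri'

AUTHZ_ENDPOINT = 'https://as.example/authorize'

# Authorization-server registry: each client has an allow-list of exact URIs.
REGISTERED_REDIRECTS = {
  'app1' => ['https://app.example/callback'].freeze,
}.freeze

# Weak: prefix matching. Anything that hangs off the registered URI passes,
# e.g. a path that reaches an open redirect on the same host.
def redirect_uri_allowed_weak?(client_id, redirect_uri)
  REGISTERED_REDIRECTS.fetch(client_id, []).any? { |r| redirect_uri.start_with?(r) }
end

# Strict: the string must equal a registered value exactly.
def redirect_uri_allowed_strict?(client_id, redirect_uri)
  REGISTERED_REDIRECTS.fetch(client_id, []).include?(redirect_uri)
end

# Authorization server: an unregistered redirect_uri is an error rendered in
# place; never redirect the user agent (and the code) to it (RFC 6749 §4.1.2.1).
def authorize_request(params)
  unless redirect_uri_allowed_strict?(params['client_id'], params['redirect_uri'])
    return { status: 400, body: 'invalid_request: redirect_uri not registered' }
  end
  if params['state'].to_s.empty?
    return { status: 400, body: 'invalid_request: state required' }
  end
  query = URI.encode_www_form(code: SecureRandom.hex(16), state: params['state'])
  { status: 302, location: "#{params['redirect_uri']}?#{query}" }
end

# Client: mint a fresh state, store it in the session, and build the redirect.
def begin_authorization(session, client_id, redirect_uri)
  session[:oauth_state] = SecureRandom.hex(16)
  query = URI.encode_www_form(response_type: 'code', client_id: client_id,
                              redirect_uri: redirect_uri, state: session[:oauth_state])
  "#{AUTHZ_ENDPOINT}?#{query}"
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Client callback: the state is consumed on first use (so a replayed or
# attacker-supplied callback cannot reuse it) and must match exactly; only
# then is the code accepted for the token exchange.
def handle_callback(session, params)
  expected = session.delete(:oauth_state)
  return [:error, 'missing_state'] if expected.nil? || params['state'].to_s.empty?
  return [:error, 'state_mismatch'] unless constant_time_equal?(expected, params['state'])
  return [:error, params['error']] if params['error']
  return [:error, 'missing_code'] if params['code'].to_s.empty?
  [:ok, params['code']]
end
```

The prefix check accepts `https://app.example/callback/../redirect?to=https://evil.example/`, which is exactly the shape of URI that lets an authorization code leak through a redirect or a referer; the exact check refuses it and the server fails in place rather than sending the browser there with the code attached.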
These two reports show the value of the OpenSSF investments in security. It’s great to see progress on these security fronts. – https://ostif.org/wp-content/uploads/2022/07/OSTIF-2022-Q1-Sigstore-Report.pdf – https://ostif.org/wp-content/uploads/2022/07/OSTIF-2022-Q2-slf4j-Report-v2.pdf
The Open Source Technology Improvement fund also looked at Argo as part of this work. We covered a JWT flaw in Argo back in episode 199 (https://securityweekly.com/asw199). Check out details for this latest security review at https://ostif.org/our-audit-of-argo-is-complete-critical-and-high-severity-security-issues-found-and-fixed/.
Zero-day flaws in GPS tracker pose surveillance, fuel cut-off risks to vehicles – A hardcoded password, default password, and IDOR stand out from this report by researchers looking at the software side of a fleet management app. Half of this report walks through the vulns, with the other half highlighting the potential exposure to the various industries and countries relying on these GPS tracking devices.
Check out the PDF report at https://www.bitsight.com/sites/default/files/2022-07/MiCODUS-GPS-Report-Final.pdf
In appsec, and infosec in general, tabletop exercises are less about owlbears and locked doors and more about what-if scenarios that explore compromise scenarios, test processes, and push on assumptions about an app’s environment. This article briefly walks through key steps in organizing and executing a tabletop exercise. And if you’re ever in need of inspiration for a tabletop scenario, most of the vulns and research we cover lend themselves quite well to this kind of “premortem” evaluation of how they might affect your org.
And, to come back to the role-playing game aspect, those games are collaborative exercises in communication — storytelling. They have all the hallmarks of meetings, from having an agenda (of sorts) to the dynamics of sharing conversation time to practicing active listening. In other words, RPGs are also good practice for the business world. After all, if you can get a gaming group together on a regular basis, most other problems feel easy in comparison.