In today’s high-tech industries, security is struggling to keep up with rapidly changing production systems and the chaos that agile development introduces into workflows. Application security (AppSec) teams are fighting an uphill battle to gain visibility and control over their environments. Rather than investing their time in critical activities, teams are overwhelmed by gaps in visibility and by the lack of tooling to govern the process. As a result, many digital services remain improperly protected.
In this episode, we discuss the current state of AppSec and point out a few common failure points. Afterwards, we discuss what agile AppSec looks like, and how a reorganization and a shift in management strategy could transform the field and allow businesses to truly address the risk of under-protected software.
Chen Gour Arie is the Chief Architect and Co-Founder of Enso Security. With over 15 years of hands-on experience in cybersecurity and software development, Chen has demonstrably bolstered the software security of dozens of global enterprise organizations across multiple industry verticals. An enthusiastic builder, he has focused his career on building tools to optimize and accelerate security testing and all related workflows.
Co-founder & CTO at Cysense
Security Partner at Square
2. Auth Problems from Parsing, Slack’s Password Hashes, Twitter’s Info Breach – 01:00 PM-01:30 PM
Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
Nextauth.js account takeover due to parsing flaw, URL parsing flaw in Go’s net/url, another path traversal, Slack exposes password hashes (whaaat!?), Twitter exposes 5.4 million accounts, ransomware and research against PyPI and GitHub, videos from fwd:cloudsec 2022.
ParseThru: HTTP parameter smuggling flaw uncovered in several Go applications – We have one standard for parsing URLs, RFC 3986, but many implementations thereof. And, as with all one-to-many mappings of standard-to-implementations, there will be discrepancies. This article shows how a mishandled (i.e., ignored) parsing error due to a semicolon leads to security flaws. It also falls into the recurring theme that while memory-safe languages solve one important class of vulnerabilities, they don’t absolve programmers from the responsibility for secure code. Using Go is still a good choice; parsers are notorious for memory-safety issues. This kind of flaw should be an ideal case for fuzzers to identify and help programmers harden their code.
Check out the researcher’s article at https://www.oxeye.io/blog/golang-parameter-smuggling-attack
You can find RFC 3986 at https://datatracker.ietf.org/doc/html/rfc3986#section-3
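As an added example (not from the researcher’s article or from the Go project), the parser mismatch the segment describes, in Go: a lenient parser model that treats `;` like `&`, beside what `URL.Query()` returns on Go 1.17 and later (pairs containing `;` are dropped and the parse error is discarded), plus a strict front end that rejects such a query instead of checking a pruned map. Function names and the sample query are constructed for the illustration.

```go
package main

import (
	"errors"
	"net/url"
	"sort"
	"strings"
)

var ErrAmbiguousQuery = errors.New("query contains ambiguous ';' separator")

// LenientQuery models a parser that treats ';' like '&' (Go before 1.17 and
// many other frameworks). No percent-decoding: enough for the comparison.
func LenientQuery(raw string) url.Values {
	v := url.Values{}
	for _, pair := range strings.FieldsFunc(raw, func(r rune) bool { return r == '&' || r == ';' }) {
		k, val, _ := strings.Cut(pair, "=")
		v[k] = append(v[k], val)
	}
	return v
}

// Smuggled lists keys a lenient downstream acts on that a Go 1.17+ front end
// using URL.Query() never saw: Query() drops pairs containing ';' and discards
// the parse error, so any authorization check on that map is blind to them.
func Smuggled(raw string) []string {
	front := (&url.URL{RawQuery: raw}).Query()
	var missed []string
	for k := range LenientQuery(raw) {
		if _, ok := front[k]; !ok {
			missed = append(missed, k)
		}
	}
	sort.Strings(missed)
	return missed
}

// StrictQuery is the hardened front end: reject an ambiguous or malformed
// query outright instead of serving a silently pruned map.
func StrictQuery(raw string) (url.Values, error) {
	if strings.Contains(raw, ";") {
		return nil, ErrAmbiguousQuery
	}
	v, err := url.ParseQuery(raw) // also errors on bad percent-escapes
	if err != nil {
		return nil, err
	}
	return v, nil
}
```

With the constructed query `user=alice&role=guest;role=admin`, the front end sees only `user`, while the lenient downstream sees both `role` values; `StrictQuery` refuses the request instead.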
CompleteFTP path traversal flaw allowed attackers to delete server files – Path traversal strikes again! These types of flaws are ideal for discussing the importance of normalizing data before applying security checks. Then, once you’ve handled the complexity of file paths, it’s an opportunity to talk about restricting file access. Then, once you’ve managed to sandbox your filesystem, it’s an opportunity to talk about whether that was a good design pattern in the first place. (Ok, probably better to have had this step in the conversation up front.) After all, a cloud datastore like S3 or a local one like sqlite might serve the same feature and be prone to fewer security mistakes.
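An added example of the normalize-then-check point, in Go (not CompleteFTP’s code, which the segment does not show): a common flawed check that normalizes and then tests a plain string prefix, beside a version that checks containment structurally with `filepath.Rel`. The root path and user-supplied names are constructed.

```go
package main

import (
	"errors"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("path resolves outside the permitted root")

// PrefixCheck is the common flawed form: it normalizes, then tests a plain
// string prefix. A sibling directory such as /srv/ftp2 shares the prefix
// /srv/ftp and so passes the check.
func PrefixCheck(root, userPath string) (string, error) {
	full := filepath.Join(root, userPath) // Join cleans "." and ".." segments
	if !strings.HasPrefix(full, root) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// SafeJoin normalizes first and then asks the structural question: is the
// cleaned path still inside root? filepath.Rel answers in path segments, so
// neither leftover ".." nor sibling-prefix names slip through. Symlinks are
// not resolved here; a real server would also EvalSymlinks the result.
func SafeJoin(root, userPath string) (string, error) {
	root = filepath.Clean(root)
	full := filepath.Join(root, userPath)
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}
```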
A Slack Bug Exposed Some Users’ Hashed Passwords for 5 Years – Why can a system access password hashes in the first place? Why are we still stuck with authentication based on comparing password hashes? Why are we still sending plaintext passwords so they can be hashed and then compared? Why do we still have passwords!?
Slack’s disclosure about the event is at https://slack.com/blog/news/notice-about-slack-password-resets
WebAuthn is one alternative, http://webauthn.io/. Another is OPAQUE, which avoids having to share a plaintext password with servers in the first place. Check out a good article on it at https://blog.cloudflare.com/opaque-oblivious-passwords/
And, if you want to brush up on digital identities and a reminder why regular password rotation should be a thing of the past, check out NIST SP 800-63 at https://www.nist.gov/identity-access-management/nist-special-publication-800-63-digital-identity-guidelines.
Fortunately, they occasionally provide useful appsec lessons. In this case, it’s about initializing values to zero (usually good), roots of trust (also good), and what happens when those situations come together without proper testing (oops).
You can find another article on this at https://nakedsecurity.sophos.com/2022/08/02/cryptocoin-token-swapper-nomad-loses-200-million-in-coding-blunder/
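A schematic model of the zero-initialization-meets-root-of-trust lesson, added here as an illustration in Go rather than any bridge’s actual contract code: a trusted-root set that quietly includes the zero value, a lookup for an unproven message that returns that same zero value, and the explicit checks that close the gap. Types, names and the sample configuration are constructed.

```go
package main

import "errors"

var (
	ErrUnproven      = errors.New("message has no proof record")
	ErrUntrustedRoot = errors.New("message proven against an unknown root")
)

// Root is a 32-byte Merkle root; its zero value is a constructed stand-in
// for an "uninitialized" slot, the same value an unset map key returns.
type Root [32]byte

// Bridge tracks which roots it accepts and which root each message was
// proven against. (Schematic model, not any real bridge's code.)
type Bridge struct {
	acceptable map[Root]bool
	proven     map[string]Root
}

// NewBridge trusts every configured root. If deployment leaves a slot at its
// zero value, the zero root quietly becomes trusted: the first half of the bug.
func NewBridge(configured []Root) *Bridge {
	b := &Bridge{acceptable: map[Root]bool{}, proven: map[string]Root{}}
	for _, r := range configured {
		b.acceptable[r] = true
	}
	return b
}

// ProcessUnchecked is the flawed path: a never-proven message looks up as the
// zero Root (Go's default for a missing key), and that root is acceptable.
func (b *Bridge) ProcessUnchecked(id string) bool {
	return b.acceptable[b.proven[id]]
}

// Process is the fixed path: "no record" and "zero root" are each rejected
// explicitly before the trust lookup, so defaults can never pass as proof.
func (b *Bridge) Process(id string) error {
	root, ok := b.proven[id]
	if !ok || root == (Root{}) {
		return ErrUnproven
	}
	if !b.acceptable[root] {
		return ErrUntrustedRoot
	}
	return nil
}
```

A unit test that feeds an unproven message through both paths is exactly the "proper testing" the segment says was missing.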
fwd:cloudsec 2022 videos – I haven’t had a chance to watch them all and pick out some favorites. Plus, we’ll have a slew of presentations coming out of Vegas from DEF CON, BlackHat, and BSidesLV.
What favorite presentations have you watched in the past year? What additional resources should we highlight?