Application Security Weekly Episode #209 – August 22, 2022

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. AppSec Tips & Tricks for Cloud Native and Kubernetes Environments – 12:30 PM-01:00 PM

Announcements

  • Security Weekly listeners save 20% on InfoSec World 2022 passes! InfoSec World will be held September 27th through the 29th at Disney’s Coronado Springs Resort in Lake Buena Vista, Florida. Visit securityweekly.com/isw and use the code ISW22-SECWEEK20 to secure your spot now!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

The unique nature of cloud native apps, Kubernetes, and microservices based architectures introduces new risks and opportunities that require AppSec practitioners to adapt their approach to security tooling, integration with the CI/CD pipeline, and how they engage developers to fix vulnerabilities.

In this episode, we’ll discuss how AppSec teams can effectively manage the transition from securing traditional monolithic applications to modern cloud native applications and the types of security tooling needed to provide coverage across custom application code, dependencies, container images, and web/API interfaces. Finally, we’ll conclude with tips and tricks that will help make your developers more efficient at fixing vulnerabilities earlier in the SDLC and your pen testers more effective.

Segment Resources:
https://www.deepfactor.io/kubernetes-security-essentials-securing-cloud-native-applications/
https://www.deepfactor.io/resource/observing-application-behavior-via-api-interception/
https://www.deepfactor.io/developer-security-demo-video/

Guest(s)

Kiran Kamity – CEO & Co-Founder at Deepfactor

@kirankamity

Kiran Kamity is Founder & CEO of Deepfactor. He’s a passionate serial Silicon Valley entrepreneur, former head of product at Cisco Cloud BU. He founded and was CEO of ContainerX (acquired by Cisco). He was also Founder/VP at RingCube (acquired by Citrix). He’s also been a dynamic TEDx speaker. Kiran has a Masters degree in Electrical Engineering from Stanford University.

Hosts

Joe South

@SecUnfPodcast

Sr Content Creator at CyberRisk Alliance

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

Mike Shema

@Codexatron

Security Partner at Square

2. Debugging & Dev Tools, Isolating PostgreSQL, Abusing the DevOps Pipeline, Xiaomi Flaw – 01:00 PM-01:30 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Don’t forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Description

Ideas on debugging with IDEs, Wiz.io shares technical details behind PostgreSQL attacks in cloud service providers, looking at the attack surface of source code management systems, a Xiaomi flaw that could enable forged payments, defensive appsec design from Signal, and what targeted attacks mean for threat models when the targeting goes awry.

Hosts

Joe South

@SecUnfPodcast

Sr Content Creator at CyberRisk Alliance

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

  1. John Carmack: Best programming setup & IDE – Most of this conversation has nothing to do with the IDE of Mr. Carmack, of Doom and iD fame. Interesting chat about how he sees many as resistant to modern dev tools like debuggers and IDEs
  2. Two different passwords can unlock a zip file
  3. Malware can be encoded in a string of emojis
  4. Zero day vuln allows attackers to steal crypto from ATMs
  5. Google fixes 5th Chrome 0-day for 2022


Mike Shema

@Codexatron

Security Partner at Square

  1. The cloud has an isolation problem: PostgreSQL vulnerabilities affect multiple cloud vendors – Wiz has now revealed more technical details behind their ExtraReplica attack from last April. We covered that in Episode 195 (https://securityweekly.com/asw195). At the time, Wiz held back details because the underlying flaws affected more than just Azure. That’s why this research is so enlightening to read — they looked at an attack surface that could affect any cloud service provider (CSP).

    There’s a line from this article that sums up the problem and the motivation for research quite well: “How are CSPs adapting legacy open-source software to fit the needs of the cloud?”

    They then dive into technical details and present an attacker’s mindset that worked exceedingly well against PostgreSQL. Give it a read and use it for inspiration about other projects whose design never considered the needs of multi-tenancy.

  2. Controlling the Source: Abusing Source Code Management Systems – This article plus the one from Wiz about PostgreSQL in the cloud share themes of threat modeling and attack surfaces. Where the Wiz article highlights implementation flaws of layering modern, granular authorization controls to existing software, this one is about organizing many of the known attack patterns against the systems that manage and build code.

    There’s more than one lesson to take from this article, but one important one is to have MFA deployed for all your developers and admins. Preferably one based on FIDO2 security keys.

    Read more about threat scenarios to consider in their whitepaper at https://www.ibm.com/downloads/cas/OG6KNX1E (PDF).

  3. Xiaomi Phone Bug Allowed Payment Forgery – We’ve got one article about attacking software version control systems. Now we have this article about a flaw due to an absence of version control within software. It touches on Trusted Execution Environments and how implementation errors can break the boundaries between the so-called security world vs. the normal world.

  4. How a Third-Party SMS Service Was Used to Take Over Signal Accounts – I grabbed this article to talk about the security design process. Signal made several deliberate decisions on their data model and features that were intended to limit the impact of certain attack scenarios.

    Read Signal’s response at https://support.signal.org/hc/en-us/articles/4850133017242

  5. Impact to DigitalOcean customers resulting from Mailchimp security incident – Another theme of this episode is breaches through third-party service providers. In addition to Twilio + Signal, this is about Mailchimp + DigitalOcean. Both of them have lessons learned that can inform any appsec program. In this case, it’s about improving observability and resiliency with third-party providers. (Plus, yet another example of where MFA protected users.)
  6. Confused cyber criminals have hacked a water company in a bizarre case of mistaken identity – After two articles about breaches that attackers used for targeted attacks, this article provides a counterpoint with a mistakenly(!?) targeted attack. It’s a chance to discuss whether the infosec cliche of, “I don’t have to outrun the bear, I just have to outrun you” informs any useful strategy, or whether it’s a phrase that needs to be relegated to the appsec abyss of spurious statements.

    With this article (and perhaps some others) in mind, re-read these two posts from Phil Venables:

    – https://www.philvenables.com/post/are-security-analogies-counterproductive
    – https://www.philvenables.com/post/cybersecurity-the-winner-s-game-and-the-loser-s-game

  7. Secure Open Source Rewards program launched to help protect critical upstream software – We cover bug bounty programs and reports at least every month. I always bring up the question about what it costs to fix these flaws since the award levels from bug bounties show the value of finding them. (Notably, the awards don’t equate to the time required to find them, just their impact.)

    The https://sos.dev program now offers awards to the fixing side of the equation. It’s still focused on the value of the hardening or security improvement as opposed to the effort involved, but it’s a great step towards creating incentives to build better software.