Application Security Weekly Episode #213 – September 26, 2022

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Show, Don’t Tell, Your Developers How To Write Secure Code – 12:30 PM-01:00 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Description

Applications are the most frequent external attack vector for companies. However, application security can improve only if developers either code securely or remediate existing security flaws — unfortunately, many don’t receive training with proper security know-how. In this session, we will talk about the state of application security education and what you can do to secure what you sell.

Segment Resources:
https://www.forrester.com/blogs/school-is-in-session-but-appsec-is-still-on-vacation/?ref_search=3502061_1663615159889
https://www.wisporg.com/events-calendar/2022/11/8/security-amp-risk-conference-forrester
https://www.veracode.com/events/hacker-games
https://blogs.microsoft.com/blog/2021/10/28/america-faces-a-cybersecurity-skills-crisis-microsoft-launches-national-campaign-to-help-community-colleges-expand-the-cybersecurity-workforce/

Guest(s)

Janet Worthington

Janet Worthington – Senior Analyst for Security at Forrester Research

@janetworthing

Janet Worthington is a Senior Analyst for Security & Risk at Forrester. Janet covers product security, software supply chain, open source security and DevSecOps. Janet’s background is in product management and application security.

Hosts

Mike Shema

@Codexatron

Security Partner at Square

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. Authz Bypass in Oracle Cloud, Chrome Prototype Pollution, Why Security Products Fail – 01:00 PM-01:30 PM

Announcements

  • Don’t forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

Wiz reveals authorization bypass in Oracle Cloud, Python’s 15-year-old path traversal flaw, Prototype Pollution in Chrome, PS4 flaw reappears in PS5, Why security products fail

Hosts

Mike Shema

@Codexatron

Security Partner at Square

  1. Notice of Recent Security Incident – In brief: protect developer endpoints with strong MFA implementations like FIDO2 security keys.
  2. AttachMe: critical OCI vulnerability allows unauthorized access to customer cloud storage volumes – Ouch. The Wiz research team turned their eyes towards Oracle cloud and found a simple, and highly critical, authorization bypass.
  3. Twitter discloses it wasn’t logging users out of accounts after password resets – Working through the security model of login flows — including account recovery and credential rotation — requires more discussion than just the type of MFA to support.
  4. Tarfile path traversal bug from 2007 still present in 350k open source repos – Of course this one has to be covered. It’s path traversal in Python that’s been around for 15 years.

    Read the research at https://www.trellix.com/en-us/about/newsroom/stories/research/tarfile-exploiting-the-world.html

  5. Prototype pollution bug in Chromium bypassed Sanitizer API – This is a good chance to talk about security boundaries, where to place them, and what their expectations should be for bugs and features.
  6. Sony Reintroduced a PS4 Bug on PS5 Which Could Have Led to a Jailbreak – We’ve been talking about testing a lot lately, specifically unit and functional testing by developers. This isn’t the first time a vuln has been reintroduced, so it’s always useful to ask how the fix for the original vuln was tested and how that test was (or wasn’t) carried forward through the software’s evolution.
  7. Why do security products fail? – Our think piece for the month, which highlights toil, poor UX for devs, and lack of value (aka measurable effectiveness) in security solutions.
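
The tarfile item above is about extraction code trusting member names that contain `..` (or link targets that point outside the destination). The following is an added example, not code from the show, from Trellix or from CPython, showing the containment check a defender would put in front of `extractall()`: it builds a small archive in memory (constructed sample data), lists every member that would land outside the target directory, and refuses to extract if any are found. The helper names (`build_sample_archive`, `escaping_members`, `safe_extract`, `demo`) are this example's own.

```python
import io
import os
import tarfile
import tempfile


def build_sample_archive(include_escape: bool = True) -> bytes:
    """Build a tiny tar archive in memory (constructed sample data, not a real
    artefact). It holds one benign member and, optionally, one whose name
    climbs out of the extraction directory with '..', the path-traversal shape
    the Trellix write-up describes."""
    entries = [("docs/readme.txt", b"hello\n")]
    if include_escape:
        entries.append(("../../outside.txt", b"escaped\n"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in entries:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def escaping_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Return the names of members whose final location would be outside dest.
    This is the containment check that tarfile.extractall() historically did
    not perform on the caller's behalf."""
    dest_real = os.path.realpath(dest)
    bad = []
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest_real, member.name))
        # commonpath respects separators, so 'dest-evil' is not accepted as
        # a child of 'dest' the way a plain startswith() prefix test would.
        if os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(member.name)
            continue
        # Links can also reach outside dest: a symlink target is relative to
        # the link's own directory, a hardlink target to the archive root.
        if member.issym() or member.islnk():
            base = os.path.dirname(target) if member.issym() else dest_real
            link_target = os.path.realpath(os.path.join(base, member.linkname))
            if os.path.commonpath([dest_real, link_target]) != dest_real:
                bad.append(member.name)
    return bad


def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Extract the archive only if every member stays inside dest. On any
    violation nothing is written and the offending names are returned so the
    caller can log or alert on them."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        bad = escaping_members(tar, dest)
        if bad:
            return bad
        tar.extractall(dest)
    return []


def demo(include_escape: bool = True) -> list[str]:
    """Run the check against the constructed archive in a scratch directory."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_sample_archive(include_escape), dest)


if __name__ == "__main__":
    print("rejected members:", demo())       # ['../../outside.txt']
    print("rejected members:", demo(False))  # []
```

The check is done over the whole member list before anything is written, so a rejected archive leaves no partial extraction behind to clean up. Python 3.12 (with backports to the maintained 3.8 to 3.11 releases) added an extraction `filter` argument, `tar.extractall(dest, filter="data")`, that rejects such members itself; the explicit check above is for code that cannot yet rely on that, and for logging which member triggered the rejection.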
John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

  1. Is a Rust rewrite really worth it? – p99 conf is coming up, and TNS offers a preview of 2 talks which talk through the experience of rewriting code into Rust.
  2. Does web3 really need its own bug bounty platforms? – TC covered the series A funding of Immunefi, a bug bounty platform for web3 (apparently one of many). But the question that this brings to me: do we really need a separate bounty platform?
  3. BGP attack results in $235k crypto loss – I don’t think historically we’ve seen many BGP attacks have direct financial consequences, but as we have a more automated world and things like the web3 space, these attacks can become more and more costly.
  4. How to bypass Cloudflare bot management – Great article that digs into figuring out how Cloudflare attempts to protect against bots, and how to navigate around those protections.
  5. So some companies prefer to use less popular languages… – Interesting article that’s on a career site: many large financial institutions like to use either their own, or public but less popular, languages.
    GS: Slang
    MS: A+
    Bridgewater supposedly has their own thing
    Jane Street: OCaml

    unexpected, but interesting…

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element