This week in the Application Security News, Mike and John cover the following news stories: Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access, Dropbox bug bounty program has paid out over $1,000,000, Report Pins Cloud Security Woes on Flawed DevOps Processes, Ghost in the shell: Investigating web shell attacks, An Incident Impacting your Account Identity, and Some Google Photos videos in ‘Takeout’ backups were sent to strangers last November.
Visit https://www.securityweekly.com/asw for all the latest episodes!
To learn more about our sponsors visit: The Security Weekly Sponsor’s Page
WhatsApp Flaw, Dropbox Bug Bounty Program, Investigating Web Shell Attacks
Flaws, Breaches, & Threats
- Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access
- Dropbox bug bounty program has paid out over $1,000,000. It’s not exactly a goal of programs to reach payout milestones quickly, but it is good to see this kind of information sharing in addition to awarding researchers.
- Boeing’s 2nd Starliner software glitch could have led to an in-space collision
- LINEAR EMERGE E3 ACCESS CONTROLLER ACTIVELY BEING EXPLOITED
Cloud, Code & Controls
- Report Pins Cloud Security Woes on Flawed DevOps Processes. This doesn’t mean infrastructure as code is flawed, just that writing any code is prone to flaws and DevOps teams must have automation and processes to minimize and find mistakes.
Learning & Tools
- Ghost in the shell: Investigating web shell attacks. Appsec doesn’t end once you’ve deployed your code, you need to monitor it and respond to events.
Food for Thought
- An Incident Impacting your Account Identity from Twitter, which highlights yet another type of API abuse that must be addressed by more than just following top 10 lists.
- Some Google Photos videos in ‘Takeout’ backups were sent to strangers last November, which shows how data access controls must be in place throughout the lifetime of data.
- Our next webcast is February 13th with Sri Sundaralingam, Vice President, Product and Solutions Marketing at ExtraHop where we will discuss Cloud Native Network Detection and Response! Register for our upcoming webcasts by visiting securityweekly.com, selecting the webcast drop down from the top menu bar and clicking registration.
- Join us at InfoSecWorld 2020 – March 30 – April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!
- Attend RSA Conference 2020, February 24-28 in San Francisco, CA! Visit securityweekly.com/rsac2020 to sponsor an interview with us on-site at the conference or register using our code to save $150!