Grab A Sword – ASW #145

Announcements

• We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!

• If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Guest

Andrew van der Stock

Executive Director at OWASP Foundation

Andrew is a seasoned web application security specialist and enterprise security architect. He is the Executive Director at OWASP, taking the Foundation through organizational change and taking our mission to the next level. Andrew has worked in the IT industry for over 25 years. Andrew has researched and developed the web application security and architecture fields since 1998. He is a Lifetime member of OWASP, former Director, and co-leads the OWASP Application Security Verification Standard and OWASP Top 10 projects. An Australian ex-pat of Melbourne and Sydney, he currently lives in the USA with his family.

Hosts

Mike Shema

Tech Lead at Block

John Kinsella

Senior Engineering Leader at AWS

@jlk_

Announcements

• Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

• Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Hosts

Mike Shema

Tech Lead at Block

1. 1. TikTok vs Douyin — A Security and Privacy Analysis
   A technical analysis of two social media apps that uses reverse engineering and traffic analysis to gather information on how well the apps handle privacy and security, as well as potential abuse for censorship. It's aimed at providing technical information to inform policy decisions. It also serves as a great template for analyzing and documenting privacy and security aspects of a mobile app, with methodologies that any appsec team could benefit from.
2. 2. SolarWinds Experimenting With New Software Build System in Wake of Breach
   SolarWinds serves as a good thought exercise for establishing a chain of trust throughout a CI/CD pipeline. We've mentioned reproducible builds and and signing deployed artifacts. The pressing security question is how do you gain confidence that the code your developers wrote was ultimately what produced the artifact you built? This raises more questions throughout the pipeline in terms of identity, access controls, and observability of every step that has the potential to influence how code is built and packaged.
3. 3. SaltStack: further injection vulnerabilities
   We sometimes see security patches that need patches -- situations where the original patch addressed a symptom, but missed an underlying design flaw or didn't go deep enough into understanding the original issue. While this particular vuln may not be that impactful, it shows how developers can still make subtle mistakes in the ubiquitous feature of parsing command-line arguments.
4. 4. Un-bee-lievable Performance: Fast Coverage-guided Fuzzing with Honeybee and Intel Processor Trace
   An insight into the engineering that went into turning Intel Processor Trace from performance penalty to advantageous assistant for coverage-guided fuzzing. It's a benefit that makes a lack of source code less of a liability when fuzzing for flaws.
5. 5. Organizations rush to restrict new Slack Connect feature fearing security threats
   Securing software against injection flaws and the types of vulns that show up in top 10 lists doesn't mean the software is secure for users. This is a good lesson in expanding threat models to how well your software secures the user experience, especially in apps designed for social interaction.
6. 6. Secure containerized environments with updated threat matrix for Kubernetes
   How do we communicate that "security is better" or convey the value that security can deliver? This is a brief article that focuses on a handful of k8s changes, from better defaults to new types of attack vectors. Yet it's grounded against a useful framework, MITRE ATT&CK, and only needs to make simple points to demonstrate where security teams might invest their efforts.
7. 7. Analyzing attacks taking advantage of the Exchange Server vulnerabilities
   In the time you've (hopefully!) saved by not running Exchange servers and hence having to go through the patch scramble, you could be running a "premortem" or tabletop exercise on how resilient your app environment might be to the types of post-exploitation activities documented in the Exchange server attacks. How well does your environment detect, prevent, or respond to arbitrary file writes, privilege escalation, arbitrary command execution, and data exfiltration?

John Kinsella

Senior Engineering Leader at AWS

@jlk_

1. 1. Netmask npm library incorrectly parses octal IPs
   It turns out web browsers and such will parse an IP address with a leading 0 as octal. The netmask library doesn't, which could lead to SSRF and other interesting attacks
2. 2. Finding undocumented x86 instructions on modern processors
   Back in The Day, one could iterate through instruction codes, looking for undocumented cpu instructions. Nowadays that's a painful process that can cause crashes, lockups, etc. Here's a way to leverage speculative execution to make the search easier