ASW #189 – Alvaro Muñoz
1. Helping Secure OSS Software – Alvaro Munoz – ASW #189
Past research such as JNDI injection, unsafe deserialization, and Struts RCEs
OSS security: CodeQL, Dependabot, collaboration between researchers and developers, OWASP Top Ten Proactive Controls, coordinated vulnerability disclosure (CVD) for OSS
Segment Resources:
- Write more secure code with the OWASP Top 10 Proactive Controls
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Guest
Alvaro Muñoz works as a Principal Security Researcher on the GitHub Security Lab team. Previously he worked as an Application Security Consultant helping top enterprises deploy their application security programs. He is passionate about web application security, where he has focused most of his research. Muñoz has presented at many security conferences, including Black Hat, DEF CON, RSA, OWASP AppSec EU and US, and JavaOne, and holds several infosec certifications, including OSCP, GWAPT, and CISSP.
2. A Great Escape, Peace Not War, & How to Burp Good – ASW #189
This week in the AppSec News: A great escape isn't always as great as it sounds, Solana cryptocurrency logic isn't always as great as intended, some people's idea of "peace" isn't that great at all, and some great security suggestions for package maintainers.
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
- 1. Solana vulnerability ELI5
  Often with cryptocurrencies, things are so complex that it can be difficult to unravel exactly what a vulnerability is and how it's exploited, especially for those of us who are not really into crypto. Here's a simple Reddit post that plainly describes a recent vuln on Solana.
- 2. OpenSSL bug could result in client DoS
  A bug in OpenSSL's function for computing modular square roots could result in a client-side DoS when parsing elliptic curve public keys crafted with invalid parameters. Of note, this function is reached when decompressing elliptic curve points, which is why a crafted key or certificate carrying explicit curve parameters can trigger it.
- 3. Security for package maintainers
  We talk about open source supply chain security, but here's a post talking through what that means to a maintainer of Python packages.
- 4. How to Burp good
  At least for me, when I use Burp Suite I'm almost always just using a tiny fraction of its capabilities. While several years old, here's a post with some good suggestions on how to get more out of Burp. (h/t tl;drsec)
- 5. Peacenotwar module brings not-peace to the Vue community
  A developer decided to protest the war in Ukraine by modifying an npm package he maintains to target systems in Russia that attempt to use the package. What can Node do about this? Should maintainers lose all privileges when they pull a stunt like this?
- 6. Cr8escape vulnerability in CRI-O comes from new functionality
  In version 1.19 of CRI-O, one of the container runtimes used with Kubernetes, functionality was added to allow a user to pass sysctl settings when creating a container. With this feature, any sysctl options were accepted without filtering or validation. As a PoC, the researchers show modifying the kernel's configuration for what to do during a core dump (run a malicious program).
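The failure mode behind item 2, as an added example that is not OpenSSL's code: a Tonelli-Shanks modular square root written on the assumption that the modulus is prime can spin forever on a composite modulus, because the inner search for a smaller exponent never finds one. The version below bounds every search and verifies the result, so a bad modulus yields an error instead of a hang. The inputs are constructed: n = 16 and p = 85 = 5 * 17 are chosen so that the Euler criterion passes and a "non-residue" is found, yet the main loop cannot converge; an unguarded implementation does not return on them.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

var (
	one = big.NewInt(1)
	two = big.NewInt(2)
)

// ModSqrtBounded returns r with r*r == n (mod p) via Tonelli-Shanks.
// Unlike the textbook algorithm it never trusts p to be prime: the
// non-residue search and the exponent search are both bounded and the
// final result is checked, so a composite p produces an error.
func ModSqrtBounded(n, p *big.Int) (*big.Int, error) {
	if p.Sign() <= 0 || p.Bit(0) == 0 {
		return nil, errors.New("modulus must be an odd positive integer")
	}
	n = new(big.Int).Mod(n, p)
	if n.Sign() == 0 {
		return big.NewInt(0), nil
	}
	pm1 := new(big.Int).Sub(p, one)
	half := new(big.Int).Rsh(pm1, 1)
	// Euler's criterion: for prime p, n^((p-1)/2) == 1 exactly when n is a residue.
	if new(big.Int).Exp(n, half, p).Cmp(one) != 0 {
		return nil, errors.New("n is not a quadratic residue (or p is not prime)")
	}
	// Write p-1 = q * 2^s with q odd.
	q := new(big.Int).Set(pm1)
	s := 0
	for q.Bit(0) == 0 {
		q.Rsh(q, 1)
		s++
	}
	// Bounded search for a non-residue z (z^((p-1)/2) == -1). For a prime p
	// one turns up among the first few integers with overwhelming probability;
	// for many composites none ever does, so the bound is essential.
	z := big.NewInt(2)
	found := false
	for i := 0; i < 128; i++ {
		if new(big.Int).Exp(z, half, p).Cmp(pm1) == 0 {
			found = true
			break
		}
		z.Add(z, one)
	}
	if !found {
		return nil, errors.New("no non-residue found: p is not prime")
	}
	m := s
	c := new(big.Int).Exp(z, q, p)
	t := new(big.Int).Exp(n, q, p)
	r := new(big.Int).Exp(n, new(big.Int).Rsh(new(big.Int).Add(q, one), 1), p)
	for t.Cmp(one) != 0 {
		// Find the least i in [1, m) with t^(2^i) == 1. For prime p it always
		// exists; when it does not, an unguarded loop repeats forever.
		var i int
		tt := new(big.Int).Set(t)
		for i = 1; i < m; i++ {
			tt.Mul(tt, tt).Mod(tt, p)
			if tt.Cmp(one) == 0 {
				break
			}
		}
		if i >= m {
			return nil, errors.New("Tonelli-Shanks did not converge: p is not prime")
		}
		b := new(big.Int).Set(c)
		for j := 0; j < m-i-1; j++ {
			b.Mul(b, b).Mod(b, p)
		}
		m = i
		c.Mul(b, b).Mod(c, p)
		t.Mul(t, c).Mod(t, p)
		r.Mul(r, b).Mod(r, p)
	}
	// A composite p can still slip through with a wrong root: verify.
	if new(big.Int).Exp(r, two, p).Cmp(n) != 0 {
		return nil, errors.New("result failed verification: p is not prime")
	}
	return r, nil
}

func main() {
	r, err := ModSqrtBounded(big.NewInt(10), big.NewInt(13))
	fmt.Println(r, err)
	// Constructed composite case: passes Euler, finds z = 13, then cannot converge.
	r, err = ModSqrtBounded(big.NewInt(16), big.NewInt(85))
	fmt.Println(r, err)
}
```

The lesson is the same one the OpenSSL fix embodies: parsers that hand attacker-supplied curve parameters to number-theoretic routines must not rely on those routines being given a prime, so every loop whose termination depends on primality needs an explicit bound and a final check.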
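The check item 6 says was missing, as an added example that is not CRI-O's own code: sysctls taken from a container spec are validated against an allowlist of namespaced keys and a strict value grammar before being serialised for whatever helper applies them. The allowlist (loosely modelled on the Kubernetes "safe sysctls" set), the "+"-joined encoding, and the function names are assumptions for illustration, and the three container specs are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// allowedSysctls is a hypothetical allowlist of sysctls that are namespaced
// (scoped to the container's own IPC or network namespace), so setting them
// cannot change host-wide kernel state such as kernel.core_pattern.
var allowedSysctls = map[string]bool{
	"kernel.shm_rmid_forced":              true,
	"net.ipv4.ip_local_port_range":        true,
	"net.ipv4.ip_unprivileged_port_start": true,
	"net.ipv4.ping_group_range":           true,
	"net.ipv4.tcp_syncookies":             true,
}

var (
	// Keys: dotted lower-case identifiers only.
	sysctlKeyRe = regexp.MustCompile(`^[a-z0-9_]+(\.[a-z0-9_]+)+$`)
	// Values: letters, digits, space (ranges like "32768 60999"), '_', '-', '.'.
	// Separator-like characters ('+', '=', '|', '/', newline) are rejected so a
	// value can never smuggle a second key=value pair into the encoding.
	sysctlValueRe = regexp.MustCompile(`^[A-Za-z0-9_. -]+$`)
)

// EncodeSysctls is the unvalidated, pre-fix style: every entry from the
// container spec is serialised into one "key=value+key=value" string for a
// helper to apply. Nothing here stops kernel.core_pattern from being set.
func EncodeSysctls(sysctls map[string]string) string {
	keys := make([]string, 0, len(sysctls))
	for k := range sysctls {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output; Go map order is random
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+sysctls[k])
	}
	return strings.Join(parts, "+")
}

// ValidateSysctls rejects any key that is malformed or not namespaced and
// any value that could carry an injected setting.
func ValidateSysctls(sysctls map[string]string) error {
	for k, v := range sysctls {
		if !sysctlKeyRe.MatchString(k) {
			return fmt.Errorf("sysctl %q: malformed key", k)
		}
		if !allowedSysctls[k] {
			return fmt.Errorf("sysctl %q: not namespaced, refusing to set it from a container spec", k)
		}
		if !sysctlValueRe.MatchString(v) {
			return fmt.Errorf("sysctl %q: value %q contains forbidden characters", k, v)
		}
	}
	return nil
}

// ApplySysctls is the hardened form: validate first, encode only what passed.
func ApplySysctls(sysctls map[string]string) (string, error) {
	if err := ValidateSysctls(sysctls); err != nil {
		return "", err
	}
	return EncodeSysctls(sysctls), nil
}

func main() {
	// Constructed container specs: one benign, one setting a host-wide key
	// directly, one hiding that key inside an allowed key's value.
	specs := []map[string]string{
		{"kernel.shm_rmid_forced": "1", "net.ipv4.ip_local_port_range": "32768 60999"},
		{"kernel.core_pattern": "|/tmp/payload"},
		{"kernel.shm_rmid_forced": "1+kernel.core_pattern=|/tmp/payload"},
	}
	for _, spec := range specs {
		fmt.Printf("unchecked: %q\n", EncodeSysctls(spec))
		out, err := ApplySysctls(spec)
		fmt.Printf("validated: %q err=%v\n\n", out, err)
	}
}
```

The second and third specs show why an allowlist alone is not enough: once settings are flattened into a string for another process, the value grammar has to exclude whatever that encoding treats as a separator, or an allowed key becomes the carrier for a forbidden one.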