ASW #237 – Ben Sadeghipour

Another project in the .dev domain family of resources for appsec teams and developers. This seems most useful as a means of answering "Am I affected?" when the next popular poisoned package like log4j comes along.

Another project to keep an eye on is securityscorecards.dev, although I'd suggest looking at it in terms for configuration baselines for your own internal repos rather than trying to keep up to date on dependencies.

I don't know if John Deere is the Ferrari of tractors, but this article continues our coverage of wheeled vehicle hacking.

Lots of agricultural device hacking was presented at DEF CON 2022 by sick.codes. Check out their tutorials for more technical write-ups about security issues in this space.

CISA and friends have a guide about security from the design of apps and as a default for apps. It should be an important read for anyone building software or providing advice on the security of software. It's also the kind of guidance that lists like the OWASP Top 10 should be striving for.

The whole thing is worth reading (and it's quick), but my favorite line is, "A secure configuration should be the default baseline."

Check out the guide (PDF).

This brief article refers to some useful tools for inspecting WebSockets traffic.

Adversarial artwork against training models. Glaze offers a way for artists to perturb their images in ways that are mostly-to-sort-of unnoticeable to humans, but noisy and confusing to AI training models.

We'll return to this when the team publishes a more technical deep-dive, but it's worth highlighting now how security engineering is protecting users via a relatively complex mechanism that -- importantly -- does not create a complex cognitive burden for the end user. In other words, this approach improves confidence in the confidentiality of messages without adding to already cumbersome solutions that require user actions that no users consistently adhere to.

Read this tweet thread by Matthew Green for a summary of why this will have a positive impact to users and how it represents cool cryptographic engineering.

Here's an article of what's possible without a commensurate commentary of what's probable -- or how many modern devices protect against certain forms of "juice jacking". (Apple's USB restricted mode is one example.)

Despite the decent alliteration, it's a tedious term for an attack that hasn't been apparent in practice at any meaningful scale. And it hopefully won't start appearing on top 10 lists by the end of 2023.

Keep your device patched. Keep it charged. Enjoy.

The CFP for fwd:cloudsec is still open. You have until Friday, April 28 at 23:59pm Pacific Time (GMT-8) to submit.

We've covered a presentation or two from here in the past. Their CFP page is also an excellent example of providing clear, explicit guidance on the type of presentations they're looking for and what they're not looking for.

A collection of resources for putting together an Android testing toolbox.

An extension that might be useful to all the bug bounty researchers out there.

From its README, "Discover hidden debugging parameters and uncover web application secrets with debugHunter. This Chrome extension scans websites for debugging parameters and notifies you when it finds a URL with modified responses. The extension utilizes a binary search algorithm to efficiently determine the parameter responsible for the change in the response."

Not really much to cover here at the moment, but taking this opportunity to start coining all the space-related buzzwords and references now for the future of space-based appsec.

DevSpaceOps, Top 10 Space Risks, and expecting at least a dozen conference talks with titles that include "space girls", "final frontier", and "no one can hear you scream". Maybe we'll start a bingo prediction card to see what 2024 and beyond brings to this space.

This feels a little light, but still a good start to securing devices related to our health