All the News – Just Six Months Later – Application Security Weekly #265
1. All the News — Just Six Months Later – ASW #265
We cover appsec news on a weekly basis, but sometimes that news is merely about the start of a new project, sometimes it's yet another example of a vuln class, and sometimes it's a topic we hope doesn't become a trend.
So, what themes have we seen and where do we see them going? Here are a few headline topics that have alternately generated yays and yawns.
- CISA's Secure by Design and Secure by Default
- CVSS 4.0
- Generative AI
- MFA mandates
- Microsoft, Rust, and Memory Safety
- New TLDs
- OAuth
- OpenSSF and OWASP
2. Extracting Data from ChatGPT, Vulns Around AI, Secure AI Guidance, LogoFAIL, BLUFFS – ASW #265
Repetition extracts data from ChatGPT, more vulns in the software that surrounds AI, guidelines for secure AI, LogoFAIL trips a boot, BLUFFS attack on Bluetooth, CISA's first secure by design alert, Okta's updated breach disclosure, and more!
- 1. Extracting Training Data from ChatGPT
As Duran Duran might say, "Please, please tell me now". Or rather "please, please, please, please" repeated a few dozen times before ChatGPT tells you some of its verbatim training data.
Check out the research paper, https://arxiv.org/abs/2311.17035 (PDF).
- 2. Ray, Versions 2.6.3, 2.8.0 | Bishop Fox
- 3. UK and US develop new global guidelines for AI security
Read the guidelines here.
- 4. CISA Releases First Secure by Design Alert
- 5. The Far-Reaching Consequences of LogoFAIL | Binarly – AI-Powered Firmware Supply Chain Security Platform
- 6. BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses | Daniele Antonioli
The Bluetooth SIG's recommendations.
- 7. October Customer Support Security Incident – Update and Recommended Actions
Good for transparency, not good for all customers. The practical consequences to customers seem minimal, but the reputational consequences to Okta remain.
There's also so little transparency elsewhere that it's hard to put this breach into perspective in terms of how long it took to investigate and how much the disclosure was revised based on ongoing analysis. It doesn't feel like this situation is out of the ordinary.
Overall, the industry still needs less sso.tax and more strong MFA adoption -- including resilience for multi-tenant systems and processes that are resistant to social engineering.
- 8. TOOL: Nikto 2.5.0 Released!
Wow -- Nikto is still under (sort of) active development!
Less wow -- Nikto is still written in Perl.
- 1. RCE in Splunk Enterprise
Everybody's favorite most expensive web grep has a remote code execution vulnerability where a malicious user can upload an XSLT that results in remote code execution. Nathan digs into the vuln and reverse engineers a PoC in his first blog post!
- 2. 40 years of Turbo Pascal
What language did you start with?
- 3. IBM announces WatsonX code assistant
IBM is previewing their "enterprise grade AI code generation" in Watsonx code assistant - looks like a plugin for VSCode.