Creating the Secure Pipeline Verification Standard – Farshad Abasi – ASW #274
1. Creating the Secure Pipeline Verification Standard – Farshad Abasi – ASW #274
Farshad Abasi joins us again to talk about creating a new OWASP project, the Secure Pipeline Verification Standard. (Bonus points for not being a top ten list!) We talk about what it takes to pitch a new project and the problems that this new project is trying to solve. For this kind of project to be successful -- as in making a positive impact on how software is built -- it's important to not only identify the right audience, but craft guidance in a way that's understandable and achievable for that audience. This is also a chance to learn more about a project in its early days and the opportunities for participating in its development!
Announcements
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
Guest
Farshad Abasi is the Founder and CEO of Forward Security, bringing over 27 years of industry experience to the forefront of cybersecurity innovation. His professional journey includes key technical roles at Intel and Motorola, evolving into senior security positions as the Principal Security Architect for HSBC Global, and Head of IT Security for the Canadian division. Farshad’s commitment to the field extends to his role as an instructor at BCIT, where he imparts his wealth of knowledge to the next generation of cybersecurity experts.
At Forward Security, Farshad leads the development of the Eureka DevSecOps platform and the delivery of comprehensive security services. His diverse experience, ranging from startups to large enterprises, informs Forward Security’s approach to delivering adaptive, reliable solutions.
Engaged actively in the cybersecurity community through roles in BSides Vancouver/MARS, OWASP Vancouver/AppSec PNW, and as a CISSP designate, Farshad's vision and leadership continue to drive the industry forward. Under his guidance, Forward Security is setting new standards in application and cloud security.
2. PrintListener, Post-Quantum Crypto in iMessage, Silent Sabotage, Rust Survey Results – ASW #274
PrintListener recreates fingerprints, iMessage updates key handling for a PQ3 rating, Silent Sabotage shows supply chain subterfuge against AI models, 2023 Rust survey results, the ways genAI might help developers, and more!
Announcements
Dive deeper into the world of cybersecurity with Security Weekly on Instagram! Follow us @SecWeekly to find exclusive clips, hilarious memes, behind-the-scenes sneak peeks, and more! Stay connected, stay informed, and join our growing community!
- 1. Wyze camera breach let 13,000 strangers look into other people’s homes | ZDNET
I don't recall seeing cache errors on any top ten lists, but I've seen many real-world security events associated with caching problems.
The disclosure from Wyze demonstrates a nice degree of transparency. The precise numbers of affected users and resources imply they have good visibility and logging -- a capability that's a fundamental engineering principle that also aids appsec.
- 2. Your fingerprints can be recreated from the sounds made when you swipe on a touchscreen — Chinese and US researchers show new side channel can reproduce fingerprints to enable attacks | Tom’s Hardware
Cool reconstruction of fingerprints from finger swipes on phones. The research is based on real-world situations, not just an acoustically ideal environment. The success so far is relatively low, about 27% for partial fingerprints and about 10% for complete ones.
Another example where measuring something with increased accuracy creates new and interesting threat scenarios. Not necessarily new in concept, but new in its application.
Check out the paper (PDF).
- 3. iMessage with PQ3: The new state of the art in quantum-secure messaging at scale
Apple's security blog has a rather infrequent publication cycle, so it's nice to see a new post and new details on their security work.
In this case, it's a move to quantum-safe key exchange and key refresh for iMessage conversations. Given the immense size of their user base, it's nice to see this security design being done now. It's also important for the cohort of users (journalists, activists, political opponents) that might be targeted by the threat actors capable of the "collect now, decrypt later" approach.
Not every app needs to move to post-quantum cryptography algorithms now. If you still haven't made the transition to TLS 1.3, it's likely your processes around key management, software updates, and infrastructure design need to be improved first.
Some additional news coverage here.
- 4. Silent Sabotage | HiddenLayer Research
Two great topics that go great together: AI and supply chain.
- 5. 2023 Annual Rust Survey Results
First, some commentary on the article itself. It's notable that the automatic translation fared poorly. And yuck, those pie charts are awful -- poor readability and poor presentation. A table would have been better and, if visualization is important, a horizontal bar chart would have made for more readable labels that would have been easier to compare and easier to order from top (most, longest) to bottom (least, shortest).
On the survey results themselves, it's useful to understand why developers do or do not favor a language and its features. It's cool to see WebAssembly show up fourth in the runtimes being developed for -- although I'd love to know the real-world apps coming out of that work.
- 6. GitHub: AI helps developers write safer code, but you need to get the basics right | ZDNET
I mean, of course GitHub would have the stance that their AI helps developers. As a fancy tab completion, AI-generated code that quickly sets up basic scaffolding or API calls sounds useful and a nice convenience. But I think we'll be relying on developers for quite a long time for business logic and decisions on software design.
- 7. Secure by Design RFI Response from Shortridge Sensemaking LLC
Kelly Shortridge and Ryan Petrich have posted their response to CISA's call for information on Secure Design.
Check out the PDF here.
- 8. Stable Channel Update for Desktop
Chrome now provides the option to disable JIT for improved security. Microsoft did this in Edge about a year ago, noting that the performance impact for users was minimal -- there's a difference between absolute performance numbers and performance that affects real-world sites. It was nice to see a more nuanced discussion about security and performance rather than just repeat a tired trope of the two in constant opposition.
We talked about Microsoft's design choice and its "Super Duper Secure Mode" in Edge last year back in episode 185.
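For anyone who wants to actually turn this on fleet-wide rather than per user, the managed-policy route is the practical one. The following is an added example, not from the Chrome release notes or the episode: it assumes the Chrome enterprise policies DefaultJavaScriptJitSetting (1 = allow, 2 = block) and JavaScriptJitAllowedForSites, and a Linux managed-policy file path; adjust the path for your platform and the site list for your own exceptions.

```json
{
  "_comment": "Example managed policy (assumed path: /etc/opt/chrome/policies/managed/jit.json). Blocks the V8 JIT everywhere, then re-enables it only for sites where the performance hit actually matters. Site patterns below are placeholders.",
  "DefaultJavaScriptJitSetting": 2,
  "JavaScriptJitAllowedForSites": [
    "[*.]intranet-app.example",
    "[*.]maps.example"
  ]
}
```

The default-deny shape matters: starting from "block everywhere, allow by exception" is what keeps the list small and reviewable, and it mirrors the point above that the sites where absolute JIT throughput is noticeable are a short, known set.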
- 9. MORE DETAILS: Anatomy of a CVE
John noted this back in episode 272.
I'm trying a new thing for our list of news articles where I include useful followups and additional reading on a topic, even though we're not likely to cover it on the show.
- 10. MORE DETAILS: https://www.labs.greynoise.io/grimoire/2024-02-what-is-this-old-ivanti-exploit/index.html
Nice, brief write-up related to the recent Ivanti vulns. The researcher breaks down some PHP code and walks through how a cluster of cookies is used to execute code through a backdoor.