Why Companies Continue to Struggle with Supply Chain Security – Melinda Marks – ASW #283
1. Why Companies Continue to Struggle with Supply Chain Security – Melinda Marks – ASW #283
Companies deploy tools (usually lots of tools) to address different threats to supply chain security. Melinda Marks shares some of the chaos those companies still face when trying to prioritize investments, measure risk, and scale their solutions to keep pace with their development teams. Not only are companies still figuring out supply chain security, but now they're bracing for the arrival of genAI and how it will further highlight the struggles they already have with data security and data privacy.
Segment Resources: Complete Survey Results: The Growing Complexity of Securing the Software Supply Chain https://research.esg-global.com/reportaction/515201781/Toc
Announcements
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
Google has announced that they will be shutting down the Google Podcasts platform in mid-2024. To ensure that you don't lose access to the Security Weekly content you know and love, please make sure that you subscribe to your favorite podcast feeds on an alternative platform such as Spotify, YouTube Music, Amazon Music, Apple Podcasts, Overcast, Podcast Addict, PocketCasts, or anywhere else you listen to podcasts! Visit securityweekly.com/subscribe to find the buttons to subscribe to each show now!
Guest
Melinda Marks is the cybersecurity practice director at Enterprise Strategy Group, a leading IT analyst, strategy, and research firm, where she leads the cybersecurity analyst team and drives new research to provide insight on key cybersecurity topics and trends. Her coverage area includes cloud-native application protection platforms, cloud workload protection, cloud security posture management, DevSecOps, and application security, including web application security testing (SAST, DAST, IAST, SCA) and API security. She has over 20 years of experience in tech marketing and strategy. Most recently, she was chief marketing and strategy officer for Soluble, a startup focused on automating application security testing for developers (acquired by Lacework). She was also VP of Marketing at Armorblox, VP of Marketing at Styra, and head of marketing for StackRox (acquired by Red Hat). Her experience includes running competitive/market intelligence and product marketing teams at Tenable and running global communications for four years at Qualys. She also has a background in infrastructure from working at VMware, where she ran their original customer reference program, and later ran US PR.
2. Random Problems, Protecting Packages, and Vulns in Designs, Defaults & Data Leaks – ASW #283
Misusing random numbers, protecting platforms for code repos and package repos, vulns that teach us about designs and defaults, and more!
Announcements
On the evening of Monday, May 6, 2024, W2 Communications and CyberRisk Alliance are bringing CYBERTACOS back to San Francisco! If eating FREE tacos, sipping on margaritas and mingling with cyber professionals from all over the world sounds good to you, make sure to register to secure your spot! Visit securityweekly.com/cybertacos to RSVP today!
Security Weekly listeners: Join the digital identity community at the ARIA Resort & Casino in Las Vegas, May 28 – 31. The 15th annual Identiverse will bring together over 3,000 security professionals for 4 days of world-class learning, engagement, and entertainment.
As a community member, receive 25% off your Identiverse 2024 tickets using code IDV24-SW25!
Register today: securityweekly.com/idv2024
- 1. iSharing data leak vulnerability
This article goes into my favorite category of nicely explained write-up and well-considered risks that point out issues that don't need to be fixed vs. those that do.
- 2. Dangerous Import: SourceForge Patches Critical Code Vulnerability
Package and source repos are prime targets. We've seen many push for added security, like requiring phishing-resistant MFA for maintainers. This vuln stood out not exactly because of the file-read vuln, but because the file read could reach the signing key used for sessions, which led to a serialization attack.
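To make the "file read reaches the signing key" chain concrete, here is an added example (not SourceForge's code and not from the article) of a minimal signed-session scheme. Without the key, an attacker who swaps the session body keeps a tag that no longer verifies; with the key, a forged session verifies like a real one. The key, claims and helper names are all constructed for the demo. Because the payload here is JSON and is verified before it is parsed, the worst case is forged claims; the same forgery against a pickle-style session format is what turns a key leak into a serialization attack.

```python
import base64
import hashlib
import hmac
import json


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def sign_session(claims: dict, key: bytes) -> str:
    """Serialise claims as JSON and append an HMAC-SHA256 tag computed under `key`."""
    body = _b64e(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (body + b"." + _b64e(tag)).decode()


def load_session(token: str, key: bytes):
    """Return the claims only if the tag verifies, otherwise None.

    The tag is checked before anything is deserialised, and the body is JSON,
    so a forged token can carry forged claims but never code.
    """
    body, sep, tag = token.encode().rpartition(b".")
    if not sep or not body or not tag:
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64d(tag)):
            return None
        return json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        # binascii.Error (bad base64) is a ValueError subclass
        return None


def tamper_without_key(token: str, new_claims: dict) -> str:
    """An attacker without the key: swap the body, keep the old tag."""
    _, _, tag = token.rpartition(".")
    body = _b64e(json.dumps(new_claims, sort_keys=True).encode()).decode()
    return f"{body}.{tag}"


def forge_with_leaked_key(leaked_key: bytes, new_claims: dict) -> str:
    """The same attacker after a file-read bug exposes the key: mint a fresh, valid token."""
    return sign_session(new_claims, leaked_key)


def demo() -> dict:
    # Constructed key for illustration only. A real key comes from
    # secrets.token_bytes(32) and must live outside any path a file read can reach.
    key = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
    alice = sign_session({"user": "alice", "role": "member"}, key)
    tampered = tamper_without_key(alice, {"user": "alice", "role": "admin"})
    forged = forge_with_leaked_key(key, {"user": "alice", "role": "admin"})
    return {
        "legit": load_session(alice, key),      # accepted
        "tampered": load_session(tampered, key),  # rejected: tag no longer matches
        "forged": load_session(forged, key),    # accepted: attacker has the key
    }


if __name__ == "__main__":
    print(demo())
```

The practitioner takeaway is that a file-read bug's severity is set by what is readable: a session key on disk next to the web root is effectively a password to every account, and the fix is to rotate the key as well as patch the read.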
- 3. CVE-2024-4040 | AttackerKB
CrushFTP dates back to the late 90s, which partially explains this phrase from the CVE writeup: “…the default configuration uses reversible DES encryption for passwords...”
These long-lived apps always make me wonder what's the breaking point for a re-design. Not a refactor, but a complete revisit of an app's design and defaults.
- 4. Passbolt: a bold use of HaveIBeenPwned – Quarkslab’s blog
The blog has the perfect line for why it caught my attention. It's an "…example of the dangers of designing a cryptographic protocol with a deemed acceptable risk, being used in an unforeseen way such that the risk becomes suddenly unacceptable."
And it's not even a complicated protocol! Just an API that leaks info in an unexpected manner.
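As an added example (not Quarkslab's code, and not a reproduction of their specific finding), here is the range-query protocol that HaveIBeenPwned's Pwned Passwords API uses, with both sides simulated offline against a constructed five-entry "breach corpus". The client hashes the password with SHA-1, sends only the first five hex characters (20 bits), and matches the remaining 35 characters locally. That leaks 20 bits of a 160-bit hash, which is the "deemed acceptable risk" when the secret is a human-chosen password drawn from a huge space. The last function shows the other side of that trade: to an observer who already holds a small candidate set, 20 bits is enough to discard almost everything.

```python
import hashlib

# Constructed stand-in for a breach corpus: password -> times seen. Not HIBP data.
BREACH_CORPUS = {
    "password": 9_000_000,
    "123456": 37_000_000,
    "letmein": 700_000,
    "qwerty": 10_000_000,
    "hunter2": 30_000,
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Server-side index: 5-hex-char prefix -> list of (35-char suffix, count)."""
    index = {}
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


def range_endpoint(index: dict, prefix: str) -> str:
    """Server side: answer a prefix with every matching suffix and count, one
    'SUFFIX:COUNT' per line, the shape of GET /range/{prefix}."""
    prefix = prefix.upper()
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    return "\n".join(f"{suffix}:{count}" for suffix, count in index.get(prefix, []))


def check_password(index: dict, password: str) -> int:
    """Client side: transmit only the prefix, compare suffixes locally.
    Returns the breach count, 0 if the password is not in the corpus."""
    digest = sha1_hex(password)
    for line in range_endpoint(index, digest[:5]).splitlines():
        suffix, count = line.split(":")
        if suffix == digest[5:]:
            return int(count)
    return 0


def candidates_matching_prefix(observed_prefix: str, candidates) -> list:
    """What the query reveals to whoever sees it (the API operator or anyone on
    path): of a candidate set the observer already holds, only those whose SHA-1
    starts with the observed 20-bit prefix survive, roughly one in a million."""
    observed_prefix = observed_prefix.upper()
    return [c for c in candidates if sha1_hex(c)[:5] == observed_prefix]


if __name__ == "__main__":
    idx = build_range_index(BREACH_CORPUS)
    print("hunter2 seen", check_password(idx, "hunter2"), "times")
    print("survivors:", candidates_matching_prefix(sha1_hex("hunter2")[:5], BREACH_CORPUS))
```

The protocol is sound for its intended input; the lesson from the blog is that reusing it for anything an adversary can enumerate (short secrets, machine-generated values from a known generator, anything with a small candidate set) changes the arithmetic without changing a line of the protocol.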
- 5. GitHub – spawnmason/randar-explanation: “Randar” is an exploit for Minecraft which uses LLL lattice reduction to crack the internal state of an incorrectly reused java.util.Random…
Some apps have uses for a deterministic random number generator and for reusing seeds. Sometimes those apps also have a need for "more" random (or cryptographically secure random) when the use cases relate to privacy or security. At no time is it ever useful to mix up the two use cases.
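An added example (not the Randar authors' code) of why a seedable, deterministic generator must never be used for anything security-relevant. This is a Python model of java.util.Random's 48-bit linear congruential generator with Java's constants. nextInt() returns the top 32 of 48 state bits, so two consecutive outputs pin the state down to 65,536 candidates, and brute force recovers the generator and every value it will produce next. Randar's LLL lattice attack handles the harder case of truncated outputs; the full-output case shown here is the simpler version of the same underlying fact. The seed is constructed for the demo and the attack never needs it.

```python
MULT = 0x5DEECE66D
ADD = 0xB
MASK = (1 << 48) - 1


class JavaRandom:
    """Model of java.util.Random: same LCG constants and same seed scramble."""

    def __init__(self, seed: int):
        self.state = (seed ^ MULT) & MASK

    @classmethod
    def from_state(cls, state: int) -> "JavaRandom":
        rng = cls.__new__(cls)
        rng.state = state & MASK
        return rng

    def next_bits(self, bits: int) -> int:
        self.state = (self.state * MULT + ADD) & MASK
        value = self.state >> (48 - bits)
        # Java returns a signed 32-bit int; mirror that so outputs compare equal.
        return value - (1 << 32) if value >= (1 << 31) else value

    def next_int(self) -> int:
        return self.next_bits(32)


def recover_states(out1: int, out2: int) -> list:
    """Given two consecutive nextInt() outputs, return every 48-bit state that
    could have produced them. out1 is the top 32 state bits, so only the low
    16 bits are unknown: 65,536 candidates, each checked against out2."""
    high = (out1 & 0xFFFFFFFF) << 16
    want = out2 & 0xFFFFFFFF
    found = []
    for low in range(1 << 16):
        candidate = high | low
        following = (candidate * MULT + ADD) & MASK
        if following >> 16 == want:
            found.append(following)  # state after producing out2
    return found


def predict_following(out1: int, out2: int, count: int) -> list:
    """Recover the generator from two observed outputs, then produce the next `count` ints."""
    states = recover_states(out1, out2)
    if len(states) != 1:
        raise ValueError(f"{len(states)} candidate states; a third output would disambiguate")
    rng = JavaRandom.from_state(states[0])
    return [rng.next_int() for _ in range(count)]


def demo() -> bool:
    """Victim draws from a seeded generator; attacker sees two values, predicts the next five."""
    victim = JavaRandom(20240501)  # constructed seed for the demo
    observed = [victim.next_int() for _ in range(2)]
    actual_next = [victim.next_int() for _ in range(5)]
    predicted = predict_following(observed[0], observed[1], 5)
    return predicted == actual_next


if __name__ == "__main__":
    print("prediction matched:", demo())
```

For anything tied to privacy or security (tokens, session IDs, positions you do not want tracked) the generator has to be a CSPRNG such as java.security.SecureRandom or Python's secrets module, whose state cannot be recovered from its outputs; keep the seedable generator for the reproducible-world use case and never let the two share an instance.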
- 6. GitHub Advisory Database
Almost every week I come across a mention in Risky Biz about some number of new malware discovered in NPM or PyPI packages. It's about as routine and as interesting as new CVEs or CISA's updates to its KEV list.
With the push for these package repos to require MFA, it makes me wonder what the underlying cause is for the packages to have included malware. Is MFA adoption not at 100%? Is it some other type of account takeover? Is there some other root cause that these repos could address?
- 7. NASA’s Voyager 1 Resumes Sending Engineering Updates to Earth
It's been too long since we covered a space-related article. I don't think there's any appsec metaphor to find here. Just very cool software engineering.
- 1. An abandoned, buggy PHP encryption library gets forked
Slightly unfortunate scene over on the OSS Security mailing list: Some researchers tried to get the PHP ECC library to patch a bug from 2021. After getting no response (last commit was 4 years ago), they've gone ahead and forked the project.
So now developers get to play the game of "which library should we be using?"
- 2. AV software using HTTP for updates used to distribute malware
This is a great writeup of something many of us would have stopped at after mentioning antivirus software using HTTP for updates and casting the appropriate amount of side-eye.
- 3. UK tries to make bad default passwords illegal
(I could link directly to the law, but ain't nobody going to read that, so here's an article from El Reg)
Shipping devices with easily guessable default passwords is now illegal in the UK. Say "thank you" to your government representatives!
Also, a reminder to put those default passwords somewhere safe, because in a few years Googling for "default password netgear router" will no longer be of value...
- 4. Arbitrary code execution in R due to deserialization bug
R, the scientific programming language that was very popular in the earlier days of this machine learning wave, has a deserialization bug in the code that loads its serialized data format (RDS).
This writeup feels a little more targeted: they were looking for an exploit in R and kept digging around until they found one, as opposed to a more casual researcher. That makes for an interesting writeup, as they talk through the hunt while they explore the language...