Paying Down Tech Debt, Rust in Firmware, EUCLEAK, Deploying SSO – ASW #298
1. Paying Down Tech Debt, Rust in Firmware, EUCLEAK, Deploying SSO – ASW #298
Considerations in paying down tech debt, make Rust work on bare metal, ECDSA side-channel in Yubikeys, trade-offs in deploying SSO quickly, and more!
- 1. Security advisory for the standard library (CVE-2024-43402)
This is less about Rust and more about APIs and their behaviors. The problem stemmed from a mismatch in expectations about where file path normalization occurs and when to escape characters.
- 2. Paying down tech debt
- 3. Google Online Security Blog: Deploying Rust in Existing Firmware Codebases
- 4. Provisioning cloud infrastructure the wrong way, but faster | Trail of Bits Blog
- 5. Revival Hijack – PyPI hijack technique exploited in the wild, puts 22K packages at risk | JFrog
- 6. MC884011 – (Updated) ActiveX will be disabled by default in Microsoft Office 2024
Ah, the 90s. Welcome back, Oasis. Goodbye, ActiveX.
- 7. EUCLEAK – NinjaLab
- 8. We shipped SSO support in a day, how?
It's one thing to say, "Deploy SSO" (or MFA). It's another to provide examples and discussion about how to do so. This article also points out engineering trade-offs of an implementation, reminding us once again how much engineering is relevant to security.
- 1. RISCV CPUs to support vulnerability sysfs
I hadn't heard of this before, but apparently Linux now has a feature where any known vulnerabilities for a CPU will be listed under sysfs, along with whether the vuln is mitigated. Neat, curious to see how it works IRL.
- 2. TSA, CISA downplay SQLi vuln in vendors software
A SQL injection vulnerability was found earlier this year in a cloud-based software package that is used to authorize flight crew. TSA and CISA have taken the position that it's not that big a deal, though, as there are other layers of security that should protect things.
- 3. Porting from Rust…someone didn’t get the memo
Jane Street is a fairly tech-heavy proprietary trading firm that has a very big love for OCaml. This post covers what their interns did this summer (it's that time of year), and of note is that they ported a Rust-based dataframe library to OCaml. Not the direction we usually think of, but interesting to see.