CISA’s Secure by Design Principles, Pledge, and Progress – Jack Cable – ASW #321
Just three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizing software quality -- with security one of those important dimensions of quality.
Segment Resources:
Jack Cable is a hacker who works at the intersection of cybersecurity and public policy, currently the CEO and Co-Founder of Corridor. Prior to that, Jack served as a Senior Technical Advisor at the Cybersecurity and Infrastructure Security Agency (CISA), where he helped lead the agency’s Secure by Design initiative. Before CISA, Jack worked as a TechCongress Fellow for the Senate Homeland Security and Governmental Affairs Committee, advising Chairman Gary Peters on cybersecurity policy, including open source software security. He previously worked as a Security Architect at Krebs Stamos Group. Jack is a top bug bounty hacker, having identified over 350 vulnerabilities in hundreds of companies. After placing first in the Hack the Air Force bug bounty challenge, he began working at the Pentagon’s Defense Digital Service. Jack studied computer science at Stanford University and has published academic research on election security, ransomware, and cloud security.
Identiverse 2025 is returning to Las Vegas, June 3-6. Hear from 250+ expert speakers and connect with 3,000+ identity security professionals across four days of keynotes, breakout sessions, and deep dives into the latest identity security trends. Plus, take part in hands-on workshops and explore the brand-new Non-Human Identity Pavilion. Register now and save 25% with code IDV25-SecurityWeekly at https://www.securityweekly.com/IDV2025
Skype Hangs Up, Android Backdoors, Jailbreak Research, Pretend AirTags, Wallbleed – ASW #321
Skype hangs up for good, over a million cheap Android devices may be backdoored, parallels between jailbreak research and XSS, impersonating AirTags, network reconnaissance via a memory disclosure vuln in the GFW, and more!
Security Weekly listeners save $100 on their RSAC Conference 2025 Full Conference Pass! RSA Conference will take place April 28 to May 1 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac25 and use the code 5U5SECWEEKLY! We hope to see you there!
Mike Shema
- As Skype shuts down, its legacy is end-to-end encryption for the masses
So long and thanks for all the e2ee!
- 1 Million Third-Party Android Devices Have a Secret Backdoor for Scammers
Cheap devices that carry more security risks for users. A chance to talk about supply chain, trust marks, and how Android can still protect users.
Also check out the article from HUMAN Security.
- [Rust] February Project Goals Update
We were excited to cover when Rust made its first inroads into the Linux kernel development. And were quick to point out that that journey took dozens of people working for close to a year just to get sufficient tooling in place.
Here's an example of how that tooling development continues.
Back in episode 320 we talked with Daniel Stenberg about why the Curl project remains steadfastly in C. One of his points was that Rust was (and perhaps remains) still immature for the needs of such a wide-ranging project. He also pointed out how 60% of curl's security issues were due to a flaw other than memory safety.
Curl will remain in C likely forever, but we'll see Rust continue to be adopted for new projects and slowly make more inroads to large projects like the Linux kernel, Microsoft Windows, and browsers. It's still comparatively early days for the language, let alone its adoption.
- Tracking You from a Thousand Miles Away! Turning a Bluetooth Device into an Apple AirTag Without Root Privileges
Cool research showing how to use an arbitrary Bluetooth device as an AirTag tracker with a combination of protocol knowledge and cryptography.
Fortunately, it's also an example that the AirTag design is resilient enough so that Apple is able to fix this and not have to throw away the whole thing.
- How to protect your Web applications from XSS | 2025 | Blog | W3C
The W3C is sharing advice on eradicating XSS now. More specifically, this is a collection of six talks from Google about their experience with deploying Content Security Policy and Trusted Types.
Check out the videos on YouTube.
- [FYI] NEW FREE COURSE: Security for Software Development Managers (LFD125)
The OpenSSF now has a "free, 2-hour, self-paced, e-Learning course.”
OWASP has also been broadening its training material around personas for builder, breaker, defender, and manager. It'll be interesting to follow what new content pops up this year to see what the latest trends are. Fingers crossed it'll be more strategic or actionable than just "shift left" slogans.
- Wallbleed: A Memory Disclosure Vulnerability in the Great Firewall of China
I love this research for so many reasons. On a technical front, it's about protocols and parsing and messing with length fields -- classic, effective techniques.
In addition to be a great technical writeup, it's also an important topic in terms of reverse engineering a system designed to enforce censorship. And the researchers were apparently able to leverage this vuln for two years!
- Do not write that jailbreak paper
From an appsec view, I see jailbreaks and prompt injections like the XSS of LLMs. For XSS, there has been (and likely will still be) research to identify broad classes of how and where it manifests, from unexpected vectors like cookies and headers to DOM elements to nth-order appearances in log viewers. But these classes have known frameworks and secure design methods for context-specific output encoding to inoculate them.
On the LLM side, jailbreaks and prompt injection techniques still remain fun CTF exercises. The spirit of this paper isn't to preclude research or more creative thinking; it's to make sure one attack class doesn't consume too much focus at the expense of identifying new classes. It's more about crafting better ways to measure the effectiveness of current controls (or impacts of attacks) and looking for new inspiration.
Also think of it in terms of the Top 10 Web Hacking Techniques of 2024 that we talked about with James Kettle back in episode 318. Yes, it's possible to get an XSS or SQL injection attack on that list, but doing so requires demonstrating something new and innovative -- even though the targets technologies can be old and creaky!
Check out the blog post it was based on and prior research on evaluating adversarial ML.
