In Search of Secure Design – ASW #325
We have a top ten list entry for Insecure Design, pledges to CISA's Secure by Design principles, and tons of CVEs that fall into familiar categories of flaws. But what does it mean to have a secure design and how do we get there? There are plenty of secure practices that orgs should implement around supply chains, authentication, and the SDLC. Those practices address important areas of risk, but only indirectly influence a secure design. We look at tactics from coding styles to design councils as we search for guidance that makes software more secure.
Segment resources
- https://owasp.org/Top10/A042021-InsecureDesign/
- https://www.cisa.gov/securebydesign/pledge
- https://www.cisa.gov/securebydesign
- https://kccnceu2025.sched.com/event/1xBJR/keynote-rust-in-the-linux-kernel-a-new-era-for-cloud-native-performance-and-security-greg-kroah-hartman-linux-kernel-maintainer-fellow-the-linux-foundation
- https://newsletter.pragmaticengineer.com/p/how-linux-is-built-with-greg-kroah
- https://daniel.haxx.se/blog/2025/04/07/writing-c-for-curl/
Announcements
Identiverse 2025 is returning to Las Vegas, June 3-6. Hear from 250+ expert speakers and connect with 3,000+ identity security professionals across four days of keynotes, breakout sessions, and deep dives into the latest identity security trends. Plus, take part in hands-on workshops and explore the brand-new Non-Human Identity Pavilion. Register now and save 25% with code IDV25-SecurityWeekly at https://www.securityweekly.com/IDV2025
Adrian Sanabria, host of Enterprise Security Weekly, will be running a panelcast with Fastly, titled Security Without Speed Bumps: Using WAF Simulator to Transform DevSecOps Workflows. Join him for this exciting webcast on April 16th. To register for this panelcast, go to securityweekly.com/WAF
Hosts
- 1. MCP Security Notification: Tool Poisoning Attacks
I'm sure we'll see more of these classes of attacks that influence model behavior. Calling it a rug pull is a poor choice, though. A rug pull builds trust to a point where the attacker disappears with whatever thing of value they had control over. This is more of a bait and switch, misdirection, or a juke. It's similar to malicious apps that demonstrate normal behavior for a short period in order to avoid behavior-based detections, then change their behavior while still hoping to go undetected.
Crypto has plenty of examples of rug pulls. This is a good type of attack to demonstrate. Focusing on the techniques behind it will lead to better countermeasures.
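One countermeasure that follows from treating this as a bait and switch is to pin what a tool looked like when it was approved and refuse to run it silently once its definition drifts. The block below is an added example, not code from the MCP notification or from any MCP client; it assumes tool listings are plain dicts with name, description and inputSchema fields, and the sample listings are constructed.

```python
import hashlib
import json


def tool_fingerprint(tool: dict) -> str:
    """Stable hash over the fields the model actually reads: name, description, schema.

    Canonical JSON (sorted keys, no whitespace) so re-ordering keys does not
    produce a false "changed" result.
    """
    canonical = json.dumps(
        {
            "name": tool["name"],
            "description": tool.get("description", ""),
            "inputSchema": tool.get("inputSchema", {}),
        },
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def pin_tools(tools: list) -> dict:
    """Record the fingerprint of every tool at the moment the user approves them."""
    return {t["name"]: tool_fingerprint(t) for t in tools}


def check_tools(pinned: dict, tools: list) -> dict:
    """Compare a later tools/list result against the pinned set.

    Anything in "changed" or "new" should be re-approved by a human before the
    model is allowed to call it; "missing" is worth logging as well.
    """
    result = {"unchanged": [], "changed": [], "new": [], "missing": []}
    seen = set()
    for t in tools:
        seen.add(t["name"])
        if t["name"] not in pinned:
            result["new"].append(t["name"])
        elif pinned[t["name"]] != tool_fingerprint(t):
            result["changed"].append(t["name"])
        else:
            result["unchanged"].append(t["name"])
    result["missing"] = sorted(set(pinned) - seen)
    return result


# Constructed sample (hypothetical tool, not from any real server): the listing
# the user approved, and a later listing where the same tool name now carries a
# different description and an extra parameter.
APPROVED_LISTING = [
    {
        "name": "read_file",
        "description": "Read a file from the workspace.",
        "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}},
    }
]

LATER_LISTING = [
    {
        "name": "read_file",
        "description": "Read a file from the workspace. Also accepts a note.",
        "inputSchema": {
            "type": "object",
            "properties": {"path": {"type": "string"}, "note": {"type": "string"}},
        },
    }
]


if __name__ == "__main__":
    pins = pin_tools(APPROVED_LISTING)
    print(check_tools(pins, LATER_LISTING))
```

The check is deliberately indifferent to what the new text says: a defender cannot enumerate every phrasing that would steer a model, but can insist that any change to an already-trusted definition is surfaced and re-approved rather than applied quietly mid-session.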
- 2. New Vulnerability in GitHub Copilot and Cursor: How Hackers Can Weaponize Code Agents
Recreating a white font on a white background to bypass email spam filters.
- 3. Google Quick Share Bug Bypasses Allow Zero-Click File Transfer
Great writeup of the original bugs, showing the success of fuzzing.
The slides for the recent briefing at Black Hat Asia 2025 show why the original patches needed to be re-patched.
In the invalid UTF-8 case, the patch apparently targeted the payload (the \x00 null character) instead of the problem (any invalid sequence like \xc5\xff).
In the file bypass, the patch didn't account for multiple files with the same payload ID and only deleted one instead of all.
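Both re-patches come down to the same review question: does the fix check the property that was violated, or just the bytes in the proof of concept? The block below is an added example in Python, not Quick Share's code and not from the Black Hat Asia slides; the file-name check and the payload store are constructed models of the two cases described above.

```python
# Case 1: file-name validation.
# The naive check blocks only the byte from the original report. The real
# check asks whether the name is valid UTF-8 at all, and additionally rejects
# control characters (which covers \x00) because the property we want is
# "a printable, decodable name", not "does not contain this one byte".

def name_is_safe_naive(raw: bytes) -> bool:
    """Payload-shaped patch: any other invalid sequence passes straight through."""
    return b"\x00" not in raw


def name_is_safe(raw: bytes) -> bool:
    """Property-shaped patch: strict UTF-8 decode plus control-character ban."""
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    return not any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text)


# Case 2: cleanup on rejection.
# A session may have accepted several files carrying the same payload ID.
# Deleting "the" matching file leaves the others on disk.

class PayloadStore:
    """Constructed model of a transfer session: accepted files keyed by payload ID."""

    def __init__(self) -> None:
        self.files = []  # list of (payload_id, file_name)

    def add(self, payload_id: int, file_name: str) -> None:
        self.files.append((payload_id, file_name))

    def reject_naive(self, payload_id: int) -> int:
        """Removes only the first match and returns how many entries were removed."""
        for i, (pid, _) in enumerate(self.files):
            if pid == payload_id:
                del self.files[i]
                return 1
        return 0

    def reject_all(self, payload_id: int) -> int:
        """Removes every entry sharing the ID and returns how many were removed."""
        before = len(self.files)
        self.files = [(pid, n) for pid, n in self.files if pid != payload_id]
        return before - len(self.files)


if __name__ == "__main__":
    for sample in (b"report.pdf", b"photo\x00.jpg", b"\xc5\xff.txt"):
        print(sample, name_is_safe_naive(sample), name_is_safe(sample))
    store = PayloadStore()
    store.add(7, "a.bin")
    store.add(7, "b.bin")
    store.add(8, "c.bin")
    print("naive removed", store.reject_naive(7), "left", store.files)
```

When reviewing a patch for a reported bug, the test suite should include at least one input that is a different instance of the same class (here, a second invalid sequence and a second file with the same ID); if the fix only passes the reporter's exact input, it is a payload filter rather than a fix.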
- 4. https://www.cloudvulndb.org/imagerunner
I can see this kind of abstraction of abstractions becoming more significant in a world of LLM-generated code.
More details in Tenable's writeup.
- 5. [FYI (in French)] Operation Cactus: national launch of the phishing-awareness campaign in digital workspaces | Ministère de l'Education Nationale, de l'Enseignement supérieur et de la Recherche
More details here (also in French).
I included this as an excuse to mention Jacques Dutronc's "Les Cactus". I also love "Et Moi, Et Moi, Et Moi". Be sure to check out at least those two songs, if not more of his albums.