Kubernetes Clusters, Microsoft Solarigate, & Apple’s Security DIY – ASW #135
Microsoft purges malicious SolarWinds presence and highlights a threat model around their source code, the tl;drsec crew provides a hardening guide for Kubernetes, Apple provides a user guide for hardening accounts, and Firefox provides a new storage system to defeat side channel abuse.
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to log in!
Hosts
Mike Shema
Tech Lead at Block
- 1. Microsoft Internal Solorigate Investigation Update
  Microsoft searches for supply chain fallout from SolarWinds, cleans out malicious binaries, and finds a compromised account accessed source code -- but their threat models already considered an attacker's knowledge of source. Plus, with the ability to reverse engineer binary security patches, how important is source code anyway?
- 2. Risk8s Business: Risk Analysis of Kubernetes Clusters
  Even if you're not maintaining your own Kubernetes clusters, this is a good example of building up a threat model to assess the risk of a system and take steps towards hardening it against attacks and misconfigurations.
- 3. Apple: Here’s how to secure an iPhone or Apple ID ‘when personal safety is at risk’
  Apple describes threats to iPhones and Apple IDs for different populations of users in a way that sets aside security jargon and focuses on how to help users make informed decisions. You can download the manual directly from https://manuals.info.apple.com/MANUALS/1000/MA1976/en_US/device-and-data-access-when-personal-safety-is-at-risk.pdf
- 4. Firefox to ship ‘network partitioning’ as a new anti-tracking defense
  Firefox takes a security-by-design approach to address the abuse of side channels in browsers, from timing attacks to cache hits. You can read more about Client-Side Storage Partitioning at https://github.com/privacycg/storage-partitioning
- 5. 3 Metrics That Will Indicate We’re Taking Security Seriously
  While these aren't intended to be prescriptive metrics, the underlying discussion is a step towards the distinction between "What are the consequences of insecure software" and "What ought to be the consequences".
- 6. Python is dead. Long live Python!
  We covered this one year ago on episode 90. So... is Python 2 still part of your CI/CD pipeline? Is it in use in production systems? Did you migrate off it using a process that you'll be able to repeat for the next end-of-life software component?
- 7. 6 Security Team Goals for DevSecOps in 2020
  We covered this one year ago on episode 90. So... did you make any progress towards these goals? What's left to do? What do you still want to improve on?