Sudo Vuln, Libgcrypt, BlastDoor on iMessage, & AWS Lambda security – ASW #138
This week in the Application Security News, Sudo sure does, Libgcrypt flaw, iMessage demonstrates security by design, AWS Lambda shares a message on its design security, & more!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
- 1. CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) – Sudo mishandles backslash escapes in command arguments, giving an unprivileged local user a heap overflow that can be turned into root. Also check out the project's advisory at https://www.sudo.ws/alerts/unescape_overflow.html and see if you'd catch the near decade-old mistake in a code review of https://github.com/sudo-project/sudo/commit/8255ed69. Notably, testing the exploit turned up a separate refactor that had weakened a different security assumption.
- 2. Libgcrypt 1.9.1 released – A two-year-old flaw in libgcrypt can lead to a heap buffer overflow during decryption, before any signature is validated. It only affects the recent 1.9.0 release, which may not be deployed on many systems yet, but it still highlights the importance of being able to enumerate your dependencies, including any copy of this library that's statically linked and therefore invisible to your package manager and to ldd.
- 3. Apple iOS 14 Thwarts iMessage Attacks With BlastDoor System – Security by design is on display in recent iMessage architecture improvements. Project Zero shares their insights on what these changes imply for modern exploit chains; check out their write-up at https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html
- 4. A deeper dive into our May 2019 security incident – The incident may be old, but the details are fresh, and they include some "Advice to others" that's a good reminder about product security basics.
- 5. Security Overview of AWS Lambda – AWS updated their documentation about Lambda security. It includes an overview of the isolation model that makes sure the serverless part of Lambda runs on servers with security separation, so customers can just focus on the "-less" part. One caveat worth keeping in mind: that isolation boundary is per function, and execution environments are reused across invocations, so state left in /tmp or in process memory can survive into the next call.
- 6. A Pragmatic Approach to DevSecOps – Familiar reminders for introducing security to DevOps processes: demonstrate the value of a security tool, then let DevOps teams benefit from it within their own workflows.
- 7. Cloud Native Predictions for 2021 and Beyond – More interesting for the technology themes than for whether they'll arrive in 2021. Also a way to consider what your DevOps roadmap looks like for the year and how much security is a part of it.
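The sudo bug in item 1 is easier to see in code than in prose. The block below is an added example, not sudo's own source: it reproduces the shape of the unescaping loop in sudoers' set_cmnd() (allocate strlen+1 bytes per argument, then copy each argument while dropping any backslash that is not followed by whitespace) against a constructed argument block laid out the way argv strings sit in memory, and it counts the bytes the copy would emit instead of writing them, so the overrun is measured rather than triggered. The helper names, the `fixed` flag, the buffer sizes and the sample arguments are assumptions made for the illustration. The `fixed` path adds the `from[1] != '\0'` check from the upstream fix; the real fix also stopped running the loop when the sudo front end had not escaped anything in the first place, which this model does not cover.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8
#define BLOCK_SZ 256

/* Constructed stand-in for the contiguous argv strings a process gets on
 * its stack: each argument NUL-terminated and laid out back to back, with
 * one extra NUL sentinel so a read that runs past an argument's terminator
 * still stops inside this array. Fills `args` with a pointer to each
 * argument; returns -1 if the arguments don't fit. (Hypothetical helper.) */
static int pack_args(const char *const *argv, int argc, char *block,
                     size_t blocksz, const char **args)
{
    size_t off = 0;
    if (argc > MAX_ARGS)
        return -1;
    for (int i = 0; i < argc; i++) {
        size_t len = strlen(argv[i]) + 1;
        if (off + len + 1 > blocksz)
            return -1;
        memcpy(block + off, argv[i], len);
        args[i] = block + off;
        off += len;
    }
    block[off] = '\0';  /* sentinel after the last argument */
    return 0;
}

/* The allocation set_cmnd() makes for user_args: strlen(arg) + 1 for every
 * argument (one byte per space separator; the last separator becomes the
 * terminating NUL). */
size_t user_args_alloc(const char *const *args, int argc)
{
    size_t size = 0;
    for (int i = 0; i < argc; i++)
        size += strlen(args[i]) + 1;
    return size;
}

/* Number of bytes the unescaping copy loop emits into user_args.
 * Mirrors sudo's loop: a backslash not followed by whitespace is dropped and
 * the byte after it is copied instead. With fixed == 0 that applies to a
 * backslash at the very end of an argument too, so the copy steps over the
 * terminating NUL and keeps going through whatever memory follows (here, the
 * next argument). With fixed == 1 the upstream `from[1] != '\0'` check is
 * applied and a trailing backslash is copied as-is. */
size_t user_args_written(const char **args, int argc, int fixed)
{
    size_t written = 0;
    for (int i = 0; i < argc; i++) {
        const char *from = args[i];
        while (*from) {
            if (from[0] == '\\' && (!fixed || from[1] != '\0') &&
                !isspace((unsigned char)from[1]))
                from++;         /* drop the backslash, copy what follows */
            written++;          /* *to++ = *from++ */
            from++;
        }
        written++;              /* *to++ = ' ' */
    }
    /* sudo ends with *--to = '\0', overwriting the final space: no extra byte. */
    return written;
}

/* Bytes by which the copy overruns the allocation (0 when it fits). */
size_t overflow_bytes(const char *const *argv, int argc, int fixed)
{
    char block[BLOCK_SZ];
    const char *args[MAX_ARGS];
    if (pack_args(argv, argc, block, sizeof block, args) != 0)
        return 0;
    size_t alloc = user_args_alloc(args, argc);
    size_t written = user_args_written(args, argc, fixed);
    return written > alloc ? written - alloc : 0;
}

int main(void)
{
    /* Constructed inputs: an ordinary command line, and one whose first
     * argument is a lone backslash, the trigger shape from the advisory. */
    const char *benign[] = { "ls", "-l", "/tmp" };
    const char *trigger[] = { "\\", "AAAAAAAA" };

    printf("benign : vulnerable overrun %zu bytes, fixed overrun %zu bytes\n",
           overflow_bytes(benign, 3, 0), overflow_bytes(benign, 3, 1));
    printf("trigger: vulnerable overrun %zu bytes, fixed overrun %zu bytes\n",
           overflow_bytes(trigger, 2, 0), overflow_bytes(trigger, 2, 1));
    return 0;
}
```

The point the numbers make: the allocation is sized from the arguments as the front end handed them over, but the copy can consume bytes from beyond each argument's terminator, so the writer and the sizer disagree by exactly the length of whatever follows the backslash-terminated argument, and that difference lands on the heap.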