TikTok Analysis, Patching Patches, CI/CD Integrity, Faster Fuzzing, & Slack Safety – ASW #145

A technical analysis of two social media apps that uses reverse engineering and traffic analysis to gather information on how well the apps handle privacy and security, as well as potential abuse for censorship. It's aimed at providing technical information to inform policy decisions. It also serves as a great template for analyzing and documenting privacy and security aspects of a mobile app, with methodologies that any appsec team could benefit from.

SolarWinds serves as a good thought exercise for establishing a chain of trust throughout a CI/CD pipeline. We've mentioned reproducible builds and and signing deployed artifacts. The pressing security question is how do you gain confidence that the code your developers wrote was ultimately what produced the artifact you built? This raises more questions throughout the pipeline in terms of identity, access controls, and observability of every step that has the potential to influence how code is built and packaged.

We sometimes see security patches that need patches -- situations where the original patch addressed a symptom, but missed an underlying design flaw or didn't go deep enough into understanding the original issue. While this particular vuln may not be that impactful, it shows how developers can still make subtle mistakes in the ubiquitous feature of parsing command-line arguments.

An insight into the engineering that went into turning Intel Processor Trace from performance penalty to advantageous assistant for coverage-guided fuzzing. It's a benefit that makes a lack of source code less of a liability when fuzzing for flaws.

Securing software against injection flaws and the types of vulns that show up in top 10 lists doesn't mean the software is secure for users. This is a good lesson in expanding threat models to how well your software secures the user experience, especially in apps designed for social interaction.

How do we communicate that "security is better" or convey the value that security can deliver? This is a brief article that focuses on a handful of k8s changes, from better defaults to new types of attack vectors. Yet it's grounded against a useful framework, MITRE ATT&CK, and only needs to make simple points to demonstrate where security teams might invest their efforts.

In the time you've (hopefully!) saved by not running Exchange servers and hence having to go through the patch scramble, you could be running a "premortem" or tabletop exercise on how resilient your app environment might be to the types of post-exploitation activities documented in the Exchange server attacks. How well does your environment detect, prevent, or respond to arbitrary file writes, privilege escalation, arbitrary command execution, and data exfiltration?

It turns out web browsers and such will parse an IP address with a leading 0 as octal. The netmask library doesn't, which could lead to SSRF and other interesting attacks

Back in The Day, one could iterate through instruction codes, looking for undocumented cpu instructions. Nowadays that's a painful process that can cause crashes, lockups, etc. Here's a way to leverage speculative execution to make the search easier