Application Security Weekly (Audio)

Crossing tenants with AWS AppSync, more zeros in C++ to defeat vulns, HTTP/3 connection contamination, Thinkst Quarterly review of research, building a research team   MongoDB recently announced the industry’s first encrypted search scheme using breakthrough cryptography engineering called Queryable Encryption. This technology gives developers the ability to query encrypted sensitive data in a simple and intuitive way without impacting performance, with zero cryptography experience required. Data remains encrypted at all times on the database, including in memory and in the CPU; keys never leave the application and cannot be accessed by the database server. While adoption of cloud computing continues to increase, many organizations across healthcare, financial services, and government are still risk-averse. They don’t want to entrust another provider with sensitive workloads. This encryption capability removes the need to ever trust an outside party with your data. This end-to-end client-side encryption uses novel encrypted index data structures in such a way that for the first time, developers can run expressive queries on fully encrypted confidential workloads. Queryable Encryption is based on well-tested and established standard NIST cryptographic primitives to provide strong protection from attacks against the database, including insider threats, highly privileged administrators and cloud infrastructure staff. So even another Capital One type breach is not possible. Segment Resources: - https://www.mongodb.com/products/queryable-encryption - https://www.wired.com/story/mongodb-queryable-encryption-databases/ - https://www.youtube.com/watch?v=mDKfZlQJO3k - https://thenewstack.io/mongodb-6-0-offers-client-side-end-to-end-encryption/   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw221

CosMiss in Azure, $70k bounty for a Pixel Lock Screen bypass, finding path traversal with Raspberry Pi-based emulators, NSA guidance on moving to memory safe languages, implementing phishing-resistant MFA, egress filtering, and how to approach code reviews   Cider Security’s recently published research of the Top 10 CI/CD Security Risks acts to identify vulnerabilities to help defenders focus on areas to secure their CI/CD ecosystem. They created a free learning tool with a deliberately vulnerable environment to demonstrate these flaws -- “CI/CD Goat”. Like similar tools, this helps appsec and devops teams gain a better understanding of major CI/CD security risks and, importantly, their appropriate countermeasures. Segment Resources: - https://www.cidersecurity.io/top-10-cicd-security-risks/ - https://github.com/cider-security-research/top-10-cicd-security-risks - https://www.cidersecurity.io/blog/research/ci-cd-goat/ - https://github.com/cider-security-research/cicd-goat   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw220

While APIs enable innovation, they’re increasingly targeted as a pathway to data. API abuses are often carried out through automated attacks, in which a botnet floods the API with unwanted traffic—seeking vulnerable applications and unprotected data. In this discussion, Karl Triebes shares what you need to know about the automated bot threats targeting your APIs with guidance on how to protect your applications and APIs from these attacks. This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them!   The punycode parsing in OpenSSL, missing authentication in Azure Cosmos DB Notebooks, the importance of documentation in security, labeling IoT security, bad response to a security disclosure   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw219

A critical OpenSSL vuln is coming this Tuesday, a SQLite vuln, Apple blogs about memory safety and bug bounties, determining a random shuffle   The Web3 ecosystem is chock full of applications and projects that have lost money (and their customers’ money) due to breaches, code flaws, or outright fraud. How can security teams do a better job of protecting Web3 apps? Web3 applications (including NFTs) aren’t just vulnerable to attack, they often present a broader attack surface (due to the distributed nature of blockchains) at the same time as being a desirable target because of the value association with tokens. Join us for a lively discussion about key threats to Web3 apps – both on-chain and off-chain - what we can do to mitigate them…and what we absolutely should not do. Additional resources - https://www.bloomberg.com/features/2022-the-crypto-story/ - https://web3isgoinggreat.com - https://blog.trailofbits.com/2022/06/21/are-blockchains-decentralized/   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly     Show Notes: https://securityweekly.com/asw218

Learn what keeps DevOps and SecOps up at night when securing Kubernetes, container, and cloud native applications, what tactics are best for developers and application architects to consider when securing your latest cloud application and hardening your CI/CD pipeline and processes. This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them!   Text4Shell isn't a new patching hell, using supply chain info with GUAC, OpenSSF Scorecards and metrics, Toner Deaf firmware persistence, upcoming OWASP Board Elections, Chrome browser exploitation   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw217

Exploiting FortiOS with HTTP client headers, mishandling memory in Linux kernel Wi-Fi stack, a field guide to security communities, secure coding resources from the OpenSSF, Linux kernel exploitation Cybersecurity is a data problem. Accelerated AI enables 100 percent data visibility and faster threat detection and remediation. Find out how NVIDIA used AI to reduce cybersecurity events from 100M per week to up to 10 actionable events per day, and accelerate threat detection from weeks to minutes.   Segment Resources: Morpheus new digital fingerprinting GTC Fall 22 Demo Video: https://www.youtube.com/watch?v=8rEPkHRvDq0 Morpheus Web Page: https://developer.nvidia.com/morpheus-cybersecurity Morpheus Digital Fingerprinting Blog: https://developer.nvidia.com/blog/fingerprinting-every-network-user-and-asset-with-morpheus/ Detecting Threats Faster with AI-Based Cybersecurity Blog: https://developer.nvidia.com/blog/detecting-threats-faster-with-ai-based-cybersecurity/ Enroll in our free, self-paced, 1-hour DLI course : https://courses.nvidia.com/courses/course-v1:DLI+T-DS-02+V1/ Try Morpheus in NVIDIA LaunchPad: https://www.nvidia.com/try-morpheus Download Morpheus from NVIDIA GPU Cloud: https://catalog.ngc.nvidia.com/orgs/nvidia/teams/morpheus/collections/morpheus_ Get started with Morpheus in GitHub: https://github.com/nvidia/morpheus   This segment is sponsored by NVIDIA. Visit https://securityweekly.com/nvidia to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw216

We talk with Akira Brand about appsec educational resources and crafting better resources for developers to learn about secure coding. Segment Resources: - www.akirabrand.com - www.wehackpurple.com - www.owasp.org - www.brightsec.com/blog   Rust arrives in the Linux Kernel, verdict in the Uber security case, overview(s) of JavaScript prototype pollution, flaws in PHP Composer and the NPM vm2 package, reading CloudSecDocs   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw215

The core focus of this podcast is to provide the listeners with food for thoughts for what is required for releasing secured cloud native applications - Continuous, Multi-layer, and Multi-service analysis and focusing not only on the code, but also on the runtime and the infrastructure. - Focus on the vulnerabilities that matter. The critical, exploitable ones. Use Context. - Choose the right remediation forms. It may come in different shapes Segment Resources: Oxeye Website for videos and content - www.oxeye.io   Exchange RCE, bulk pull requests to patch at scale, metrics from DORA, best papers from USENIX, implementing passkeys   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw214

Applications are the most frequent external attack vector for companies. However, application security can improve only if developers either code securely or remediate existing security flaws — unfortunately, many don’t receive training with proper security know-how. In this session, we will talk about the state of application security education and what you can do to secure what you sell. Segment Resources: - https://www.forrester.com/blogs/school-is-in-session-but-appsec-is-still-on-vacation/?ref_search=3502061_1663615159889 https://www.wisporg.com/events-calendar/2022/11/8/security-amp-risk-conference-forrester https://www.veracode.com/events/hacker-games https://blogs.microsoft.com/blog/2021/10/28/america-faces-a-cybersecurity-skills-crisis-microsoft-launches-national-campaign-to-help-community-colleges-expand-the-cybersecurity-workforce/ Wiz reveals authorization bypass in Oracle Cloud, Python 15-year old path traversal flaw, Prototype Pollution in Chrome, PS4 flaw reappears in PS5, Why security products fail Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw213

Appsec places a lot of importance on secure SDLC practices, API security, integrating security tools, and collaborating with developers. What does this look like from a developer's perspective? We'll cover API security, effective ways to test code, and what appsec teams can do to help developers create secure code. This segment is sponsored by ThreatX. Visit https://securityweekly.com/threatx to learn more about them!   Appsec dimensions of the Uber breach, Rust creates a security team, MiraclePtr addresses C++ heap mistakes for Chrome, a critical reading of the NSA/CISA Supply Chain guidance, talking about careers   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw212