Application Security Weekly (Audio)

It is hard, if not impossible, to secure something you don’t know exists. While security professionals spend countless hours on complex yet interesting issues that *may* be exploitable in the future, basic attacks are occurring every day against flaws in code that receives little review. For example, a “dated trend” by effective yet lazy hackers is to search for APIs unknown by security teams, coined “Shadow APIs”, then connect to these APIs and extract data. SQL Injection used to be the hack of choice, as a few simple SQL commands would either mean pay dirt or “move on to the next target”. Now the same can be said for Shadow API: Find, Connect, Extract. Himanshu will discuss one of many methods that are used in the wild to target Shadow APIs and export large volumes of data with a few clicks of a button or a few lines of code in Python. In the AppSec News, Safari fixes a privacy leak in IndexedDB, integer arithmetic flaw leads to Linux kernel bug, a look back on Zoom security, SSRF from an URL allow list bypass, a security engineering course and lectures, 25 years of HTTP/1.1   Show Notes: https://securityweekly.com/asw181 Visit https://www.securityweekly.com/asw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

This isn't a story about NPM even though it's inspired by NPM. Twice. The maintainer of the "colors" NPM library intentionally changed the library's behavior from its expected functionality to printing garbage messages. The library was exhibiting the type of malicious activity that typically comes from a compromised package. Only this time users of the library, which easily number in the thousands, discovered this was sabotage by the package maintainer himself. This opens up a broader discussion on supply chain security than just provenance. How do we ensure open source tools receive the investments they need -- security or otherwise? For that matter, how do we ensure internal tools receive the investments they need? Log4j was just one recent example of seeing old code appear in surprising places.   Scams and security flaws in (so-called) web3 and when decentralization looks centralized, SSRF from a URL parsing problem, vuln in AWS Glue, 10 vulns used for CI/CD compromises!   Show Notes: https://securityweekly.com/asw180 Segment resources: - https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/ - https://www.zdnet.com/article/when-open-source-developers-go-bad/ - https://www.zdnet.com/article/log4j-after-white-house-meeting-google-calls-for-list-of-critical-open-source-projects/ - https://www.theregister.com/2022/01/17/open_source_closed_wallets_big/ - https://blog.google/technology/safety-security/making-open-source-software-safer-and-more-secure/ - https://docs.linuxfoundation.org/lfx/security/onboarding-your-project - https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

There's an understandable focus on "shift left" in modern DevOps and appsec discussions. So what does it take to broaden what we call appsec into something effective for modern apps, whether they're on the web, mobile, or cloud? We'll talk about moving on from niche offerings into successful appsec programs. The FTC issues a warning about taking log4j seriously, JNDI is elsewhere, cache poisoning shows challenges in normalizing strings, semgrep for refactoring configs with security in mind, the Q4 2021 ThinkstScape quarterly, Salesforce to require MFA!   Show Notes: https://securityweekly.com/asw179 Visit https://www.securityweekly.com/asw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

What does a collaborative approach to security testing look like? What does it take to tackle an entire attack class as opposed to fixing a bunch of bugs? If we can shift from vulnerability mitigation to vulnerability elimination, then appsec would be able to demonstrate some significant wins -- and they need a partnership with DevOps teams in order to do this successfully. Log4j has more updates and more vulns (but probably not more heartburn...), revisiting outages and whether availability has made it into your threat models, deep dive into hardware security, another data point on bug bounty awards, and looking at risk topics for the next year. This completes another year of the podcast! A very heartfelt thank you to all our listeners! And a special thank you and shout out to the crew that helps make this possible every week -- Johnny, Gus, Sam, and Renee. We'll keep the New Wave / Post-Punk, movie, and pop culture references coming for all the appsec and DevOps topics you can throw our way. Thanks again everyone!!   Show Notes: https://securityweekly.com/asw178 Segment Resources: - https://blog.trailofbits.com/   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly  

This week, we welcome Francesco Cipollone - CEO & Founder - AppSec Phoenix Ltd, to discuss DevSecOps, Compliance GRC, and the Future of Application Security! In the AppSec News, Mike & John talk: All about Log4Shell, Mozilla's BigFix bug and new sandbox, Rust in the Linux kernel, path traversals, reflections on the security profession, & more!   Show Notes: https://securityweekly.com/asw177 Segment Resources: - AppSec Cali 19 Talk: https://www.youtube.com/watch?v=cegMUjo25Zc - ADDO19: https://www.youtube.com/watch?v=x1p3exzkTIY - Open Security Summit 20 - https://www.youtube.com/watch?v=8myMG36gq4o , https://www.youtube.com/watch?v=mh_P1C1a-CM   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

In today’s session Chris Wysopal will address a number of topics with Mike, including systemic risk in software development and how developers and security teams can work together to meet common goals and solve the speed vs. security dilemma. Specifically, they’ll discuss processes for fixing more vulnerabilities faster and tools for ensuring developer success. And they’ll talk about improving the overall maturity of DevOps teams through good development practices, good testing, remediation, and training. In the AppSec News: Bug bounty payout practices, Edge goes super duper secure mode, WebKit CSP flaw has consequences for OAuth, GoDaddy breach, vuln in MediaTek audio DSP, & more!   Show Notes: https://securityweekly.com/asw176 Segment Resources: Veracode State of Sofware Security v11 https://www.veracode.com/state-of-software-security-report   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

This week, we welcome Liam Randall, CEO at Cosmonic, to talk about wasmCloud - Distributed Computing With WebAssembly! CNCF wasmCloud helps developers to build distributed microservices in WebAssembly that they can run across clouds, browsers, and everywhere securely! In the AppSec News: What would CVEs for CSPs look like, clever C2 in malicious Python packages, diversity in bounty programs, shared responsibility and secure defaults, breach costs to influence AppSec programs!   Show Notes: https://securityweekly.com/asw175 Segment Resources: https://webassembly.org/ https://wasmcloud.com/   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

This week, we welcome Ryan Lloyd, Chief Product Officer at Guardsquare, to discuss Mobile Application Security! Mobile applications have a unique attack surface. The tools and techniques being used to compromise these environments are constantly evolving. We'll talk about how to harden mobile apps against modern threats. In the AppSec news: Disclosure decisions and CVE-2021-3064, technical details behind ChaosDB in Azure, fuzzing BusyBox, Prossimo and Rust, vulns in Nucleus RTOS, & HTML smuggling!   Show Notes: https://securityweekly.com/asw174 Visit https://securityweekly.com/guardsquare to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

This week, Mike, John and Dan McKinney from Cloudsmith will be discussing SBOM and what that looks like for your applications. Other topics include: cloud-native tooling for your software supply chain, the history of provenance, GPG Keys & signing commits, package consumption, understanding threat modeling, and knowing the roles and responsibilities when it comes to security of your assets.   In the AppSec News, Mike and John talk: Excel gains support for JavaScript data types and functions, arbitrary code execution in Linux kernel TIPC, more malware in npm packages, threat models and OTP/2FA bots, NIST Security Labels!   Show Notes: https://securityweekly.com/asw173 Visit https://securityweekly.com/cloudsmith to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

This week, we welcome Peter Klimek, Director of Technology, Office of the CTO at Imperva! Peter will talk to the challenges he's hearing from customers and partners about managing the security of APIs and what considerations organizations need to make in 2022 to better protect these growing ecosystems. In the AppSec News, Mike & John talk: Discourse SNS webhook RCE, a checklist for a Minimum Viable Secure Product, WhatsApp security assessment, privacy engineering specialties, & DevOps presentations!   Show Notes: https://securityweekly.com/asw172 Visit https://securityweekly.com/imperva to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly