The Sound of Silence – ASW #138
Segments
1. Groundhog Day – It’s Time to Reset the Script on Vulnerabilities – John Delaroderie – ASW #138
In honor of the movie Groundhog Day, John will take a look at the top 10 most routinely exploited vulnerabilities through a web app security lens.
This segment is sponsored by Qualys.
Visit https://securityweekly.com/qualys to learn more about them!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Guest
John Delaroderie is a Security Solution Architect and Subject Matter Expert for Web Application Scanning. He has been with Qualys since early 2018, and prior to that he worked for a variety of government agencies and private organizations in the fields of cyber security, incident response, digital forensics, and systems integrations.
2. Sudo Vuln, Libgcrypt, BlastDoor on iMessage, & AWS Lambda security – ASW #138
This week in the Application Security News, Sudo sure does, Libgcrypt flaw, iMessage demonstrates security by design, AWS Lambda shares a message on its design security, & more!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
- 1. CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit). Sudo mishandles the unescaping of command-line arguments, handing any local user a path to root. Also check out the project's advisory at https://www.sudo.ws/alerts/unescape_overflow.html and see if you'd catch the near decade-old mistake in a code review of https://github.com/sudo-project/sudo/commit/8255ed69. Notably, testing the exploit turned up a separate refactor that had weakened a different security assumption.
- 2. Libgcrypt 1.9.1 released. A two-year-old flaw in libgcrypt can lead to a heap buffer overflow during decryption, before any signature validation takes place. It's in a recent version that may not be deployed on many systems yet, but it still highlights the importance of being able to enumerate your dependencies -- and of hoping this library isn't statically linked anywhere...
- 3. Apple iOS 14 Thwarts iMessage Attacks With BlastDoor System. Security by design is on display in recent iMessage architecture improvements. Project Zero shares its insights on what these changes imply for modern exploit chains; check out the write-up at https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html
- 4. A deeper dive into our May 2019 security incident. The incident may be old, but the details are fresh -- and they include some "Advice to others" that's a good reminder about product security basics.
- 5. Security Overview of AWS Lambda. AWS updated its documentation on Lambda security. It includes an overview of the isolation model that makes sure the serverless part of Lambda runs on servers with security separation, so customers can focus on the "-less" part.
- 6. A Pragmatic Approach to DevSecOps. Familiar reminders for introducing security into DevOps processes: demonstrate the value of a security tool and let DevOps teams benefit from it within their own workflows.
- 7. Cloud Native Predictions for 2021 and Beyond. More interesting for the technology themes than for whether they'll arrive in 2021. Also a way to consider what your DevOps roadmap looks like for the year and how much security is part of it.
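For item 1 above, here is an added example (written for these notes, not sudo's source and not from the show) that models the argument-unescaping pattern behind CVE-2021-3156 in a few lines of C, so you can try the code-review exercise the advisory invites. The function names, the constructed two-argument argv, and the oversized scratch buffer are assumptions of the demo; the vulnerable loop and the one-condition fix follow the shape of the pattern described in the linked advisory.

```c
/* Added example for CVE-2021-3156 (Baron Samedit): a simplified model of the
 * unescape loop, NOT sudo's actual source. Names below are invented for the demo. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed argv layout (assumption of the demo): the kernel places argument
 * strings back to back, so the byte after one argument's NUL terminator is the
 * start of the next argument. One contiguous array mimics that. */
static char argv_storage[] = "\\" "\0" "AAAAAAAAAA" "\0";
static char *const demo_argv[] = { argv_storage, argv_storage + 2, NULL };

/* Allocation size computed the way the pattern does: strlen(arg)+1 per argument,
 * i.e. the buffer a malloc(size) in the real code would hand back. */
static size_t args_alloc_size(char *const argv[]) {
    size_t size = 0;
    for (char *const *av = argv; *av; av++)
        size += strlen(*av) + 1;
    return size;
}

/* Vulnerable pattern: "\x" is unescaped by skipping the backslash, but nothing
 * checks that from[1] is not the terminator. An argument that is a lone trailing
 * backslash makes the loop step onto the NUL, copy it, and then keep copying
 * from whatever follows in memory (here, the next argument). The result is more
 * bytes than args_alloc_size() promised. `out` must have slack so the demo is
 * itself memory-safe; returns the number of bytes written including the NUL. */
static size_t unescape_args_vulnerable(char *const argv[], char *out) {
    char *to = out;
    for (char *const *av = argv; *av; av++) {
        const char *from = *av;
        while (*from) {
            if (from[0] == '\\' && !isspace((unsigned char)from[1]))
                from++;            /* lands on the NUL when from[1] == '\0' */
            *to++ = *from++;       /* copies the NUL and runs into the next arg */
        }
        *to++ = ' ';
    }
    *--to = '\0';
    return (size_t)(to - out) + 1;
}

/* Hardened pattern: only skip the backslash when it escapes a following
 * non-space character, so the loop can never advance past the terminator. */
static size_t unescape_args_fixed(char *const argv[], char *out) {
    char *to = out;
    for (char *const *av = argv; *av; av++) {
        const char *from = *av;
        while (*from) {
            if (from[0] == '\\' && from[1] != '\0' && !isspace((unsigned char)from[1]))
                from++;
            *to++ = *from++;
        }
        *to++ = ' ';
    }
    *--to = '\0';
    return (size_t)(to - out) + 1;
}

/* Returns 1 if the vulnerable loop would write past a malloc(size) buffer. */
static int demo_overflows(void) {
    char scratch[256] = {0};
    return unescape_args_vulnerable(demo_argv, scratch) > args_alloc_size(demo_argv);
}

int main(void) {
    char scratch[256] = {0};
    size_t size = args_alloc_size(demo_argv);
    size_t bad = unescape_args_vulnerable(demo_argv, scratch);
    size_t good = unescape_args_fixed(demo_argv, scratch);
    printf("allocated %zu bytes; vulnerable loop writes %zu; fixed loop writes %zu\n",
           size, bad, good);
    printf("overflow on a malloc(size) buffer: %s\n", demo_overflows() ? "yes" : "no");
    return 0;
}
```

With the constructed argv the allocation is 13 bytes, the vulnerable loop writes 23, and the fixed loop writes exactly 13. The missing `from[1] != '\0'` check is the kind of one-line condition that is easy to wave through in review; the real fix, per the advisory linked above, also tightens the mode check so the plugin only unescapes arguments the front end actually escaped.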