Evolving Security Testing – Dan Guido – ASW #178
What does a collaborative approach to security testing look like? What does it take to tackle an entire attack class as opposed to fixing a bunch of bugs? If we can shift from vulnerability mitigation to vulnerability elimination, then appsec would be able to demonstrate some significant wins -- and they need a partnership with DevOps teams in order to do this successfully.
Segment Resources
Dan Guido is the CEO of Trail of Bits, a cybersecurity firm he founded in 2012 to address software security challenges with cutting-edge research. In his tenure leading Trail of Bits, Dan has grown the team to 80 engineers, led the team to compete in the DARPA Cyber Grand Challenge, built an industry-leading blockchain security practice, and refined open-source tools for the endpoint security market. In addition to his work at Trail of Bits, Dan serves as a director at hack/secure, an investment syndicate focused on seed stage cybersecurity firms. He’s active on the boards of four early stage technology companies. Dan contributes to cybersecurity policy papers from RAND, CNAS, and Harvard. He runs Empire Hacking, a 1,500-member meetup group focused on NYC-area cybersecurity professionals. His latest hobby coding project — AlgoVPN — is the Internet’s most recommended self-hosted VPN. In prior roles, Dan taught a capstone course on software exploitation at NYU as a faculty member and the Hacker in Residence, consulted at iSEC Partners (now NCC Group), and worked as an incident responder for the Federal Reserve System.
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
We had an absolute blast putting together this year's SW Unlocked virtual event! All presentations are now available on-demand for your viewing pleasure. Please visit https://securityweekly.com/unlocked to register and watch now!
Latest Log4j, Outages & Availability, FPGA Security Concepts, & Bug Bounty Awards – ASW #178
Log4j has more updates and more vulns (but probably not more heartburn...), revisiting outages and whether availability has made it into your threat models, deep dive into hardware security, another data point on bug bounty awards, and looking at risk topics for the next year.
This completes another year of the podcast! A very heartfelt thank you to all our listeners! And a special thank you and shout out to the crew that helps make this possible every week -- Johnny, Gus, Sam, and Renee.
We'll keep the New Wave / Post-Punk, movie, and pop culture references coming for all the appsec and DevOps topics you can throw our way. Thanks again everyone!!
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Mike Shema
- Apache releases new 2.17.0 patch for Log4j to solve denial of service vulnerabilityThe log4j vuln remains a high-profile event that is as much due to the pervasiveness of affected Java deployments as it is the shifting status of the vuln's apparent impacts. Having to patch the patch and trying to figure out how to prioritize the latest vuln information is challenging for situations like this when teams might already be feeling burned out by the initial response exercises they had to go through. For now, it seems like 2.15.0 plus disabling the Lookups feature remains the safest immediate course of action, with deploying to 2.17.0 as the preferred version to get to as part of your regular release schedule. This is also a chance to repeat the caution to avoid falling into a reactive "BugOps" practice where you're only chasing the most up-to-date info about a specific package (log4j) instead of having a strategic approach to application hardening and network controls that could give you more breathing room by reducing the potential impact of such bugs. And, of course, it's an annual reminder of how important an app asset inventory is -- even though maintaining an accurate one isn't simple to do. Find out more details about the various exploit techniques, underlying vulns, and presence of log4j in these additional articles: - https://www.blumira.com/analysis-log4shell-local-trigger/ - https://www.fastly.com/blog/new-data-and-insights-into-log4shell-attacks-cve-2021-44228 - https://security.googleblog.com/2021/12/understanding-impact-of-apache-log4j.html
- Summary of the AWS Service Event in the Northern Virginia (US-EAST-1) RegionThere are basically three things to investigate for any outage - Is there a DNS problem? - Did we make a config change? - Is us-east-1 down? This postmortem from AWS describes their recent us-east-1 outage. While the outage itself was not the byproduct of a breach or security event, it's a good reminder that availability in the CIA triad is a security topic for appsec and DevOps teams to create threat models for. It's also a good reminder that even if your apps are resilient to outages, your internal tooling and messaging might not be. When an outage like this impacts your ability to authenticate or communicate, it's important to evaluate how that impacts your org and what you should do about it.
- FPGAs: Security Through Obscurity?There's more to appsec than supply chain issues! (We had the high profile event at the end of 2020 that every still talks about, the one that rhymes with polar fins. And 2021 is ending on the spectacularly unpleasant realization about how logging text leads to data exfiltration and deserialization attacks in Java.) Here's a very deep dive into hardware security concepts and a detailed review of the state of FPGA security and analysis. As we've said before, you don't have to be a hardware expert or even working on hardware to benefit from reading about these topics. Reading about how other disciplines create and handle threat models can be inspiration for your own apps. At the very least, it's a good way to learn from others about how to communicate and explain technical topics -- that's a skill that serves appsec well.
- New “Hack DHS” program will pay up to $5,000 for discovered vulnerabilitiesNothing too exciting or insightful to cover on this article. It does, however, provide a data point on bug bounty payouts, which is something we've touched on throughout the year. As a reminder, a bug bounty program shouldn't be the first step in your appsec program. But when your program does reach a mature enough state to have resolved most obvious issues and can triage incoming reports, learning from other programs is useful to designing your own.
- Risk Megatrends – UpdatedWe'll close the year with another article from Phil Venables. This time it's an update on "megatrends" that should be informing an org's risk management. While they might not all be relevant to your org, the callouts on "the API Economy" and "Complexity Management" are more than likely universally applicable. This articles doesn't go into depth on these areas or how they could be addressed, but that's not its goal -- it's highlighting areas that should be considered within your strategic planning as you look ahead to a new year of your appsec program, threat modeling, and addressing attack classes.
John Kinsella
- The 5 best infosec books for 2021
- The crypto exchanges keep getting hackedI'm going to highlight these crypto coin articles over coming weeks. There's an ongoing (and increasing) trend of both blockchains as well as crypto exchanges getting hacked. As the "future" of finance - it's not a good look.
