ASW #199 – Nikhil Gupta
1. Answering the ‘How’ Questions of Software Security – Nikhil Gupta – ASW #199
Nikhil will discuss the pain points facing leaders in application security: how software development has evolved, how that evolution has affected both development teams and security teams, and the rise of shifting left. He will also speak to the solution he has found to this problem, building a community, specifically the Purple Book Community. That connects to the final topics he would like to cover: breaches continue to occur at an increasingly rapid pace, which is why companies should be prepared for when, not if, a cyber attack will occur, and how they can do so. The talk will also cover how the Purple Book of Software Security came about and how it has since morphed into a global movement by security leaders, for security leaders, to develop secure software.
Segment Resources:
- https://www.armorcode.com/
- https://www.thepurplebook.club/
- https://www.armorcode.com/what-is-appsecops
- https://www.armorcode.com/platform-overview
- https://www.armorcode.com/news
- https://www.armorcode.com/integrations
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Guest
Nikhil Gupta is the founder and CEO of ArmorCode, the Silicon Valley startup delivering application security at the speed of DevOps. Gupta is a successful serial entrepreneur with more than 25 years of experience leading high-growth security teams. Prior to founding ArmorCode, Gupta was the CEO and Co-founder of Avid Secure (acquired by Sophos), a market-leading AI-powered multi-cloud security and compliance platform.
Gupta is also one of the creators of The Purple Book Community (thepurplebook.club), a diverse community of security leaders who are examining issues related to software security, a topic that has sparked immense interest given recent high-profile cyberattacks on government entities, public sector organizations, and private companies. It started out as a project to write a book on best practices in software security, but due to the tremendous interest in the subject it grew into a community of hundreds of software security leaders. With the launch of AppSecCon 2022 (www.thepurplebook.club/appsecon), the world's premier AppSec conference, it is now morphing into a movement by security leaders, for security leaders.
2. Pwn2own, Verizon’s DBIR, Zoom’s XMPP Flaws, $10M Bounty, & More Bad Packages – ASW #199
This week in the AppSec News: Pwn2own results, reading the DBIR for appsec insights, XMPP flaws in Zoom, $10M bounty for a blockchain bridge vuln, researcher puts malicious payloads in ancient packages, Argo patches JWT handling, & more!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
- 1. 2022 Data Breach Investigations Report
  The 15th DBIR is out. It's always an excellent reference in communication, both in terms of text (how the report explains its results and analysis) and visualization (how the report presents its data). From an appsec perspective, the major attack vectors remain phishing and web hacking. If you haven't migrated to a FIDO2 MFA solution, now's the time to do so. The report looks at patching and, while exploiting known vulns remains far behind breaches based on credential compromise and phishing, they noted an increase in such incidents this year. Fortunately, they also observed that more vulns are being patched faster. According to their data, in 2018 roughly 50% of patches were applied within 90 days (measured as days taken to fix findings). In 2022 they saw most findings in this category fixed within 90 days. There's a section dedicated to "Basic Web Application Attacks" that reinforces just how basic attacks can be and still succeed. Once again, stolen credentials top the list. Exploiting vulns comes in second, with the usual suspects like SQL injection still making the list.
- 2. Wormhole Uninitialized Proxy Bugfix Review
  We dip back into the world of smart contract security to highlight a staggering $10 million bounty payout. That's (at least) an order of magnitude larger than even the big bounty programs like Apple's and Google's. And what does the fix boil down to? A few lines of boilerplate to execute a single-line transaction that calls initialize() on a contract. So, a missing 10-letter function call and a $10 million payout -- 10/10 for the mind-bogglingly large sum for clever work. p.s. hope the researcher asked for the bounty in hard cash...
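  As an added illustration (constructed for these notes, not Wormhole's code or the fix reviewed in the article), the contracts below show the hazard of a logic contract whose initialize() is never called, and two mitigations: locking the bare implementation in its constructor, and running initialize() in the same transaction that deploys the proxy. Contract names are made up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example. Proxies cannot use constructors for state, so logic
// contracts expose initialize(); skip that one call and anyone can claim ownership.
contract LogicUnlocked {
    bool internal initialized;
    address public owner;

    function initialize(address _owner) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner;
    }
}

// Hardened variant: the constructor marks the implementation's own storage as
// initialized, so initialize() can only succeed in a proxy's storage.
contract LogicLocked is LogicUnlocked {
    constructor() {
        initialized = true;
    }
}

// Minimal proxy that initializes atomically: initialize() runs against the proxy's
// storage in the deployment transaction itself, leaving no unowned window.
contract Proxy {
    address public immutable implementation;

    constructor(address _impl, address _owner) {
        implementation = _impl;
        (bool ok, ) = _impl.delegatecall(
            abi.encodeWithSignature("initialize(address)", _owner)
        );
        require(ok, "initialize failed");
    }

    fallback() external payable {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            if iszero(ok) { revert(0, returndatasize()) }
            return(0, returndatasize())
        }
    }
}
```

  Deploying LogicLocked and then Proxy(address(logic), deployer) leaves neither the implementation nor the proxy with a callable initialize(), which is the property the missing transaction in the article failed to provide.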
- 3. Zoom patches XMPP vulnerability chain that could lead to remote code execution
  The bug writeup has really good details on the issues, which include parsing behavior differences between two XML libraries. That kind of behavior is a favorite topic to highlight, as it's independent of the implementation language and all about adherence to specs, design decisions, and choices of defaults. Check out the bug details at https://bugs.chromium.org/p/project-zero/issues/detail?id=2254
- 4. Poisoned Python and PHP packages purloin passwords for AWS access
  Supply chain, expired domain (re-registered with a $5 investment), source code modified -- this article hits all the supply chain zeitgeist points. Fortunately the impact looks relatively small, though not so small that it can be ignored. One compromised package went looking for environment variables like AWS keys and exfiltrated them. The investigation into the packages identified the individual behind the compromise, who said he was conducting this as part of bug bounty research. Read more at https://www.bleepingcomputer.com/news/security/hacker-says-hijacking-libraries-stealing-aws-keys-was-ethical-research/ and the individual's own words at https://sockpuppets.medium.com/how-i-hacked-ctx-and-phpass-modules-656638c6ec5e.
- 5. Critical Argo CD vulnerability could allow attackers admin privileges
  Good news and bad news here -- the bad news is that a misused JWT could allow arbitrary user impersonation, the good news is that the system isn't vulnerable in its default configuration. Hopefully we see a growing trend of "not in its default configuration" in security advisories, but that also has to mean the default configuration is the useful one for devs. JWTs are easy to pick on since they're prone to misuse or misconfiguration themselves. The advisory has more details at https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj. This was also a nice example of looking at how the devs patched the flaw. In this case, it took about 30 lines of code across two files to fix it. But then the devs put in another 400 or so lines of testing. It's a critical kind of bug, so kudos for a non-cynical example of taking security seriously. Check out the commit at https://github.com/argoproj/argo-cd/commit/a809469d9af10c626449bfcb8b9a09a9d2dc9065
- 1. Lots of findings from this year’s pwn2own
- 2. Findings from 2022 SaaS security survey
  A few interesting takeaways on what CISO types have on their mind regarding the security of the SaaS they service and consume.
- 3. How one malware uses DNS for tunnelling information
  Interesting writeup on how a malware package is communicating with its C2 servers using DNS as a side channel.
- 4. An unpleasant arbitrary code execution vulnerability in Quanta servers' BMC
  Quanta makes "generic" servers which are usually either white-labeled and resold as other brands, or used in large-scale datacenters. A 3-year-old vulnerability has been found whereby a user with shell access to the system can overwrite the BMC memory and have it do their will...