ASW #212 – Sam Placette

Mike Shema

1. Uber Investigating Breach of Its Computer Systems
   The very week that Uber's former CISO, Joe Sullivan, is in court over Uber's 2016 data breach, an alleged 18-year old hacker created a spectacle of the company's security practices. On a meta-level, it's been nice to see the majority of the industry response as having sympathy for the security teams responding to the incident, the pushback against marketing on top it, and the resistance to blaming any one user for the breach. On the appsec angle, we'll talk about hard-coded credentials, designing for "break glass" situations, the pros (many) and cons (some) of FIDO2 and WebAuthn, and the threat models you should -- and those you shouldn't -- bother with based on this breach example. Additional resources - https://www.darkreading.com/attacks-breaches/attacker-apparently-didnt-breach-single-system-pwn-uber - https://www.uber.com/newsroom/security-update/
2. Rust Foundation Establishes Security Team to Support and Advance Rust Programming Language
   This might be one of those articles that makes me unreasonably excited. It's great to see programming languages move towards explicit acknowledgment and ownership of security issues. The article mentions a lot of threat modeling, which hopefully focuses not only on the language's design, but the ways that programmers use, misuse, or misunderstand it. Ideally, this team will create more than just a "Secure Rust Checklist" -- we don't need more checklists. We need safe defaults, aggressive deprecation of functions or features that lead to insecure designs, and improved tooling for analyzing security mistakes.
3. Securing the Supply Chain of Nothing
   Kelly Shortridge wrote a detailed, insightful article about the recent NSA supply chain guidance (we covered it last week in episode 211). She sees it as flawed, with contradictory messages and recommendations likely to remain forever aspirational. It's a good reminder that any guidance out there, whether multi-page PDFs or OWASP Top 10 lists, is useful to inform a security program, but that a program has to be well planned and have milestones that show how it delivers value. More specifically, it also means that some guidance either isn't helpful at all (which the article argues is the case for much of the supply chain doc) or that it requires context about the org -- where context, like "it depends", is the magic word that shows just how much of a subjective art appsec remains.
4. Use-after-freedom: MiraclePtr
   Cool news for folks into C++ nerdery (and users of Chrome, who will benefit from this work). In short, the MiraclePtr is a design solution for an entire class of memory safety issues in the heap. It doesn't reach the safety guarantees of Go or Rust, nor is it a wholesale replacement of every raw pointer within the codebase. But it is a welcome design improvement and the type of solution that can make future code or new projects much safer. Plus, bonus points for a security mechanism that also helps identify bugs.
5. The Scoop: Netflix’s historic introduction of levels for software engineering
   One of our friends from Enterprise Security Weekly, Adrian Sanabria, shared this article with us. On the surface, it might not seem to have a direct connection to appsec. Yet we've mentioned Netflix many times when talking about paved roads, DevOps, and SRE approaches to application design. Plus, this is an article about developer incentives and careers. Not only should appsec teams be having similar discussions about compensation, career growth, and team compositions, but teams should also build an understanding of organizational dynamics, incentives, and how large changes -- whether engineering levels or engineering security hurdles -- impact an org.
6. How to hire and build your cybersecurity team
   As a parallel to the other Netflix article this week, here's one from a former Netflix infosec leader about building teams.
7. This Hacker Is Trying to Close the Gender Pay Gap in Cybersecurity
   Another article on this week's theme of careers. In this case, it's highlighting the ongoing failure in orgs to pay fairly, leading to a gender gap in compensation. Katie Moussouris hasn't been alone as a subject to this, having sued Microsoft for their practices. She has turned that into a broader effort to highlight the reality of the problem and demand changes like transparency in compensation and actions that orgs can take to reduce bias in hiring, negotiation, and pay.

John Kinsella

1. Meta releases a framework for finding memory leaks in javascript apps
   Neat idea to diff heap snapshots between two browser states. I wonder where else this can be used in security R&D
2. “Prompt injection attack” vulnerability class found for GPT3, probably other ML systems
   So GPT3 now allows us to converse with a bot in English*, but also to manipulate what the bot does/says in English, as well. * I'm sure for things like the huggingface models, this can work with other languages, as well...
3. EA’s latest anti-cheat code uses ring-0 code
   ...how long until it leads to system compromise?
4. VMWare: Retbleed fix causes up to 70% performance hit
5. Call Depth Tracking coming soon for more performant retbleed protection
   The kernel peeps have been busy in recent weeks, working on better approaches to retbleed. Call Depth Tracking works by putting traps that break the speculation execution just far enough away that some speculative execution happens, but not enough to make the capability useless.