You’ve Got Appsec, But Do You Have ArchSec? – Merritt Baer – ASW #250
1. You’ve Got Appsec, But Do You Have ArchSec? – Merritt Baer – ASW #250
Mature shops should be looking to a security architecture process to help scale their systems and embrace security by design. We talk about what it means to create a security architecture process, why it's not just another security review, and why it requires security to dig into engineering.
Guest
Merritt (Twitter: @MerrittBaer) is Field CISO at Lacework, a cloud security unicorn. Merritt provides technical security guidance to Lacework’s customer executives. She is also instrumental in the security industry: speaking, talking and advising companies on security at scale, and she helps to inform Lacework product roadmaps with customer and threat landscape feedback.
Previously, Merritt served in the Office of the CISO at Amazon Web Services, as part of a small elite team that formed a Deputy CISO. Merritt has experience in all three branches of government and the private sector. Before Amazon, Merritt served as Lead Cyber Advisor to the Federal Communications Commission. She also advises and serves on boards of young companies, including Expanso (open-source platform that enables efficient and secure distributed computation). Merritt is a graduate of Harvard Law School and Harvard College.
2. Zap’s New Home, Clang & Security Tools, LLM Attacks, Rust Supply Chain – ASW #250
Zap gets a jolt of new support, using Clang for security research, LLM attacks learn models, Rust visualizes dependencies, a National Cyber Workforce and Education Strategy, and more!
- 1. The future of Clang-based tooling | Trail of Bits Blog
(If this looks familiar, it's because we had it in last episode's news queue. We ran out of time to cover it, but there were some still-relevant points I wanted to highlight.)
I've been a long-time fan of Clang and LLVM. Its various analyzers are immensely helpful for discovering and fixing issues that lead to bugs and security flaws.
This article highlights the desire of researchers who want to work more directly through the compiler toolchain, such as reviewing and manipulating the AST in order to find all sorts of security issues. (In fact, the analyzers work on the CFG, not the AST -- which I didn't realize.) It points out how Clang is optimized to optimize code and serve developers, but it doesn't have all the features a security researcher would want.
But if you don't care about compiled code or the few acronyms in this summary have already thrown you off, think instead about the development toolchains you currently use and how well they can be instrumented for security purposes.
- 2. National Cyber Workforce and Education Strategy
There are ideas and structure in here that could apply to a company's approach to security awareness and the digital literacy and resilience of its employees.
- 3. CISA Cybersecurity Strategic Plan
Here's our second security strategy from the U.S. government this week. Once again, the guidance feels directionally effective and something that companies can use to inspire their own programs.
- 4. Tesla Jailbreak Unlocks Theft of In-Car Paid Features
More car hacking! This time with a more consumer-focused angle reminiscent of the John Deere agricultural vehicle hacking we covered back in April with episode 237.
Keep an eye on the researcher's BlackHat presentation this week. We'll follow up with any fun updates.
- 5. TOOL: Streamlining Websocket Pentesting with wsrepl · Doyensec’s Blog
WebSocket pentesting can be a pain. It can tunnel arbitrary protocols, many of which aren't text-based and therefore aren't human-friendly for reading and manipulating data.
- 6. Google, Microsoft Take Refuge in Rust Language’s Better Security
There's not too much new in this article that we haven't already covered in the last few months. So I'm just going to use it as a reminder that choosing Rust for new projects is far more likely to be successful than attempting to rewrite existing code that lacks memory safety into Rust.
And I'll also use it to muse on headlines and framing. Rust has better default security for memory safety -- that alone is a great benefit -- but it is just as prone to all the Top 10-style vulns that plague web apps. It'll be wonderful to reduce the amount of vulns that stem from memory safety, but there'll be plenty of other vuln classes to deal with. Hopefully we'll discover better ways of addressing them than just relying on security awareness through top 10 lists.
In related news, Rust released a tool "to build a graph database of dependencies and invocations between all crates within the crates.io ecosystem."
Find the code at https://github.com/rustfoundation/painter
- 7. Collide+Power
This goes into the cool research, but don't worry about revising all your threat models.
It might also be a departure point for us to talk about directions in cybersecurity research and what it looks like in academia vs. industry.
- 8. LLM Attacks
I like how this research generated adversarial attacks not by clever prompt creation by humans (which can be a fun way to explore LLMs), but by creating an adversarial prompt that takes advantage of the LLM's underlying model. To roughly explain the idea, the attack relies on crafting prompts that trigger the paths of probability that string together responses that the LLM owners would otherwise like to suppress -- think offensive words or similar "jailbreaks".
- 9. Bleeding Pipe: A RCE vulnerability exploited in the wild
One of the points we try to emphasize in security awareness and secure code training is to be relevant -- both in programming language as well as being topical. Using old examples from 20 years ago might be interesting from a history of appsec (or a slightly cynical show of how little progress appsec has made). On the other hand, pulling examples from headlines and from software that developers are familiar with can increase their curiosity and engagement. With that in mind, here's a chance to talk about Minecraft and deserialization attacks.
- 1. Zap proxy project moving to SSP
Zap has made some noises over the years about not being totally happy at OWASP, and now they're announcing that they are moving to SSP and two of the core developers will be on payroll.
I mention it here so Zap users know "hey, where'd Zap go?!" and also because we've talked about issues at OWASP several times.
(h/t Akira)
- 2. Using AWS SSM as a RAT
This is mostly a cloud-security story, but there's an appsec aspect, I think: When you create a tool, how do you control when it is used for good vs bad?
- 3. Lexon – a “plain text programming language for digital contracts and law”
On the crypto side of things, Lexon is a language designed to read/write like a "normal" human language. I bring it up here for the discussion: Will this improve appsec?
h/t Coin Telegraph
- 4. You don’t always need machine learning to improve algorithms
Interesting story coming out of Pacific Northwest National Lab: Some of their staff were looking to improve DOS detection/response. They turned to look at how entropy changes in a network between normal users browsing a website vs a DOS attack. They found a solution much more compute-efficient and easier to understand/manage than training an ML algorithm.
- 5. Adding chalk marks to your releases
One of the problems orgs can have is tracking the non-code parts of an application - who wrote something, why, who is supporting/"owns" the app, possibly what code is actually being used. On the other hand, perhaps you're looking at a code repo, but are not sure if/when/where it was deployed?
Crash Override's attempting to address this by releasing Chalk, a soon to be open source (grrr don't develop "open source" in closed environments) tool to annotate git repos and releases in a standardized way to make answering these questions easier.