Starting an OWASP Project (That’s Not a List!) – Grant Ongers – ASW #272
Full Audio
View Show IndexSegments
1. Starting an OWASP Project (That’s Not a List!) – Grant Ongers – ASW #272
We can't talk about OWASP without talking about lists, but we go beyond the lists to talk about a product security framework. Grant shares his insights on what makes lists work (and not work). More importantly, he shares the work he's doing to spearhead a new OWASP project to help scale the creation of appsec programs, whether you're on your own or part of a global org.
Segment Resources:
https://owasp.org/www-project-product-security-capabilities-framework/
- https://github.com/OWASP/pscf
- https://prods.ec/
- https://owaspsamm.org
- https://iso25000.com/index.php/en/iso-25000-standards/iso-25010
- https://www.scmagazine.com/podcast-episode/application-security-weekly-242
Announcements
Don’t let 3rd party risk ruin your Valentine’s Day! Join Adrian Sanabria and Bill Brenner on an SC Media webcast titled: Understanding third party risk by studying third party breaches. As listeners will know, Adrian loves exploring risk through our understanding of real breaches and incidents. They’ll discuss how to prepare for some of the most concerning third party risks you should be aware of, along with our partner for this webcast, ProcessUnity.
Visit securityweekly.com/ValentineRisk to register!
Guest
Co-founder of Secure Delivery and current OWASP Global Foundation board chair, Grant Ongers is a firm believer in security enabling delivery not blocking it. Well-known in the international InfoSec community (it’s hard to forget the beard!), his 10+ years of experience in Dev, 20 years in Ops and 30 years in Sec (mostly white hat) has made him a firm believer that there’s no such thing as DevSecOps – just DevOps done right, and that compliance != security (or the other way around). Alongside his role as CTO within Secure Delivery, Grant provides C-suite advice and guidance on security to FTSE100 enterprises and strategic risk analysis within M&A diligence teams.
Hosts
2. Sorting Out Glibc Vulns, Apple’s Security Research Device, BoringSSL, Old C Vulns – ASW #272
Qualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more!
Announcements
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
Hosts
- 1. Qualys TRU Discovers Important Vulnerabilities in GNU C Library’s syslog() | Qualys Security Blog
More great research from Qualys. As a commentary on the structure of the article, I appreciate how it puts potential exploitation into context, provides useful technical details up front, adds some understandable marketing at the end (all vendors do this to a degree), and has links to more details at the end.
- 2. Here is Apple’s official ‘jailbroken’ iPhone for security researchers | TechCrunch
Apple took a unique path with making iPhones friendlier to researchers when it made a jailbroken device available in 2020 (if you went through some hurdles). Obviously, we've seen plenty of critical vulns before the advent of officially supported devices for research. But we've also seen significant security design and sandboxing that raises the bar for exploitation. Exploits and malicious apps don't have access to an evil bit or setting to trick users into weakening their device.
Apple has a few details in its platform security guide.
- 3. BoringSSL to make TLS more secure | Fastly
The first bar graph tells a great story of BoringSSL and all the cruft, obscure architectures, and unnecessary code that it removed from OpenSSL. We've covered different approaches to OpenSSL, including the Rustls implementation of TLS 1.2 and 1.3.
As the article notes, using BoringSSL comes with a huge caveat -- Google is essentially doing this project for themselves, so no easy versioning or external support. Amazon has their own flavor of TLS with s2n-tls, which is a complete re-implementation in C.
Heartbleed was the vuln that launched a 1,000 reconsiderations of OpenSSL, with fallout still lasting to this day.
- 4. *nix libX11: Uncovering and exploiting a 35-year-old vulnerability – Part 2 of 2
This is a nice set of articles that walks through developing an exploit for an image-parsing vuln.
Sure, libX11 isn't the most relevant thing out there, but learning about exploiting C is useful. And the underlying premise of mucking about with image formats (or sound or video or PDF formats) should be part of any service's threat model that deals with user-generated content. So, even if you want to skip the X11 and C part of this, use it as a discussion seed for how your services isolate, sandbox, and monitor any file format that needs to be parsed.
- 5. Secure by Design Alert: Security Design Improvements for SOHO Device Manufacturers
Another alert from CISA in their Secure by Design series. I'm still thinking about these in terms of what can make them more impactful and avoid having them become referenced as some sort of "CISA's Top Ten Secure by Design Alerts".
- 6. DEV: You Probably Don’t Need `eslint-config-prettier` or `eslint-plugin-prettier` | Goldblog
This doesn't have an immediate appsec hook, but I highlighted it for a few reasons. One, Josh has been on the show as one of the few developers we've had. He's helped bring the developer perspective to our appsec conversations.
But it also made me think of how we position appsec tools for developers. Do we have an IDE plugin that does one security thing and that thing only, or introduce tools that handle many different security tasks and topics?
Josh last hung out with us last year in ASW 251 and ASW 262.
- 1. More details and discussion on the Qualys glibc stuff
The nerds at Qualys posted more details about the glibc CVE on the OSS security list. Link above is for the buffer overflow in syslog(), and the qsort vuln is posted at https://www.openwall.com/lists/oss-security/2024/01/30/7
- 2. Juniper: Authentication is Optional
The folks at Watchtowr saw another network device with another PHP interface, and did the needful, opening with "please remember that we are discussing an appliance from a security vendor and thus we have to expect the [security] bar to be lower."
After a few moments of poking around, they manage to get the encrypted root password, leaving it as an exercise for the reader to decrypt and enjoy the riches.
While they're at it, they find some XSS, and a bit of deep thought: when doing research on a vuln, it's not uncommon to find a "cluster" of them near each other.
Also - Juniper needs to catch up with the times, as apparently they only release security updates quarterly.
- 3. Container breakout in runc due to order of operations during container build
Rory McNamara, now at Snyk, found a neat vulnerability in runc - the cli that's becoming standard for interacting with container runtimes. In a nutshell of types, he figured out that during runc init and runc exec, runc wasn't checking if a directory passed to WORKDIR - a command to tell the runtime where to look for files to build into the container. This leads to an order of operations type vuln, where by changing to a directory which the runtime has access to but a container shouldn't before privileges are dropped, then the container manages to keep those privileges.