Full episode and show notes

Text4Shell, GUAC for SLSA, OpenSSF Scorecards, Toner Deaf, OWASP Elections – ASW #217

Text4Shell isn’t a new patching hell, using supply chain info with GUAC, OpenSSF Scorecards and metrics, Toner Deaf firmware persistence, upcoming OWASP Board Elections, Chrome browser exploitation

Full Segment Notes

Text4Shell isn't a new patching hell, using supply chain info with GUAC, OpenSSF Scorecards and metrics, Toner Deaf firmware persistence, upcoming OWASP Board Elections, Chrome browser exploitation

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!

List of Articles

Mike Shema

  1. Experts downplay reach of Apache bug ‘Text4Shell’

    Java, curly braces, and interpolation -- the planets align for another RCE, but this one lacks the dimensional rift of its log4shell predecessor. With luck, we'll just label the language as Java4shell and work on better default configurations and design patterns.

    The vuln announcement is at https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om

  2. Announcing GUAC, a great pairing with SLSA (and SBOM)!

    Supply chain acronyms are stretching their metaphors a bit too far now, but at least the projects are demonstrating investment in solving problems that developers face. This four-letter friend aims to provide better insight on the attack surface exposed by a known vuln within a software dependency: It brings together supply chain info into a graph, walks the graph, and provides an answer.

    They'll be presenting more about this on Thursday at KubeCon.

    Let's hope the next project dips into a new naming scheme.

  3. Report Finds OpenSSF Scorecards Are Highly Effective Measures to Assess Project Security

    How well can metrics drive a behavior? How do we build a culture that uses metrics to improve software security rather than devolve into gaming the metrics themselves?

    The report is on the vendor's site -- thankfully not behind a registration wall!

  4. TSA unveils new railroad cybersecurity directive

    It's always good to step outside familiar software and see what types of security challenges other industries face that don't rely on JavaScript front-ends, a key-value store, and user-generated content. Doing so can inform our practices, recommendations, designs, and threat models.

  5. Toner Deaf – Printing your next persistence (Hexacon 2022)

    Fun hardware hacking and firmware dissection from NCC Group. Although mostly I included this as a missed opportunity to name it a more Halloween-friendly LexMark of the Beast.

  6. SHA-3 Buffer Overflow

    A researcher finds a memory safety issue in a reference implementation of the SHA-3 algorithm -- and it's been in there for ten years. Here's a chance to talk about implementation, copying implementations, test cases for implementations, secure coding, secure code reviews. In other words, a fun example of the eternal challenges in appsec and what progress does -- or doesn't -- look like.

  7. My Manifesto for the OWASP Board Election – Mark Curphey

    This is an interesting reflection on the current state and a future vision for OWASP from its founder. It's a constructive argument that aims to refine and build on what OWASP is doing, not to tear it down. I find the direction towards a product management approach appealing. And, in general, would love to see the OWASP brand recognized more immediately for other appsec resources than just the Top 10.

    General information about the OWASP global board elections can be found here, including a list of all the candidates.

  8. How I Got $10,000 From GitHub For Bypassing Filtration oF HTML tags

    A walkthrough of an HTML injection attack where the researcher's initial report was a duplicate, followed by more research that ultimately found a clever combination of syntax from a JavaScript library for displaying math equations. Patience and a positive bug bounty experience led to a $10,000 award.

  9. Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals

    Last episode I included a link to a deep technical article on Linux kernel hacking. This week I found one on exploiting Chrome. We'll keep an eye out for similar long reads on topics that take more than a few minutes to cover. Let us know if you have any favorites we should highlight!

John Kinsella

  1. Break signature on malware, exploit windows

    Modern Windows has functionality to alert the user before running a file downloaded from the Internet. People discovered that by altering the signature to an invalid one, that Window's "Mark-of-the-Web" would throw up it's hands and just execute the file.

  2. Physicists Got a Quantum Computer to Work by Blasting It With the Fibonacci Sequence

    Physicists figure out that a DOS attack using the fibonacci sequence keeps qubits entangled

  3. SBOMs: An Overhyped Concept That Won’t Secure Your Software Supply Chain

    Another counter-point to "must have SBOMs!" :)

Show More

Stay in the Know, No Smoke and Mirrors – Join Our Newsletter

Get expert insights and technical breakdowns straight to your inbox.
Join Now

Related Segments

Related Content

You can skip this ad in 5 seconds