A new deps.dev API for supply chain enthusiasts, hacking and modding agricultural devices, guidance from CISA on secure by design (and by default!), Glaze brings adversarial art to AI training, key transparency for WhatsApp, a new appsec myth(?), Android hacking tool list, and a Chrome extension to find web debugging behavior.
As a member of the Security Weekly community, we are pleased to offer you 20% off your InfoSec World 2023 tickets! Join a community of over 2,000 security professionals and innovators at InfoSec World on September 25th through 27th at Disney’s Coronado Springs Resort. Experience world-class learning and networking through enlightening keynotes, informative panel discussions, interactive breakout sessions, hands-on workshops, and more.
Register today at securityweekly.com/infosecworld2023 using code ISW23-SECWEEK20!
Mike Shema
- Announcing the deps.dev API: critical dependency data for secure supply chains
Another project in the .dev domain family of resources for appsec teams and developers. This seems most useful as a means of answering "Am I affected?" when the next popular poisoned package like log4j comes along.
Another project to keep an eye on is securityscorecards.dev, although I'd suggest looking at it in terms for configuration baselines for your own internal repos rather than trying to keep up to date on dependencies.
- Farmers Win the Right to Repair Their Own Tractors in Colorado
I don't know if John Deere is the Ferrari of tractors, but this article continues our coverage of wheeled vehicle hacking.
Lots of agricultural device hacking was presented at DEF CON 2022 by sick.codes. Check out their tutorials for more technical write-ups about security issues in this space.
- Security-by-Design and -Default
CISA and friends have a guide about security from the design of apps and as a default for apps. It should be an important read for anyone building software or providing advice on the security of software. It's also the kind of guidance that lists like the OWASP Top 10 should be striving for.
The whole thing is worth reading (and it's quick), but my favorite line is, "A secure configuration should be the default baseline."
Check out the guide (PDF).
- WebSockets are a Pain – A Journey in Learning and Leveraging
This brief article refers to some useful tools for inspecting WebSockets traffic.
- Glaze Project
Adversarial artwork against training models. Glaze offers a way for artists to perturb their images in ways that are mostly-to-sort-of unnoticeable to humans, but noisy and confusing to AI training models.
- Deploying key transparency at WhatsApp
We'll return to this when the team publishes a more technical deep-dive, but it's worth highlighting now how security engineering is protecting users via a relatively complex mechanism that -- importantly -- does not create a complex cognitive burden for the end user. In other words, this approach improves confidence in the confidentiality of messages without adding to already cumbersome solutions that require user actions that no users consistently adhere to.
Read this tweet thread by Matthew Green for a summary of why this will have a positive impact to users and how it represents cool cryptographic engineering.
- MYTH: FBI warns of public ‘juice jacking’ charging stations that steal your data. How to stay protected
Here's an article of what's possible without a commensurate commentary of what's probable -- or how many modern devices protect against certain forms of "juice jacking". (Apple's USB restricted mode is one example.)
Despite the decent alliteration, it's a tedious term for an attack that hasn't been apparent in practice at any meaningful scale. And it hopefully won't start appearing on top 10 lists by the end of 2023.
Keep your device patched. Keep it charged. Enjoy.
- CFP: fwd:cloudsec
The CFP for fwd:cloudsec is still open. You have until Friday, April 28 at 23:59pm Pacific Time (GMT-8) to submit.
We've covered a presentation or two from here in the past. Their CFP page is also an excellent example of providing clear, explicit guidance on the type of presentations they're looking for and what they're not looking for.
- INFO: Android Penetration Testing Cheat Sheet
A collection of resources for putting together an Android testing toolbox.
- TOOL: debugHunter – Chrome Extension
An extension that might be useful to all the bug bounty researchers out there.
From its README, "Discover hidden debugging parameters and uncover web application secrets with debugHunter. This Chrome extension scans websites for debugging parameters and notifies you when it finds a URL with modified responses. The extension utilizes a binary search algorithm to efficiently determine the parameter responsible for the change in the response."
- DEVSPACEOPS: Cyberspace Solarium Commission: Space Systems Need Critical Infrastructure Label | Decipher
Not really much to cover here at the moment, but taking this opportunity to start coining all the space-related buzzwords and references now for the future of space-based appsec.
DevSpaceOps, Top 10 Space Risks, and expecting at least a dozen conference talks with titles that include "space girls", "final frontier", and "no one can hear you scream". Maybe we'll start a bingo prediction card to see what 2024 and beyond brings to this space.
John Kinsella
- FDA to refuse devices without “detailed cybersecurity plans”
This feels a little light, but still a good start to securing devices related to our health
- TOOL: VSCode Security Notes
