Each week, Security Journey's CEO, Chris Romeo, takes you through the five security articles he thinks are worth your time. Links to all the articles are included with each episode.
"SBOM" should not exist! Long live the SBOM.
This article by Steve Springett, who is at the center of the software bill of materials universe, explains what an SBOM is and why they should exist.
In defense of simple architectures
As security professionals, we love simple because complex is hard to secure. This article is about a 1.7 billion dollar company that runs its web app as a Python monolith on top of Postgres, and how this simplified architecture runs a successful application.
Alex Mor -- Application Risk Profiling at Scale
How do you manage appsec when you have thousands of applications in an enterprise? Alex Mor joined the Application Security Podcast to talk about application risk profiling. He defines what it is, then walks through how to scale it across an organization.
HOW INFRASTRUCTURE AS CODE SHOULD FEEL
This article is all about feelings... infrastructure feelings. It dives into how your infrastructure as code should feel; it should feel safe, better, etc. Check it out to understand this new way of thinking.
Improving software supply chain security with tamper-proof builds
We all still, to this day, struggle with the software supply chain. This article, showing how to create tamper-proof builds, dives into SLSA and the principles you can apply to your software supply chain to make it more secure.

3 Cultural Obstacles to Successful DevSecOps Implementation
When our goal is to change security culture, we must consider how to influence our developers while still caring for their needs. This article shares helpful insight into implementing successful security culture change within an organization.
Brenna Leath -- Product Security Leads: A different way of approaching Security Champions
Brenna Leath, head of product security at SAS, visited the Application Security Podcast to share her insight on security champions and how she approaches this role in her organization with product security leads. We hope you enjoy this conversation with... Brenna Leath.
How Go Mitigates Supply Chain Attacks
This post, from the Go blog, dives into how the language mitigates supply chain attacks.
GitHub can now auto-block commits containing API keys, auth tokens
It is vital to keep private information, such as API keys, passwords and authentication tokens, secure. GitHub recently released a new update that scans code for this sensitive information before committing the code to a repository.
If you're not using SSH certificates you're doing SSH wrong
If you use SSH without certificates, this story may make you uneasy. The author argues why we shouldn't be using SSH with anything other than certificates in the modern day.

1. An Analysis of Open-source Automated Threat Modeling Tools and Their Extensibility from Security into Privacy - https://www.usenix.org/publications/l...
We conducted our review of threat modeling tools in three main phases: Tool Discovery, Evaluation Criteria Selection, and Application of Evaluation Criteria.
2. In-depth research and trends analyzed from 50+ different concepts as code - https://www.jedi.be/blog/2022/02/23/t...
• DevSecOps as code explosion
• Data as code
• Capturing knowledge as code
3. Security Journey Provides Free Application Security Training Environment for OWASP® Members - https://www.securityjourney.com/post/...
Security Journey's OWASP dojo will be open and available to all OWASP members starting April 1st. Members can access it in their member portal.
4. GitHub - 99designs/aws-vault: A vault for securely storing and accessing AWS credentials in development environments - https://github.com/99designs/aws-vault
AWS Vault is a tool to securely store and access AWS credentials in a development environment.
5. Avoiding the top Nginx configuration mistakes (nginx.com) - https://www.nginx.com/blog/avoiding-t...
This blog takes a deep look at 10 of the most common errors, sometimes committed even by NGINX engineers. The article explains what the 10 most common mistakes are and how to fix them.

1. Is it safe to use SECRETS_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED? - https://datasociety.net/wp-content/up...
This first story is a React development issue. A developer was asking if a specific property was safe to use. This shows the importance of naming in understanding the security risks when using specific properties.
2. Adam Shostack -- Fast, cheap, and good threat models - https://www.securityjourney.com/podca...
Adam is very well known in the world of threat modeling as a thought leader. This is his take on some new approaches he wants everyone in the industry to understand.
3. SHA-256 explained step-by-step visually - https://sha256algorithm.com/
This is a website that describes how SHA-256 works. Hashing algorithms are a critical part of how we protect information, whether it is at rest or in transit. This is a fascinating way to go through the steps and understand how they work.
4. Over 28,000 Vulnerabilities Disclosed in 2021: Report - https://sha256algorithm.com/
This article describes a report published by Risk Based Security highlighting the 28,000 vulnerabilities that were disclosed in 2021. It shows that not much has changed since 2020, but check it out to see all the details.
5. Known exploited vulnerabilities catalog - https://www.cisa.gov/known-exploited-...
This is the Known Exploited Vulnerabilities Catalog from CISA. There was a pointer in the previous story to the site as a resource to search and stay up to date on different exploitable vulnerabilities and their remediations.

Bounty Everything
This ebook has in-depth explanations of how bug bounties work, how the economy works within the bug bounty, and how the researchers are paid and treated.
Understanding Website SQL Injections
A high-level deep dive into SQL injection, so even those who have no understanding of what an injection attack is can learn how they work.
Mazin Ahmed -- Terraform Security
Terraform is all the rage in the infrastructure as code world. Mazin walks through all the things you need to understand about Terraform, the security challenges, and where to learn more in this episode of the Application Security Podcast.
10 real-world stories of how we've compromised CI/CD pipeline
We all have CI/CD pipelines that we are using in a DevOps world to build our production software; those pipelines have vulnerabilities. Check out these real-world examples to become more educated about the security issues you need to care about.
Cryptocurrencies: Tracing the evolution of criminal finances
This Intelligence Notification provides an overview of the illicit use of cryptocurrencies, including those services that facilitate their illicit use, illustrating relevant modi operandi using case examples.

5% of 666 Python repos had comma typos (including Tensorflow, PyTorch, Sentry, and V8)
Out of a group of GitHub repositories that had been checked, 5% had a comma problem: either too few or too many commas somewhere in the library.
Advanced SQL Injection Cheatsheet
This repository contains an advanced methodology for all types of SQL Injection: MySQL, PostgreSQL, Oracle, and MSSQL.
10 Threats ebook
Read about the eBook on the 10 Greatest Threats to Your Application's Security, 2021 version.
Dev corrupts NPM libs 'colors' and 'faker', breaking thousands of apps
The colors library receives over 20 million weekly downloads on npm alone and has almost 19,000 projects relying on it, whereas faker receives over 2.8 million weekly downloads on npm and has over 2,500 dependents.
How I Discovered Thousands of Open Databases on AWS
My journey on finding and reporting databases with sensitive data about Fortune-500 companies, hospitals, crypto platforms, startups during due diligence, and more.

1. Fuzzing for XSS via nested parsers condition - https://swarm.ptsecurity.com/fuzzing-...
In this article, web application security researcher Igor Sak-Sakovskiy reveals a novel technique for finding sanitization issues that could lead to XSS attacks.
2. Anti-Patterns in Cybersecurity Management - https://systemweakness.com/anti-patte...
In this article, the author walks through the most memorable anti-patterns he's seen recurring in cybersecurity management.
3. OWASP Top 10 Peer Review - http://www.securityjourney.com/podcas...
Robert and Chris break down the OWASP Top 10 2021 Peer Review Edition in this episode of the Application Security Podcast. They walk through it and give their insights, highlight the things that stood out, and ask questions.
4. My first impressions of web3 - https://moxie.org/2022/01/07/web3-fir...
Security researcher and entrepreneur Moxie Marlinspike recently explored web3. He shares what he's learned about how web3 works from the inside out.
5. How a routine gem update ended up creating $73k worth of subscriptions - https://serpapi.com/blog/how-a-routin...
This is the story of how a company attempted to deploy what looked like an innocent gem update but ended up costing them $73k. In less than an hour, 474 new subscribers had been mistakenly added to their service.

ZAPping the OWASP Top 10
This document gives an overview of the automation and manual components provided by OWASP Zed Attack Proxy (ZAP) that are recommended for testing each of the OWASP Top Ten Project 2021 risks.
AWS Is the Internet's Biggest Single Point of Failure
In December, several services on the internet ground to a halt because of an outage at some Amazon Web Services cloud servers. The outage affected Netflix, Disney Plus, PUBG, League of Legends, Ring security cameras, as well as Amazon products and delivery infrastructure. The outage only lasted a few hours, but it showed the world just how much the internet depends on Amazon's infrastructure.
Eran Kinsbruner -- DevSecOps Continuous Training
Eran joins the Application Security Podcast to talk about the role of testing in a secure software pipeline. They talk about the intersection of security and quality, challenges in getting started, and even have a brief conversation about how SAST is used to check automotive software.
Find the root cause of your productivity problem with the "5 Whys" technique
The 5 Whys technique was developed in the 1930s by Sakichi Toyoda, the founder of the automotive manufacturer Toyota Industries. The idea is simple: ask "why" 5 times, until you get to the root cause of your issue. It's not dissimilar to a kid who exasperates their parents by continually asking "why"... but the benefits can be transformative!
Why I'm Using HTTP Basic Auth in 2022
Building an entire login system from scratch can be a significant investment and creates a major barrier to entry. It's prevented me from building useful tools because they would require a login.

Exploring Container Security: A Storage Vulnerability Deep Dive - https://security.googleblog.com/2021/...
Recently, the GKE Security team discovered a high severity vulnerability that allowed workloads to have access to parts of the host file system outside the boundaries of the mounted volume. Remember, vulnerabilities can exist deep within the internals of Kubernetes.
Really Stupid "Smart Contract" Bug Let Hackers Steal $31 Million In Digital Coin - https://arstechnica.com/information-t...
An accounting error built into the company's software let an attacker inflate the MONO token's price and then use it to cash out all the other deposited tokens, MonoX Finance revealed in a post. The haul amounted to $31 million worth of tokens on the Ethereum or Polygon blockchains, both of which are supported by the MonoX protocol.
Thinking back, Looking forward – A Balanced Approach to Securing our Software Future - https://www.buzzsprout.com/1730684/88...
Keven Greene is the Director of Security Solutions at Parasoft and has extensive experience and expertise in software security, cyber research and development, and DevOps. He and Chris discussed software security from the past into the future. They cover how to make security easier for devs, SBOM, software minimalism, and so much more in this episode of the Application Security Podcast.
Security Metrics that Count - https://www.twilio.com/blog/security-...
Metrics can be challenging. Twilio uses security metrics to drive change within their organization, celebrate improvements over time to help better protect their customers, and measure their security program.
Playbook for Threat Modeling Medical Devices - https://www.mitre.org/publications/te...
The "Playbook for Threat Modeling Medical Devices" was developed to further increase knowledge of threat modeling throughout the medical device ecosystem and strengthen the cybersecurity and safety of medical devices.

How to Learn Stuff Quickly: https://www.joshwcomeau.com/blog/how-...
Learning how to learn is a crucial skill of the security professional and developer.
Never Update Anything: https://blog.kronis.dev/articles/neve...
"In my eyes, it could be pretty nice to have a framework version that's supported for 10-20 years and is so stable that it can be used with little to no changes for the entire expected lifetime of a system."
Bridges fall down due to insecure design - make sure your web applications don't: https://www.securityjourney.com/post/...
This principle also applies to web applications, which is why the new #4 on the OWASP Top 10 2021 list is Insecure Design.
Pin exact dependency versions: https://betterdev.blog/pin-exact-depe...
Use a dependency manager that creates a lock file and commits it to the repository. Even then, pin your dependencies - explicitly specify their exact versions.
Financial services need to prioritize API security to protect their customers: https://www.helpnetsecurity.com/2021/...
Given this growing trend, Knight focused her vulnerability research on financial services and FinTech companies and was able to access 55 banks through their APIs, giving her the ability to change customers' PIN codes and move money in and out of customers' accounts.

Protect your open source project from supply chain attacks - https://opensource.googleblog.com/2021/10/protect-your-open-source-project-from-supply-chain-attacks.html?m=1
This blog post walks through the quiz questions, answers, and options for prevention, and can serve as a beginner's guide for anyone who wants to protect their open source project from supply chain attacks.
Trojan Source Attacks - https://trojansource.codes/
Some vulnerabilities are invisible - rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities. The attack is to use control characters embedded in comments and strings to reorder source code characters in a way that changes its logic.
An Opinionated Guide on How to Reverse Engineer Software, Part 1 - https://margin.re/media/an-opinionated-guide-on-how-to-reverse-engineer-software-part-1.aspx
"This is an opinionated guide. After 12 years of reverse engineering professionally, I have developed strong beliefs on how to get good at RE."
AppSec Things to Watch in 2022 - https://www.securityjourney.com/post/appsec-things-to-watch-in-2022
It's that time of the year again when everyone under the sun comes up with predictions. We're not fans of predictions, so instead, we give you Security Journey's Application Security Things to Watch in 2022.
AWS WAF's Dangerous Defaults - https://osamaelnaggar.com/blog/aws_waf_dangerous_defaults/
Any malicious payload that starts after the 8KB limit in a POST request will completely bypass your WAF unless you've explicitly added a rule to block any POST request greater than 8KB in size. Even the simplest SQL injection, the legendary '1=1', can fly right by.

GitLab analysis of OWASP Top 10 changes from 2004 to 2021 - https://public.flourish.studio/visual...
Visualization of how the OWASP Top Ten has changed over the years.
To Learn a New Language, Read Its Standard Library - http://patshaughnessy.net/2021/10/23/...
The best way to learn a new programming language, just like a human language, is from example. To learn how to write code you first need to read someone else's code.
Making sense of OWASP A08:2021 - Software & Data Integrity Failures - https://www.securityjourney.com/post/...
We should expect this category to rise higher within a few years. Supply chain poisoning is difficult to detect and prevent. Our countermeasures are, arguably, in their infancy.
GitHub - xntrik/hcltm: Documenting your Threat Models with HCL - https://github.com/xntrik/hcltm
hcltm aims to provide a DevOps-first approach to documenting a system threat model by focusing on the following goals: a simple text-file format, a simple CLI-driven user experience, and integration into version control systems (VCS). This repository is the home of the hcltm CLI software. The hcltm spec is based on HCL2, HashiCorp's Configuration Language, which aims to be "pleasant to read and write for humans, and a JSON-based variant that is easier for machines to generate and parse". Combining the hcltm CLI software and the hcltm spec allows practitioners to define a system threat model in HCL.
All Things SSRF - https://github.com/jdonsec/AllThingsSSRF
This is a collection of writeups, cheat sheets, and videos related to SSRF in one single location.

Minimum Viable Secure Product
Minimum Viable Secure Product is a minimalistic security checklist for B2B software and business process outsourcing suppliers.
How to Secure Python Web App Using Bandit
Bandit is a tool developed to locate and correct security problems in Python code. To do that, Bandit analyzes every file, builds an AST from it, and runs suitable plugins against the AST nodes. Once Bandit has completed scanning all of the files, it generates a report.
Explain Sigstore to me like I am five
Sigstore provides an easier way to seamlessly issue and validate signatures from constituent dependencies, including base images, all the way to the final deployed application artifact.
Threat Matrix for CI/CD Pipeline
This is an ATT&CK-like matrix focused on CI/CD pipeline specific risk.
Malware Found in NPM Package with Millions of Weekly Downloads
A massively popular JavaScript library, UAParser.js (npm package), was modified with malicious code that downloaded and installed a password stealer and cryptocurrency miner on systems where compromised versions were used.

commjoen/wrongsecrets - https://github.com/commjoen/wrongsecrets
Improper secret storage is a common technology problem. Use this tool to expose your developers to how to do it wrong, so they can learn how to do it right.
List of IT Assets an Attacker is most likely to Extort - https://www.helpnetsecurity.com/2021/10/13/it-assets-target/
Attackers love IT assets; here are the top things they are targeting and exploiting.
OWASP Top 10 2021: 7 action items for app sec teams - https://www.securityjourney.com/post/owasp-top-10-2021-7-action-items-for-app-sec-teams
Your AppSec team has work to do with the new OWASP Top Ten for 2021.
How to win at CORS - https://jakearchibald.com/2021/cors
CORS is tough to implement correctly and develop against – but it is worth the effort. Security is often difficult.
7 Unconventional Pieces of Password Wisdom - https://www.darkreading.com/application-security/7-unconventional-pieces-of-password-wisdom
Nice summary of NIST 800-63b.

How Yahoo Built a Culture of Cybersecurity - https://hbr.org/2021/09/how-yahoo-built-a-culture-of-cybersecurity
Commentary: Security culture continues to grow as a non-negotiable piece of a security strategy.
minimaxir/big-list-of-naughty-strings - https://github.com/minimaxir/big-list-of-naughty-strings
Commentary: Safe list input validation is always our go-to, but the big list of naughty strings is a nice input for testing!
Have Trusted Types API built directly into the jQuery Core Files · Issue #4409 jquery/jquery - https://github.com/jquery/jquery/issues/4409
Commentary: jQuery is still widely in use across the web, and adopting Trusted Types is a strong security step forward.
Making sense of OWASP A08:2021 – Software & Data Integrity Failures - Encryption is easy, key management is hard - https://www.securityjourney.com/post/making-sense-of-owasp-a08-2021-software-data-integrity-failures
Commentary: Software and data integrity failures are the root cause of many supply chain debacles in the past few y
Apache Servers Actively Exploited in the Wild, and the Importance of Prompt Patching - https://blog.sonatype.com/apache-servers-actively-exploited-in-wild-importance-of-prompt-patching
Commentary: We often think of patching as a security problem that has been solved – patching is always challenging!

1. NIST Brings Threat Modeling into the Spotlight
If you haven't heard about the NIST Executive Order about software security and supply chain, you've been living under a rock. Adam gives us the threat modeling perspective on the EO.
2. How to ensure the highest quality of Software code
Security or development, we all want the highest quality of software code. Explore linting, unit testing, SAST, and continuous monitoring of software.
3. A cloud company asked security researchers to look over its systems. Here's what they found
Everything is broken, and everything is breakable – don't let anyone lead you to a different conclusion. The cloud is someone else's computer.
4. Masscan: TCP port scanner, scanning entire Internet in under 5 minutes
Masscan is a TCP port scanner that can scan the entire Internet in under five minutes. The entire Internet!
5. Why is Server-Side Request Forgery #10 in OWASP Top 10 2021
SSRF cracked the OWASP Top 10 for 2021. Learn it. Live it. Know it.

1. Application security tools ineffective against new and growing threats
Outdated offerings, false positives, and ineffective blocking are among the main causes driving this global concern.
2. HTTP/2: The Sequel is Always Worse
Attackers are learning HTTP/2. Developers and defenders must learn it as well.
3. AppSec Village Live Stream of DefCON 29
Check out AppSec Village as it is the perfect place to connect with those with related interests.
4. Mark Loveless -- Threat modeling in a DevSecOps environment
We discuss his philosophical approach, framework choice (spoiler alert, it's a pared-down version of PASTA), and success stories / best practices he's seen for threat modeling success.
5. Do you like to read? I can take over your Kindle with an e-book
An attacker could delete e-books, potentially gain full access to an Amazon account, convert a Kindle into a bot, attack other devices in the local network, and more.

1. Empty npm package '-' has over 700,000 downloads — here's why
There have been 720,000 downloads since its publication on the npm registry in early 2020.
2. Privacy – more than the icing on the cake
Questions to consider: What are we working on? What can go wrong? And more. Give this a read to gain more context.
3. Jeroen Willemsen -- Security automation with CI/CD
Jeroen joins us to unpack security automation in a DevOps world.
4. Why cybersecurity pros need to learn how to code
Learn to code to level up your breaking skills; it is easier to find issues when you understand the underlying construction of the things you break.
5. Supply chain attacks are getting worse, and you are not ready for them
Manage suppliers over the whole lifecycle of a product or service, including procedures to handle end-of-life products or components.

1. 16 of 30 Google results contain SQL injection vulnerabilities
The dreadful quality of most of Google's search results. Several of these results were, simply put, SEO-optimized baloney.
2. A case against security nihilism
Skepticism that we can guard against the NSO Group's Pegasus spyware, or similar products.
3. Why the password isn't dead quite yet
It will take time and more experimentation to create a passwordless ecosystem that can replace all the functionality of passwords, especially one that doesn't leave behind the billions of people who don't own a smartphone or multiple devices.
4. Thinking back, Looking forward - A Balanced Approach to Securing our Software Future
We cover how to make security easier for developers, SBOM, software minimalism, cyber resiliency, and so much more!
5. 2021 CWE Top 25 Most Dangerous Software Weaknesses
The 2021 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years.

1. Jeevan Singh -- Threat modeling based in democracy
Jeevan joins us to speak about self-serve threat modeling at Segment, or threat modeling based in democracy.
2. joswha/Secure-Coding-Handbook
Client side, server side, auxiliary.
3. Security headers quick reference
Security headers recommended for all websites, websites that handle sensitive user data, and websites with advanced capabilities.
4. Cyber insurance isn't helping with cybersecurity, and it might be making the ransomware crisis worse, say researchers
The paper suggests that insurance should require 'minimum ransomware controls' as part of any ransomware coverage.
5. Microsoft Refining Third-Party Driver Vetting Processes After Signing Malicious Rootkit
If you sign something malicious, you allow it to bypass all your other security controls.

1. How we're creating a threat model framework that works for GitLab
While our Security team owns the framework, we don't "run" it. It is run by the people who are running the project.
2. Deciduous: A Security Decision Tree Generator
Security decision trees are a powerful tool to inform saner security prioritization when designing, building, and operating software systems.
3. npm audit: Broken by Design
I see the point, but I also disagree – SCA and finding/mitigating supply chain issues is a security requirement.
4. Trusted Types - mid 2021 report
"We believe Trusted Types are necessary to obliterate DOM XSS, one of the most prevalent web application vulnerabilities."
5. When shifting security left falls off a cliff
The author talks about the dangers of pushing security too far left, where tools can hinder the dev instead of providing value.

1. Groundhog day: NPM package caught stealing browser passwords
The author intended to trick the targets into executing the malicious package. In cases of malware placed in package repositories, attackers usually rely on typosquatting.
2. TypeScript Doesn't Suck; You Just Don't Care About Security
Security wins against the eleven popular reasons developers disapprove of TypeScript.
3. Recommended Minimum Standard for Vendor or Developer Verification of Code
Threat modeling, automated testing, code-based (static) analysis, DAST, check included software, fix bugs.
4. CVE-2021-3438: 16 Years In Hiding – Millions of Printers Worldwide Vulnerable
An exploitable kernel driver vulnerability can lead an unprivileged user to a SYSTEM account and run code in kernel mode (since the vulnerable driver is locally available to anyone).
5. Over half of exploits sold on underground forums are for Microsoft products
Microsoft Office exploits make up 23 percent, while Windows accounts for 12 percent of exploits sold on hacker forums. Remote Desktop Protocol (RDP) exploits make up 10 percent, with Internet Explorer and SharePoint taking three percent each.

1. Sonatype Catches New PyPI Cryptomining Malware
Malicious packages continue to infect our public package repositories; all developers must understand these threats!
2. (Technical) Infosec Core Competencies
While these core competencies stray slightly to the red team / pen test side, this is a solid list of what folks need to know as they grow.
3. SSRF Cheat Sheet & Bypass Techniques
SSRF vulns are growing; application security people must understand SSRF and know how to properly find it and mitigate it.
4. MySQL 101: Installation, care, and feeding on Ubuntu
Security professionals need to have basic skills to understand and operate the technologies in our developers' tech stack.
5. BEC Taxonomy: Extortion
As application security people, we must understand the threats that impact our entire user population and look for ways to help secure the Enterprise.

1. Cybereason: 80% of orgs that paid the ransom were hit again
Prevention of ransomware is a human and technology solution.
2. Introducing SLSA, an End-to-End Framework for Supply Chain Integrity
Learn from Google's eight years of protecting their supply chain.
3. Peloton Bike+ vulnerability allowed complete takeover of devices
Secure your fitness equipment – seems strange that we have to say that, but hey, it is 2021.
4. Irish police to be given powers over passwords
Privacy advocate or crime fighter? Giving anyone power over passwords requires strong checks and balances.
5. New Top 20 Secure-Coding List Positions PLCs as Plant 'Bodyguards'
Secure coding is for everything, including programmable logic controllers.

1. Impact of GDPR on Cloud Service Providers
Privacy is here to stay -- long live data privacy in the cloud.
2. Static Analysis of Client-Side JavaScript for pen testers and bug bounty hunters
Bug bounty hunter techniques are the same techniques adversaries use.
3. What Every Incident Response Plan Needs
Nobody thinks they'll need an incident response plan… until it's too late.
4. Dev-Sec Disconnect Undermines Secure Coding Efforts
Developer empathy – as a security person, walk a mile in the shoes of your developers. It will change your whole perspective.
5. Look how many cybercriminals love Cobalt Strike
Adversaries use the best tools available for any job. Sometimes those tools are the same tools used by those on the side of good.

1. The Unified Kill Chain
The Unified Kill Chain is thorough, and all builders and defenders must understand the techniques of our adversaries.
2. Why Developers Dislike Security -- and What You Can Do About It
Developers that embrace security and learn all the ins and outs rise to the top and have the option to transition into dedicated security professionals in the future.
3. Hacker Tools Used for Good as Exposed Amazon Cloud Storage Accounts Get Warnings
Secure those AWS S3 buckets by disabling public access across your entire account!
4. Modern JavaScript: Everything you missed over the last 10 years
While JavaScript has matured functionally, developers must still apply secure coding principles when using JavaScript.
5. obheda12/GitDorker
GitDorker is worth considering as another tool that you run at some interval against your Git repos.

1. I Mailed an AirTag and Tracked Its Progress; Here's What Happened
AirTags use the network capacity of all other Apple devices. If you own an Apple device, you're now part of a mesh network that you cannot disable.
2. The Need to Protect Public AWS SSM Documents – What the Research Shows
Follow the AWS Best Practices for SSM: https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-before-you-share.html
3. Application Security and the Zen of Python
Application security and the Zen of Python are complementary to each other. All languages can have security applied.
4. More Companies Adopting DevOps & Agile for Security
We saw DevOps & Agile Security move forward in the past year, but we have more room to grow.
5. Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys
Hardcoded keys should NEVER be embedded in any type of app.

1. Cross-site scripting (XSS) cheat sheet
Learn XSS at a depth that you can explain it to anyone, and understand the diversity of attacks that exists across the set of XSS vectors.
2. Why DevOps Will Cease to Exist
Just like DevOps is integrated into every developer's job, so is security.
3. OAuth 2.0 Threat Model Pentesting Checklist
OAuth 2.0 is used everywhere, and many developers and security people aren't aware of the depth of threat that exists.
4. A deep dive into how we investigate and secure GitLab packages
Solving the software supply chain security issues requires a coordinated and organization-wide approach.
5. Modern Static Analysis: how the best tools empower creativity
If you haven't evaluated semgrep as a tool for inclusion in your application security program, it's time.

1. JWT should not be your default for sessions
JWT is a bad default -- be deliberate and careful when you use it.
2. Exploiting custom protocol handlers for cross-browser tracking in Chrome, Firefox, Safari, and Tor
Protecting user privacy is a foundational capability of the web browser, and scheme flooding violates that capability.
3. Dustin Lehr -- Advocating and being on the side of developers
As AppSec people, work hard to be an advocate for your developers and evaluate tools that will work for them.
4. Send My: Arbitrary data transmission via Apple's Find My Network
As consumers, we need to push back on this idea that our devices are used together to form super networks, without us opting in.
5. 47 powerful open-source app sec tools you should consider
Application security tools save us time by doing something manual and providing an automated series of steps to make the action repeatable.
1. The AppSec Manifesto
The AppSec Manifesto has some good advice contained within, but we think a Manifesto should be the work of multiple people to ensure that the opinions are vetted.
2. Security Chaos Engineering
Security chaos engineering is providing a methodology to prepare your system for the unexpected happenings that could adversely impact security and privacy.
3. Linux bans University of Minnesota for committing malicious code
Open-source is built upon a trust model of the people that contribute towards it. The community only trusts after verifying. The UMN team violated that trust, and the outcome is fair.
4. Looking for Greater Security Culture? Ask an 8-Bit Plumber
There are lessons about security culture to be found in many places – perhaps even in an 8-bit Mario World.
5. “BadAlloc” – Memory allocation vulnerabilities could affect wide range of IoT and OT devices in industrial, medical, and enterprise networks
Application security professionals must understand new threats and new manifestations of threats – this is a new approach to an old problem.
1. Kube-goat: A deliberately vulnerable Kubernetes cluster
https://reconshell.com/kube-goat-a-deliberately-vulnerable-kubernetes-cluster/
To truly learn how to protect Kubernetes clusters, it’s helpful to exploit known bad security settings.
2. Microsoft says mandatory password changing is “ancient and obsolete”
https://arstechnica.com/information-technology/2019/06/microsoft-says-mandatory-password-changing-is-ancient-and-obsolete/
Embrace password managers for your enterprise and remove the motivation for creating short passwords.
3. How Performance Became the Nemesis of the Secure Python Code
https://www.securityjourney.com/post/how-performance-became-the-nemesis-of-the-secure-python-code
With Python, simpler and readable code contains fewer bugs and vulnerabilities. Great advice for every language!
4. Secure your code review: 8 key questions to ask
https://techbeacon.com/security/secure-your-code-review-8-key-questions-ask
Train your developers' eyes for security – security code review is crucial.
5. The Need for Continuous and Dynamic Threat Modeling
https://blogs.cisco.com/security/the-need-for-continuous-and-dynamic-threat-modeling
Security is a journey that requires influencing and enabling teams to adopt and employ best practices and controls for their architectures.
1. Uncomplicate Security for developers using Reference Architectures
Reference architectures assist developers in building secure applications and limit rework as a result of later security reviews.
2. “Huge upsurge” in DDoS attacks during pandemic
Acknowledge that a DDoS attack is coming your way, and architect your system in a scalable manner to ensure that you can absorb a DDoS attack of any size.
3. Codecov discloses 2.5-month-long supply chain attack
Attackers are targeting the supply chain to magnify distribution of the attack. Assess all your systems with the assumption that attackers are coming for your supply chain.
4. Grype – Vulnerability Scanner For Container Images & Filesystems
All DevOps build pipelines must include one or more vulnerability scanners. If you use containers, you must scan your containers!
5. Security Coaches
Security coaching changes your application or software security program and adds value on top of a security champions program.
1. Threat matrix for Kubernetes
The application of the ATT&CK methodology to Kubernetes is the subject matter that everyone using Kubernetes should know.
2. 5 Objectives for Establishing an API-First Security Strategy
The five objectives are a good reminder that when using APIs (and we all are), think security first.
3. Izar Tarandach and Matt Coles -- Threat Modeling: A Practical Guide for Development Teams
Threat model all the things!
4. Deep dive in CORS: History, how it works, and best practices
Put in the work to enable CORS for your web applications.
5. NSA: Top 5 vulnerabilities actively abused by Russian govt hackers
Application security is more than just the application. We must build a strong foundation across all the other layers of our system.
1. The Current State of DevSecOps Metrics
Measure what matters, and what gets measured gets attention. Apply this guidance to your DevOps program to measure the value of security.
2. 5 ways to prevent code injection in JavaScript and Node.js
JavaScript is susceptible to code injection via several different code constructs. Stop using these, please. Code securely!
3. Do app sec like a boss: The top 25 pros to follow
Twitter is where security congregates to argue and share. Join the discussion.
4. Why Vulnerability List Methodologies Matter (And why we trust CWE & OWASP)
Use all applicable lists as a guide but base your priority on your vulnerability and threat data.
5. Securing Your PostgreSQL Database
Secure those databases as a proactive defense in depth measure. Attackers enjoy the weakest link.
1. PHP's Git server hacked to add backdoors to PHP source code
Supply chain attacks are bigger than vulns in open source; when the attack is deliberate, the stakes are higher.
2. Redefining Threat Modeling: Security team goes on vacation
We can all agree that threat modeling is non-negotiable; use Segment’s model as a reference for how to do threat modeling using a self-service approach.
3. Software Security at Rocketship Pace
SAST is table stakes, but your SAST solution must eliminate the frustrations that many developers feel with loud tools that provide limited value.
4. SSRF Attack Examples and Mitigations
Let’s get ahead of the OWASP Top Ten 2021 edition and start dealing with SSRF now!
5. Deprecating TLS 1.0 and TLS 1.1
Goodbye, old friends! We don’t and won’t miss you at all, TLS 1.0 and 1.1.
1. Post-Spectre Web Development
The web is changing, and we must adapt our threat model and our mitigations across the board to prepare for future attacks.
2. The security scanner that cried wolf
Keep your eyes focused on the results of your container scanners and use additional tools besides trivy to scan for vulnerabilities in your workloads.
3. Understanding Private Keys
While we don’t recommend that you dig into the depths of crypto, a software engineer should understand how crypto works at a high level.
4. ShellCheck - A shell script static analysis tool
Use static analysis tools against all the things, shell scripts included!
5. Alyssa Miller -- Bringing security to DevOps and the CI/CD pipeline
DevOps is here to stay – let’s embrace DevOps with security as standard operating procedure.
Stop forcing security and engineering to collaborate!
Security and engineering must collaborate in a seamless approach to protecting customer data. We’ve tried silos for the past twenty years, and that hasn’t worked. Let’s try collaboration for five and see who wins.
The top open-source tools to secure your app sec pipeline
Open-source provides a solid set of application security tools. We’ve only used a handful of these, and we’ll be diving in right alongside you!
Leveraging your Role as Technical Product/Project Manager to Improve Application Security
A strong security culture extends beyond the developers and encompasses product-adjacent roles. Work with your product/project managers to instill security principles and best practices, something as simple as the key questions for them to ask about security.
Docker Security Cheat Sheet
An OWASP Cheat Sheet is an invaluable nugget of application security goodness. This one covers Docker, but there are around seventy others.
New Old Bugs in the Linux Kernel
Flaws may lie dormant for decades before manifesting as vulnerabilities. For those who think their code will be retired before them, think again.
1. Can a Programming Language Reduce Vulnerabilities?
A programming language can reduce vulnerabilities, and the future of application security must walk in lockstep with improving the languages and frameworks to eliminate classes of vulns.
2. “Zero Data App – Own your data, all of it.”
Is this an app we can download and use now? To move personal privacy forward, we need app options that let us keep our data in a secure enclave instead of in a cloud service.
3. Someone Is Hacking the Hackers
Attackers use their techniques against themselves from time to time.
4. Fuzzing Java in OSS-Fuzz
Fuzzing is an underutilized technique for finding vulns, and we need to lean into it more.
5. 8+ open-source Kubernetes vulnerability scanners to consider
K8s is a modern staple of application delivery, and it can also be a source of security vulnerability due to cluster or pod misconfiguration.
1. Top 10 web hacking techniques of 2020 ( https://portswigger.net/research/top-10-web-hacking-techniques-of-2020 )
While the OWASP Top 10 is more high level, this list gives you the down and dirty for how attackers are using the web to break applications.
2. What your DevOps team needs to know: 4 lessons from exploited vulnerabilities ( https://techbeacon.com/security/what-your-devops-team-needs-know-4-lessons-exploited-vulnerabilities )
Learn from security past to prevent vulnerabilities in security future.
3. Security Chaos Engineering: How to Security Differently ( https://www.verica.io/blog/security-chaos-engineering-how-to-security-differently/ )
Security chaos engineering is a discipline that can have a large impact on improving your security posture and culture.
4. Introducing sigstore: Easy Code Signing & Verification for Supply Chain Integrity ( https://security.googleblog.com/2021/03/introducing-sigstore-easy-code-signing.html )
Code signing reduces or even eliminates many classes of software supply chain vulns.
5. Nuclei: Fast and customizable vulnerability scanner based on simple YAML based DSL ( https://github.com/projectdiscovery/nuclei/ )
Nuclei is a new tool for security engineers, developers, pen testers, and bug bounty hunters to consider adding to their arsenal.
1. Finding Evil Go Packages
https://michenriksen.com/blog/finding-evil-go-packages/
Go is better protected from a software supply chain issue, but nothing is 100% safe.
2. Shifting Engineering Right: What security engineers can learn from DevSecOps
https://segment.com/blog/shifting-engineering-right/
All security people need to learn to practice developer empathy – walk a mile in your developer’s shoes.
3. Hacking is not a crime – and the media should stop using 'hacker' as a pejorative
https://www.theregister.com/2021/03/03/debate_hackers_for/
Hacking is not a crime, so stop using the term in a negative connotation, and PLEASE stop using pictures of men in basements wearing black hoodies with bright computer screens!
4. Hackers hack at unhackable new chip for three months. Chip remains unhacked
https://www.pcgamer.com/unhackable-chip-not-hacked-yet/
If a room of primates can create all the works of Shakespeare on typewriters given infinite time, then nothing is unhackable.
5. What hacking attacks can teach us about defending networks
https://www.zdnet.com/article/what-hacking-attacks-can-teach-us-about-defending-networks/
Reminder for us as Application Security people that the stakes of a specific vulnerability are high! Push MFA everywhere.
Each week our CEO, Chris Romeo, will take you through the five articles he thinks are worth your time. Check out the video and links to each article below!
1. Shifting Left on Security: Solutions, Google Cloud (https://cloud.google.com/solutions/sh...)
2. Best Practices for REST API Design (https://stackoverflow.blog/2020/03/02...)
3. The Future of Web Software is HTML Over WebSockets (https://alistapart.com/article/the-fu...)
4. Be Afraid of the Ruby on Rails Supply Chain (https://www.securityjourney.com/post/...)
5. NurseryCam Hacked, Company Shuts Down IoT Camera Service (https://www.theregister.com/2021/02/2...)
1 - An exploration of JSON interoperability vulnerabilities
2 - Alexa installed skills can double-cross their users
3 - Common Nginx misconfigurations that leave your web server open to attack
4 - Attacks turn struggling software projects into trojan horses
5 - Cloud Native application security with Liran Tal
1 - Just 2.6% of 2019's 18,000 Tracked Vulnerabilities Were Actively Exploited in the Wild
2 - Python Wheel-Jacking in Supply Chain Attacks
3 - Firefox 86 Introduces Total Cookie Protection
4 - Supply Chain Security In The Shadow Of Centreon And Solarigate
5 - DevOps Security Culture: 12 Fails Your Team Can Learn From