Episode #251

Passive Scanning, Exploiting Chrome Extensions, CocoaPods, NVD

This week on the 251st episode of Absolute Appsec, Seth and Ken return with recent headlines from the world of application security. Specifically, the most recent episode covers tools that perform passive scanning, exploitation of Google Chrome extensions, recent vulnerabilities in the CocoaPods ecosystem, and the national vulnerability database (NVD). You can watch the full episode here:

Seth and Ken start by discussing Mozilla’s new HTTP Observatory tool for scanning and analyzing website security headers. It currently analyzes cookie configurations, CORS, HSTS, referrer policies, subresource integrity, and content types. The tool makes it easy to keep headers up to date on publicly accessible sites by identifying the low-hanging fruit of web security. However, Seth and Ken stress the importance of using the tool with context, not as a substitute for thorough security testing and penetration testing. As with many rising technologies in the security world, there are concerns about misuse of these passive analysis tools: their reports often lack context, which leads to misprioritized risks. This highlights the importance of interpreting scan results correctly, especially when they drive business decisions or compliance.

“You still need to know the purpose of the site, how it’s built, what matters and what doesn’t.”

Seth Law

Next, our duo expands upon real-world experiences with various passive analysis tools. Many companies use this type of automated scan to assess third-party vendors out of convenience, but the results can be misleading and exaggerate security concerns. Examples include failing a vendor’s security review over minor issues, such as a missing CAPTCHA or findings on pages that have no login at all. These automated reports can cause unnecessary panic and divert resources to non-critical issues, and businesses then spend time and effort refuting incorrect or irrelevant findings. This goes hand in hand with a discussion of the future of continuous penetration testing and the potential role of AI in security testing, with the takeaway that anyone producing security reports should prioritize context and accurate representation of findings.

“It’s going to take some sort of metadata checks or, you know, almost context risk analysis to dig into the items that are real issues as opposed to ones that can be passed through.”

Ken Johnson
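To make the passive-scanning discussion above concrete, here is a small header check of the kind such tools perform. This is an added example for these notes, not Mozilla’s HTTP Observatory code and not its scoring model; the two response header sets are constructed for the example, and the finding names are chosen here. It covers a subset of what the episode lists (HSTS, cookie attributes, CORS, referrer policy, content-type handling) and returns findings as data rather than a pass/fail verdict, so that the context the hosts insist on (is this a public read-only API where a CORS wildcard is intended? is there a login at all?) can be applied before anything is reported.

```python
"""Passive security-header check over captured HTTP response headers.

Added illustration for these show notes; not HTTP Observatory code or scoring.
Sample headers below are constructed, not taken from any real site.
"""
from __future__ import annotations

# Constructed sample: a response with several weak or missing headers.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Set-Cookie": ["session=abc123; Path=/"],
    "Access-Control-Allow-Origin": "*",
    "Referrer-Policy": "unsafe-url",
}

# Constructed sample: the same response with the headers tightened up.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def _normalize(headers: dict) -> dict[str, list[str]]:
    """Lower-case header names and allow repeated headers (e.g. Set-Cookie)."""
    out: dict[str, list[str]] = {}
    for name, value in headers.items():
        values = value if isinstance(value, list) else [value]
        out.setdefault(name.lower(), []).extend(values)
    return out


def check_headers(headers: dict, https: bool = True) -> dict[str, str]:
    """Return findings keyed by a short id; an empty dict means nothing flagged.

    Findings are observations only. Whether each one matters depends on the
    purpose of the site, which this function deliberately does not decide.
    """
    h = _normalize(headers)
    findings: dict[str, str] = {}

    # HSTS is only meaningful on an HTTPS response.
    if https and "strict-transport-security" not in h:
        findings["hsts-missing"] = "Strict-Transport-Security not set on HTTPS response"

    # Each cookie should carry Secure, HttpOnly and SameSite attributes.
    for cookie in h.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            findings[f"cookie-{name}"] = f"cookie {name!r} lacks: {', '.join(missing)}"

    # A wildcard CORS origin is worth a look; it is fine for public read-only data.
    if "*" in h.get("access-control-allow-origin", []):
        findings["cors-wildcard"] = "Access-Control-Allow-Origin is '*'"

    # Referrer policy: absent, or the one value that leaks full URLs everywhere.
    policy = h.get("referrer-policy", [""])[0].strip().lower()
    if policy in ("", "unsafe-url"):
        findings["referrer-policy"] = f"Referrer-Policy is {policy or 'missing'!r}"

    # Content-type handling: nosniff and an explicit charset on HTML.
    if "nosniff" not in [v.lower() for v in h.get("x-content-type-options", [])]:
        findings["nosniff-missing"] = "X-Content-Type-Options: nosniff not set"
    ctype = h.get("content-type", [""])[0].lower()
    if ctype.startswith("text/html") and "charset=" not in ctype:
        findings["charset-missing"] = "text/html served without an explicit charset"

    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, check_headers(hdrs) or "no findings")
```

Running it prints several findings for the weak set and none for the hardened one. The useful part is what it does not do: it does not rank the wildcard CORS header above the cookie without HttpOnly, or fail the site outright, because that judgement needs the knowledge of the application that a scanner does not have.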

Ken does an in-depth review of an exploit writeup on Universal Code Execution by Chaining Messages in Browser Extensions from Eugene Lim. The technique chains Chrome’s built-in message-passing APIs between frames to break out of the web context and run code on the user’s machine via an installed browser extension.

To round out the episode, there is a brief conversation about package repositories, prompted by the vulnerabilities discovered in the CocoaPods ecosystem in E.V.A. Security’s recent article. This leads to further discussion of the CVE ecosystem and the problems NIST faces in reviewing and validating vulnerability reports for the National Vulnerability Database (NVD).

As always, there is deeper conversation over in Slack. Support the podcast by joining and getting some cool new Merch from the updated store at merch.absoluteappsec.com.

This episode is sponsored by Redpoint Security. Redpoint specializes in "Code Security by Coders," bolstered by years of experience testing applications and conducting code reviews against all types of applications, including web, mobile, AI and web3 apps. Redpoint also offers training to help ground your teams in better security practices across the development lifecycle. So check out redpointsecurity.com for more information and put your company on a path to better security.

Stay Secure,

Seth & Ken

https://youtube.com/live/_ENIbLadfZQ - Episode #201 - Breaches, Package Managers, Audit Logs

https://youtu.be/j093mOfawiU - Episode #168 - Secure Code Review, Package Confusion, Privacy Acts

https://youtu.be/fnm3mz01kFQ - Episode #165 - Portswigger 2021 Top 10, Supply Chain Attacks, TLS Certs

Absolute AppSec Happenings

https://www.blackhat.com/us-24/spotlight.html - DryRun Security is a finalist for the Black Hat Startup Spotlight Competition. Congrats to Ken & James!

https://owasp.org/blog/2024/07/09/new-coi-and-bylaws.html - New Articles of Incorporation and Bylaws for the OWASP Foundation. This will have an effect on how industry can use the OWASP name and project. Keeping our eye on this.

https://www.tessl.io/blog/will-ai-follow-cloud-native-and-reach-ai-native-development - Conjecture that AI Native Development methods may mirror the cloud native rollout.