Episode #275
OpenGrep Summary, Secure by Design, Confusion Attacks

This week on episode #275 of Absolute AppSec, Seth (@sethlaw) and Ken (@cktricky) return once again to the Semgrep/OpenGrep split and its implications for the security community, building on the significant response last week's discussion sparked across industry channels. OpenGrep representatives have since cleared up several misconceptions from last week's episode, particularly about whether companies that build on Semgrep were driving the initiative. This is followed by Google's recent article on the protections built into its web frameworks and a discussion of its relevance to most application security programs. Finally, a discussion of Orange Tsai's research on Confusion Attacks within Apache, which took the number one spot in PortSwigger's Top 10 Web Hacking Techniques of 2024. To watch this episode, go to https://www.youtube.com/live/TudqDd9H2_k, or find Absolute AppSec wherever you get your podcasts.
“As a practitioner, I think [Semgrep] was one of the best things that someone could have done pre-AI. […] It’s not the best thing we can hope for now. We have to [ask], how do I take this technology we built our entire company around, and make it relevant for this new foundational technology while also protecting our interests. That’s a hard thing to do. I’m really giving the benefit of the doubt. […] I’m sure they’re going to come up with something really, really innovative and cool for what’s next.”
OpenGrep is already having a broad effect on the security ecosystem. Ken and Seth clarify that OpenGrep isn't merely about rule-sharing; it involves significant changes to how the security community collaborates on open-source security tools. They discuss how Endor Labs, one of the companies behind OpenGrep, confirmed that it does not use Semgrep in its product, countering earlier assumptions about the project's motivations. Another significant point is that Semgrep's changes affected not only rule-sharing but also the core engine: certain features were moved to the commercial version, which created friction in the community. The licensing changes and the handling of experimental features have broader implications as well. Seth and Ken acknowledge that businesses have to make decisions that align with their profitability and growth, particularly under investor pressure. This leads to a discussion of Semgrep's recent $100 million Series D funding round and how that investment might be influencing decisions about open-source versus commercial offerings. While OpenGrep provides a short-term path for keeping an open-source security analysis tool available, the long-term evolution of security tooling is likely moving toward AI-powered solutions. Our hosts predict that in the coming years rule-based systems will become less relevant as the industry pivots toward more intelligent and context-aware analysis methods.
“Not all of us are serving up millions, right? […] So all of those inherent risks that are in there are going to be different for Google than it is for a company that is doing loan applications or is a social media site.”
Ken and Seth go on to analyze Google's recently announced high-assurance web framework, which is designed to systematically reduce the occurrence of security vulnerabilities, particularly cross-site scripting (XSS). Google claims that this framework, along with its broader security strategy, has significantly decreased the number of XSS vulnerabilities reported to its Vulnerability Rewards Program over the years. Google's security posture is distinct from that of most organizations: so much of its attack surface is web applications rendered in the browser that client-side vulnerabilities dominate its risk. The announcement makes clear that Google has invested heavily in secure-by-design frameworks that prevent entire classes of vulnerabilities at the development stage rather than finding them afterward. Seth notes that this aligns with the long-standing vision of security professionals like Jim Manico, who have advocated for "the one true framework": a security architecture in which developers produce secure code by default without needing deep security expertise. Google's approach layers several defenses, including safe response types (the response API only accepts a type that can be constructed from trusted markup), contextual auto-escaping, strict nonce-based CSP enforcement, secure-by-default APIs, automated security testing and observability. Ken and Seth stress that Google's security-first development model represents the future of application security. Security professionals should advocate for similar secure-by-default approaches in their own organizations, but should be cautious about adopting Google's framework wholesale without considering their own threat landscape.
This episode is sponsored by Redpoint Security. Redpoint specializes in “Code Security. By Coders,” which is bolstered by years of experience testing applications and conducting code reviews against all types of applications. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. So check out redpointsecurity.com for more information and put your company on a path to better security.
Hey you! Yes, you! It’s time to support the podcast by repping a t-shirt or two. Visit the merch store to pick your desired color. Or just join Seth and Ken in Slack.

Stay Secure,
Seth & Ken
https://youtu.be/iQZgJTPM6SU - Episode #144 - Fuzzing, Radamsa, Property Testing - Seth and Lojikil's discussion of fuzzing may be of interest to people thinking about creative paths, a la Orange Tsai, for pulling new vulnerabilities out of fairly well-tested systems. We did pull that discussion out for a special "Tips and Topics in AppSec" clip from Absolute AppSec, but the whole show has some great technical insights.
https://youtu.be/h1kyoDYVVNg - Episode #27 - Jim Manico - Our episode with Jim presents an in-depth discussion of the prerequisites and obstacles to achieving the goal of the "one true framework."
https://youtu.be/BylkLExiiLc - Episode #149 - Facebook outage, Phrack release, and Paved Paths - The discussion of paved paths as part of the DevSecOps security improvements pioneered by the Netflix team relates to Google's new attempts to make security easy, though at that time it was on the product security side. Check out the rest of this episode from the good old days.
Absolute AppSec Happenings
https://www.landh.tech/blog/20250211-hack-supply-chain-for-50k/ - albinowax pointed out this write-up via r/netsec, which we can only assume means it would have been in the Daily Swig were it still with us (*sniff sniff*). It's a very interesting piece; read the whole thing, but here is one takeaway nugget: "[I]t is [critical] to secure not just the code you publish, but also every layer of your build process and every artifact your developers pull from external sources."
https://www.kaspersky.com/blog/supply-chain-attacks-in-2024/52965/ - A recap of supply chain attacks in 2024 from Kaspersky. With everything else going on, it is good to review what really happened when anticipating attacks for the next year.
https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/ - And finally, abandoned S3 buckets and the "abandoned infrastructure" class of weakness: software that still fetches updates or artifacts from a bucket name nobody owns anymore, which anyone can re-register. The challenge here is to read through this series of discoveries without oof-ing or involuntarily covering your eyes a couple of times.
Upcoming Events
Where in the world are Seth and Ken?
February 14-15, 2025 - CactusCon, Mesa, AZ - (Ongoing) Ken is speaking, you may have missed Seth already though. Did you escape the snow and cold for a trip to CactusCon? Any insights you want to share will happily be fielded in the Absolute AppSec Slack.
February 20-21, 2025 - Harnessing LLMs for Application Security - Virtual Training - Next opportunity for the new course that focuses on strategies for using more than just the chat interface of an LLM to secure software.
March 6-7, 2025 - Apres-Cyber Slopes Summit - Seth will be presenting his Modern vs. 0ld 5k00l talk, where all the old vulnerabilities are new again.
March ??, 2025 - Practical Secure Code Review - Virtual Training - The course that started it all! We will reprise this online with a training in Q1, if you have specific dates you would like to see, please reach out (via email or Slack).
June 28-29, 2025 - DEF CON Trainings, Seattle, WA - Seth and Ken will present one of the courses. Watch this space for additional details once it is fully posted.