
Application Security Weekly (Audio)

What's the Deal with API Security? - Sandy Carielli - ASW #243

Tue Jun 06 2023
API security, PHP-based applications, WordPress plugins, Encryption, Password management, Memory representation, DNS, AWS infrastructures, ML model drift detection, ThinkstScapes quarterly

Description

The episode covers a range of topics including the 40th anniversary of the movie War Games, API security challenges and solutions, vulnerabilities in PHP-based applications and WordPress plugins, encryption and password management considerations, understanding memory representation and building DNS from scratch, detecting anomalies in AWS infrastructures, real-time ML model drift detection, highlights from ThinkstScapes quarterly, and community pledges.

Insights

API security is a dominant topic in the industry

Application security is a dominant topic in the industry, with numerous vendors and sessions dedicated to it. API security is gaining importance as applications increasingly rely on APIs for functionality.

Challenges in managing API-based applications

Managing API-based applications presents challenges due to scale and tracking traffic destinations. The challenge with API-based applications is the scale of managing tens of thousands or hundreds of thousands of APIs.

Discovery and governance are key in API security

Discovery is a key challenge for organizations, but as they mature, governance becomes important to manage APIs effectively. Existing tooling like web application firewalls and API gateways can address some API security needs, but there may be gaps that require additional processes or tools.

Collaboration and risk prioritization in API security

Collaboration with development and providing information about risks is important for successful API security. Making testing and remediation easy for developers is crucial for effective API security.

Vulnerabilities in PHP-based applications and WordPress plugins

The Printer Logic disclosure highlighted vulnerabilities in a PHP-based application, raising questions about the presence of basic vulnerabilities in modern code bases. Finding and fixing vulnerabilities in WordPress plugins raises the question of whether similar patterns can be identified and addressed proactively.

Security considerations in encryption and password management

There are potential issues with PGP signatures, such as expired or weakly generated keys, leading to questions about its future use in securing software. Bcrypt, a commonly recommended encryption method, may not always be the best choice as computers get faster and new technologies emerge.

Understanding memory representation and building DNS from scratch

Memory Spy by Wizardzines is a tool to visually understand how variables are represented in memory by C programs. Implementing DNS in a weekend is a project that allows you to learn about protocols and gain insights into how RFCs are turned into services.

Detecting anomalies in AWS infrastructures and real-time ML model drift detection

An article discusses how to detect anomalies in AWS infrastructures using Python for stream processing. Pinterest discusses real-time detection of ML model drift to avoid being woken up at night.

Highlights from ThinkstScapes quarterly and community pledges

Highlights from the newest ThinkstScapes quarterly include topics on compromising real-world LLM-integrated applications with prompt injection and server-side prototype pollution. There are two pledges in the community: stop silly security words to discourage pay-to-play security work, and ethics and security to promote doing the right thing.

Chapters

  1. The 40th anniversary of the movie War Games
  2. API security showcased at RSA conference
  3. Challenges in managing API-based applications
  4. The importance of discovery and governance in API security
  5. Integration of API security testing into the development pipeline
  6. Collaboration and risk prioritization in API security
  7. Vulnerabilities in PHP-based applications and WordPress plugins
  8. Security considerations in encryption and password management
  9. Understanding memory representation and building DNS from scratch
  10. Detecting anomalies in AWS infrastructures and real-time ML model drift detection
  11. Highlights from ThinkstScapes quarterly and community pledges

The 40th anniversary of the movie War Games

00:01 - 07:26

  • The 40th anniversary of the movie War Games was celebrated on June 3rd, highlighting its relevance to today's technology.

API security showcased at RSA conference

00:01 - 07:26

  • Sandy Carielli discusses the API security showcased at this year's RSA conference.
  • Application security is a dominant topic in the industry, with numerous vendors and sessions dedicated to it.
  • API security is gaining importance as applications increasingly rely on APIs for functionality.
  • Managing API-based applications presents challenges due to scale and tracking traffic destinations.

Challenges in managing API-based applications

06:58 - 14:44

  • The challenge with API-based applications is the scale of managing tens of thousands or hundreds of thousands of APIs.
  • API security involves complexity in discovery, authentication, and authorization.
  • The 2023 API security top 10 list focuses on discovery, inventory, broken authorization, and broken authentication.
  • Organizations struggle with getting authentication and authorization right.
  • API breaches often occur due to unauthenticated API endpoints or lack of awareness about APIs.
  • There is a common problem of asset inventory for APIs, especially in service-to-service interactions.
  • The vendor landscape for API security includes API gateways, WAF vendors, and specialized API security vendors.
  • The industry needs consolidation to address the challenges in API security.
  • Asset inventory remains a challenge as organizations adopt more APIs.
  • Many organizations are still early in their API security journey and struggle with basic discovery.

The importance of discovery and governance in API security

14:17 - 21:56

  • Near term, organizations are struggling with API security and many are still early in their API security journey.
  • Discovery is a key challenge for organizations, but as they mature, governance becomes important to manage APIs effectively.
  • In the next three to five years, there may be more optimism about API security.
  • Questions about API security often revolve around discovery tools and building an API security program.
  • Existing tooling like web application firewalls and API gateways can address some API security needs, but there may be gaps that require additional processes or tools.
  • API developers do not need to write APIs differently when using tools like RASP or IAST, but web application firewalls can help keep specifications updated.
  • API-heavy organizations are creating specific API centers of excellence and taxonomies to classify APIs based on their purpose and level of protection needed.
  • API security tools should ideally be integrated into the development pipeline, similar to other testing tools like SAST and DAST.

Integration of API security testing into the development pipeline

21:28 - 29:22

  • API security testing should be integrated into the pipeline like other application security testing methods.
  • Some API security vendors offer API-specific security testing that can be incorporated into the pipeline.
  • DAST testing tools can also perform some API security testing and integrate with the pipeline.
  • The maturity of integration into the pipeline varies among different tools.
  • Developers are responsible for remediation based on the test results.
  • API security vendors are starting to offer more left-shifting functionality.
  • Discovery tooling can help identify and classify data handling in APIs.
  • API management tools bridge the gap between security and development, providing governance features.
  • Governance is implied in several items on the OWASP Top 10 list, such as discovery and authorization failures.
  • Most of the work on authorization is done by API gateways.
  • There aren't many other tools available for authorization beyond gateways.

Collaboration and risk prioritization in API security

28:57 - 36:29

  • The average consumer of top 10 lists may not understand the governance built into them.
  • API management had some level of governance, but the security team may not have been aware of it.
  • The growth of APIs can make security more manageable if security is involved in governance and management.
  • Collaboration with development and providing information about risks is important for successful API security.
  • Making testing and remediation easy for developers is crucial for effective API security.
  • API security should be treated as a risk and prioritization exercise, building it into the pipeline.
  • A report on API security will be released in the next few months, covering key components and holistic approach.
  • AppSec can be described as trust, collaboration, integration.

Vulnerabilities in PHP-based applications and WordPress plugins

42:43 - 49:28

  • The Printer Logic disclosure highlighted vulnerabilities in a PHP-based application, raising questions about the presence of basic vulnerabilities in modern code bases.
  • The Jetpack vulnerability was discovered in a decade-old code base, prompting curiosity about how it was found after so long.
  • Jetpack's support team has impressively patched 102 versions of their software, demonstrating dedication to security updates.
  • Examining the fixed vulnerabilities in Jetpack's code could provide valuable insights for other software vendors.
  • Finding and fixing vulnerabilities in WordPress plugins raises the question of whether similar patterns can be identified and addressed proactively.

Security considerations in encryption and password management

49:04 - 55:46

  • GitLab has had multiple path traversal issues and could benefit from linting and code scanning to find similar patterns and fix them.
  • PyPI is now requiring multi-factor authentication to protect user accounts for package managers.
  • There are potential issues with PGP signatures, such as expired or weakly generated keys, leading to questions about its future use in securing software.
  • The industry is moving away from supporting PGP or GPG in crypto libraries.
  • Bcrypt, a commonly recommended encryption method, may not always be the best choice as computers get faster and new technologies emerge.
  • The best choice for security and crypto today may not be the best choice in the future as computers get faster.
  • Consider sunsetting bcrypt and thinking about what's next in encryption.
  • Moving to WebAuthn and using passkeys instead of passwords could improve user experience.
  • Certificate transparency and Sigstore can enhance trust in software signatures.
  • KeePass had a vulnerability where the plain text of the master password could be accessed if KeePass was running.
  • Developers should pay attention to frictions between writing code and compiler optimizations that may compromise security.
  • A secure password generator based on Kenny Loggins lyrics was mentioned as a fun way to promote security awareness.
  • There is a SaaS service for generating secure passwords, but the domain name used for it was random and amusingly long.
  • Memory Spy by Wizardzines, created by Julia Evans, is an educational resource worth exploring.

Understanding memory representation and building DNS from scratch

55:17 - 1:02:05

  • Memory Spy by Wizardzines is a tool to visually understand how variables are represented in memory by C programs.
  • It can be used as a fun introduction to basic concepts like signed versus unsigned integers and integer overflows.
  • Implementing DNS in a weekend is a project that allows you to learn about protocols and gain insights into how RFCs are turned into services.
  • Building DNS from scratch is complex but provides great learning opportunities for pen testing and security-minded thinking.
  • AMD's EPYC chipset, the AMD EPYC Rome, was found to crash after running for 1444 days due to an integer overflow issue.
  • Unit testing software is crucial to catch potential bugs and show customers that efforts are being made to ensure quality.

Detecting anomalies in AWS infrastructures and real-time ML model drift detection

1:07:55 - 1:14:39

  • An article discusses how to detect anomalies in AWS infrastructures using Python for stream processing.
  • The article walks through setting up the production infrastructure, getting data from Amazon, and using software to detect anomalies in system logs.
  • The process involves running Kubernetes, setting up namespaces, cert-manager, a Redpanda cluster, exporting CloudWatch data, and using Bytewax's Python code.
  • There are books available on anomaly detection for security professionals.
  • Pinterest discusses real-time detection of ML model drift to avoid being woken up at night.
  • It is important to focus on feedback loops and continuous learning when using machine learning in production.
  • Increasing visibility by throwing more data into an ML model can lead to burnout or unnecessary alerts if the training quality is not considered.
  • ThinkstScapes quarterly highlights interesting topics such as compromising LLM-integrated applications with prompt injection and server-side prototype pollution.

Highlights from ThinkstScapes quarterly and community pledges

1:14:13 - 1:17:14

  • Highlights from the newest ThinkstScapes quarterly include topics on compromising real-world LLM-integrated applications with prompt injection and server-side prototype pollution.
  • Other interesting articles cover high-risk users and where to find them, the benefits of writing security tooling for personal education and documentation, and finding performance improvements in C++ with CodeQL.
  • There are two pledges in the community: stop silly security words to discourage pay-to-play security work, and ethics and security to promote doing the right thing.
  • Positive feedback is encouraged, as well as suggestions for other tools to highlight.
  • Subscribe, like, check out the show notes, and listen to Anomaly by Starfare.