• Reasonable Application Security
  • Posts
  • Reasonable 🔐AppSec #27 - Five Security Articles, S Bomb, self-destruction of value, or operational darling?, and Podcast Corner

Reasonable 🔐AppSec #27 - Five Security Articles, S Bomb, self-destruction of value, or operational darling?, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Author

Chris Romeo
November 03, 2023

Hey there,

In this week’s issue of Reasonable Application Security:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: S Bomb, self-destruction of value, or operational darling?

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Transitive Supply Chain Vulnerabilities: Transitive dependencies are the hidden challenge underneath the software supply chain. Complexities and risks are associated with transitive dependencies in software development, highlighting how indirect dependencies can introduce vulnerabilities and compliance issues. It emphasizes the importance of reachability and exploitability assessments in managing these risks. It suggests using static and dynamic analysis tools to understand codebase utilization and potential security implications comprehensively. (I am not so sure about DAST being the answer to anything but to each their own opinion.)

  2. Testing the 'Hacky Path': "Hacky path" testing evaluates an application as if it were attacked by a malicious user, going beyond conventional happy and unhappy path testing. Examples of hacky path testing scenarios are provided, highlighting its importance for both functional and non-functional aspects of software quality and encouraging its integration into the software development lifecycle for improved application security and resilience.

  3. Oh-Auth - Abusing OAuth to take over millions of accounts: There are vulnerabilities associated with OAuth implementations, demonstrating how attackers could take over millions of accounts on popular websites like Grammarly, Vidio, and Bukalapak. Secure OAuth implementation is emphasized, providing technical details of the vulnerabilities and urging web service owners to verify access tokens to protect user data and prevent account takeovers.

  4. Sickened by Software? Changing The Way We Talk About 0Days: There is an urgent need to improve software quality and address the pervasive issue of exploitable software that poses risks to consumers, communities, and businesses. The article emphasizes the necessity to change our perspective and language regarding software-based risks, drawing parallels between software vulnerabilities and food safety and advocating for stringent quality assurance practices similar to those in the food industry to mitigate software vulnerabilities.

  5. Survey Sees Spike in Untested Code Leading to a DevOps Crisis: The survey highlights a significant increase in the deployment of untested code within DevOps, leading to potential crises. The lack of proper testing is attributed to the pressure of meeting deadlines, compromising code quality and security.

Featured focus: S Bomb, self-destruction of value, or operational darling?

I dove into the SBOM deep end again this past week with a LinkedIn post, “S Bomb? Because it self-destructs before generating actual operational value inside an Enterprise?” I appealed for someone to explain the operational value of SBOM to me.

And the person that I was most hoping would answer jumped into the conversation, Steve Springett: 

You can think about it this way. An SCA product identifies components and determines various forms of risk (license, security, operational, etc) in those components. An SBOM abstracts the identity away from SCA, essentially making a modular SCA solution. When developing Dependency-Track, I had to figure out a way to "compete" with SCA products without actually doing SCA, and the solution (which was eventually called SBOM) was to decouple component identity into a portable and sharable inventory format. I could then use NVD, OSS Index, and other vulnerability databases. The overwhelming majority of SBOM adoption (upwards of 10K Dependency-Track installations, for example) leverage SBOM in this way. So yes, they're getting a ton of operational value from SBOM, just like they were previously with SCA. A better question would be, "Is there operational value in "sharing" SBOMs as framed by the U.S. government, which has led to the frenzy of SBOM startups. Sharing is hard, and I'm not convinced there's a ton of value in doing that today.

I enjoyed processing Steve’s explanation for the problem he was solving when he built Dependency Track. SBOM, as a method of operationalizing and tracking what was previously created by SCA, makes sense to me. Having all that data for a specific organization within a Dependency Track database makes excellent sense. Because you control all of the inputs via policy and process, you can ensure that you have a solid set of data upon which to take action.

I was happy to see that even Steve, who has been at the forefront of SBOM, is not convinced that “there is a ton of value in [sharing] today.” This has been my complaint all along. What value is generated by those who consume public SBOMs? How are those consumers operationalizing the data to make it worth the effort producers put into building SBOM factories? The easy answer is that they are doing nothing to operationalize the external data and are wasting everyone’s time pushing the sharing of SBOM.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Steve Wilson and Gavin Klondike -- OWASP Top Ten for LLM Release (Audio only; YouTube)

      • We discuss the OWASP Top 10 for Large Language Model (LLM) Applications, addressing AI challenges like prompt injection and secure AI development practices. On the YouTube version, we share the document as we walk through it.

  • Security Table

    • Matt, Izar, and Chris were at ThreatModCon this past weekend, so we could not record a new Table; enjoy a reference to an earlier episode.

    • Software bill of materials -- what is it good for? (Audio only; YouTube)

      • The gang considers the software bill of materials (SBOM) approach and asks hard questions about what SBOM is for and whether it improves security. Note the gang believes in SBOM. We ask the hard questions to help us expand our minds and truly understand the value propositions.

  • Threat Modeling Podcast

    • A new episode, "Privacy and Threat Modeling in Practice,” is coming soon.

Where to find Chris? 🌎

  • November 8 — ISC2 Secure Software Webinar

  • The rest of 2023 — relaxing in Raleigh, NC, building new features supporting the Devici beta, and preparing for a busy 2024.

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.