Reasonable šŸ”AppSec #7 - Five Security Articles, The API is the Heart, Photo, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Author

Chris Romeo
June 16, 2023

Hey there,

In this weekā€™s issue of Reasonable Application Security:

  • Five security articles šŸ“° that are worth YOUR time

  • Featured thought: The API is the Heart ā¤ļø of the Modern Web

  • Photo of the week šŸ“·

  • Application Security Podcast šŸŽ™ļøCorner

Five Security Articles šŸ“° that Are Worth YOUR Time

  • The OWASP API Security Top Ten dropped their 2023 album, which needs your eyes on it. I look to the API document as second to only the OG Top Ten. They sprinkled in some new attack styles for your consumption. (more)

  • Occasionally we have to go deep into the technical deep end, and here it is. Akamai researchers have identified potential threats and trends associated with the use of JSON Web Tokens (JWTs) in API security, highlighting risks such as account takeover, privilege escalation, and data leaks due to improper implementation or weak secret keys, and providing best practices to mitigate these threats. (more)

  • Itā€™s the week's ChatGPT/LLM/AI/Security post. What a lead-in! Youā€™ll learn about discovering the first exploitable Cross Plugin Request Forgery in ChatGPT plugins, highlighting the potential for prompt injections and unauthorized access to private data and providing mitigation strategies for these security threats. (more)

  • Hmmm, does someone else share my lack of fancy for SBOMs? Hear about the challenges and slow progress in implementing Software Bills of Materials (SBOMs), highlighting issues such as lack of precise specifications, the vast scale of open source software, and the need for more explicit guidance or regulation. (more)

  • I often use the AppSec Map, forgetting that not everyone knows its existence. Use it to find products within a given AppSec category. (more)

Featured thought: The API is the Heart of the Modern Web

As I reflect on the release of the new OWASP API Security Top Ten and its new categories, it strikes me that the API is the heart of the modern web. In a conversation within this weekā€™s Application Security Podcast episode with Steve Wilson, we discussed how LLM/AI applications are accessed using standard web applications with backend APIs. The AI tech stack has fancy LLMs behind the scenes, but the modern web is the front door.

Glancing at one of the new items, ā€œAPI3:2023 - Broken Object Property Level Authorization,ā€ we see that it combines two issues from the 2019 list: Excessive Data Exposure and Mass Assignment.

The API endpoint exposes properties of an object considered sensitive and should not be read by the user, previously named: "Excessive Data Exposure" This one is simple for me ā€” the API endpoint is spewing extra data. Think of a scenario where you call toJSON() without carefully considering the properties of an object. You now get extra properties from the object exposed to the client side.

Now attackers have gained knowledge of application internals and can attempt to manipulate them via the most poorly named concept in AppSec: Mass Assignment. The API endpoint allows a user to change, add/or delete the value of a sensitive object's property which the user should not be able to access, or Mass Assignment. I donā€™t know where the ā€œMassā€ is coming from. I get the assignment. Perhaps we call it an Unauthorized Assignment or Private Value Assignment? šŸ¤”

Give the new API Top Ten a read, and share it with your development teams. They need to know what has changed. Internalize it, and share it with them.

Photo of the week šŸ“·

I asked DALLĀ·E 2 to generate an image to celebrate the new API Top Ten for 2023 as an album cover. Iā€™m not sure we need to worry about AI taking our jobs for the foreseeable future.

Podcast šŸŽ™ļø Corner

I love making podcasts. In Podcast Corner, you get a single place to see what Iā€™ve put out this week. Sometimes they are my podcasts. Other times they are podcasts that have caught my attention.

  • Application Security Podcast

    • Steve Wilson -- OWASP Top Ten for LLMs

      • Steve Wilson is leading a team in the development of a standardized guideline, the OWASP Top Ten for Large Language Models (LLMs) like ChatGPT, to address security issues in AI applications, with the anticipation of a new discipline of AI security engineering and the upcoming release of the 1.0 version of the guidelines.

  • Security Table

    • Privacy and the creepiness factor of collecting data

      • Privacy compliance expert Ally O'Leary discusses the intersection of privacy and security, the importance of understanding personal information, the challenges of data governance, and the need for collaboration between security professionals and privacy experts in protecting personal data.

  • Threat Modeling Podcast

    • A new episode is coming next week ā€” Engineering-led threat modeling.

  • Security Champions: Overcoming Program Challenges

    • I was a guest on Jacob Garrisonā€™s podcast with my friend Dustin Lehr, discussing Security Champions. Dustin is one of these folks that challenges me every time we chat in the most positive of ways.

šŸ¤” Have questions, comments, or feedback? I'd love to hear from you!

šŸ”„ Reasonable AppSec is brought to you by Kerr Ventures.

šŸ¤ Want to partner with Reasonable AppSec? Reach out, and letā€™s chat.