A 2024 Appsec Report, Preparing for the AIxCC, Secure Design and Post-Quantum Crypto – ASW #291
Cloudflare's 2024 appsec report, reasoning about the Cyber Reasoning Systems for the upcoming AIxCC semifinals at DEF CON, lessons in secure design from post-quantum cryptography, and more!
Announcements
Maximize your investment at BlackHat 2024 with a 1:1 on-site interview. Drive thought leadership and boost brand awareness with CyberRisk Alliance's expert editorial team from Security Weekly and SC Media. Act now, limited interview slots available - secure yours today at https://securityweekly.com/blackhat2024
Hosts
- 1. Application Security report: 2024 update
- 2. AI Cyber Challenge (AIxCC) and the Needle Linux Kernel Vulnerability – Part 1
- 3. WebAssembly components: the next wave of cloud native computing
- 4. Quantum is unimportant to post-quantum | Trail of Bits Blog
Forget about quantum computers -- which is easy, since they haven't yet arrived. A cryptographer talks about how post-quantum algorithms are designed to be resistant to implementation error and developer confusion.
This is the kind of article that makes me wonder what the appsec equivalent would be. What has appsec done to improve a design reference for developers? Does something as simple as prepared statements count, even if SQL injection CVEs still get reported in 2024? ReactJS could be an example, but that's also old and just one framework. Cloud architectures seem to have been improving design patterns; is that where appsec should be looking for inspiration?
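As a concrete illustration of the "design reference" idea raised above, here is an added example (not from the episode or any of the linked articles) contrasting the two query-building patterns in Python's standard-library sqlite3 module. The table, its rows and the hostile input are constructed for the demo. The point is the one prepared statements make by construction: the value is bound after the statement is parsed, so it can only ever be data, and the developer does not have to get escaping right.

```python
import sqlite3


def build_db():
    # Constructed in-memory table with sample rows (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, username):
    # Vulnerable pattern: the caller's string is spliced into the SQL text, so it
    # participates in the SQL grammar rather than being treated as a value.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, username):
    # Hardened pattern: the statement is parsed with a placeholder, and the value is
    # bound afterwards. Whatever the string contains, it can only match a username.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed test input: a string that is valid SQL when spliced into the query above.
HOSTILE = "x' OR '1'='1"


def compare(username):
    """Run both lookups on the same input and return their result sets."""
    conn = build_db()
    try:
        return {
            "concat": lookup_concat(conn, username),
            "prepared": lookup_prepared(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name in ("bob", HOSTILE):
        r = compare(name)
        print(f"{name!r}: concat -> {len(r['concat'])} rows, prepared -> {len(r['prepared'])} rows")
```

On the ordinary input both functions return the single matching row; on the constructed input the concatenated query returns every row in the table while the prepared statement returns nothing, because no username equals that literal string.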
- 5. New Articles of Incorporation and Bylaws for the OWASP Foundation!
- 1. Demonstrating power analysis attacks with an Arduino
When we've looked at power analysis attacks in the past, the setup to reproduce this at home would cost a significant chunk of money. In this example, someone has created a GitHub project that walks through setting up the hardware and software to study power analysis attacks on RSA-encrypted data with an Arduino.
- 2. Pythonmonkey
As they say themselves, "A Mozilla SpiderMonkey JavaScript engine embedded into the Python VM, using the Python engine to provide the JS host environment."
- 3. Another OpenSSH vuln found
As I talk about "finger holds", where an attacker finds one vulnerability and then escalates it into a bigger attack, we humans do similar things with research. After Qualys found the regreSSHion vulnerability several weeks ago, researcher Solar Designer decided to look further and found what is now CVE-2024-6409. While it is a race condition similar to regreSSHion, this vulnerability is on the lower side of the ssh privilege separation, but it still has potential for exploitation.
- 4. Header parsing bug in exim could result in delivering malicious attachments
While browsing through the vuln reports of the week, this one caught my eye. Nothing particularly exciting - another vuln in mail server software (which Censys claims powers 74% of public mail servers) - but as it's open source, the patch is available to see how the team fixed the vuln.
Vulnerability patch is at https://github.com/Exim/exim/commit/6ce5c70cff8989418e05d01fd2a57703007a6357