Conference:  Defcon 31
Authors: Thomas Chauchefoin Vulnerability Researcher @ Sonar, Paul Gerste Vulnerability Researcher @ Sonar
2023-08-01

Developers are threat actors' targets of choice because of their access to business-critical services. After compromising a single developer, attackers could push code changes or obtain sensitive information. For instance, a recent campaign attributed to North Korea set up social network profiles to social engineer and infect prominent figures of the developer community with malicious Visual Studio projects and browser exploits. At the same time, modern development tools offer increasingly advanced features and deep integration with ecosystems, sometimes at the cost of basic security measures. Code editors have tried to counterbalance this by introducing new lines of defense (e.g., "Workspace Trust"), leading to a cat-and-mouse game to restrict access while keeping most features available by default. In this talk, we present the state of the art of Visual Studio Code's security. We go in-depth into its attack surface, how its extensions work, and the technical details of two vulnerabilities we found in Visual Studio Code. These findings, CVE-2021-43891 and CVE-2022-30129, led to a $30.000 bounty with an unexpected twist. We also present 1-days discovered by other researchers to develop the audience's intuition. These concepts apply to most IDEs on the market, so everybody will now think twice before opening third-party code!
Authors: Altaz Valani
2022-11-17

tldr - powered by Generative AI

The importance of threat modeling in cybersecurity and the need for developers to prioritize security in their projects.
  • Developers often prioritize functional aspects over security in their projects, but security should be given equal importance.
  • Threat modeling is a continuous learning experience that requires effort and investment.
  • Developers should use the threat modeling approach to understand potential risks and prevent attacks.
  • Experience is fundamental in threat modeling, and developers should apply it to real-life scenarios.
  • Investing in security reduces the potential losses resulting from a compromise of the solution.
Authors: Mohan Atreya
2022-10-24

The presentation discusses the challenges of managing RBACs and access control in Kubernetes at scale and introduces an open-source project called Periscope to automate the process.
  • Managing RBACs and access control in Kubernetes at scale is a challenge for organizations with hundreds of clusters and developers.
  • Manual management of RBACs is impractical and requires automation to ensure the right people have access to the right things.
  • Periscope is an open-source project that automates RBAC management and access control in Kubernetes.
  • Periscope allows for secure access to clusters behind a firewall and dynamically injects RBACs just in time.
  • Periscope also provides strong authentication for all user access and allows for governance and compliance by tracking commands run against clusters.
Authors: David Wheeler, Brian Behlendorf, Trey Herr, Amelie Koran
2022-06-22

The panel discussion summarizes the OpenSSF summit held in May 2022, which aimed to develop a mobilization plan for securing the open source ecosystem. The discussion focuses on the attitudes and progress of open source software security in the federal government and the input of developers and maintainers to the OpenSSF summit and mobilization plan.
  • The panelists introduce themselves and their backgrounds in technology and policy.
  • The Cyber Statecraft Initiative at the Atlantic Council has been working on software supply chain issues since 2019 and is collaborating with OpenSSF to bring more policy attention to open source security.
  • The OpenSSF mobilization plan includes ten work streams that prioritize different areas of open source security.
  • The panelists discuss the importance of prioritization and government demand signals in the mobilization plan.
  • The panelists also emphasize the need for more community engagement and volunteer contributions to the work streams.
  • The panelists reflect on the historical context of open source security and the usefulness of an SBOM in incident response.
Authors: Naveen Srinivasan, Laurent Simon
2022-06-21

Scorecard is a tool that helps users assess the security of their open source projects and dependencies on GitHub.
  • Scorecard checks for good practices, authentication, and over-privileged CI runs.
  • Scorecard flags empty patterns and warns about secrets in pull requests.
  • Scorecard can be installed as a GitHub action for projects and dependencies.
  • Scorecard alerts users to potential risks, such as unmaintained dependencies.
  • Scorecard is configurable and can be used to enforce policies at scale.
  • Scorecard plans to add support for more languages and improve configurability.
Authors: Tushar Kulkarni
2021-09-24

Abstract: We have seen developers move from a traditional 2-tier application architecture to a 3-tier architecture, in which an API talks to front-end and back-end services. The API used or developed might ease the development process, but many vulnerabilities can arise if it is not developed or configured properly. vAPI is a vulnerable interface in a lab-like environment that mimics the scenarios from the OWASP API Top 10 and helps the user understand and exploit the vulnerabilities according to the OWASP API Top 10 2019. It might be useful for developers as well as penetration testers to understand the types of vulnerabilities found in APIs. The lab is divided into 10 exercises that sequentially demonstrate the vulnerabilities and give a flag when exploited successfully.