Conference: Black Hat Asia 2023
Authors: Xu Yuanzhen, Peter Mularien
2023-05-12

It is known to us that the Java language has an integrated ecosystem. With the development of cloud computing, more and more cloud-native systems consist of Java applications. In the meantime, a potential new attack surface for Java applications is stealthily exposed. Some cloud data platforms supply users with customized database management services, so that users are able to utilize the services flexibly. Java Database Connectivity (JDBC) is a fundamental component of the Java environment and is used to implement database connection and manipulation. I paid close attention to this scenario, and then I discovered the new attack surface. We took a long time to research the mainstream vendors and their JDBC drivers, like Google, IBM, etc. In our research, we will elaborate on both our static and dynamic source code analysis experience and the juicy techniques involved, like locating the accurate sinks, and then we will demonstrate new gadgets for SSRF and RCE vulnerabilities. We will present real-world attack scenario illustrations and detection evasions as well.
Authors: Clemens Hübner
2023-02-15

tldr - powered by Generative AI

Passkeys are the next evolution step of web authentication, solving problems with passwords and making authentication more secure. They are included in the app ecosystem and allow for smoother authentication between different clients. However, using passkeys binds users to existing oligopolies of big user providers, and it is unclear how independent web authentication can remain from these platforms in the future.
  • Passkeys solve problems with passwords and make authentication more secure
  • Passkeys are included in the app ecosystem and allow for smoother authentication between different clients
  • Using passkeys binds users to existing oligopolies of big user providers
  • It is unclear how independent web authentication can remain from these platforms in the future
Authors: Daniel Nebenzahl
2022-06-21

tldr - powered by Generative AI

The presentation discusses the implementation of the SLSA standard in supply chain security and the challenges faced in complying with its requirements.
  • SLSA is an emerging standard that puts many requirements on the table for supply chain security implementation
  • Compliance-driven implementation of the framework may result in minimal value, and negotiation with suppliers is necessary
  • Provenance documents can be built from APIs and log files to avoid opening up all pipelines
  • Level 3 of SLSA promises better protection from developer workstations and adjacent build systems
  • Strongly authenticated actors and retention of sources indefinitely are challenging requirements to comply with
  • The SLSA standard provides solutions, but they are hard to implement and may result in loss of accreditation