Shostack + Friends Blog


Application Security Roundup - September

Interesting appsec posts: machine learning, performance, and C4 An attack tree

The most interesting #appsec articles I read this month included a sad, lawyerly response to an appsec failure, an application of STRIDE to a hotel minibar, perspective on devsecops, attack trees, human factors and more:

  • URLs Are NOT Passwords, and Sadly, That Needed to Be Said (Dissent Doe, Discusses an issue with sequential URLs and lacking access controls, which wasn't fixed for three years. (A former employee accessed the information to whistleblow, and was prosecuted for CFAA violations.)
  • STRIDE as applied to a hotel minibar (Miguel Llamazares, Linkedin)
  • You’re probably doing devsecops wrong (Kymberlee Price, Diginomica) Kymberlee brings the 🔥: “DevSecOps is popular with engineers because security teams are not.”
  • Taxonomy of Attacks on Open-Source Software Supply Chains (Piergiorgio Ladisa et al, Arxiv). An interesting taxonomy, and features one of the larger attack trees I've seen, with an interactive version. Even if you're not an attack tree fan, or currently focused on supply chain security, the user interface is worth playing with. (Documentation)
  • Poor customer service is our greatest cybersecurity vulnerability (Bob Sullivan on his blog) Tells a predictably sad story of a scam, made possible in part by godawful customer service and eroded trust. This is an engineering problem. Designing so that customers trust your system, designing your customer-facing service so customers can always call the number on the back of their card (or initiate contact through your website) and get to a person who can actually see the relevant information in a reasonable time without being transferred six times... As Bob points out, these are engineering tasks with security implications.
  • Warning: PyPI Feature Executes Code Automatically After Python Package Download (Ravie Lakshmanan, The Hacker News) Documents how PyPi has a feature that runs when you pip install or pip download code, and related the, torch.load function of the PyTorch open source ML framework does the same thing. It even has a big red warning, right there in the docs. It’s RCE-as-a-Service.
  • Which brings me to the Wikipedia entry for Auguste Kerckhoffs. It contains a banner that “This article may be expanded with text translated from the corresponding article in Volapük.” It turns out that in addition to his work in cryptography, Kerckhoffs was an outspoken proponent of the constructed language Volapük (even the Director of the Academy of Volapük), and that article has more detail than the English one.
  • Last, but not least, we announced a return of the Medical Device Threat Modeling Boot Camps, organized with the Medical Device Innovation Consortium.