appsec

Found this interesting list: https://list.latio.tech/

On the open source side, there is https://www.dependencytrack.org/

If you're interested in a way to implement Zero Trust principles like least-privilege access or make your access policies more granular without creating code bloat this is something to check out.

Cerbos Hub externalizes application permissions (RBAC/ABAC) and makes it easier to write and maintain fine-grained access policies without falling into a slow doom spiral of spaghetti code.

You write your policies in a central repo, and deploy as many containerized policy decision points as you need alongside the relevant services in your application. Policy checks are an API call. No single point of failure or lag issues.

You can maintain and monitor distributed policy decision points from one place. Make changes in Hub once and the changes are deployed everywhere. It supports PDPs deployed in serverless environments, at the edge or on device. There's a collaborative policy playground to write and test your policies. It has a central audit log of all the policy decisions that take place across your application.

cross-posted from: https://infosec.pub/post/8123190

Hello everyone,

I work in appsec, my manager would like to send us to a conference this year. We are based in Europe, and the company would like to across intercontinental travel.

I have OWASP Global 2024 in Lisbon on my radar, as well as the BlackHat EU in London, is there any other conference you guys would recommend?

cross-posted from: https://infosec.pub/post/5707149

I talk about a report I've made to MSRC in the beginning of the year regarding vscode.

It's a bit different. There's no in depth technical stuff, because I basically just reported the feature, not a bug.

Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11

By Artem Dinaburg eBPF (extended Berkeley Packet Filter) has emerged as the de facto Linux standard for security monitoring and endpoint observability. It is used by technologies such as BPFTrace, Cilium, Pixie, Sysdig, and Falco due to its low overhead and its versatility. There is, however, a dark (but open) secret: eBPF was never intended…

PoC for CVE-2023-4911. Contribute to leesh3288/CVE-2023-4911 development by creating an account on GitHub.

elttam is an independent security company providing research-driven security assessment services. We combine pragmatism and deep technical insight to help our customers secure their most important assets.

The scenario is this: a brand new Ubuntu 22.04 server has an account which is restricted to running sudo logrotate *. Can we get root? Short answer: Yes. I couldn’t find much online about this type of exploitation of logrotate, so let’s document something for future use.

On September 27, 2023, the U.S. National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) released a joint cybersecurity advisory (CSA) detailing activities of the cyber actors known as BlackTech.  For a description of this report, see People's Republic of China-Linked Cyber Actors Hide in Router Firmware. Cisco has reviewed the report. Cisco would like to highlight the following key facts:

The most prevalent initial access vector in these attacks involves stolen or weak administrative credentials. As outlined in the report, certain configuration changes, such as disabling logging and downloading firmware, require administrative credentials. There is no indication that any Cisco vulnerabilities were exploited. Attackers used compromised credentials to perform administrative-level configuration and software changes. Modern Cisco devices include secure boot capabilities, which do not allow the loading and executing of modified software images. For more information on secure boot, see the Cisco Trustworthy Technologies Data Sheet.   The stolen code-signing certificates mentioned in the report are not from Cisco. Cisco does not have any knowledge of code-signing certificates being stolen to perform any attack against Cisco infrastructure devices. 

These key points align with the Cisco consistent stance and messaging that advises customers to follow best practices as described in the Cisco blog post: Attackers Continue to Target Legacy Devices. Modern network infrastructure devices now contain numerous security features and capabilities that mitigate the aforementioned attacks. The Cisco Secure Development Lifecycle (SDL) applies industry-leading practices and technology to build trustworthy solutions that have fewer field-discovered product security incidents. As part of our ongoing commitment to network reliability, Cisco has recently launched an effort focused on network resiliency. For more information on this effort, see the Cisco Network Resilience portal. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csa-cyber-report-sept-2023

Checkly Director of Engineering Daniel Paulus take a deep dive into DNS debugging in his latest post for the Checkly blog.

A new WinRAR vulnerability, CVE-2023-38831 could allow attackers to take control of your computer so it's important to take action now

Using the open source programs/platform, anyone can scan millions of public buckets at once using certain keywords. Typically, buckets...

I’ve recently been looking into iRacing, which is an online racing simulation video game.