Application Security This Week for August 12

Interesting idea - introducing bugs to make software more difficult for attackers to navigate. Seems risky to me; I would rather see self-reporting software.

https://arxiv.org/pdf/1808.00659.pdf

Cloudflare has a really really good writeup on TLS 1.3.

https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/

Questionably ethical hacker finds a leaked credential in Homebrew's build infrastructure and gains commit access to the repo.

https://medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab

Viral tweet thread on the Voatz software that West Virginia is planning to use for the midterm elections. Vulnerabilityapalooza.

https://twitter.com/GossiTheDog/status/1026603800365330432

PortSwigger posted a nice primer on practical web cache poisoning.

https://portswigger.net/blog/practical-web-cache-poisoning

Application Security Weekly for August 5

Reddit Breach Highlights Limits of SMS-Based Authentication

https://krebsonsecurity.com/2018/08/reddit-breach-highlights-limits-of-sms-based-authentication/

One of my favorite people - Adam Caudill of AppSec Consulting - gives a breakdown of the changes to how Chrome handles HTTPS.

https://www.appsecconsulting.com/blog/https-or-be-warned

Information disclosure is a thing - stop using Trello as a password manager

https://www.reddit.com/r/security/comments/93n6ln/stop_using_trello_as_a_password_manager_how_to?sort=confidence

One of my favorite companies (Duo) has been acquired by Cisco

https://arstechnica.com/information-technology/2018/08/heads-up-2fa-provider-duo-security-to-be-acquired-by-cisco-ugh/

I have been assured that everything is gonna be OK

As NoSQLMap has fallen a bit by the wayside, I'm glad to see a new NoSQL scanner show up.

https://github.com/torque59/Nosql-Exploitation-Framework

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.