Application Security This Week for May 19

Container security is a big deal, with OWASP A9 showing up more and more.  Here is a tool that will help with container scanning, and it is compatible with your continuous integration builds.

https://github.com/knqyf263/trivy

 

WhatsApp had a bug, but that doesn't dismiss the importance of end-to-end encryption.  Discuss.

https://www.wired.com/story/whatsapp-hack-phone-call-voip-buffer-overflow/

 

Someone found a user after free vulnerability in the Linux kernal going alllll the way back.

https://www.bleepingcomputer.com/news/security/linux-kernel-prior-to-508-vulnerable-to-remote-code-execution/

 

And that's the news!

 

 

Application Security This Week for May 12

If you have been in my classes, you know that I often point to weev as my example for why not to hack live sites.  Well, now I have a new example.

https://thehackernews.com/2019/05/israel-hamas-hacker-airstrikes.html

 

DHS is putting a 15 day deadline on all critical patches.  Maybe that Windows NT4SP2 box will get a little sumpn sumpn, huh?

https://thehackernews.com/2019/05/dhs-patch-vulnerabilities.html

 

The Google CTF is coming up in a month or so.  Start doing those ZAP pushups.

https://security.googleblog.com/2019/05/google-ctf-2019-is-here.html

 

El Reg has a great article on the latest (of many) SQLite RCE flaws.

https://www.theregister.co.uk/2019/05/10/sqlite_rce_vuln/

 

Y'all know that cryptography is not my best subject, but this is important. SHA1 is now provably just as broken as MD5, so start scrubbing it from codebases, except in cases like HMAC.

https://eprint.iacr.org/2019/459

 

That's the news!

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList