Application Security This Week for December 20

So, hey, yeah, how are all of you.  Clearly SolarWinds has completely overwhelmed the news this week, so I have a couple of notes about that. To those of you who are having to deal with this, I am with you in spirit. Doing what I can here from The Bunker to help you out.


Here was my first indication there was a problem, I believe.  It's pretty old news now.

https://thehackernews.com/2020/12/new-evidence-suggests-solarwinds.html

I spoke about Supply Chain problems at the Central Ohio .NET Developer's group in March.  Oddly timed.

https://www.youtube.com/watch?v=KWt0Brcc2Ag

MicroSolved has a good writeup you should read.

https://media.microsolved.com/SolarWindsBrief.pdf

This is Microsoft's breakdown of Solorigate: the compromised, legitimately signed SolarWinds Orion DLL that carried the backdoor inside a normal product update, a trojanized library rather than classic run-time DLL injection. For the record, I attended a BoF session on this at DefCon 15(!) and everyone I talked to blew it off. Guess not.

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/


Some other news, thank goodness.


GitHub is going to stop accepting account passwords for Git operations over HTTPS; a personal access token or an SSH key will be required instead.

https://www.theregister.com/2020/12/17/github_bans_passwords/


The NSA finally figured out that authentication systems are under attack. The advisory covers forged SAML tokens minted with a stolen federation signing key, and credentials quietly added to existing cloud application service principals, both of which let an attacker skip the login entirely.

https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2451159/nsa-cybersecurity-advisory-malicious-actors-abuse-authentication-mechanisms-to/


And finally, a short r2c article about memcpy, a lesson drawn from Huawei's source code.

https://r2c.dev/blog/2020/when-devsecops-goes-wrong-a-short-lesson-from-huaweis-source-code/
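As an added example (this is not code from the r2c article, from Huawei, or from this blog), here is the bug class behind most memcpy findings, an attacker-supplied length copied into a fixed-size field, beside a bounded copy that follows the C11 Annex K memcpy_s contract, and the kind of wrapper an audit should flag: one that accepts a destination bound but never checks it. The wire format, the struct layout and the function names are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* bytes in struct record.name, including the NUL */

/* Fixed-size record a parser fills from a network message (constructed
 * layout for this example). flags sits directly after name[] in memory,
 * so an unchecked copy into name[] clobbers flags first. */
struct record {
    char     name[NAME_MAX];
    uint32_t flags;
};

/* Bounded copy with the C11 Annex K memcpy_s contract, implemented here
 * because most libcs do not ship memcpy_s: copy only when count <= destmax;
 * otherwise zero the destination and return an error instead of overrunning. */
int bounded_memcpy(void *dest, size_t destmax, const void *src, size_t count)
{
    if (dest == NULL)
        return EINVAL;
    if (src == NULL || count > destmax) {
        memset(dest, 0, destmax);          /* leave nothing stale behind */
        return src == NULL ? EINVAL : ERANGE;
    }
    memcpy(dest, src, count);
    return 0;
}

/* Hypothetical wrapper of the kind an audit should flag: it accepts a destmax
 * argument, so call sites look bounded, but never checks it. Functionally it
 * is plain memcpy and passes every test that uses well-formed input. */
int fake_bounded_memcpy(void *dest, size_t destmax, const void *src, size_t count)
{
    (void)destmax;                         /* the bound is ignored */
    memcpy(dest, src, count);
    return 0;
}

/* Parse a constructed wire format: [1-byte name length][name bytes].
 * The length byte is attacker-controlled, so it is checked both against
 * what was actually received (over-read) and against the destination
 * (overflow). Returns 0 on success, -1 on malformed input. */
int parse_name(const uint8_t *msg, size_t msglen, struct record *out)
{
    if (msglen < 1)
        return -1;
    size_t len = msg[0];
    if (len > msglen - 1)                  /* claims more than was received */
        return -1;
    /* NAME_MAX - 1 keeps room for the terminating NUL */
    if (bounded_memcpy(out->name, NAME_MAX - 1, msg + 1, len) != 0)
        return -1;
    out->name[len] = '\0';
    return 0;
}

int main(void)
{
    struct record r;
    const uint8_t good[] = { 5, 'a', 'l', 'i', 'c', 'e' };   /* constructed */
    uint8_t evil[1 + 64];                                    /* constructed */
    evil[0] = 64;                          /* claims 64 bytes for a 16-byte field */
    memset(evil + 1, 'A', 64);

    memset(&r, 0, sizeof r);
    r.flags = 0x1234;
    printf("good: rc=%d name=%s flags=%#x\n",
           parse_name(good, sizeof good, &r), r.name, (unsigned)r.flags);
    printf("evil: rc=%d flags=%#x (still intact)\n",
           parse_name(evil, sizeof evil, &r), (unsigned)r.flags);
    return 0;
}
```

The point of fake_bounded_memcpy is that it is indistinguishable from the real thing on happy-path input; the only way to catch it is to read the wrapper body or to fuzz with lengths larger than the destination. When reviewing a codebase that has "replaced memcpy with a safe version", check what the safe version actually does with its bound.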


That's the news, folks, have a great holiday and end-of-year. May your systems be secure and your code be frozen.


Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
