Intro
Hi!
The first edition of email-based DevSec Selection articles is here!
This is actually the fourth iteration of the series, with previous editions published via LinkedIn. I hope you will enjoy this new format, with articles and their short summaries. I’m more than happy to get some feedback from you.
Additionally, I plan to launch an open-source project: a vulnerable Web API challenge tailored for developers and ethical hackers. This challenge, aimed at fixing security vulnerabilities, adopts a game-like nature. Developers will progress through a story, tackling levels and resolving identified issues. Furthermore, this vulnerable application might be also exploited in a hack-the-box manner, escalating from a low privileged API user to root access on the machine.
Materials
📄 A Look at Software Composition Analysis
The article presents a comparison of three popular Software Composition Analysis (SCA) tools – Snyk, Semgrep, and Dependabot. Doyensec, a security engineering firm specialized in application security audits, conducted an unbiased head-to-head analysis to determine the most efficient tool for detecting vulnerable third-party libraries.
📄 Scanning Login-Protected Targets with Nuclei v3.2
The blogpost introduces the release of Nuclei v3.2.0 with an emphasis on improved authenticated scanning capabilities based on provided file with secrets. Nuclei is fast and customisable vulnerability scanner based on simple YAML based DSL. The post presents static and dynamic authentication mechanisms from a perspective of Nuclei, and various authentication methods implemented and how to use them.
🛠️ WeAudit: Collaborative code review tool for VSCode
WeAudit is a collaborative code review tool for VSCode. It allows users to bookmark and highlight code regions, add notes, manage findings, create Github issues, and track audit progress. Key features include detailed findings, resolving/restoring issues, daily log, and customizable settings for better code auditing workflow.
📄 Fixing Debug Log Leakage with Safe Coding
The article presents a secure approach to creating debug logs for development purposes and discusses possible logging mistakes. The post is focused on safe-by-default API approach for logging.
📄 Security Flaws within ChatGPT Ecosystem Allowed Access to Accounts On Third-Party Websites and Sensitive Data
This article presents security vulnerabilities identified in ChatGTP ecosystem. The identified vulnerabilities could allow access to user accounts and sensitive data on third-party websites. Attackers could exploit OAuth authentication flaws and conduct account takeovers on third-party websites. Vulnerabilities were disclosed to responsible vendors and fixed as presented on the attached timeline.
📄 Google paid $10M in bug bounty rewards last year
Google awarded $10 million to 632 researchers worldwide in 2023 through its Bug Bounty Program, with the highest reward being $113,337. Android received over $3.4 million. Rewards included $70,000 for critical discoveries in Wear OS and Android Automotive OS. Additional enhancements were made, such as Bonus Awards and V8CTF focusing on Chrome’s V8 JavaScript engine. Google continues to invest in security generative AI products like Google Bard.
📄 Magnet Goblin targets publicly facing servers using 1-day vulnerabilities
Magnet Goblin, a financially motivated threat actor, exploits 1-day vulnerabilities such as CVE-2024-21887 in devices like Ivanti Connect Secure VPN. They deploy custom Linux backdoors like for financial gain, targeting platforms such as Magento and Apache ActiveMQ. The article investigates their methods and campaigns, emphasizing recent Ivanti exploitation activities. Magnet Goblin’s activities show a quick adaption to vulnerabilities by utilising various tools.
Also, you may want to take a look at Python for DevSecOps and Any Security Engineer article which I initially released via Medium but now it’s available on my blog.