Intro
Hi!
In this edition of DevSec Selection, I explore key topics in application and infrastructure security. We delve into the broken authentication security vulnerabilities. Next, an article compares EPSS with CVSS, offering a formula to prioritize vulnerability remediation at scale. I also included an article about less known Dependency Confusion supply chain attack where author shares details about breaches at Apple and Microsoft, emphasizing the need for robust dependency management.
Furthermore, you will find details about one of the high severity GitLab vulnerabilities publicly released and fixed in January. Last but not least, take a look at common vulnerability pattern identified by Microsoft in Android applications and AWS cloud security best practices.
Materials
📄 Web API Security Champion Part II: Broken Authentication (OWASP TOP 10)
This is a continuation of Web API Security Champion series focused on OWASP TOP 10 API Security Risks. This time, I present broken authentication security vulnerabilities and a list of recommendations based on my experience. Furthermore, you can find there one of the high severity vulnerabilities from Damn Vulnerable RESTaurant explained with a PoC!
📄 Prioritising Vulnerabilities Remedial Actions at Scale with EPSS
This article is focused on automated vulnerability remedial actions prioritisation with EPSS and CVSS. I explain EPSS vs CVSS differences and present Python code obtaining the EPSS from CVE. Also, there is a formula proposed to prioritise vulnerabilities in a more effective way. Highly recommend this one if you’re working with a large scale security.
📄 Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
It’s a quite old article explaining one of the most underrated and still not widely known (by developers) supply chain attack – Dependency Confusion. The article discusses the attack, where the author hacked into major companies like Apple and Microsoft by uploading malicious packages to public repositories. By exploiting internal package names, the attacker gained remote access and potential backdoor entry. The success rate was high, with multiple companies being vulnerable. Root causes and mitigation strategies are explored, highlighting the importance of secure dependency management. This attack highlights the critical need for organizations to secure their software supply chains.
📄 Cisco Releases Security Updates Addressing ArcaneDoor, Vulnerabilities in Cisco Firewall Platforms
Cisco has released security updates to address ArcaneDoor vulnerabilities in Cisco Firewall Platforms, known for active exploitation. Users are strongly encouraged to apply updates, hunt for malicious activity, report findings to CISA, and review provided articles for more information.
📄 Devfile file write vulnerability in GitLab – GitLab Security Tech Notes
This article dives deep into a CVE-2024-0402 high severity security issue identified in GitLab in January 2024, showcasing layers of vulnerabilities leading to arbitrary file write & command execution. Cool writeup for more offensive security enthusiasts.
📄 “Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps
Microsoft discovered a vulnerability in Android apps allowing malicious apps to overwrite files, steal tokens, and execute code. They identified vulnerable apps on Google Play, collaborated with developers like Xiaomi and WPS Office, and shared guidance to prevent similar issues.
📄 AWS cloud security best practices
This article outlines 11 essential AWS security practices for protecting your AWS infrastructure. It emphasizes the shared responsibility model, security building blocks, compliance benchmarks, and best practices like educating your team, embedding security into your architecture, and enforcing the principle of least privilege. Automated tools like AWS GuardDuty and AWS Security Hub can help monitor and remediate security risks.