Code Scanning That Works With Your Code – Scott Norberg – ASW #317
Code scanning is one of the oldest appsec practices. In many cases, simple grep patterns and some fancy regular expressions are enough to find many of the obvious software mistakes. Scott Norberg shares his experience with encountering code scanners that didn't find the .NET vuln classes he needed to find and why that led him to creating a scanner from scratch. We talk about some challenges in testing tools, making smart investments in engineering time, and why working with .NET's compiler made his decisions easier.
Segment Resources:
Scott Norberg is a web security specialist with almost 20 years of experience in various technology and programming roles, specializing in web development and web security using Microsoft technologies. He has a wide range of experience in security, from working with development teams on secure code techniques, software security assessments, and application security program building . He also has an interest in building plug-and-play software libraries that developers can use to secure their sites with little-to-no extra effort. His latest project was building a source code scanner to find vulnerabilities more easily than products currently on the market.
Scott holds several certifications, including Microsoft Certified Technology Specialist (MCTS) for ASP.NET and SQL Server from Microsoft and the Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP) certifications from ISC2. He also has an MBA from Indiana University.
Scott is currently working as a Principal Application Security Engineer at CDW.
Unforgivable Vulns, DeepSeek iOS App Security Flaws, Memory Safety Standards – ASW #317
Identifying and eradicating unforgivable vulns, an unforgivable flaw (and a few others) in DeepSeek's iOS app, academics and industry looking to standardize principles and practices for memory safety, and more!
Security Weekly listeners save $100 on their RSAC Conference 2025 Full Conference Pass! RSA Conference will take place April 28 to May 1 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac25 and use the code 5U5SECWEEKLY! We hope to see you there!
Mike Shema
- Common OAuth Vulnerabilities · Doyensec’s Blog
Last week we covered RFC 9700, the "Best Current Practice for OAuth 2.0 Security".
This article is a nice companion that explains some of the vulns called out in that RFC.
- A method to assess ‘forgivable’ vs ‘unforgivable’ vulnerabilities
Shaming as an infosec tactic has rightly fallen out of favor, as it's rarely effective and often misdirected. For example, shaming users who fall prey to phishing scams tends to reduce their collaboration with security teams and centers the burden for security on end users when there's a lot of designs, defaults, and mitigations that security teams could be putting in place instead.
But the point of this article is very much a constructive call to action on eradicating vuln classes. It attempts to help orgs identity and prioritize classes to go after, and calls on the cybersecurity industry to make mitigations easier to implement.
For me, the real challenge is in the section, Assessing ‘ease of implementation', since that requires insights and (shock!) engagement with developers to understand the kinds of technical and architectural constraints they encounter.
Another way to think about this article is as a reference for how to approach threat modeling. Ask what always goes wrong, how bad the consequences are, and how easy a mitigation could be.
- NowSecure Uncovers Multiple Security and Privacy Flaws in DeepSeek iOS Mobile App
This ties in nicely with the article on "unforgivable" flaws. After all, the very first problem the researchers list is "Unencrypted Data Transmission" because the app disable App Transport Security (ATS) on iOS. In other words, the secure design is the default option. Disabling that is easily unforgivable.
The last point, "Data Sent to China & Governed by PRC Laws", highlights that appsec can't be a purely technical consideration. It's like the physics joke about, "First, assume a spherical cow in a vacuum..."
- Avoiding mistakes with AWS OIDC integration conditions
I often lump OAuth 2.0 and OIDC into the same blob of IAM problems. Just like RFC 9700 showed how the design and implementation of OAuth 2.0 ran into ambiguities and complexities that turned into vulns, this article shows how similar complexities in AWS come from ambiguities and variance in what vendors describe for their OIDC integrations.
- CODE WHITE | Leaking ObjRefs to Exploit HTTP .NET Remoting
We talked about .NET security in the guest segment, so why not have a .NET security example in the news?
Despite touring on parsing, it's...not really exciting. But there's one important line that's on theme and speaks to me: "The security updates in January 2024 changed the default behavior of parsing HTTP headers…and no longer allow overwriting of trusted values..."
There we are -- a default that improves security. That's much better than adding another bullet to a hardening guide.
- WATCH: Black Hat USA 2024 – YouTube
Videos are available now. Three that I'd highlight are:
- Project Zero: Ten Years of 'Make 0-Day Hard'
- Achilles' Heel of JS Engines: Exploiting Modern Browsers During WASM Execution
- Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
- FYI: Top 10 web hacking techniques of 2024 | PortSwigger Research
The list is live!
Stick around. We'll talk about this with James Kettle in the next episode.
- It is time to standardize principles and practices for software memory safety (extended version)
We had one article with a call for figuring out "unforgivable" flaws. Now this article calls for better defining what "memory safety" means and how to standardize that into software development.
Right now I'm really just including this as a parallel to the first article and as something I plan to check back on in six months.
Check out the announcement and call to action.
This also put the CHERI Alliance on my radar.
p.s. as a lovely gesture to one of my common (unending) reminders, the cert for the call to action link expired while I was writing this up. So, yes, memory safety is important in a Trusted Computing Base (TCB), but security problems don't end with memory safe software.
