Greeting from Felix
Shift Security Left #3
Hi folks! Sharing is caring—this lies at the core of my newsletter. The articles below will help you build meaningfully secure products, thus making your days less stressful. Read what my team wants to share and do not forget to follow me on Twitter. Enjoy.
AppSec
Obstacles in Dart decompilation & the impact on Flutter App Sec
Interesting things you should know about Flutter in a mobile security context.
Previously, Boris Batteux demonstrated that tools for reverse engineering Flutter apps are, in fact, not very hard to develop. This time, he explores whether decompiled Flutter code can be cleaned up to make it easier to read and reverse engineer. Heh, who wants to make their decompiled code look better?
Cryptography
Cryptographic failures in RF encryption allow stealing robotic devices
With cryptographic bugs, it's often hard to cross the mental bridge between "it is theoretically broken" and "it can be easily exploited".
Well, take a look at what can happen with home-brewed cryptosystems in the wild: numerous bugs in the cryptography implementation allow locating, tracking, and even stealing other people’s "toy cars"!
Planning Go 1.20 Cryptography Work
An overview of the updates coming in Go 1.20: the new crypto/ecdh package, progress on moving math/big out of the security perimeter, and a batch of crypto/tls work.
If you didn't know, Filippo Valsorda has been in charge of cryptography and security on the Go team at Google and is now becoming a professional open source maintainer. So if your company depends on Go and its cryptography libraries, consider sponsoring Filippo's maintenance work.
Vulnerabilities
Hunting for mass assignment vulnerabilities using GitHub CodeSearch and grep.app
A thought-provoking way to identify vulnerable code without heavy tooling or machine learning.
Following the beta release of GitHub's new CodeSearch tool, Laurence Tennant decided to find vulnerabilities by querying for specific antipatterns across GitHub projects. He focused on mass assignment and managed to generate a bunch of signed freeCodeCamp certifications, each one supposedly requiring 300 hours of work. What hard work!
DevOps
Why we run managed CockroachDB on Kubernetes
One of the main complaints about Kubernetes is that it is complicated. At Cossack Labs, we are not into K8s because of its complexity and fragility, but our friends from Cockroach Labs know how to steer a ship.
P.S. That's not an ad :)
Incidents
Go malware on the rise
Go is getting more popular. It's even used to create malware, especially malware targeting Unix/Linux operating systems. Some of these malicious tools are open sourced on GitHub and reused by different threat actors. Check it out.
Tools
Cloud-native observability and security analytics with SysFlow
SysFlow is a cloud-native system telemetry framework that helps build analytics datasets. SysFlow is quite young (about a year old), but it's scalable, pluggable and open source.
Falco, the cloud-native runtime security project, aka the Kubernetes threat detection engine, uses SysFlow under the hood. Take a look at how it works.