Across our community engagements, we consistently heard requests for more content. That’s why we’re thrilled to bring you the first issue of The Hacker's Guide series.
The Hacker's Guide is meant to be a carefully curated publication compiling product security and fuzz testing content, whether it be open source tools, technical stuff to read, tutorials to watch, or stories to listen to. Thanks to your feedback on wanting more resources readily available and accessible, we’re venturing into new territory. We hope we can count on your support and suggestions on how we can continuously improve to bring you compelling content directly to your inbox.
Welcome to your first The Hacker's Guide issue. This quarter we're tackling spring cleaning -- not your house, but your code. Enjoy! - ForAllSecure
The Hacker's Guide is a quarterly newsletter that aims to make security-related news, podcasts, content, and tools available and accessible. Our academic roots have made us advocates of education, especially around our passion for fuzz testing, and this is one of the few ways we aim to connect with our community.
Restocking on Cleaning Tools
It's all about sweeping smart, not sweeping hard -- those bugs, that is. Check out these newly released tools to sweep those creepy crawlers right outta your code.
Atheris Python Fuzzer: Google announced the release of their Atheris fuzzing engine. Atheris is an open source coverage-guided fuzzer that can be used to find bugs in Python code and native extensions in Python 2.7 and 3.3+.
Mayhem for API: ForAllSecure announces a brand new API fuzzer. Mayhem for API is an easy-to-use API testing solution that provides performance and reliability results through continuous testing practices. The product is available for a 30-day commitment-free trial. That's right -- no credit card information required.
Whether we like it or not, our code will get fuzzed, either maliciously, proactively, or organically. Through use and abuse of code out in the wild, here are the vulnerabilities and bugs found by fuzz testing.
Details public on Windows zero-day vulnerability: On Dec 24, 2020, Google Project Zero disclosed details on a zero-day security vulnerability in the Windows print spooler API that could allow a bad actor to execute arbitrary code. Originally tracked as CVE-2020-0986, the flaw was reported to Microsoft by an anonymous user working with Trend Micro's Zero Day Initiative (ZDI) back in Dec 2019. With no patch in sight for roughly six months, ZDI released a public advisory in May after it was exploited in the wild. Although Microsoft eventually addressed the vulnerability in June, Google shared that the flaw has not been fully remediated. Microsoft expects to resolve the issue on Jan 12, 2021.
Critical bug found in six-library vulnerability in NGA: ForAllSecure's fuzz testing research team uncovered an uninitialized value vulnerability in a U.S. government software library called six-library, designed to parse and manipulate satellite imagery and data for both internal and public use.
It's time to refresh our minds: out with the old and in with the new trend. Now, let's get sparking on some joy.
Fuzzing cited as #3 on top 10 most common website attacks: Behind XSS and Injection attacks (no surprises here), fuzzing, or fuzz testing, ranks as one of the most common website security attacks used to find and exploit vulnerabilities in sites or servers. Behind fuzz testing's place on the list are zero-day attacks, which are an extension of fuzzing attacks.
Whether it's by you, attackers, or your users, our code will get fuzzed. Only in one of those situations do you come out the winner. Learn what the other 6 attacks are, and how they rank.
Telecommunications leader announces 3GPP's Security Assurance Specification (SCAS) Testing: Huawei touts its product security by announcing that it is the first 5G and LTE vendor to pass the GSMA's NESAS evaluation, which includes tests in network product general security, air interface security, and basic vulnerability testing, such as data and information protection, air interface ciphering and integrity protection, robustness and fuzz testing. The evaluation was conducted by DEKRA.
Over the years, we have observed, and continue to observe, an increasing number of standards requiring or recommending fuzz testing. Looks like we can now add NESAS to the list.
Overcoming the challenges of securing cloud-native applications: Cindy Blake, Senior Security Evangelist at GitLab, shares the steps you can take to ensure the security of your cloud-native apps (and they don't require a lot of time and resources). Find out what those six steps are.
David Lenoe, Director of Secure Software Engineering at Adobe, shares tips gathered from his first-hand experience not only launching and maturing application security programs, but also building hyper-collaborative security teams. Here are his top 5 tips:
1. Adapt quickly: AppSec teams need to stay ahead of the curve on the changing landscape of technology, arguably more than other security teams.
2. Use testing, scanning, and modeling: Take a proactive approach. Build a PSIRT, or vulnerability response program, so third-party security researchers can report issues with products and services.
3. Maximize Automation: Automation friendliness decreases as the company moves left in the SDLC. Adopt an "improve the left by learning from the right" mentality.
4. Collaborate with Engineering teams: Work towards being an extended part of those teams -- not an external team that casts judgement on the service under development.
5. Keep stakeholders in mind: AppSec teams work most closely with engineering and product development, but don't forget other relevant stakeholders, including compliance, operations, and legal.
The result of more than a decade of research and development within the NSA, the Ghidra platform was developed to address some of the agency's most challenging reverse-engineering problems. With the open-source release of this formerly restricted tool suite, one of the world's most capable disassemblers and intuitive decompilers is now in the hands of cybersecurity defenders everywhere -- and The Ghidra Book is the one and only guide you need to master it.
Stop manually analyzing binary! Practical Binary Analysis is the first book of its kind to present advanced binary analysis topics, such as binary instrumentation, dynamic taint analysis, and symbolic execution, in an accessible way.
An accessible resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development. This book covers all the basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures.