SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Tuesday, March 12th 2019

SANS ISC Handlers

🗓️ 12 March 2019

⏱️ 5 minutes

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. StackStorm Vulnerability; Secure Coding Study; Game Developer Supply Chain Attack

Transcript

0:00.0

Hello, welcome to the Tuesday, March 12th, 2019 edition of the SANS Internet Storm Center's

0:07.0

Stormcast. My name is Johannes Ullrich and I'm recording from Jacksonville, Florida.

0:13.0

Of course, DevOps is the way to develop software these days and part of the DevOps paradigm is to automate a lot of actions

0:24.6

and there are a number of systems that can be used to automate, for example, the build process

0:30.9

of software, and one tool that does this is StackStorm. StackStorm is sort of event-based,

0:37.3

so you can code basically

0:39.2

if something happens then do something else in order to, for example, keep software built

0:45.3

or run it through different checks and balances before actually building it or making it

0:51.8

live. In order to do all of this, the software of course has to run at elevated privileges.

0:58.4

And typically DevOps tools not only run at elevated privileges, but even if they don't,

1:04.1

they do have access to your source code and quite a bit of power when it comes to actually building and also modifying your software.

1:15.6

So it isn't good that StackStorm had a cross-site scripting vulnerability due to the way they

1:22.1

actually sanitized and echoed back the cross-origin resource sharing headers, or CORS headers.

1:30.8

And as a result, an attacker could trick a victim that's logged into StackStorm to essentially

1:37.6

execute arbitrary actions, which almost then would become a remote code execution vulnerability via cross-site scripting.

1:47.3

So first of all, don't underestimate cross-site scripting.

1:50.4

I mentioned that before.

1:52.5

And then watch these DevOps tools.

1:56.0

I think there is really still a lot more to come.

1:59.0

You already have seen some vulnerabilities in other popular tools like Jenkins and the like.

2:04.0

So access to these tools should be tightly controlled, and also make sure that you monitor

2:10.3

how these tools are being used.

...

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
