For ops folks, security audits can seem resource-intensive. Is the ROI really there? Don't we have this capacity in-house? Trail of Bits provided an actionable roadmap for - What to expect - What to ask - How to gauge ROI https://lnkd.in/eYXjJUXj
About us
Since 2012, Trail of Bits has been the premier place for security experts to boldly advance security and address technology's newest and most challenging risks.
- Website
- https://www.trailofbits.com
- Industry
- Computer and Network Security
- Company size
- 51-200 employees
- Headquarters
- Brooklyn, New York
- Type
- Privately held
- Founded
- 2012
- Specialties
- software security, reverse engineering, cryptography, blockchain, osquery, machine learning, binary analysis, blockchain and Application Security
Locations
Primary
497 Carroll St
Brooklyn, New York 11215, US
Updates
Memory safe code was having an unsafe design week this week. We covered some #appsec articles about:
- Next.js middleware and where to place security controls
- ruby-saml authentication bypass and how many different parsers a library should have
- an NTLM hash leak and when a UX feature becomes a security liability
Keith Hoodlet and Kalyani Pawar shared their ideas on better designs and better defaults. We also pondered just how much more secure the world might be if there was no more XML... News articles and notes at https://lnkd.in/geG2NWyP https://lnkd.in/gffj4Awq
Finding a Use for GenAI in AppSec - Keith Hoodlet - ASW #323
https://www.youtube.com/
"A proper threat model exposes design-level weaknesses (of which individual vulnerabilities are symptoms) so they can be remediated." This insight from Trail of Bits' recent article on their TRAIL methodology perfectly captures why threat modeling deserves more attention. Three things I learned:
1) TRAIL groups components that share trust boundaries into "trust zones" to better visualize security controls.
2) It's good to create both lightweight threat models for high-level guidance and comprehensive models for detailed findings.
3) Threat modeling should identify both architecture-level and operational risks throughout the system.
What stands out is how TRAIL findings trace the impact of flawed trust assumptions through architectures, potentially eliminating entire classes of vulnerabilities at once. When was the last time your organization performed a comprehensive threat model? What unexpected insights did it reveal? #Cybersecurity #ThreatModeling Link to the Trail of Bits blog post in the comments
Security Leadership Weekly is out! In this issue:
- Millions of records are at risk in a breach involving Oracle Cloud, which Oracle denies despite mounting evidence to the contrary
- Researchers at North Carolina State University and Yahoo find gaps in several supply chain security frameworks
- A new report by Europol highlights growing collaboration between state-sponsored adversaries and criminal threat actors
- My SANS Institute colleague Dean Parsons kicks off a blog series on securing ICS/OT in pharma and healthcare
- Trail of Bits publishes details about its TRAIL threat modeling methodology
#securityleadership #cybersecurity #infosec #infosecurity #securitymanagement #ciso #cso #supplychainsecurity #supplychain #apt #oraclecloud #oraclebreach #databreach #incident #sans #threatmodeling #cybercrime SANS Security Leadership
I had the pleasure of chatting with Mike Shema and Kalyani Pawar on this week's episode of Application Security Weekly (ep. 323). You can listen here: https://lnkd.in/ehA3Wsav Or you can watch here: https://lnkd.in/eNSnbd3W And you can read my blog post here: https://lnkd.in/ezQSphy2
Catch Security Risks Early and Stay Ahead. Imagine identifying hidden vulnerabilities early, streamlining development, and avoiding costly setbacks. A security design review provides immediate feedback, reduces costs, and builds a secure foundation from the start. Join Trail of Bits experts for key insights and a live Q&A. Happening tomorrow – register now: https://buff.ly/7TzriBt
TRAIL - Threat Modeling the Trail of Bits way. How to do it. Questions to ask to know when you should update your threat model. Two posts.
1) Threat modeling the TRAIL of Bits way
Kelly Kaoudis introduces TRAIL (Threat and Risk Analysis Informed Lifecycle), a threat modeling process developed by Trail of Bits that combines elements from existing methodologies like Mozilla's Rapid Risk Assessment (RRA) and NIST guidelines. TRAIL analyzes connections between system components to uncover design-level weaknesses and architectural risks, going beyond individual vulnerabilities. The process involves building a detailed system model, identifying threat actor paths, and documenting threat scenarios, as well as including short-term mitigation options and long-term strategic recommendations. The post gives examples from ToB's assessments of Arch Linux Pacman and Linkerd. https://lnkd.in/gnnffVmV
2) Continuous TRAIL
Follow-up post to the above describing how to further tailor a TRAIL threat model, how to maintain it, when to update it as development continues, and how to make use of it. Focus on keeping up to date:
- The trust zones
- Threat actors
- Trust zone connections
- Security-relevant assumptions
Questions to consider when deciding when to update your threat model:
- Does this change add a new system component (e.g., microservice, module, major feature, or third-party integration)?
- Does this change add a new trust zone (e.g., by adding a new network segment)?
- Does this change introduce a new threat actor (e.g., a new user role)?
- Does this change add a new connection between system components that crosses a boundary between trust zones (e.g., a new application service on an existing server instance that can be called by a service in a different zone)?
https://lnkd.in/gEjGYDuW #cybersecurity #threatmodeling
In this blog post, we detail newly discovered authentication bypass vulnerabilities in the ruby-saml library used for single sign-on (SSO) via SAML on the service provider (application) side. Users of ruby-saml should update immediately to version 1.18.0. https://lnkd.in/gknx5Qej
Security is only as strong as what we can see. A security audit isn’t just a checkpoint—it’s a commitment to transparency and trust. We partnered with Trail of Bits for a thorough review, and today, we’re sharing the results. Read more: https://lnkd.in/eYpqPQUK
If you're fuzzing C/C++ code and need more customizability, our new Testing Handbook chapter shows you exactly how to set up and use LibAFL - both as a libFuzzer drop-in and as a Rust library. LibAFL Chapter: https://lnkd.in/d7UX25yC
LibAFL vs. alternatives:
- Modular architecture enabling custom fuzzer development
- Superior performance with near-linear scaling across cores
- Advanced features like structured fuzzing with AST mutations
What is the Testing Handbook? Our Testing Handbook is a resource that guides developers and security professionals in configuring, optimizing, and automating many of the static and dynamic analysis tools we use at Trail of Bits. The handbook covers Burpsuite, Semgrep, CodeQL, Fuzzing, and much more!