25 min listen
Lessons That The XZ Utils Backdoor Spells Out - Farshad Abasi - ASW #280
Lessons That The XZ Utils Backdoor Spells Out - Farshad Abasi - ASW #280
ratings:
Length:
32 minutes
Released:
Apr 9, 2024
Format:
Podcast episode
Description
We look into the supply chain saga of the XZ Utils backdoor. It's a wild story of a carefully planned long con to add malicious code to a commonly used package that many SSH connections rely on. It hits themes from social engineering and abuse of trust to obscuring the changes and suppressing warnings. It also has a few lessons about software development, the social and economic dynamics of open source, and strategies for patching software. It's an exciting topic partially because so much other appsec is boring. And that boring stuff is important to get right first. We also talk about what parts of this that orgs should be worried about and what types of threats they should be prioritizing instead. Segment Resources: https://tukaani.org/xz-backdoor/ https://news.risky.biz/risky-biz-news-supply-chain-attack-in-linuxland/ https://www.zdnet.com/article/this-backdoor-almost-infected-linux-everywhere-the-xz-utils-close-call/#ftag=RSSbaffb68 https://therecord.media/malicious-backdoor-code-linux-red-hat-cisa https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 https://duo.com/decipher/carefully-crafted-campaign-led-to-xz-utils-backdoor https://boehs.org/node/everything-i-know-about-the-xz-backdoor Show Notes: https://securityweekly.com/asw-280
Released:
Apr 9, 2024
Format:
Podcast episode
Titles in the series (100)
OWASP Application Security Verification Standard - Application Security Weekly #04: This week, Paul and Keith discuss OWASP Application Security Verification Standards! Full Show Notes: Subscribe to our YouTube channel: Visit our website: Follow us on Twitter: by Application Security Weekly (Video)