Issue #3 - AppSec Weekly 🛡️

Your go-to source for the latest in application security trends, tools, and insights!


The software industrial revolution: AI agents for enterprise development

Sourcegraph has just launched its powerful AI agents, designed to revolutionize enterprise development! These agents automate repetitive tasks like code reviews and testing, helping teams move faster, reduce errors, and maintain high-quality codebases. Now developers can focus on what they do best—solving tough challenges—while the agents handle the routine work.

A new deep-dive on OAuth security reveals vulnerabilities in popular flows such as Implicit, Authorization Code (with and without PKCE), and Client Credentials. The report exposes threats like CSRF, redirect hijacking, mutable claims, and client confusion that could lead to token theft and account takeover. Misconfigurations in OAuth setups, especially around redirect_uri validation, are identified as a significant risk factor. Security experts advocate for robust countermeasures including state parameter usage and strict validation practices. A handy OAuth Security Cheat Sheet is now available to help developers and testers safeguard their implementations.

Doyensec Blog post

Researchers identified a critical vulnerability in Lightning AI’s platform that allowed attackers to run commands with root privileges by exploiting a hidden URL parameter. The issue was promptly addressed following responsible disclosure, highlighting the need for robust input validation and secure development practices in AI environments.

Both the cURL project and the Go security teams have publicly criticized the CVSS framework, claiming it often misrepresents vulnerability severity by failing to consider context. They argue that the standardized scoring system can inflate risks, confuse users, and burden open source maintainers with unnecessary work. Instead, they advocate for more flexible, nuanced approaches to assessing vulnerabilities.

Wiz Research discovered a publicly accessible ClickHouse database belonging to DeepSeek that exposed over a million lines of sensitive logs, including chat history, API keys, and internal backend details, without authentication. The security team responsibly disclosed the issue, which DeepSeek promptly addressed. This incident highlights the critical importance of securing database infrastructures supporting AI services.

The application security community is grappling with how best to balance Application Detection and Response (ADR) with shift-left methodologies. ADR, which monitors and remediates vulnerabilities in live production environments, excels at providing real-time, actionable data while keeping false positives low. On the other hand, shift-left practices catch issues earlier in the development process, reducing costs and complexity down the line. Rather than pitting these approaches against each other, many experts advocate for a blended strategy that reaps the benefits of both.

🛠️ Code & Tools

Nosey Parker is a CLI tool that finds secrets and sensitive information in textual data. It is essentially a special-purpose grep-like tool for detection of secrets. It has been designed for offensive security (e.g., enabling lateral movement on red teams), but it can also be useful for defensive security testing. It has found secrets in hundreds of offensive security engagements at Praetorian.

The extension "Bypass Bot Detection" (which works really well) is now in the BApp Store 🥳

And that’s a wrap for this week! If you enjoy this curated issue, feel free to forward or share it with your appsec folks/team/hackerclub. For feedback, hugs, bugs or chats, drop an email to [email protected]