• October was the month when tales of terror became timely and the days took a fearful turn towards Halloween.

    I love Halloween and horror movies. A favorite recent series is “The Edge of Sleep” (which originated as a podcast). The found footage genre is near and dear to my heart, so I also have to recommend “Deadstream” as another recent-ish favorite.


    Episode 302

    We started a new month with an old friend. Simon Bennetts returned, along with Ori Bendet, to talk about ZAP’s new collaboration with Checkmarx.

    We first talked about building ZAP and its community with Simon over a year ago in episode 254. Then he and Mark Curphey stopped by in April to talk about finding sustainable funding for the project. It’s great to see ZAP now have long-term support and, as Simon explained, how that support will create new opportunities for ZAP to expand its features.

    Episode 303

    Then Kalyani Pawar joined as a new co-host! We celebrated episode 303 by having the three of us talk about striking appsec fear in three words – like, “written in Perl” or “cybersecurity awareness month”…

    There was plenty of news to cover, from how many vulns legacy code can hold to how many parsers you can pack into a package. As always, John Kinsella added his insights on secure defaults, isolating resources, and wrangling repos.

    Episode 304

    Scott Piper shared some advice on how to ratchet up security within an org’s environment, why securing clouds (and creating those guardrails) remains complex, and some tips on tracking down shadow clouds.

    Creating guardrails within clouds has become a favored appsec design pattern that increases security without sacrificing development – when they’re done well.

    Despite all those clouds, he shed lots of light onto strategies for enacting change that makes secure defaults better for everyone!
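    The guardrail pattern Scott described is easier to see in code than in the abstract. The following is an added example, not code from the episode or from any of the guests: a tiny policy evaluator that first applies secure defaults to whatever a team omitted (so the common case needs no review) and then checks each resource against a small set of centrally owned rules. The resource dictionaries, rule names, region allowlist and thresholds are all assumptions constructed for illustration, not real account data.

```python
"""Toy cloud guardrail evaluator (added example, not from ASW or its guests).

A guardrail is a preventive control owned by the security team and applied
to every deployment, so product teams can ship without a per-change review
as long as the resource stays inside the rails. The resources below are
constructed sample input; the rule set is an illustrative assumption.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

ALLOWED_REGIONS = {"us-east-1", "us-west-2"}  # assumed allowlist


@dataclass(frozen=True)
class Violation:
    resource: str
    rule: str
    detail: str


def apply_secure_defaults(res: dict) -> dict:
    """Fill in safe values for fields a team left out (secure by default)."""
    res = dict(res)
    if res["type"] == "s3_bucket":
        res.setdefault("block_public_access", True)
        res.setdefault("encryption", "aws:kms")
    return res


def rule_region(res: dict) -> Optional[Violation]:
    if res.get("region") not in ALLOWED_REGIONS:
        return Violation(res["name"], "region-allowlist",
                         f"{res.get('region')} is not an approved region")
    return None


def rule_bucket_public(res: dict) -> Optional[Violation]:
    if res["type"] == "s3_bucket" and not res["block_public_access"]:
        return Violation(res["name"], "s3-no-public", "public access block disabled")
    return None


def rule_bucket_encryption(res: dict) -> Optional[Violation]:
    if res["type"] == "s3_bucket" and res["encryption"] not in ("aws:kms", "AES256"):
        return Violation(res["name"], "s3-encryption", "no server-side encryption")
    return None


def rule_sg_open_ssh(res: dict) -> Optional[Violation]:
    if res["type"] != "security_group":
        return None
    for ingress in res.get("ingress", []):
        if ingress["cidr"] == "0.0.0.0/0" and ingress["from_port"] <= 22 <= ingress["to_port"]:
            return Violation(res["name"], "sg-no-open-ssh", "port 22 open to the internet")
    return None


def rule_iam_wildcard(res: dict) -> Optional[Violation]:
    if res["type"] != "iam_role":
        return None
    for stmt in res.get("policy", []):
        if stmt.get("Effect") == "Allow" and stmt.get("Action") == "*" and stmt.get("Resource") == "*":
            return Violation(res["name"], "iam-no-admin-wildcard", "Allow */* grants full admin")
    return None


RULES: List[Callable[[dict], Optional[Violation]]] = [
    rule_region, rule_bucket_public, rule_bucket_encryption, rule_sg_open_ssh, rule_iam_wildcard,
]


def evaluate(resources: List[dict]) -> List[Violation]:
    """Apply defaults, then every rule, to every resource; return all violations."""
    violations = []
    for raw in resources:
        res = apply_secure_defaults(raw)
        for rule in RULES:
            v = rule(res)
            if v is not None:
                violations.append(v)
    return violations


# Constructed sample resources (not real infrastructure).
SAMPLE_RESOURCES = [
    {"name": "logs", "type": "s3_bucket", "region": "us-east-1"},  # omitted fields -> safe defaults
    {"name": "public-site", "type": "s3_bucket", "region": "us-east-1", "block_public_access": False},
    {"name": "bastion", "type": "security_group", "region": "eu-west-1",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]},
    {"name": "deploy", "type": "iam_role", "region": "us-east-1",
     "policy": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE_RESOURCES):
        print(f"{v.resource}: {v.rule} ({v.detail})")
```

Note that the `logs` bucket produces no findings even though its owner specified nothing about encryption or public access: the default does the right thing, which is the "secure defaults for everyone" outcome rather than a finding someone has to chase down later.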

    Episode 305

    Adrian Sanabria stopped by for our almost-Halloween episode.

    The two of us talked about some appsec lessons inspired by the slow transition to IPv6, fun hardware hacking stories, and my hypothesis that on a CPU-cycle-per-CPU-cycle basis fuzzing will outshine LLMs for finding flaws.

    It was also nice for Adrian to stop by since I’ll be out for a few episodes in November and he’ll be stepping in.

    We won’t have to change a thing. Just think of ASW as Adrian Sanabria Weekly…

    Subscribe to ASW to find these episodes and more! Also check out the September 2024 recap.


    • • •
  • September was bookended by news-heavy segments, with some security awareness and bot defenses squeezed in between.


    Episode 298

    Our first episode of the month gave us a chance to catch up on a backlog of news articles. We talked about the engineering decisions that go into paying down tech debt – particularly when and why. Then some lessons learned in implementing SSO. Refactoring into Rust has been a repeated topic, but this time I used a vuln in Rust-based code to talk about expectations of behavior for an API, and John found an example of refactoring into…OCaml (!?).

    Episode 299

    Dustin Lehr walked us through why an OWASP Dev Day was canceled and some constructive steps to make outreach and engagement for developers more successful. One thing I’d love to see is more appsec appearances at developer conferences. We also talked about where the impact of security awareness can be most effective, such as targeting architects and frameworks.

    Episode 300

    Next, David Holmes joined us in a sponsored interview about the interconnected challenges of securing APIs and swatting away bots. We talked about the impacts of both, with a highlight on how bots target where the value lies within an app, why that’s closely related to business logic, and why it’s so important to use threat models to identify weaknesses in business logic. After all, such attacks rarely rely on the obviously unnatural payloads of SQL injection and cross-site scripting.
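    The point that bot abuse rarely looks like an injection payload is worth making concrete. What follows is an added example, not code from the episode or from the sponsor: a velocity check over a constructed access log for a promo-code redemption endpoint. Every request in the log is syntactically clean, so a signature-based filter sees nothing; the detection comes from the threat model (the value is the code, so the abuse is many attempts per account and many accounts per source). The endpoint path, log format, thresholds and window are assumptions made up for this illustration.

```python
"""Added example: business-logic abuse detection for a promo endpoint.

Not code from ASW or its guests. The log format, the /api/promo/redeem
path, and the thresholds are assumptions; the log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample traffic. Note that every request is well-formed:
# no SQL injection, no script tags, nothing for a payload signature to match.
LOG = [
    "2024-09-15T10:00:01Z acct=1001 ip=203.0.113.5 POST /api/promo/redeem code=FALL10 status=200",
    "2024-09-15T10:05:00Z acct=2002 ip=198.51.100.7 POST /api/promo/redeem code=FALL1 status=404",
    "2024-09-15T10:05:04Z acct=2002 ip=198.51.100.7 POST /api/promo/redeem code=FALL2 status=404",
    "2024-09-15T10:05:08Z acct=2002 ip=198.51.100.7 POST /api/promo/redeem code=FALL3 status=404",
    "2024-09-15T10:05:12Z acct=2002 ip=198.51.100.7 POST /api/promo/redeem code=FALL4 status=404",
    "2024-09-15T10:05:16Z acct=2002 ip=198.51.100.7 POST /api/promo/redeem code=FALL5 status=404",
    "2024-09-15T10:05:20Z acct=2002 ip=198.51.100.7 POST /api/promo/redeem code=FALL10 status=200",
    "2024-09-15T10:06:00Z acct=2003 ip=198.51.100.7 POST /api/promo/redeem code=FALL10 status=200",
    "2024-09-15T10:06:30Z acct=2004 ip=198.51.100.7 POST /api/promo/redeem code=FALL10 status=200",
]

LINE = re.compile(
    r"^(?P<ts>\S+) acct=(?P<acct>\d+) ip=(?P<ip>[\d.]+) "
    r"POST /api/promo/redeem code=(?P<code>\w+) status=(?P<status>\d{3})$"
)


def parse(lines: List[str]) -> List[dict]:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "acct": m["acct"], "ip": m["ip"], "code": m["code"], "status": int(m["status"]),
        })
    return events


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events falling inside any single sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events: List[dict], window: timedelta = timedelta(seconds=60),
           per_account: int = 5, per_ip_accounts: int = 3) -> List[Tuple[str, str, str]]:
    """Flag accounts that hammer the endpoint and sources that fan out across accounts."""
    by_acct: Dict[str, List[datetime]] = defaultdict(list)
    by_ip_accts: Dict[str, set] = defaultdict(set)
    failures: Dict[str, int] = defaultdict(int)
    for e in events:
        by_acct[e["acct"]].append(e["ts"])
        by_ip_accts[e["ip"]].add(e["acct"])
        if e["status"] != 200:
            failures[e["acct"]] += 1

    findings = []
    for acct, times in by_acct.items():
        n = max_in_window(times, window)
        if n >= per_account:  # code guessing: many attempts, mostly failing
            findings.append(("account-velocity", acct,
                             f"{n} attempts within {int(window.total_seconds())}s, {failures[acct]} failed"))
    for ip, accts in by_ip_accts.items():
        if len(accts) >= per_ip_accounts:  # one source driving many accounts
            findings.append(("ip-account-fanout", ip, f"{len(accts)} distinct accounts"))
    return findings


if __name__ == "__main__":
    for kind, key, detail in detect(parse(LOG)):
        print(f"{kind}: {key} ({detail})")
```

The thresholds here are deliberately simple; in practice they come out of the threat model for that endpoint (how many redemptions a real customer could plausibly make, how many accounts a household NAT could plausibly hide) rather than from a generic rule set.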

    Episode 301

    Technically, the final episode of September was recorded in October, but that feels like the kind of redirect appropriate for an episode number matching an HTTP status code. This time around Farshad Abasi joined me to talk about cars, CUPS, cloud native checklists, and password composition.

    Subscribe to ASW to find these episodes and more! Also check out the August 2024 recap.


    • • •
  • August added one more appsec calculus intro. I had to carry the one over from July.


    Episode 294

    What a fun start to have Marisa Fagan talk about the OWASP Security Champions Guide! She’s been building security cultures and security champions programs for a while. There are some familiar angles like aligning incentives, but also important items that orgs often overlook, such as what a security champion is in the first place and the skills important to curating a program.

    Episode 295

    Next up, Kalyani Pawar talked about appsec at start-ups and what it looks like to go from no security to some security – and how to make that “some security” effective. Some of her insights hearkened back to the previous week, particularly on setting up security so it scales.

    Episode 296

    In week three, we turned from scaling security to a security-related outage of significant scale. Allie Mellen and Jeff Pollard shared insights and lessons learned from the CrowdStrike outage. It was a chance to talk about secure design, security requirements, and software quality.

    Episode 297

    Finally, Paddy Harrington wrapped up the month with a discussion about IoT security, which also touched on secure design (and, unsurprisingly, the lack thereof). But we also talked about security labeling, what burdens the consumer should bear, and the question of just how old is too old for a device.

    Subscribe to ASW to find these episodes and more! Also check out the July 2024 recap.


    • • •