September was the month we hit our 8-bit milestone on Application Security Weekly.
The first week we went to the vault for an episode from January 2022 where Christien Rioux talked about how appsec needs to move beyond its past – vulns, checklists, hardening guides – and into a future of sandboxed apps and decorated data.
Then we talked with Simon Bennetts about how and why he started ZAP. As a long-time fan of the project, I enjoyed learning more about its past (it’s been decades since I last heard mention of Paros Proxy!) and, more importantly, hearing about its future with The Software Security Project.
One of the takeaways that I didn’t emphasize enough was Simon’s outreach and interaction with developers – we need more appsec folks speaking at developer conferences.
Next up was Karl Triebes, who gave us a chance to go beyond the all-too-vague label of “business logic” attacks to understand why they’re hard to pin down – by appsec teams and developers alike. For me, that’s where the really interesting security flaws are, where human creativity can look at the workflow intended by an app and then come up with ways to abuse it.
Last up was a return to supply chains with Kirsten Newcomer. SBOMs have been around for a while – SPDX is over a decade old – which makes it seem like so many of the things we need to do aren’t new. But that’s probably also because they’re not easy to do and, I think, because appsec gets too wrapped up in vulns and the cliché of fixing vulns early at the expense of spending time on more strategic work.