October was the month when tales of terror were timely and horror marked our days to Halloween.
We started with a topic that instills fear into everyone at some point – public speaking. Lina Lau returned to give us examples of how she crafts and delivers presentations. We talk about what kinds of presentations keep our attention and the kinds that put us to sleep. Not only does Lina excel at delivering engaging presentations, she puts those skills to work in creating multi-day training courses for incident responders.
Lina first joined us back in February of this year to give an incident responder’s view of appsec. Check out episode 230.
Our second week brought another returning guest, Janet Worthington. She covered the conversations she’s had with developers and appsec teams about tools like SCA and SAST. More importantly, she highlighted that how those tools are used is really a side-effect of a good DevSecOps program. Trust and the “no look pass” is one part of a good program. Seeing DevSecOps teams focus their attention on design – securing what they sell – is a much better indicator of success than forever focusing on finding and fixing flaws.
It was just over a year ago that Janet joined us to talk about appsec education in universities. Check out episode 213.
Week three was OT. Huxley Barbee gave us some background on how insecure OT devices have been in the last few decades. But we also turned to what might help OT devices be more secure for the next few decades. It’s still hard to emulate and test many of these systems, which limits the amount of security researchers that take the time to understand and test them. It’s also still hard to find development toolchains that provide robust security feedback and testing. We’ve seen great improvements for C and C++ code with features like LLVM’s sanitizers. Hopefully we’ll see those and more applied to these OT devices as well.
Then Dan Moore returned to talk about the secure by design and secure by default aspects of OAuth and WebAuthn. I was curious about how OAuth added more capabilities and extensions to deal with new design patterns like single-page apps and the proliferation of mobile apps. The two standards aren’t directly comparable in terms of problems they solve, but they share many goals in making adoption easier by developers and countering certain threats to users. There’s also a lesson in what they don’t cover, like account recovery, and why that remains an area that attackers continue to successfully exploit.
Our show just before Halloween covered an appropriately scary topic – how security tools must evolve. Dan Kuykendall talked about the struggle of scanners to keep up with modern app designs and why being beholden to industry categories isn’t providing modern dev teams with the solutions they need. That took us into dev leadership and how to inspire security teams to build effective tools.