November turned the podcast to a film noir narrative.
A lot of appsec conferences have presentations for appsec audiences – but that’s not often the group that’s building apps. What if more developer conferences had #appsec content? We talked with Josh Goldberg, an Open Source developer, about security from the developer’s point of view, both as an audience hearing about it and as a presenter talking about it. We discussed the importance of knowing your audience and finding the hooks in security tools and topics that resonate with developers.
We had another repeat guest with Karl Triebes, who talked about what 2023 brought to appsec and what appsec teams can bring to 2024. Several of the headline-grabbing attacks were old-school flaws, but that’s also because there’s a lot of legacy code out there. Other attacks were bots doing things users do – just at a bigger scale. In other words, attacks based on scraping and scalping and credential stuffing had nothing to do with input validation. They were all about finding workflows that benefited the attackers, whether an account takeover or hoarding concert tickets.
The month’s third episode took us to the vault for an episode from August 2021 where Maggie Jauregi talked about firmware security. She shared tips on getting into hardware and firmware security on a small budget – something that can broaden the community of researchers in this area. She talked about that community and how welcoming it’s been. Hacking is a creative endeavor and it’s fun to interact with physical devices, whether it’s triggering a glitch with walkie talkies like in her first DEF CON presentation or playing with Raspberry PI and Arduinos.
We ended the month with a conversation on starting things – like starting an appsec program and starting an appsec career. Akira and John shared their questions and insights on how to decide when to specialize, when a startup might consider hiring for an appsec role, and how to figure out if you want that role to take on more engineering or more security testing responsibilities. While there was an unspoken theme of maturity models, there was quite a fun theme of music and being a virtuoso!