The ASW April 2024 Recap
April brought shenanigans, limericks, an appsec version of aviation safety, and other intros that demonstrate how much we take security seriously.
April 1st fell on a Monday this year and I couldn’t let the opportunity for fun go by.
First, we revisited many infosec myths and misconceptions with Adrian Sanabria. We had talked with him last year on the same subject and wanted to find out if anything has improved (you can already guess the answer). Adrian walks through some examples and talks about why these might often be silly, but can also be harmful.
Then we had our usual news segment. Well…usual for appsec events and articles from 2004 instead of 2024. You’d be surprised how relevant 20-year old topics can be – and how little progress we’ve made on several of them. Give it a watch at https://youtu.be/WjvdyketvyQ.
Next up Farshad Abasi kindly returned to talk about the technical and social aspects of the XZ Utils backdoor. One thing we focused on was how organizations can put processes and controls in place now to defend against compromised packages. And, of course, that even though the social aspects of the XZ Utils attack were an impressive long con, that’s not the only way we’ve seen packages compromised. Nor is the challenge of malicious maintainers unique to open source.
Then we changed direction to career paths and advice from Karan Dwivedi on starting your appsec engineering career. He shared some of the technical skills he sees orgs value in modern appsec, as well as the social aspects (there’s that word again) of building relationships to learn about different roles. This is a topic we’ll definitely return to.
Speaking of open source, Mark Curphy and Simon Bennetts joined us to talk about how Crash Override’s Open Source Fellowship is helping Zed Attack Proxy shape its own future. Simon talked about the challenges in maintaining an open source project, especially in how the industry does – and notably does not – support such tools. Mark gave insights on finding a funding model for projects like ZAP and the trade-offs in approaches that orgs like OWASP and OpenSSF take.
We wrapped up the month with Melinda Marks, who talked about her study on supply chain security. One of the takeaways is that companies seem to like to buy lots of tools, self-assess that they’re mature, then go on to list all sorts of challenges that cast doubt on how well they’re actually coordinating tools and processes.
I also had fun with this intro, imaging if appsec wrote the aviation safety script you hear before takeoff. Check it out.
Subscribe to ASW to find these episodes and more! Also check out the March 2024 recap.