The ASW February 2025 Recap
February should have been cybersecurity awareness month. It’s the shortest month and occasionally off by one.
We filled up every Monday with a fun new conversation.
Ep. 316 - Threat Modeling That Helps the Business
Threat modeling has been in appsec’s toolbox for decades. But it hasn’t always been used and it hasn’t always been useful. Sandy Carielli shared what she learned from interviewing orgs about what succeeded and what failed in their approaches to threat modeling. Akira Brand returned to talk about her direct experience in creating threat models with developers.
One of my biggest recommendations on threat modeling is to use it to talk about the features and workflows being built. Don’t go through every endpoint and ask if it’s vulnerable to XSS or SQL injection. Focus on what the app is intended to do and how the developers intended it to work. Save the endpoint enumeration for scanners.
Ep. 317 - Code Scanning That Works With Your Code
Code scanning is one of the oldest appsec practices. In many cases, simple grep patterns and a few fancy regular expressions are enough to find many obvious software mistakes. Scott Norberg shared his experience with encountering code scanners that didn’t find the .NET vuln classes he needed to find and why that led him to create a scanner from scratch. We talked about some challenges in testing tools, making smart investments in engineering time, and why working with .NET’s compiler made his decisions easier.
Scott’s approach to pentesting really resonated with me:
I view it as my job not to find all the instances of three different classes of vulnerabilities; it’s to find as many different classes of vulnerabilities as I can.
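To make the "grep patterns and a few regular expressions" point concrete, here is a small added example (not code from the episode, from Scott Norberg, or from his scanner) of a regex-based scanner run over a few constructed C# lines. The three rules, their names, and the sample source are assumptions made for this illustration; they stand in for the kind of obvious-mistake patterns a first-pass scanner catches before anything compiler-aware is needed.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    text: str


# Hypothetical rules for this example; the pattern choices are assumptions,
# not a list taken from any real scanner. Each targets a mistake that is
# visible in the text of a single line.
RULES = {
    # SqlCommand whose query text is built by string concatenation
    "sql-string-concat": re.compile(r'new\s+SqlCommand\s*\(\s*"[^"]*"\s*\+'),
    # certificate validation callback that unconditionally returns true
    "cert-validation-disabled": re.compile(
        r"ServerCertificateValidationCallback\s*\+?=\s*.*=>\s*true"
    ),
    # legacy serializer that should not see untrusted input
    "binaryformatter-deserialize": re.compile(r"\bBinaryFormatter\b"),
}

# Constructed sample input; it is not code from any real project.
SAMPLE_SOURCE = """\
using System.Data.SqlClient;
// TODO: parameterize the query below
var cmd = new SqlCommand("SELECT * FROM users WHERE name = '" + name + "'", conn);
var safe = new SqlCommand("SELECT * FROM users WHERE name = @name", conn);
ServicePointManager.ServerCertificateValidationCallback += (s, c, ch, e) => true;
var formatter = new BinaryFormatter();
"""


def scan(source: str, rules: dict[str, re.Pattern] = RULES) -> list[Finding]:
    """Return one Finding per (line, rule) pair that matches.

    Line comments are skipped so a TODO describing a fix does not trigger
    the rule for the thing it describes; that is the simplest false-positive
    filter a text-only scanner can apply.
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue
        for rule, pattern in rules.items():
            if pattern.search(line):
                findings.append(Finding(line_no, rule, stripped))
    return findings


def rule_counts(findings: list[Finding]) -> dict[str, int]:
    """Summarize findings per rule, which is what a triage report leads with."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: [{f.rule}] {f.text}")
    print(rule_counts(scan(SAMPLE_SOURCE)))
```

The parameterized query on line 4 of the sample is deliberately left unflagged: the only difference from the flagged line is the `+` after the closing quote, which is exactly the kind of distinction a regex can make cheaply. What it cannot do is follow `name` back to its source or see concatenation that happens in a helper two files away, which is where a compiler-backed scanner earns its engineering cost.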
Ep. 318 - Top 10 Web Hacking Techniques of 2024
We’re close to two full decades of celebrating web hacking techniques. James Kettle shared his favorite ones, the list’s importance to the web hacking community, and what inspires the kind of research that makes it onto the list.
We discussed why eternal flaws like XSS and SQL injection keep showing up on these lists year after year and how clever research is still finding new attack surfaces in old technologies. He also explained how there’s a lot of new web technology still to be examined, from HTTP/2 and HTTP/3 to WebAssembly.
Ep. 319 - Developer Environments, Developer Experience, and Security
Understanding developer needs and what makes for a positive developer experience makes appsec more successful. Dan Moore stopped by to talk about what devs are doing to make their lives better and where security has the opportunity to assist.
I’m thankful to see appsec move on from checklists. However, a whole lot of the “shift left” concept sounds like a checklist by any other name. We discussed where it makes sense to run security tools and why trust boundaries need to be part of any discussion around securing dev environments and CI/CD pipelines.
Subscribe to ASW to find these episodes and more! Then check out the January 2025 recap.