March meandered through C code, mused about secure design, marked a new top ten list, made space for machines, and finally descended into a bit of madness. And every single moment was fun!


Keeping Curl Successful and Secure Over the Decades (ep. 320)

Our month kicked off with curl’s continuous curator, Daniel Stenberg, explaining the project’s approach to appsec. It has had to deal with bad bug bounty reports generated by LLMs and inflated CVSS scores attached to its CVEs.

It’s also had good experiences and established itself as a model for security, which is especially impressive given its steadfast commitment to C. About 40% of its security bugs are attributable to a memory safety issue. But the library supports a massive set of protocols, many of which date back to ancient or ambiguous RFCs. Dealing with protocol state machines and parsing complex data introduces a whole set of security challenges and the potential for logic flaws.

Curl’s longevity is commendable. It’s been going for over 27 years now. The project fosters a wide community of contributors, maintains a consistent standard of quality (of which security is just one part), and has created such a fundamentally useful tool that it’s no surprise to find it on billions of devices worldwide – or worlds-wide if you include Mars!

CISA’s Secure by Design Principles, Pledge, and Progress (ep. 321)

CISA has been pushing for more software to be secure by design and secure by default. Jack Cable shared how CISA chose to frame their Secure by Design principles and encourage businesses to improve their software quality.

It’s not like vuln classes and countermeasures are unknown. Phrack 54 covered SQL injection vulns in 1998. All the major databases supported prepared statements by 2004. Yet in 2025 we already have a few hundred CVEs for SQL injection (and XSS and a few other usual suspects).
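To make the “known since 1998, fixed since 2004” point concrete, here is an added example (mine, not from the episode or from any project mentioned in it) that puts the two query styles side by side. It builds a constructed in-memory SQLite table and runs the same lookup once with user input spliced into the SQL text and once with a bound parameter, which is the prepared-statement countermeasure the paragraph refers to:

```python
import sqlite3

# Constructed sample data for the demonstration; nothing here comes from a real system.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_email_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 1998-vintage bug: the caller's string becomes part of the SQL text,
    so the input can change the *structure* of the query, not just a value in it."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn: sqlite3.Connection, name: str) -> list:
    """Prepared statement: the SQL text is fixed and the value is bound separately,
    so the database engine never parses the caller's string as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> dict:
    """Run both lookups on the same input and report how many rows each returned.
    A mismatch between the two counts is the signature of a structure-changing input."""
    conn = make_db()
    unsafe_rows = find_email_unsafe(conn, name)
    safe_rows = find_email_safe(conn, name)
    conn.close()
    return {
        "unsafe_count": len(unsafe_rows),
        "safe_count": len(safe_rows),
        "differs": len(unsafe_rows) != len(safe_rows),
    }


if __name__ == "__main__":
    # A normal username behaves the same way under both queries.
    print("alice:", compare("alice"))
    # The classic textbook tautology: the unsafe query returns every row,
    # the parameterized query correctly finds no user with that literal name.
    print("tautology:", compare("' OR 'a'='a"))
```

The vulnerable function is what SAST tools and code reviewers flag as string-built SQL; the fix is not a sanitizer or an escaping routine but a change of interface, which is why it counts as “easy to implement” once the data-access layer exposes parameter binding. Note that SQLite’s `execute` refuses to run more than one statement per call, so this example only shows the tautology form of the bug, not stacked queries.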

But one of the important qualifiers for “easy” fixes is that they have to be “easy to implement and deploy”. Not everyone has Google’s budget for appsec.

Redlining the Smart Contract Top 10 (ep. 322)

There’s no better place to discover the impact of logic flaws than in the cryptocurrency space, where every token is its own self-funding bug bounty and every contract is a gamble in code correctness.

Shashank went into the details of the 2025 edition of the Smart Contract Top 10, how it has changed over the past two years, and how security improvements in Solidity might change it again (for the better!) in another two years.

I appreciate this particular Top 10 list because it’s not repetitive of all the others and its entries are domain-specific to crypto. Shashank provided lots of technical background and real examples across familiar appsec flaws like integer overflows and reentrancy problems. More importantly, he talked about the logic problems behind oracle manipulations and flash loan attacks.

Crypto is rife with rug pulls, scams, and questionable tokens. But it’s also a great learning space for classes of attacks that aren’t memory safety flaws or the dusty XSS and SQL injection of the web.

Thanks again to Shashank for making this topic accessible and engaging!

Finding a Use for GenAI in Appsec (ep. 323)

Sure, LLMs are helping devs write code, but is it secure code? How are LLMs helping appsec teams?

Keith Hoodlet returned to talk about those questions and put the capabilities of LLMs into perspective.

There are notable areas where LLMs prove to be helpful assistants, like having better contextual seeds to craft a fuzzing corpus. There are areas where LLMs could quite directly prove their value in bug bounty hunting. But there are also areas where we’ve been underwhelmed (so far!) by the generic LLM responses to threat modeling and security reviews.

We also discussed the importance of reading beyond the headlines of research papers in order to avoid hype and better understand what’s improving – and what’s not – in terms of code generation and security capabilities.

I always enjoy talking with Keith. Regardless of how much of a future we’ll have with appsec toasters, he’ll always be a human I turn to for insights in this area.

Avoiding Appsec’s Worst Practices (ep. 324)

We entertained some foolish notions about the worst ways to approach appsec. But out of that chaos emerged some debate about tracking tons of vulns, using LLMs, and what secure design means.

Does vibe coding need vibe appsec? Do those words mean anything? Why does infosec love bad metaphors? What’s the best direction to shift? What are we even shifting in the first place?

Shout out to Jackie McGuire and Adrian Sanabria for joining John Kinsella and me in this discussion.

We didn’t get a chance to finish our top ten list of emojis to use in LinkedIn posts, so this recap will have to be several paragraphs, a bunch of links, and a ton of thank yous to everyone who’s been watching the show!

Subscribe to ASW to find these episodes and more! Then check out the recap for February 2025.
