October was the month when tales of terror were timely and horror marked our days to Halloween.
We started with a topic that instills fear into everyone at some point – public speaking. Lina Lau returned to give us examples of how she crafts and delivers presentations. We talked about what kinds of presentations keep our attention and the kinds that put us to sleep. Not only does Lina excel at delivering engaging presentations, she puts those skills to work in creating multi-day training courses for incident responders.
Lina first joined us back in February of this year to give an incident responder’s view of appsec. Check out episode 230.
Our second week brought another returning guest, Janet Worthington. She covered the conversations she’s had with developers and appsec teams about tools like SCA (software composition analysis) and SAST (static application security testing). More importantly, she highlighted that how those tools are used is really a side effect of a good DevSecOps program. Trust and the “no look pass” are one part of a good program. Seeing DevSecOps teams focus their attention on design – securing what they sell – is a much better indicator of success than forever focusing on finding and fixing flaws.
It was just over a year ago that Janet joined us to talk about appsec education in universities. Check out episode 213.
Week three was OT. Huxley Barbee gave us some background on how insecure OT (operational technology) devices have been over the last few decades. But we also turned to what might help OT devices be more secure for the next few decades. It’s still hard to emulate and test many of these systems, which limits the number of security researchers who take the time to understand and test them. It’s also still hard to find development toolchains that provide robust security feedback and testing. We’ve seen great improvements for C and C++ code with features like LLVM’s sanitizers. Hopefully we’ll see those and more applied to these OT devices as well.
Then Dan Moore returned to talk about the secure by design and secure by default aspects of OAuth and WebAuthn. I was curious about how OAuth added more capabilities and extensions to deal with new design patterns like single-page apps and the proliferation of mobile apps. The two standards aren’t directly comparable in terms of the problems they solve, but they share many goals in making adoption easier for developers and countering certain threats to users. There’s also a lesson in what they don’t cover, like account recovery, and why that remains an area that attackers continue to successfully exploit.
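One concrete instance of OAuth being extended for public clients like single-page and mobile apps is PKCE (RFC 7636), which the episode summary above doesn’t name; the example below is added here to show the mechanism and is not code from the show or from Dan Moore. The client keeps a random `code_verifier` private, sends only its SHA-256 `code_challenge` through the browser, and the authorization server refuses to exchange the code unless the verifier matches. The `ToyAuthorizationServer`, the client id `spa-demo` and the `*.example` URLs are all assumptions for illustration, and the known-answer pair in the comment comes from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 chars, the RFC minimum."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))).
    RFC 7636 App. B: "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
                  -> "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    """
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint: str, client_id: str,
                            redirect_uri: str, challenge: str, state: str) -> str:
    """Only the challenge travels the front channel; the verifier never leaves the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


class ToyAuthorizationServer:
    """Hypothetical in-memory stand-in for the server half of the PKCE check."""

    def __init__(self) -> None:
        self._pending = {}  # code -> (client_id, redirect_uri, challenge)

    def authorize(self, client_id: str, redirect_uri: str,
                  challenge: str, method: str) -> str:
        if method != "S256":
            raise ValueError("only S256 accepted; 'plain' would expose the verifier")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (client_id, redirect_uri, challenge)
        return code

    def token(self, client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
        # pop() makes the code single-use: a replay fails even with the right verifier
        entry = self._pending.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        expected_client, expected_redirect, challenge = entry
        if client_id != expected_client or redirect_uri != expected_redirect:
            return {"error": "invalid_grant"}
        if not hmac.compare_digest(make_code_challenge(verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def demo(server: ToyAuthorizationServer) -> dict:
    """Honest exchange, then an interceptor without the verifier, then a code replay."""
    client_id, redirect_uri = "spa-demo", "https://app.example/cb"  # assumed values
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    url = build_authorization_url("https://as.example/authorize", client_id,
                                  redirect_uri, challenge, state=b64url(secrets.token_bytes(8)))
    code = server.authorize(client_id, redirect_uri, challenge, "S256")
    honest = server.token(client_id, redirect_uri, code, verifier)
    # an attacker who captured a code from the redirect but never saw the verifier
    stolen = server.authorize(client_id, redirect_uri, challenge, "S256")
    intercepted = server.token(client_id, redirect_uri, stolen, make_code_verifier())
    replay = server.token(client_id, redirect_uri, code, verifier)
    return {"url": url, "honest": honest, "intercepted": intercepted, "replay": replay}


if __name__ == "__main__":
    for name, result in demo(ToyAuthorizationServer()).items():
        print(f"{name}: {result}")
```

The design point worth noticing is that the server never needs a client secret: binding the code to a hash of a per-request secret is what lets a public client (an SPA or a mobile app that cannot keep a secret) defend its authorization code, and the single-use code plus redirect URI check close the obvious replay paths.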
Our show just before Halloween covered an appropriately scary topic – how security tools must evolve. Dan Kuykendall talked about the struggle of scanners to keep up with modern app designs and why being beholden to industry categories isn’t providing modern dev teams with the solutions they need. That took us into dev leadership and how to inspire security teams to build effective tools.
• • •
September was the month we hit our 8-bit milestone (episode 256) on Application Security Weekly.
The first week we went to the vault for an episode from January 2022 where Christien Rioux talked about how appsec needs to move beyond its past – vulns, checklists, hardening guides – and into a future of sandboxed apps and decorated data.
Then we talked with Simon Bennetts about how and why he started ZAP. As a long-time fan of the project, I enjoyed learning more about its past (it’s been decades since I last heard mention of Paros Proxy!) and, more importantly, hearing about its future with The Software Security Project.
One of the takeaways that I didn’t emphasize enough was Simon’s outreach and interaction with developers – we need more appsec folks speaking at developer conferences.
Next up was Karl Triebes, who gave us a chance to go beyond the all-too-vague label of “business logic” attacks to understand why they’re hard to pin down – for appsec teams and developers alike. For me, that’s where the really interesting security flaws are, where human creativity can look at the workflow intended by an app and then come up with ways to abuse it.
Last up was a return to supply chains with Kirsten Newcomer. SBOMs have been around for a while – SPDX is over a decade old. That makes it seem like much of what we need to do isn’t new. But that’s probably also because those things aren’t easy to do and, I think, because appsec gets too wrapped up in vulns and the cliche of fixing vulns early at the expense of spending time on more strategic work.
• • •
August brought some sun from the summer conferences and some darkness from some noir-style intros.
Our first interview was with Merritt Baer, who put ArchSec – Architecture Security – on our roadmap. One of my favorite things about this discussion was the idea of getting beyond appsec, especially the stale, boring version of appsec that’s preoccupied with vulns. ArchSec represents a step towards making security scale better by focusing on design. She also points out how a secure architecture process isn’t just another security review in disguise, it’s a partnership in creating resilient systems.
The second week was one of the longer (maybe longest) interviews we’ve recorded. Josh Goldberg talked about communication skills, putting together presentations, and the stumbles he’s made along the way. It’s a topic that should appeal to anyone who wants to speak at conferences – or even just giving presentations at work.
No one wants to sit through a boring presentation. No one wants to deliver a boring presentation, either! Josh shares tips and techniques for creating abstracts for CFPs and drafting slides for success. John Kinsella helped round out the segment with several stories and advice of his own.
For week three we ran two shorter interviews recorded at Black Hat. Shout out to Mandy Logan for conducting these at the conference.
But don’t skip our news segment – I kicked off the show with another dash of noir.
August closed with a visit from Jeff Pollard to cover how security can be smart about using AI. No cliches here about Skynet or magical thinking about robot overlords, just a lot of discussion about what AI and ML seem to be good at, where that helps security teams, and where people remain key parts of processes.
Subscribe to ASW to find these episodes and more!
• • •