August added one more appsec calculus intro. I had to carry the one over from July.
What a fun start to have Marisa Fagan talk about the OWASP Security Champions Guide! She’s been building security cultures and security champions programs for a while. There are some familiar angles like aligning incentives, but also important items that orgs often overlook, such as what a security champion is in the first place and the skills important to curating a program.
Next up, Kalyani Pawar talked about appsec at start-ups and what it looks like to go from no security to some security – and how to make that “some security” effective. Some of her insights hearkened back to the previous week, particularly on setting up security so it scales.
In week three, we turned from scaling security to a security-related outage of significant scale. Allie Mellen and Jeff Pollard shared insights and lessons learned from the CrowdStrike outage. It was a chance to talk about secure design, security requirements, and software quality.
Finally, Paddy Harrington wrapped up the month with a discussion about IoT security, which also touched on secure design (and, unsurprisingly, the lack thereof). But we also talked about security labeling, what burdens the consumer should bear, and just how old is too old for a device?
Subscribe to ASW to find these episodes and more! Also check out the July 2024 recap.
• • •
July might be summer break, but we shouldn’t let our appsec calculus skills degrade. Each week’s intro presented a different appsec word problem, starting with
A CVE departs a station at 10am.
It has an unreachable destination.
At what time does an appsec team say it needs to be fixed?
Make sure to show your work.
Shout out to Sandy Carielli and Janet Worthington for not only returning to the show, but bringing a wonderfully titled topic to discuss, “Ludicrous Speed — Because Light Speed Is Too Slow To Secure Your Apps”. They covered pre-release and post-release code concerns, such as secure design, DevOps maturity levels, business logic, and bots. Their research comes from talking with a range of practitioners across several industries, which grounds their insights and ideas in reality.
Stuart McClure walked through the implications of trusting AI and LLMs to find flaws and fix code. The fixing part is compelling – as long as that fix preserves the app’s intended behavior. He explained how LLMs combined with agents and RAG have the potential to assist developers in writing secure code.
We talked even more about AI with Allie Mellen, who pointed out where elements of LLMs might help with reporting and summarizing knowledge and where they fall short of basic security practices. LLMs won’t magically create an asset inventory, nor will they have context about your environment or your approach to risk. She also noted where AI has been present for years already – we just call it machine learning as applied to things like fraud detection and behavioral analysis.
Then we checked our appsec formulas against a CISO’s perspective with Paul Davis. He talked about driving behavioral change at the org level – a different and more challenging prospect than individuals. But he also focused on the security problems that individuals in dev teams and appsec teams alike face, whether it’s figuring out where to fit in AI or how to get beyond chasing CVEs one by one.
Subscribe to ASW to find these episodes and more! Also check out the June 2024 recap.
• • •
June sped by! We had one more interview segment from RSA and lots of discussions about open source supply chain and standards.
Luis Villa talked about how the unsteady and unpredictable support for open source projects underscores the challenge faced not only by XZ Utils, but by many other projects – even popular ones. He talked about efforts to support open source projects financially. And, since XZ Utils was topical, we walked through some of a project maintainer’s responsibilities and how to lessen that burden over time.
Next up was news! We had the full crew together with Akira Brand and John Kinsella. We covered some vulns in unusual places – laundry machines and modems. We covered some unusual design gaps in Microsoft’s Recall. And I marked the anniversary of PHP version 1.0, which first appeared on June 8, 1995.
We closed out the month with OAuth. Aaron Parecki explained that not only is OAuth 2.0 more than a single spec, it’s not always interoperable and not always secure. The good news is that there are new specs that attempt to refine interoperability and define defaults that make it more secure. Aaron shared a lot of great insights from following these specs for over a decade!
Subscribe to ASW to find these episodes and more! Also check out the May 2024 recap.
• • •