-
May was hectic! It was light on news segments since our second segments were mostly occupied with short interviews from RSA Conference 2024.
But that means you might be interested in our April Fools episode where we covered some stories from the RSA Conference 20 years ago in 2004. Although this year was almost all AI, the other security topics didn’t sound much different from those two decades ago. Give it a listen in [episode 279].
In the first interview segment, Caleb Sima demystified some of the hype around AI and pointed out how a lot of its security needs match its mundane predecessors. We didn’t get into defining all the different types of AIs, but we did identify the need for more focus on identity and authenticity in a world where LLMs craft user-like content.
Then Keith Hoodlet stopped by to talk about his first-place finish in the DoD’s inaugural AI Bias bug bounty program. He showed how manipulating prompts leads to unintentional and undesired outcomes. Keith also explained how he needed to start fresh in terms of techniques since there’s no deep resources on how to conduct these kinds of tests.
Be sure to check these out for my “walks into a bar” intros ;)
The AI conversations continued with Sandy Dunn, who shared how the OWASP Top 10 for LLMs came about and how it continues to evolve. We talked about why this Top 10 has a mix of items specific to LLMs and items that are indistinguishable from securing any other type of software. It reinforced a lot of the ideas that we had talked about with Caleb the week before.
The next week we noted techniques in secure coding for Node.js. Liran Tal shared concepts from his new book and discussed how he approaches secure coding classes in general. He comes from a development background, which is always a plus when bringing appsec concepts into code.
Episode 235 (from the vault)
For the final week, we pulled an episode from April 2023 with Ben Sadeghipour. His background in building communities around bug bounties, not to mention bagging some significant bounties himself, remains just as relevant today. After all, there’s still plenty of insecure software out there and a ton of web sites waiting for review.
Subscribe to ASW to find these episodes and more! Also check out the April 2024 recap.
-480x320.png)
• • • -
April brought shenanigans, limericks, an appsec version of aviation safety, and other intros that demonstrate how much we take security seriously.
April 1st fell on a Monday this year and I couldn’t let the opportunity for fun go by.
First, we revisited many infosec myths and misconceptions with Adrian Sanabria. We had talked with him last year on the same subject and wanted to find out if anything has improved (you can already guess the answer). Adrian walks through some examples and talks about why these might often be silly, but can also be harmful.
Then we had our usual news segment. Well…usual for appsec events and articles from 2004 instead of 2024. You’d be surprised how relevant 20-year old topics can be – and how little progress we’ve made on several of them. Give it a watch.
Next up Farshad Abasi kindly returned to talk about the technical and social aspects of the XZ Utils backdoor. One thing we focused on was how organizations can put processes and controls in place now to defend against compromised packages. And, of course, that even though the social aspects of the XZ Utils attack were an impressive long con, that’s not the only way we’ve seen packages compromised. Nor is the challenge of malicious maintainers unique to open source.
Then we changed direction to career paths and advice from Karan Dwivedi on starting your appsec engineering career. He shared some of the technical skills he sees orgs value in modern appsec, as well as the social aspects (there’s that word again) of building relationships to learn about different roles. This is a topic we’ll definitely return to.
Speaking of open source, Mark Curphy and Simon Bennetts joined us to talk about how Crash Override’s Open Source Fellowship is helping Zed Attack Proxy shape its own future. Simon talked about the challenges in maintaining an open source project, especially in how the industry does – and notably does not – support such tools. Mark gave insights on finding a funding model for projects like ZAP and the trade-offs in approaches that orgs like OWASP and OpenSSF take.
We wrapped up the month with Melinda Marks, who talked about her study on supply chain security. One of the takeaways is that companies seem to like to buy lots of tools, self-assess that they’re mature, then go on to list all sorts of challenges that cast doubt on how well they’re actually coordinating tools and processes.
I also had fun with this intro, imaging if appsec wrote the aviation safety script you hear before takeoff. Check it out.
Subscribe to ASW to find these episodes and more! Also check out the March 2024 recap.
• • • -
March kicked off our planning for a Cybersecurity Awareness Limerick Month. If top 10 lists and powerpoint presentations aren’t delivering, then maybe it’s time to try a new format for delivering awareness. Stay tuned and stay CALM. ;)
Emily Fox walked us through the mistakes orgs make with vuln management, how they can manage risk without burning out devs, and why the boring basics make everything easier. She explains how orgs can be more comfortable with eventually fixing vulns instead of fighting every fire they see.
Lebin Cheng gave us an update on the state of API security and why they will remain a profitable target. After all, a lot of successful attacks have all the patterns of normal traffic – exercising business logic vulns rarely relies on the obvious payloads that stand out in things like XSS and other injection attacks.
Tyler Von Moll gave us a perspective on starting a cybersecurity program and how appsec fits into that. We’re neither surprised nor disappointed (honestly!) that appsec isn’t the first thing every org should be doing. It’s eventually important and one of the things we try to do here is figure out how to define eventually.
Benedek Gagyi closed out the month with our first in-depth discussion on how user experience (UX) impacts security. Despite being one of my favorite topics, we hadn’t given this nearly the attention it deserves. Benedek walks through some examples of bad UX leads to behaviors that are against users interests and how good UX makes apps better.
Subscribe to ASW to find these episodes and more! Also check out the February 2024 recap.
• • •