-
July might be summer break, but we shouldn’t let our appsec calculus skills degrade. Each week’s intro presented a different appsec word problem, starting with
A CVE departs a station at 10am.
It has an unreachable destination.
At what time does an appsec team say it needs to be fixed?
Make sure to show your work.
Shout out to Sandy Carielli and Janet Worthington for not only returning to the show, but bringing a wonderfully titled topic to discuss, “Ludicrous Speed — Because Light Speed Is Too Slow To Secure Your Apps”. They covered pre-release and post-release code concerns, such as secure design, DevOps maturity levels, business logic, and bots. Their research comes from talking with a range of practitioners across several industries, which grounds their insights and ideas in reality.
Stuart McClure walked through the implications in trusting AI and LLMs to find flaws and fix code. The fixing part is compelling – as long as that fix preserves the app’s intended behavior. He explained how LLMs combined with agents and RAGs have the potential to assist developers in writing secure code.
We talked even more AI with Allie Mellen, who pointed out where elements of LLM might help with reporting and summarizing knowledge and where they fall short of basic security practices. LLMs won’t magically create an asset inventory, nor will they have context about your environment or your approach to risk. She also noted where AI has been present for years already – we just call it machine learning as applied to things like fraud detection and behavioral analysis.
Then we checked our appsec formulas against a CISO’s perspective with Paul Davis. He talked about driving behavioral change at the org level – a different and more challenging prospect than individuals. But he also focused on the security problems that individuals in dev teams and appsec teams alike face, whether it’s figuring out where to fit in AI or how to get beyond chasing CVEs one by one.
Subscribe to ASW to find these episodes and more! Also check out the June 2024 recap.
• • • -
June sped by! We had one more interview segment from RSA and lots of discussions about open source supply chain and standards.
Luis Villa talked about how the unsteady and unpredictable support for open source projects underscores the challenge faced not only by XZ Utils, but by many other projects – even popular ones. He talked about efforts to support open source projects financially. And, XZ Utils was topical, we walked through some of a project maintainer’s responsibilities and how to lessen that burden over time.
Next up was news! We had the full crew together with Akira Brand and John Kinsella. We covered some vulns in unusual places – laundry machines and modems. We covered some unusual design gaps in Microsoft’s Recall. And I marked the anniversary of PHP version 1.0 that first appeared on June 8, 1995.
We closed out the month with OAuth. Aaron Parecki explained that not only is OAuth 2.0 more than a single spec, it’s not always interoperable and not always secure. The good news is that there are new specs that attempt to refine interoperability and define defaults that make it more secure. Aaron shared a lot of great insights from following these specs for over a decade!
Subscribe to ASW to find these episodes and more! Also check out the May 2024 recap.
• • • -
May was hectic! It was light on news segments since our second segments were mostly occupied with short interviews from RSA Conference 2024.
But that means you might be interested in our April Fools episode where we covered some stories from the RSA Conference 20 years ago in 2004. Although this year was almost all AI, the other security topics didn’t sound much different from those two decades ago. Give it a listen in [episode 279].
In the first interview segment, Caleb Sima demystified some of the hype around AI and pointed out how a lot of its security needs match its mundane predecessors. We didn’t get into defining all the different types of AIs, but we did identify the need for more focus on identity and authenticity in a world where LLMs craft user-like content.
Then Keith Hoodlet stopped by to talk about his first-place finish in the DoD’s inaugural AI Bias bug bounty program. He showed how manipulating prompts leads to unintentional and undesired outcomes. Keith also explained how he needed to start fresh in terms of techniques since there’s no deep resources on how to conduct these kinds of tests.
Be sure to check these out for my “walks into a bar” intros ;)
The AI conversations continued with Sandy Dunn, who shared how the OWASP Top 10 for LLMs came about and how it continues to evolve. We talked about why this Top 10 has a mix of items specific to LLMs and items that are indistinguishable from securing any other type of software. It reinforced a lot of the ideas that we had talked about with Caleb the week before.
The next week we noted techniques in secure coding for Node.js. Liran Tal shared concepts from his new book and discussed how he approaches secure coding classes in general. He comes from a development background, which is always a plus when bringing appsec concepts into code.
Episode 235 (from the vault)
For the final week, we pulled an episode from April 2023 with Ben Sadeghipour. His background in building communities around bug bounties, not to mention bagging some significant bounties himself, remains just as relevant today. After all, there’s still plenty of insecure software out there and a ton of web sites waiting for review.
Subscribe to ASW to find these episodes and more! Also check out the April 2024 recap.
• • •