• Lake View at Engelsberg, Västmanland

    Curl is one of my favorite open source projects. We marked its 25th anniversary in the news segment of ASW episode 233.

    I’ve used Curl as a command-line tool, a library, and as a positive example of how to maintain a community. Daniel Stenberg has done a wonderful job of maintaining the project and fostering a positive atmosphere around it. His blog provides lots of insights into the development process and how software engineers make informed decisions.

    Curl has wonderful documentation – a necessity for a tool with almost 250 command-line options. I also appreciate that it documents its own history. Its development has been consistent over the decades, with an ever-improving list of features and performance.

    Its development has also reflected major milestones in the web ecosystem, such as supporting HTTP/2 in 2014, becoming part of the OSS-fuzz effort to secure critical software in 2017, and supporting HTTP/3 in 2019.

    Curl is also an example of why C code will be around for quite a long time – many other languages rely on the library and can easily integrate with its C-based API. Curl is also an example of how C can be written securely. Two major security challenges of working with C are safely handling memory and concurrency. The code has had a few stumbles in both, but nothing to the degree that should cause anyone to lose confidence in its underlying design.

    Here’s to several more decades of developer-friendly code and user-friendly tools.

    • • •
  • D&D minis

    It can be fun to go into an interview cold – there’s an appealing energy that comes from the uncertainty of not knowing what’s going to happen next. That’s also why I enjoy role-playing games so much. As a DM, you can set up a combat encounter or introduce an NPC, then embrace the chaos as players hurl their characters in completely unexpected directions. Combine that with the merciless randomness of dice rolls and you have a recipe for grand amusement.

    But it’s also helpful to plan for chaos, whether it comes from a dungeon crawl or an interview.

    Prep calls are essential to making an interview entertaining and informative. Ideally, it’s a conversation that feels dynamic and natural. The worst thing to do is ask a question, passively wait for an answer, ignore the sense of that answer, and carry on to the next question.

    Here’s a rough outline of my approach:

    • Be flexible. Explore the topics the guest is passionate about and knowledgeable of. Sometimes we’ll start with one topic, only to discover a tangent that would be more interesting.
    • Use open-ended questions to prompt clear explanations or strong opinions. It takes practice to reformulate questions from yes/no formulas into “why” or “how” ones that generate conversations.
    • Probe for interesting or unique insights. This may also reveal areas to avoid. It’s hard to give specific examples here since it relies on the context of the topic, but I usually find that questions based on “What does that mean for X?” or “Why does that matter?” work well.
    • Anecdotes are good. If responses tend to be generalities or platitudes, ask for examples of the topic in practice, such as how they’ve seen a problem solved, a tool implemented, or a strategy succeed.
    • Anecdotes of lessons learned from mistakes are also good. Plus, failures are often entertaining. Here I pay attention to the tone of the answer. Something like, “They were all idiots,” isn’t really helpful or educational. Something like, “We didn’t anticipate X” or “We tried to apply a process for X when it’s better for Y” is more useful.
    • Listen for themes or framing devices as they answer.

    During the prep I skip around a lot as I build a picture, but in the interview I’ll try to stick to themes and a flow that builds a story. Stories and conversations are more engaging than dry Q&A. This also means I may reorder questions from how we went through them in the prep call.


    Ultimately, I look for some sort of narrative in terms of problem, complication, and solution or background, conflicts, and resolution. Some examples might be:

    • What’s the problem? Why is it such a problem? How should we think of solutions?
    • You tried X, then Y. You learned Z. In hindsight, what would you do differently?

    One of the traps of asking too many followup questions or searching for a narrative is that it may constrain the guest to a rigid path. They have insights and knowledge to share. Let them reveal what that is rather than trying to guess it through questions. Thus, I always ask, “Is there something we didn’t cover that you want to mention?”

    If they seem likely to be nervous during the interview, I’ll repeat some seed questions so they have an idea of what to expect.

    Finally, I explain that we’ll close out the segment with a call to action or shout out of their choice. I’ll ask what they’re working on or what they want to draw attention to. Sometimes this also helps me refine questions during the interview so they build up to this point.

    To recap, I go into every prep call with a plan to:

    • Ask what they’re passionate about.
    • Ask many short questions to gather context and background so the subsequent interview can be a more natural conversation.
    • Develop a narrative arc.
    • During the interview, actively listen to the guest’s responses and use them to flow into followup questions.

    The way I prep for interviews is closely tied to the format we use on ASW. They’re intended to highlight the guest’s expertise, put them in a good light, understand their opinions, and draw out their personality. If the format were different, I’d keep many of the principles, but would adjust as necessary to the context. But in every case, being prepared makes for a better interview and, perhaps surprisingly, one that can be even more spontaneous.

    For more about how I approach the podcast, check out the style guide.

    • • •
  • Some Appsec Haikus

    Writing show intros provides a brief and enjoyable creative outlet. I have yet to present a haiku, although I have dipped into limericks – of which I have several more drafts in the queue. In one October episode I reimagined a stanza from The Raven.

    And now I have a few experiments with haikus.

    That popular web app security list

    Ten plagues on software
    OWASP documents them all
    Bug bounties prosper

    A vuln disclosure
    CVSS rating high
    Maybe I’ll fix it

    Hype or critical...

    A vuln disclosure
    CVSS version 3
    Uncalculated

    Reading someone else's code

    Code review begins
    Visions of apocalypse
    A plus one appears

    Git. When things go right.

    Merge request is sent
    Git undertakes a commit
    A branch perseveres

    Git. A three-letter command for producing four-letter words.

    Git rebase push pull
    Force reset now detached head
    The branch defeats us

    lol lmao seriously so much lol and a little fraud

    Inspiring problems
    Decentralized solutions
    Ends in vaporware
    • • •