I mostly don’t care about known vulns in dependencies. I appreciate code quality and want to maintain a recency of at least 1-2 semver minor versions for packages. But so many of those vulns are distractions that don’t require prioritization over normal maintenance – things like XSS in unused code paths, ReDoS, malicious config files, and exploit scenarios that require the planets to align in a great conjunction.
I’d rather know about one version to upgrade to than a list of security issues with questionable impact whose remediation spans a range of versions. (I also wish scanners would roll up findings into a single “apply this patch” recommendation.)
What I wish existed was a scalable, well-supported scanner that enumerated all runtime dependencies and let me define alerting rules based on:
- the distance from the most recent semver minor version
- the distance from the most recent semver major version
- the days since that most recent major/minor version
- the days until a known EOL such as tracked in endoflife.date
Then for the dimension of known vulns I’d prioritize the CISA KEV along with malicious packages, i.e. packages delivered from a trusted source, but whose contents have been compromised. For the latter, think of packages from a package repo, such as XZ Utils or an NPM package that included a malicious commit.
Yes, not every package follows a clean semver, but I’d love to bury the patch-all-the-vulns mentality that comes from being able to identify every single CVE in existence and instead raise a regular maintenance routine that accommodates the meaningful vulns.
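As an added example (not code from the original post), here is a hypothetical Python sketch of the alerting rules described above: semver minor/major distance, days since the newest major/minor line appeared, days until EOL, and a KEV-or-malicious flag. The registry snapshot, EOL table, KEV list, package names, versions and dates are all constructed for the example.

```python
"""Hypothetical semver-distance alerting over a dependency inventory (constructed example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True, order=True)
class SemVer:
    major: int
    minor: int
    patch: int

    @classmethod
    def parse(cls, text: str) -> "SemVer":
        # Accepts "v2.1.3", "2.1.3-rc1", "2.1.3+build"; rejects anything that is not a clean semver.
        core = text.lstrip("v").split("-")[0].split("+")[0]
        parts = core.split(".")
        if len(parts) != 3 or not all(p.isdigit() for p in parts):
            raise ValueError(f"not a clean semver: {text!r}")
        return cls(*(int(p) for p in parts))


# Constructed registry snapshot: package -> {version: release date}.
RELEASES = {
    "libfoo": {
        "1.2.0": date(2022, 3, 1),
        "1.3.0": date(2022, 9, 1),
        "2.0.0": date(2023, 1, 15),
        "2.1.0": date(2023, 6, 1),
        "2.1.3": date(2023, 8, 20),
    },
    "libbar": {
        "0.9.0": date(2023, 2, 10),
        "0.9.1": date(2023, 5, 5),
    },
}
# Constructed EOL table (major line -> EOL date), in the spirit of endoflife.date.
EOL = {"libfoo": {1: date(2023, 10, 31)}}
# Constructed stand-in for CISA KEV entries and known-malicious package versions.
KEV_OR_MALICIOUS = {("libbar", "0.9.0")}
# Constructed "today" for the snapshot so results are reproducible.
SNAPSHOT_DATE = date(2023, 9, 30)

DEFAULT_RULES = {
    "minor_lag_gt": 1,           # alert when more than one minor behind within the installed major
    "major_lag_gt": 0,           # alert when any newer major exists
    "upgrade_overdue_days": 90,  # alert when behind and the newest line has been out this long
    "eol_within_days": 60,       # alert when the installed major line reaches EOL soon
}


def assess(package: str, installed: str, today: date) -> dict:
    """Compute the four distance dimensions plus the KEV/malicious flag for one package."""
    cur = SemVer.parse(installed)
    rel = {SemVer.parse(v): d for v, d in RELEASES[package].items()}
    newest = max(rel)
    same_major = [v for v in rel if v.major == cur.major]
    newest_minor = max((v.minor for v in same_major), default=cur.minor)
    # The first release of the newest major.minor line marks when that upgrade became available.
    line_start = min(d for v, d in rel.items() if (v.major, v.minor) == (newest.major, newest.minor))
    eol = EOL.get(package, {}).get(cur.major)
    return {
        "minor_distance": max(newest_minor - cur.minor, 0),
        "major_distance": max(newest.major - cur.major, 0),
        "days_since_latest_line": (today - line_start).days,
        "days_until_eol": (eol - today).days if eol else None,
        "kev_or_malicious": (package, installed) in KEV_OR_MALICIOUS,
    }


def alerts(a: dict, rules: dict = DEFAULT_RULES) -> list:
    """Apply the alerting rules to one assessment; KEV/malicious always comes first."""
    out = []
    if a["kev_or_malicious"]:
        out.append("kev-or-malicious")
    if a["major_distance"] > rules["major_lag_gt"]:
        out.append("major-lag")
    if a["minor_distance"] > rules["minor_lag_gt"]:
        out.append("minor-lag")
    behind = a["major_distance"] > 0 or a["minor_distance"] > 0
    if behind and a["days_since_latest_line"] > rules["upgrade_overdue_days"]:
        out.append("upgrade-overdue")
    if a["days_until_eol"] is not None and a["days_until_eol"] < rules["eol_within_days"]:
        out.append("eol-approaching")
    return out


def report(inventory: dict, today: date) -> dict:
    """Map each installed package to the list of rules it trips."""
    return {pkg: alerts(assess(pkg, ver, today)) for pkg, ver in inventory.items()}


if __name__ == "__main__":
    for pkg, hits in report({"libfoo": "1.2.0", "libbar": "0.9.0"}, SNAPSHOT_DATE).items():
        print(pkg, hits or "ok")
```

The output is one line per package rather than one line per CVE: libfoo is flagged for being a major behind, for sitting on an upgrade that has been available for months, and for an approaching EOL, while libbar is flagged only because that exact version is on the constructed KEV/malicious list. Packages that are current and unflagged produce nothing.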
We can even keep the SCA vendor category – just call it Semver Creation Analysis or maybe Semver Curation Approach instead. ;)
• • •
September was the month we hit our 8-bit milestone on Application Security Weekly.
The first week we went to the vault for an episode from January 2022 where Christien Rioux talked about how appsec needs to move beyond its past – vulns, checklists, hardening guides – and into a future of sandboxed apps and decorated data.
Then we talked with Simon Bennetts about how and why he started ZAP. As a long-time fan of the project, I enjoyed learning more about its past (it’s been decades since I last heard mention of Paros Proxy!) and, more importantly, hearing about its future with The Software Security Project.
One of the takeaways that I didn’t emphasize enough was Simon’s outreach and interaction with developers – we need more appsec folks speaking at developer conferences.
Next up was Karl Triebes, who gave us a chance to go beyond the all-too-vague label of “business logic” attacks to understand why they’re hard to pin down – by appsec teams and developers alike. For me, that’s where the really interesting security flaws are, where human creativity can look at the workflow intended by an app and then come up with ways to abuse it.
Last up was a return to supply chains with Kirsten Newcomer. SBOMs have been around for a while – SPDX is over a decade old. Which makes it seem like there are so many things that we need to do that aren’t new. But that’s probably also because they’re not easy to do and, I think, because appsec gets too wrapped up in vulns and the cliche of fixing vulns early at the expense of spending time on more strategic work.
Subscribe to ASW to find these episodes and more! Also check out the August 2023 recap.
• • •
August brought some sun from the summer conferences and some darkness from some noir-style intros.
Our first interview was with Merritt Baer, who put ArchSec – Architecture Security – on our roadmap. One of my favorite things about this discussion was the idea of getting beyond appsec, especially the stale, boring version of appsec that’s preoccupied with vulns. ArchSec represents a step towards making security scale better by focusing on design. She also points out how a secure architecture process isn’t just another security review in disguise, it’s a partnership in creating resilient systems.
The second week was one of the longer (maybe longest) interviews we’ve recorded. Josh Goldberg talked about communication skills, putting together presentations, and the stumbles he’s made along the way. It’s a topic that should appeal to anyone who wants to speak at conferences – or even just give presentations at work.
No one wants to sit through a boring presentation. No one wants to deliver a boring presentation, either! Josh shares tips and techniques for creating abstracts for CFPs and drafting slides for success. John Kinsella helped round out the segment with several stories and advice of his own.
For week three we ran two shorter interviews recorded at BlackHat. Shout out to Mandy Logan for conducting these at the conference.
But don’t skip our news segment – I kicked off the show with another dash of noir.
August closed with a visit from Jeff Pollard to cover how security can be smart about using AI. No cliches here about Skynet or magical thinking about robot overlords, just a lot of discussion about what AI and ML seem to be good at, where that helps security teams, and where people remain key parts of processes.
Subscribe to ASW to find these episodes and more!
• • •