This is a collection of additional episode commentary, including many of the inspirations or reasons behind each episode’s intro.

The full show notes are over at the episode index. There you’ll find summaries of the interview segment as well as links for all the articles and tools we covered in the news.

  • ASW Episode 220

    Conan the (Borrow-Checking) Barbarian

    Hello Protocols, Packets, and Programs,

    I realize it’s been a while since we’ve asked,

    “Conan, what is best in DevOps?”

    “To crush your memories,

    To see control flows before you,

    And to hear the sanitations of their pointer.”

    The Conan riff is one of the most fun to return to. My first one was back in episode 137. The second was in episode 149. And now a year and a half later I’ve come up with a third.

    The Rust programming language takes a “borrowing” approach to memory safety that focuses on ownership rules for values. It might not feel intuitive at first, but I find its semantics force thoughtful considerations about the use of objects and data structures. I’ve always been a fan of correctness first, so I’m willing to trade up front mental effort for compile-time guarantees.

    The Go programming language relies on a garbage collector to achieve memory safety. I’ve done a little bit of Go. The syntax feels different, but some brief exposure to OCaml helped me get a sense of it rather quickly.

    The C programming language relies on pure luck. And LLVM’s AddressSanitizer.

    The C++ programming language relies on scoped std::pure luck, reference counting, and LLVM’s AddressSanitizer.

    p.s. The nod to “Outpost 31” in the news segment is a reference to the movie, The Thing. It’s one of my all time absolute favorite films. I couldn’t pass up a mention of Antarctica without noting it.

  • ASW Episode 219

    Ghosts of October

    Hello Protocols, Packets, and Programs,

    We leave the ghosts and goblins of October behind us.

    And take a moment to recover from the tales of horror, madness, and danger that only a cybersecurity awareness month can bring.

    In the news segment, we covered some high-level details of the OpenSSL punycode vuln. I didn’t manage to summarize it in 10 words or less, but used the opportunity to mention the sending spell from D&D that’s limited to 25 words or less. We might have to come up with a “Sending Stone” mini-segment where we describe a topic according to that spell’s restrictions – it’s hard to do so on the spot without long pauses, but it sounds like a fun challenge for a prepared segment.

    We also touched on writing skills. I had forgotten to add the plainlanguage.gov site to the show notes. It’s a great resource for clear, concise writing.

  • ASW Episode 218

    They Live

    Mike Shema

    Hello Protocols, Packets, and Programs,

    We’re coming to you live from Cable 54 where we’re celebrating Halloween.

    That time of year where we hear those adorable phrases like,

    “Trick or treat!”

    “They’re coming to get you, Barbara.”

    And,

    “We take your security seriously.”

    This episode landed right on Halloween, which was perfect timing to talk about web3 security and, more importantly, add some subtle references to one of my favorite movies – They Live. The movie came out on November 4, 1988, which is also perfect timing to celebrate it on the show. Not only does the movie show John Carpenter’s skill in visual storytelling, its social commentary still holds up.

    We also welcomed Akira Brand as a co-host in this episode. She was previously a guest on episode 215.

    (Image: They Live subliminal messages)

  • ASW Episode 217

    Horror’s Subgenres

    Hello Protocols, Packets, and Programs,

    This month we celebrate horror –

    Especially its subgenres.

    Like hauntings, slashers, found footage, zombies, NPM packages,

    And pretty much anything that keeps you awake at night.

  • ASW Episode 216

    Abandoned Places

    Horror movies have a trope of abandoned locations that includes a reveal about the dreadful testing that occurred there to make them so haunted.

    Places like abandoned hospitals, orphanages, or even underground bunkers.

    But also places closer to us, places like abandoned code repos.

  • ASW Episode 215

    They’re Coming to Get You, Appsec

    Hello Protocols, Packets, and Programs,

    I love zombie movies. And in my favorite ones, the real monsters aren’t the living dead, but many of the humans who remain alive.

    So, when I think of appsec, I think more about how we could collaborate to find and fix vulns, rather than worry about just how many vulns are out there.

  • ASW Episode 214

    Countdown to Halloween

    Hello Protocols, Packets, and Programs,

    We begin our countdown to Halloween with a notice of tropes to expect.

    Your phone is going to lose signal.

    Your car is going to have trouble starting.

    And your business continuity plan will rely on an unmanaged shell script.

  • ASW Episode 213

    October Is Almost Here

    Hello Protocols, Packets, and Programs,

    October is almost here, when we get to tell the scariest stories, read the most horrifying code, and try to survive yet another PowerPoint presentation on cybersecurity awareness.

    October is the time of cybersecurity awareness. It’s good to have an explicit call to attention for security topics, but it’s terrible when that call to attention is squandered on boring, static presentations or empty recital of top 10 lists or warnings to “Don’t click that link.”

    Links are designed to be clicked. If your security awareness and security models rely on some sort of manual scrutiny to distinguish a “good” link from a “bad” one, then you’re two decades behind modern appsec and you’re wasting your audience’s time.

    Appsec checklists and standards always include “Secure Coding” or, worse, just declare, “Write secure code.” But where do developers learn about fundamentals of secure coding or what secure code even looks like?

    Janet Worthington joined us in the interview segment to talk about how universities cover infosec topics and what the industry can do to improve that education.

  • ASW Episode 212

    Pwn of the Living Dead

    They say when there’s no more room in powershell, credentials will walk the earth.

    Coming this Halloween: Pwn of the Living Dead.

    In sneak previews now.

    It’s my nod to George Romero’s living dead movies, specifically Dawn of the Dead.

  • ASW Episode 210

    Hell-LVM

    In a world where CVEs are documented and every bug has a bounty,

    A DevOps team will test in prod –

    And awaken an ancient evil.

    Coming this Halloween: Hell-LVM

    The compiler has given its last warning.

    A developer carelessly passes the -fsatanize=address flag to clang, turning the compiler into a demon who seeks vengeance on all who ever fed it bad code.

    In the news segment we covered the Twitter whistleblower report, which I summarized in Limerick form:

    A hacker named Mudge blew the whistle

    Causing Twitter execs to bristle

    He said they were lacking

    Protection from hacking

    And they replied, “Here’s your dismissal.”

    And a backup version that I also liked:

    In the 90s some hackers from l0pht

    Warned Congress that networks were too soft

    Now two decades later

    The risk is much greater

    And apparently Twitter just scoffed

  • ASW Episode 209

    Captain’s Log

    These are the episodes of the podcast ASW.

    Its continuing mission: to explore strange new clouds.

    To seek out new flaws and new implementations.

    To boldly go where no one has gone before!

    I first riffed on this in episode 163 and plan to return to it every August now in memory of Gene Roddenberry’s birthday.

    Live long and prosper! 🖖

  • ASW Episode 208

    Void Stars

    Do you enjoy battling threats with weird names?

    Manipulating characters and classes?

    Handling polymorphic types and void stars?

    Appsec is the right place for you.

    But if you want all that plus rolling dice – check out the Dungeons & Dragons Spelljammer update. It comes out tomorrow.

    Sure, C programmers are familiar with void *, but the far more exciting version of a void star is in the D&D Spelljammer setting. It’s a setting rife with giant space hamsters (yes, these are canonical creatures), mind flayers, and other bizarre creatures.

    Speaking of mind flayers, I’d far prefer to replace the phrase, “…hit by a bus” with “…brain eaten by a mind flayer” to convey the danger of not writing down the institutional knowledge carried in the minds of appsec and devops folks.

    Plus, the news segment has my absolute favorite thumbnail image.


  • ASW Episode 207

    The Natural History of Appsec

    These majestic rustaceans have just spawned on the shores of ASW. Driven by evolution, they know instinctively how to reference each variable they will ever encounter within their lifetime.

    However, evolution also leaves vestigial organs like FFI. As the other newborn processes rush to safety, this one returns to C and exposes a dangling pointer.

    Drawn by this unpredictable behavior, a swarm of exploits appears.

    I first riffed on this intro in episode 205.

  • ASW Episode 206

    The “M” Stands for Music…Mostly

    MTV – Music Television – debuted August 1, 1981, promising 24 hours of music videos and leading to shows like Headbanger’s Ball and 120 Minutes, which offered 120 minutes in name, or about 90 minutes of actual videos once you subtract the commercials.

    It launched with “Video Killed the Radio Star” and the lyrics

    Rewritten by machine and new technology

    And now I understand the problems you can see

    Which sounds more like DevOps killing Appsec…actually

  • ASW Episode 205

    The Natural History of Appsec

    What if we approached appsec with the same wonder as that towards the natural world?

    We’re watching a zero-day in the wild as it approaches a buffer that’s been separated from its pointer authentication code.

    Neither the buffer nor the nearby stack canaries, which enjoy a symbiotic relationship with these regions of memory, have noticed the approach.

    Unaware of this danger, the buffer consumes data.

    This was, of course, a nod to David Attenborough and his documentaries on nature, dinosaurs, and Earth. He has the most amazing ability to evoke the wonder and drama of nature through narration that educates as much as it entertains. He has produced, written, and narrated several documentaries. One of the most popular is BBC Earth.

  • ASW Episode 200

    The Difference Engine

    A Note respecting the Application of Machinery to the Calculation of Astronomical Tables

    It’s episode 200 and I’m thinking back 200 years ago to June 14, 1822 when Charles Babbage presented a machine that could efficiently calculate polynomials.

    The difference engine, as he called it, is considered one of the pioneering works of computing.

    He later designed an improved Difference Engine No. 2, but it was never built in his lifetime.

    It wasn’t built until 1991, when the Science Museum, London, finished the first-ever implementation of the calculating engine – only four years before JavaScript’s invention.

    The museum completed the full engine’s design in 2002, weighing in at 5 tons of iron, steel, and bronze with 8,000 parts spanning 11 feet long and 7 feet high.

    And, to be fair, 8,000 parts for 5 metric tons of computing sounds like the physical manifestation of today’s NPM package dependency trees.

    In addition to riffing off 200 years of computing history, we had Keith Hoodlet join in as a co-host. He’s responsible for starting the ASW podcast in the first place, having hosted it from episode 0 through 55. I dove in at episode 56 to continue the journey.

  • ASW Episode 178

    I Need an Exit

    Unfortunately, no one can be told that we take security seriously.

    You have to see it for yourself.

    You take the blue pill – the story ends, you change your password,

    And have credit monitoring for the rest of your life.

    You take the red pill – and have your eyes opened,

    Mostly because you’ll be looking for that Yubikey you always misplace,

    And I show you how deep the appsec goes.

    Remember…all I’m offering is the truth. Nothing more.

    The Matrix was released March 31, 1999.

    It’s a story about humans and machines, which makes it easy to see the metaphor for appsec. But it’s also about identity and self-determination – something that extends even to the machines in Resurrections.

    And, of course, there’s style. Style in clothing, in hair, and in self-expression. This is the more important metaphor for appsec – collaboration and community building that welcomes self-expression, including gender, and embraces the diversity of groups.

    This wraps up another year of the podcast. Thank you listeners!

  • ASW Episode 177

    Vulnerability Phone

    (phone dialing)

    Hello! And welcome to vulnerability phone.

    If you know the name of the vuln you’d like to see, press one.

    (beep)

    Please enter the CVE now

    (2021-44228)

    You have selected log4j. If that is correct, press one.

    (beep)

    Log4j is playing at Minecraft, cloud services, security vendors, iCloud, Amazon, Apache Struts, your toaster, small children, puppies, and –

    Well, you get the point.

    If you also get the reference to moviefone, then not only do you have to update log4j, it’s probably time to move out of the past and update your JVM to a version that was released this decade as well.

    This was a fun intro to come up with. Of course, I had to use the correct DTMF tones for all of the numbers. I’ll leave the opening phone number as a puzzle to solve. (A puzzle that’s neither difficult nor all that mysterious, but one whose attention to detail will hopefully generate a smile.)

    I wanted to find some humor in the topic that didn’t involve mocking developers or making light of the work that security and DevOps teams are putting into addressing the vuln – that’s the lazy path. Being smug about software design or programming languages never helped anyone in the first few decades of appsec. It’s certainly not going to be productive now. And it’s not very entertaining.

    Log4j will be an infosec topic for the next several years. It’ll also highlight – once again – the importance of maintaining an asset inventory and having a process for identifying supply chain issues. If 2021 was the year everyone used the incident that rhymes with Polar Fins to talk about why supply chain security is so important, 2022 will be the year of Log4Shell.

    BugOps vs. DevOps

    The show notes have more details on how this specific vuln fits into the larger picture of application security. One thing I didn’t include was a timeline to put this into more context (see below). I find it interesting to think of this vuln as a type of recurring event as opposed to a single fire to extinguish. Chasing zero-days isn’t a strategy – creating hardened software architectures and layered security controls is. It’s easy to recommend asset inventories and egress proxies; it’s harder to implement them effectively. But that’s one of the goals of modern appsec, to shift from the burn-out of BugOps to the emergent security of DevOps.

    If you’re curious about more of the BugOps vs. DevOps take, check out my presentation from DevSecCon London 2017.

    • Log4j devs add the JNDILookup plugin to Log4j 2.0-beta9, which appears in September 2013.
    • Heartbleed appears in April 2014.
    • Shellshock appears a few months later in September 2014.
    • Researchers discuss JNDI LDAP manipulation that leads to RCE at BlackHat in August 2016.
    • Researcher Chen Zhaojun of Alibaba Cloud Security Team discloses the log4j flaw in December 2021.

  • ASW Episode 174

    Eyes Open

    Remember Flash? That free browser plugin?

    In November 1996 Macromedia unleashed it upon the world. Then Adobe acquired it, keeping the thing alive with critical patch after critical patch.

    In November 2011, after Apple refused to allow Flash on iOS, Adobe announced the end of support for mobile.

    Yet it wasn’t until January 2021 that Flash officially died on the desktop.

    So, maybe now when you hear the phrase, “Gone in a Flash”, it might not actually be referring to how your system was compromised.

  • ASW Episode 173

    Schools of Magic

    It’s the eighth day of the month and there’s an appsec journey in the number eight.

    Like the rise of personal computing with the 8-bit Commodore 64.

    Modern HTML requires character encoding with utf-8.

    Chrome’s JavaScript engine is called v8.

    Number 8 in the new OWASP Top Ten is about software and data integrity failures.

    And an 8 on its side looks like infinity, which is about how long it’ll take for appsec to get that top ten down to zero.

    The schools of magic is another nod to Dungeons & Dragons. The game defines eight schools, a number that fit nicely with the intro’s theme. I’ve always been partial to playing wizards. Two favorites over the last few years have been an illusionist and a necromancer. I plan to try a diviner next – the spells aren’t as uniformly combat-related as the classic evoker’s, but that just feels like a fun challenge and a chance for creativity.

  • ASW Episode 171

    Horror Stories

    It’s almost Halloween, so why not celebrate with an appsec adaptation of the opening of Edgar Allan Poe’s The Raven.

    Once upon a midnight dreary, while I pondered, weak and weary,

    Over many a quaint and curious volume of forgotten lore—

    Which I coded, error trapping, suddenly there came a tapping,

    As of testing gently flapping, flapping I could not ignore—

    “’Tis some insecure,” I muttered, “tapping at my logic for—

    Buffer size and nothing more.”

    It took me a while to settle on phrasing I liked. The following version was a close runner up. It hinted at SQL injection instead of memory safety, but it didn’t feel like it captured an injection flaw just right.

    Once upon a midnight dreary, while I pondered, weak and weary,

    Over many a quaint and curious volume of forgotten lore—

    Which I coded, error trapping, suddenly there came a tapping,

    As of input gently snapping, snapping at my datastore—

    “’Tis some insecure,” I muttered, “tapping at my datastore—

    Using AND instead of OR.”

  • ASW Episode 163

    Strange New Clouds

    Captain’s log, stardate 41153.7.

    Our destination is planet AppSec, beyond which lies the great unexplored mass of secure code.

    My orders are to examine the news, and what’s been built there by the inhabitants of that world.

    These are the episodes of the podcast ASW.

    Its continuing mission: to explore strange new clouds.

    To seek out new life and new DevOps migrations.

    To boldly go where no one has gone before!

    I was inspired this August by the memory of Gene Roddenberry’s birthday. That stardate comes from “Encounter at Farpoint”, the very first episode of ST:TNG. To this day, I remember my surprise at seeing the character Zorn (Michael Bell), then hearing the voice of Duke from the “G.I. Joe” cartoons. It was like a collision of worlds that for some reason left an impression on me.

    Live long and prosper! 🖖

  • ASW Episode 149

    Alert Your Stardestroyers

    It’s that time in May when people start talking about that movie from the 80s. The one with James Earl Jones as the villain. Came out in May 1982.

    That’s right. Once again we must ask, “Conan, what is best in DevOps?”

    “To crush CI/CDs,

    to see supply chains before you,

    and to hear the attestation of their SBOM.”

    Since this episode aired on May 3rd, it was a chance to acknowledge Star Wars Day, aka May 4th – as in, may the fourth (force) be with you.

    The Empire Strikes Back came out in 1980. Conan didn’t appear until two years later. But, wonderfully, James Earl Jones plays the villain in both. We only hear him in Empire (David Prowse wore Vader’s suit), but we see him – with long hair no less – as the evil Thulsa Doom in Conan.

    I first riffed on this quote in episode 137.

  • ASW Episode 148

    Minimum Safe Distance

    What would a breach notification look like in the aftermath of Aliens?

    Weyland-Yutani takes the security of our systems and data seriously and we have implemented numerous safeguards to protect them. When we learned of a nearby derelict, our investigation determined it was something for you to explore.

    Because of our commitment to trust and transparency, we have worked diligently to make LV-426 important to

    building better worlds

    with you – our families at Hadley’s Hope.

    We recorded this episode on April 26, which was fortuitous for a fan of 80s movies and horror. April 26 has been adopted as “Alien Day” to celebrate the Alien movie franchise. The date, as 4/26, is a nod to LV-426, the moon from Aliens. Weyland-Yutani established a terraforming colony, Hadley’s Hope, on that moon. Things didn’t turn out well for the colony and Ellen Ripley, now rescued from her escape shuttle long after the events on the Nostromo, has a pretty clear idea of what must have happened.

    As a final note, if you check the bookshelf in the background of the video, I have a copy of the Alien RPG propped up.

  • ASW Episode 137

    A Tree of Woe

    Earlier I asked, “Conan, what is best in DevOps?”

    “To crush your CVEs,

    to see threat models before you,

    and to hear the automation of their workflows.”

    This quote comes from the 1982 film, Conan the Barbarian, where Arnold Schwarzenegger delivers it with his distinct Austrian accent. It’s one of the many films that made 1982 such a high point in movie history.

    I revisited this quote in episode 149.

  • ASW Episode 135

    Pokémon & Synthwave & Hair & Hats

    Lawnmower Man 2

    A new year calls for new resolutions, such as exiting vim on the first try, remembering which git rebase, reset, or revert is useful, securing your supply chain, and subscribing to ASW.

    (Of which, only one of those is actually achievable.)

    We started off the year with a deep dive into privacy by design – a topic that’s appsec-adjacent, but one that carries its own threat models and design patterns. Notably, it’s also a relatively new topic when you consider how slowly “privacy engineering” teams have grown throughout the industry.

    And, being January 2021, it was a chance to commemorate the 25th anniversary of Lawnmower Man 2: Beyond Cyberspace. It’s a title that’s been criminally left off of far too many lists of hacker movies.

  • ASW Episode 56

    Underlying Capabilities

    Ah, my first time hosting. The intro is barely three sentences and barely engaging. How far we’ve come. But it does have one small artifact that I’ve preserved through all of the following intros. The teaser for the news segment always ends with a change in intonation and the promise of…

    – and more.

    I’ve also changed around the camera setup and computer. I enjoyed lurking behind my laptop with its prominent D&D sticker and, later on, a DNA Lounge sticker. Alas, the screen size and CPU weren’t conducive to improving the quality of the show. I’ve since upgraded to one of the M1 iMacs.

    Keith Hoodlet started the podcast at episode 0 and was the main host up through 55. He still drops in on the Security Weekly family, including ASW episode 200. Check out his blog at securing.dev.