ASW Podcast Episode Notes
This is a collection of additional episode commentary, including many of the inspirations or reasons behind each episode’s intro. There’s also an index of show numbers, dates, and titles.
The full show notes are over at the main site. There you’ll find summaries of the interview segment as well as links for all the articles and tools we covered in the news.
-
WAFs, LLMs, and Secure Design
Hello Protocols, Packets, and Programs,
As everyone tightens budgets this year, look for some ways to deliver a refund on appsec taxes.
Skip that list of phishing terms,
Cut down that password strength calculator,
Hide that hardening guide,
Instead, spend time on making passkeys palatable,
Or adopting designs to defeat a class of vulns.
-
In Search of Secure Design
Hello Protocols, Packets, and Programs,
Every April I like to riff on the test given to Leon Kowalski in the movie Blade Runner.
You’re in a repo, walking along in the code, when all of a sudden you look down –
It doesn’t make any difference what repo. It’s completely hypothetical.
You look down and see a design. It’s crawling toward you…
You reach down and you flip the design over on its back.
The design lays on its back, its belly baking in the hot sun, beating its legs trying to turn itself over, but it can’t. Not without your help.
But you’re not helping.
Why is that?
Happy birthday, Leon. I got you a tortoise.
-
Worst Appsec Practices
Hello Protocols, Packets, and Programs,
We’ve mentioned many times the benefits of reading RFCs to learn about dusty corners, ambiguous requirements, and weird states that lead to vulns.
The catch is that lots of them are long and boring.
But there are also some fun RFCs out there!
Ones that propose outright silly things like evil bits, carrier pigeons, and IPv6.
-
Finding a Use for GenAI in Appsec
Hello Protocols, Packets, and Programs,
My love for interactive fiction hearkens back to the early days of role-playing games.
There were classic books like the Warlock of Firetop Mountain, which added an RPG element to the choose your own adventure concept.
Infocom produced computer text adventures like Zork, where you were likely to be eaten by a grue.
And today we have LLMs that can produce facts that aren’t even true.
-
Smart Contracts Top 10 List
Hello Protocols, Packets, and Programs,
I remain a firm believer that security awareness programs can replace expensive and boring slides with limericks.
For example,
A programmer learned Solidity,
Then had a spark of lucidity.
They thought, “Code is law”,
But missed a small flaw,
And now have zero liquidity.
-
CISA’s Secure by Design
Hello Protocols, Packets, and Programs,
This March let’s avoid the madness of infosec myths, misconceptions, and mistakes.
Let’s update our threat models.
Let’s pay attention to modern designs.
Let’s spend less time enumerating common vulns and more time eradicating vuln classes.
Let’s use public Wi-Fi with our up-to-date devices.
-
Keeping Curl Secure
Hello Protocols, Packets, and Programs,
Languages are important for telling computers what to do.
Computers are important for reminding humans how languages can be ambiguous, illogical, and incomplete.
That’s why the quality of a language isn’t so much about its syntax and semantics, but in the meaning that we can convey with it.
This holds true for most languages,
Even fictional ones like Klingon and Perl.
-
Developer Environments & Developer Experience
Hello Protocols, Packets, and Programs,
I am still searching for genAI’s value to appsec and whether it can handle the kind of security reviews that humans do. For example,
There once was an LLM created,
For the purpose of having code rated.
It looked at some C,
Saw so much malloc and free,
And now we have to have it sedated.
-
Top 10 Web Hacking Techniques of 2024
Hello Protocols, Packets, and Programs,
The number 10 is a base for many standards.
There’s obviously the metric system, developed by the French to bring sanity to measures of weight and length.
We use prefixes from the metric system in computing, with kilobytes, megabytes, and gigs.
That 10 also appears in cybersecurity and appsec’s love of listing 10 things.
Prefixes work for those lists, too.
If you had 10 lists, you’d have a deca-list.
If you had 100 lists, you’d have a hecto-list.
And, if you had 1,000 lists, you’d have OWASP.
-
.NET Code Scanning
Hello Protocols, Packets, and Programs,
Do you love code?
Do something special this Valentine’s Day.
Whether your love is constant or variable,
Whether you have a type,
And in whatever your language is,
Use a secure default, support passkeys, target a vuln class,
Do something that makes an appsec team feel lonely, forgotten, and unnecessary.
I spend a ridiculous amount of time tweaking these intros. A few, like the film noir ones, can take anywhere from an hour to eight hours to get just right. And that’s ignoring the time spent thinking of the initial idea.
I don’t code on a daily basis any more, but I’ve always enjoyed the creative outlet of writing – code or otherwise. In both case, I’m always editing and thinking of alternate solutions, whether it’s a better abstraction in code or a more engaging piece of text. As just one example, here’s how I’d tweak the above intro if I were to do it again:
Hello Protocols, Packets, and Programs,
Do you love code?
Do something special this Valentine’s Day.
Whether your love is constant or variable,
Whether you have a type,
And in whatever language you use,
Use a secure default, support a passkey, target a vuln class,
Do something that makes an appsec team feel lonely, forgotten, and unnecessary – the won’t mind.
-
Threat Modeling
Hello Protocols, Packets, and Programs,
It’s the shortest month, so let’s waste no time to ask,
“Conan! What is best in threat modeling?”
“To crush your SREs,
See them questioned before you,
And to hear the lamentations of their metrics.”
The Conan speech is a favorite theme of mine, but it’s been ages since I did the last one back in episode 230.
-
AI & SDLC Security
Hello Protocols, Packets, and Programs,
Welcome to the historic Application Security Theater here in downtown Devington!
As a reminder, please silence any devices and top ten lists.
Note that this venue has several exits.
In the event of an emergency, just keep shifting left until you reach one.
In tonight’s cast
– the role of Eliza will be played by ChatGPT,
– the role of FIDO2 will be played by 20 slides of phishing awareness,
Please be aware that C and C++ will be used during this performance. Patrons with sensitivities can Go.
Thank you and enjoy the show!
-
Cybersecurity & Privacy Predictions for 2025
Hello Protocols, Packets, and Programs,
It’s a new year, but appsec has some predictive lessons from the past.
In 1975, sci-fi author John Brunner predicted and named the computer worm in his novel, Shockwave Rider.
In the 80s, cyberpunk exploded and William Gibson’s short story, Burning Chrome, gave us the term and concept of cyberspace.
But even back in the 60s and well before the ubiquity of personal computers, there was the Star Trek communicator – which, of course, predicted that personal devices would always track and give away our location info.
To learn a bit more about Shockwave Rider, check out this old post.
-
Developers & Security Requirements
Hello Protocols, Packets, and Programs,
It’s a new year and a new chance for appsec to shine. So, …
Let’s set ablaze all the cliches.
No more shifting, no more lists,
Just good defaults in our midst.
No more chasing CVEs,
No more leaking secret keys.
Let’s have a secure design solution,
And avoid this appsec noise pollution.
-
DefectDojo
Hello Protocols, Packets, and Programs,
It’s a new year and a new vision for appsec.
Let’s have designs and defaults that minimize flaws,
And reduce the damage that an exploit can cause.
-
Identity, Usability, Transparency
Hello Protocols, Packets, and Programs,
And goodbye 2024.
What a year we’ve had,
With software that’s gone a bit bad.
XZ Utils gave us some thrills,
Crowdstrike gave us some chills.
We covered AI and vulns of all kinds,
Maybe next year we’ll talk about secure defaults and designs.
-
2024 Recap
Hello Protocols, Packets, and Programs,
Another year comes to a close,
And still I think nobody knows,
What it takes to make secure code,
Whether in C or Rust or Node.
We have all these lists of top ten,
Repeated again and again.
Let’s try a new appsec baseline
And talk about secure design.
-
Observability
Hello Protocols, Packets, and Programs,
We’re leaving November for the chill of December,
And hoping that appsec doesn’t dim to an ember.
That instead it burns brightly and begins to enshrine,
That good security comes by default and design,
That the page count of hardening guides will start dwindling,
And that all those top ten lists are used for just kindling.
-
A Scary Season of Appsec News
Hello Proto-ghouls, Dropped Packets, and Zombie Processes,
Halloween is almost here.
What scary costume will you wear this year?
Old-school Freddy Krueger?
A classic vampire?
A howling werewolf?
Client side validation?
Server side JavaScript?
A CVE?
Or,
A path traversal that goes dot, dot, slash?
-
Cloud Security
Hello Protocols, Packets, and Programs,
Welcome to October,
When tales of terror become timely and the days take a fearful turn towards Halloween.
I’m sure anyone could name a few horror movie tropes.
They can be entertaining,
But they’re often predictable and just a bit unrealistic, like
A cabin in the woods,
An abandoned medical building, or
Software written in C.
-
Appsec Fear in Three Words
Hello Protocols, Packets, and Programs,
Welcome to October,
When tales of terror become timely and the days take a fearful turn towards Halloween.
In horror movies, three words can be enough to strike fear into someone, like –
It’s behind you,
Check the basement, or
No cell service.
Appsec can also strike fear with its own three words, like –
Let’s deploy now,
Top Ten List,
Written in Perl, and
Cybersecurity awareness month.
-
Zed Attack Proxy
Hello Protocols, Packets, and Programs,
Welcome to October,
When tales of terror become timely and the days take a fearful turn towards Halloween.
Appsec has many monsters to fear.
Familiar ones, like anything written in C.
And unfamiliar ones and the unknown,
Like whatever it is password strength calculators are supposedly doing,
Whatever item 11 was that didn’t make a top ten list.
Or why phishing needs more than one term.
Because sometimes the unknown is more familiar than we realize,
Because sometimes –
Appsec is the monster.
-
News Round Up
Hello Protocols, Packets, and Programs,
As I noted last time, our episode numbers have moved into HTTP status code territory.
So with HTTP 301, where should appsec be moved permanently?
Does it develop lists for developers to develop secure code?
Does it maintain the proliferation of prefixes for types of phishing?
Does it become two more decades of dealing with CVEs?
I hope we find an answer soon, because there’s an ominous 404 not found in our future.
-
API Security & Bots
Hello Protocols, Packets, and Programs,
The HTTP 300 response code indicates multiple choices.
So, on this our 300th episode, we’d like to say thank you for making ASW your choice of podcasts about all things appsec.
Speaking of choices,
If you’re writing a parser, choose a memory safe language.
If you’re authenticating, choose a passkey.
And if you’re fixing every CVE, choose a better strategy.
-
Security Awareness
Hello Protocols, Packets, and Programs,
Does your security awareness training sound more like secure coding or The Silmarillion?
For example,
Does it sound like you’re explaining how brothers Elros and Elrond “were descended from the Three Houses of the Edain, but in part also both from the Eldar and the Maiar…” (p. 110)
Are you throwing around terms that are about as familiar as the line of Finwë, from Fingolfin and Finarfin to Finrod, sometimes Felagund, and sister Galadriel?
Because training needs to be more than taxonomy and trivia to be impactful.
After all, to write secure code, developers will need –
to go there and back again.
-
Lots of News
Hello Protocols, Packets, and Programs,
It is the ninth month of the year and, riffing on the nines of availability, every year has only one nine of official cybersecurity awareness – and it’s coming next month.
Instead of the nines of availability, what would the nines of security awareness look like?
Four nines as in 99.99% of lines of code in a repo are tested and secure?
Five nines as the percentage of apps supporting SSO or passkeys?
Or no nines, and we just keep counting to ten in the hopes that one day code becomes better.
-
IoT Security
Hello Protocols, Packets, and Programs,
IoT.
Three letters.
Two vowels, one consonant.
Zero reputation for security.
And a few million reasons why that’s a problem.
-
CrowdStrike Fiasco & Fallout
Hello Protocols, Packets, and Programs,
No more appsec noise pollution,
It’s time to find a secure design solution.
-
Appsec at Startups
Hello Protocols, Packets, and Programs,
The Olympics are over.
Black Hat and DEF CON are over.
And I still don’t know if appsec is winning yet.
-
Security Champions Programs
Hello Protocols, Packets, and Programs,
Time for more appsec calculus.
A developer implementing passkeys leaves Chicago at 10am on a train heading west.
An appsec team leaves at noon on a train heading east.
How many terms for phishing does the appsec team come up with by the time the developer is done?
-
Managing Paranoia
Hello Protocols, Packets, and Programs,
We can’t leave July without one more appsec math problem.
If a browser upgrades to HTTPS by default, and a site only supports HTTPS, how many public Wi-Fis does it take to look up secure communications over an insecure channel?
-
A Realist Approach to Generative AI & Appsec
Hello Protocols, Packets, and Programs,
Here’s today’s appsec math problem:
If you have X security tools and you shift Y of them left, how many secure designs do you have?
-
AI & Auto-Fixing Code
Hello Protocols, Packets, and Programs,
Let’s have another appsec calculus problem.
A CVE departs a station at 10am.
It has an unreachable destination.
At what time does an appsec team say it needs to be fixed?
-
Appsec Calculus
Hello Protocols, Packets, and Programs,
Let’s solve a time-traveling appsec calculus problem.
If we are at the halfway point of 2024,
And a SQL injection vuln departs from the past 20 years ago,
And a secure design departs for the future,
What year does the last SQL injection CVE arrive?
-
OAuth 2.0 and More!
Hello Protocols, Packets, and Programs,
I quite enjoyed Furiosa, the latest entry in the world of Mad Max.
It’s a dystopian future of scarce resources, outrageous vehicles, and more outrageous characters.
It also makes it sounds like Go and Rust are thematically perfect for a future that desires to be shiny and chrome.
So even if things turn out mediocre, at least they’ll be memory safe.
-
Just the News
Hello Protocols, Packets, and Programs,
We’re halfway through 2024 and all the way in on our promise to avoid appsec cliches.
And oh how we tempted fate in May, where we talked about AI, a top ten list, and JavaScript security.
And we still have six months to go.
-
Supporting Open Source Projects
Hello Protocols, Packets, and Programs,
It’s time for a six-month check-up.
Back in January I set a desire
To see cliches expire.
And instead see designs against vuln classes
And secure defaults for the masses
That give us a better solution
To reduce our appsec noise pollution.
-
Secure Coding in Node.js
Hello Protocols, Packets, and Programs,
There are famously hard problems in mathematics.
Like Fermat’s Last Theorem with his truly marvelous proof that a margin was too narrow to contain,
The shortest path for a traveling salesperson,
And dealing with integers in JavaScript.
-
OWASP Top 10 for LLMs
Hello Protocols, Packets, and Programs,
No AI walks into a bar this week, but I do have a limerick for you.
“I’m more than a math computation,”
An LLM said with elation.
It sounded like magic,
But then slightly tragic,
Being just a hallucination.
-
AI & Hype & Security (Oh My!)
An AI, an LLM, and a chatbot walk into a bar.
The bartender says, “What is this? A joke?” and asks for ID.
The AI says they’re 21, but can’t explain why,
The LLM says, “I don’t have an ID in the traditional sense.”
The chatbot says, “Do you need help with an ID?”
The bartender points to the exit and says, “Get out.”
The AI walks into a wall.
The LLM adds, “Now.”
The chatbot says, “Would you like to see other movies by Jordan Peele?”
The bartender thinks for a moment and says, “Nope.”
Since this episode had two interview segments, I added a short intro for the second one:
A machine learning algorithm walks into a barge, a barrio, a barracks, a barrel, a barbecue, a barn, and then a bar.
The bartender says, “What’ll it be?”
The algorithm looks around and says, “What is this? A joke?”
-
Software Supply Chains & AI
What if appsec wrote aviation safety scripts?
Welcome to flight ASW 283.
The captain has turned on the password strength sign, which means that your password must meet an annoying list of requirements as this flight is not equipped for passkeys.
There are several emergency exits on this aircraft.
Take a moment to locate the exit nearest you, keeping in mind that the default choice is probably insecure.
If there is a loss of cabin pressure, memory safety masks will drop down. To start the flow of code, pull the mask towards you.
To tighten the fit, address all the web app vulns that have nothing to do with unsafe memory.
In the unlikely event of a water landing, check beneath your seat for a top 10 list of aquatic dangers.
Thank you.
And please use caution when opening overhead dependencies, as contents may have shifted maintainers.
This is the second time I’ve imagined an appsec aviation script. The first time was back in episode 228.
-
Investing in Open Source
Hello Protocols, Packets, and Programs,
Why do we bother with security awareness programs when we have so many opportunities to summarize security concepts through limericks?
For example,
I suspect you write code for the thrills,
Open source doesn’t pay for your bills,
Don’t be a complainer,
Make me a maintainer,
And I’ll take care of XZ Utils.
-
Appsec Taxes
Hello Protocols, Packets, and Programs,
It’s tax day in the United States, where it’s said the only two certainties are death and appsec awareness programs delivered by Powerpoint.
So what about appsec taxes?
Are they making you remember five different names for phishing? You deserve a refund.
Are they making you satisfy a password strength calculator instead of offering you passkeys? You deserve a refund.
Are they making you listen to Application Security Weekly? You deserve – no, wait. That’s a good one. You deserve a thank you!
-
XZ Utils Backdoor
Hello Protocols, Packets, Programs, and…Problems,
I have some errata for our last episode that just so happened to fall on April Fool’s.
We covered articles from 2004 instead of 2024.
I apologize for the error and am reviewing how we could have mistaken appsec challenges from two decades ago as indistinguishable from today.
I understand now that it might take yet one more version of a top 10 list to raise enough awareness about SQL injection to eradicate it as a vuln class.
I realize now that calling for the death of passwords in 2004 was premature, since it’s apparently still important to make users read password composition instructions before they can handle better choices like passkeys and other hardware-backed solutions.
This intro was, of course, a nod to last week’s episode 279 where did a news segment as if it were 2004 instead of 2024.
-
Cybersecurity Awareness Limerick Month
Hello Protocols, Packets, and Programs!
We continue the cybersecurity awareness limerick month with…
My browser used HTTPS,
Configured from an HSTS,
But public WiFi,
Might have a bad guy,
Who can break Diffie-Hellman I guess?
Yep, this was an April Fool’s episode. It’s a rare occasion that April 1 falls on a Monday and we had to take advantage of it.
The infosec myths, mistakes, and misconceptions segment is a serious topic, though! I thought that talking about foolish ideas and why they’re harmful to users would fit well with the day’s theme.
Even the news segment has some educational bits to it. After all, a lot of the articles from 2004 either sound like they could be written today or they have the optimism that a security problem will be solved in a few years. Instead, we’re twenty years later and still dealing with a lot of the same problems.
It’s seeing those same problems that motivated me to use this theme for our show. After all, if appsec hasn’t made significant impacts in some areas twenty years later, it’s time to re-evaluate those strategies and find something better.
I’m not completely pessimistic or cynical on this topic. I think there have been some consequential shifts in appsec strategies. A few that come to mind are
- Building “paved roads” or solutions that meet developers needs and uphold the developer experience while making insecure designs difficult.
- The Infrastructure as Code possibilities of cloud environments, where resources, networks, and privileges can be expressed through (mostly) human-readable code in a way that can be linted, reviewed, and maintained.
- The phishing-resistant solutions of passkeys, WebAuthn, and FIDO2-based authentication.
- Adoption of memory-safe languages for critical system apps, device drivers in the Linux kernel, components of browsers, and lots of attention from Microsoft and Amazon.
- The (admittedly recent and still far to go) embrace of a secure by default attitude that treats hardening guides as anti-patterns.
- The (admittely recent and still far to go) push for secure design.
I purposefully didn’t mention a future of lists, whether they contain 10 items or not. For more on that, check out this post.
-
UX & Security
Hello Protocols, Packets, and Programs,
There’s only six months left to rewrite your cybersecurity awareness training into limerick form.
Remember, training should be about changing behaviors, not trivia.
For example,
There once was a scam for credentials,
Whose naming ignored the essentials.
Now everyone’s wishing
To relabel phishing
And forgetting passkeys’ potentials.
-
Cybersecurity Programs & Appsec
Hello Protocols, Packets, and Programs,
The limerick is an underused format for cybersecurity awareness training.
For example,
I once worked with some vuln scanning friends,
Who cared about the time that it spends.
Because so many flaws
Lack a threatening cause.
And the same goes for all your top tens.
-
The Case of Bad Appsec Advice
It was another Monday morning. The sign on the door said Private Investigator.
But the sign below that said closed and I was saying yes to a third cup of coffee.
It was cold and bitter, like a C++ programmer at a Rust conference.
My partner was out town, looking into a counterfeit fashions case, but that was like bad security metrics – a lot of questionable value and misleading labels.
I stared at a March Madness bracket, thinking appsec could use a tournament of its own to eliminate poor advice.
I thought about this some more as I walked down to my local donut shop to use their public WiFi, where I checked my email and scanned a QR code to see their menu.
In the last twenty years, donuts had become twice as expensive and appsec advice about half as useful.
After all, I had a patched device, HSTS, and WebAuthn.
-
Infosec Myths
Hello Protocols, Packets, and Programs,
Let’s begin a March Madness for infosec myths, misconceptions, and mistakes.
What are the recommendations that cause more harm than good?
What best practices are based on outdated threat models?
What advice sounds good, but wastes everyone’s time?
How many factors make a good MFA?
How many npm packages does it take to write “Hello, World?”
How many developers don’t care about security?
How many appsec checklists don’t care about developers?
-
Leap Day
Hello Protocols, Packets, and Programs,
It’s a leap year, which makes this coming Thursday the day that February goes off by one.
So on the day that overflows, have a bit of appsec fun.
Don’t treat it as an untyped Leap Day,
Do something like –
Fuzz your code for a Securing your Heap Day,
Try a Version and Patch Level Upkeep Day,
Or Choose a Bug Class to Put to Sleep Day.
You don’t have to pick something that can be completed,
But it should be something that’s worth being repeated.
-
Year of the Wood Dragon
Hello Protocols, Packets, and Programs!
Happy Lunar New Year!
Welcome to the year of the Wood Dragon, which is a cooler naming scheme than infosec uses for APT groups.
Whether your own element is code, cloud, or cyber, may this year bring you good fortune.
I will be celebrating the year of the dragon with lots of Dungeons and Dragons, which also has cooler names for creatures than infosec has for named vulns.
Let’s hope infosec does something cool this year.
Christien Rioux last joined us in episode 179.
-
The Case of the New Year
It was another Monday morning. The sign on the door said Private Investigator.
But the sign below that said closed and I was saying yes to a third cup of coffee.
It was hot and bitter, like a VPN admin keeping up with patch releases.
My partner was out of town, looking into a bad alibi, but that case was like a TLS handshake – a lot of hellos for just one secret.
My wall had a calendar for the new year, but my desk had a stack of old bills.
And my case log had the appeal of a code review where you couldn’t tell if a developer had sneezed or was using Perl.
In the case log, there was the MBA who made an OKR to close every CVE. It had a KPI that was DOA.
I could go on, but the world has enough lists already.
-
Application Security Theater
Welcome to the historic Application Security Theater here in downtown Codeville!
As a reminder, please silence any devices and top ten lists.
Note that this venue has several exits.
In the event of an emergency, just keep shifting left until you reach one.
In tonight’s performance
– the role of Eliza will be played by ChatGPT,
– the role of FIDO2 key will be played by 20 slides of phishing awareness,
– the role of XSS will be played by 20 years of mistaking input validation for secure frameworks.
For a PDF of tonight’s program, please provide your name, title, email address, and purchasing power.
Thank you and enjoy the show!
-
Appsec Noise Pollution
Hello Protocols, Packets, and Programs,
It’s a new year and a new vision for appsec.
Let’s set ablaze all the appsec cliches.
No more shifting, no more lists,
No more top tens in our midst.
No more chasing CVEs,
No more leaking secret keys.
Let’s talk about a real solution,
And leave behind this noise pollution.
Sandy last joined us in episode 243.
-
A New Vision for Appsec
Hello Protocols, Packets, and Programs,
It’s a new year and a new vision for appsec.
Maybe 2024 will lead to
Top 10s becoming delisted,
Hardening guides resisted,
Secure by design insisted,
And memory safety enlisted,
So that whole classes of vulns no longer existed.
-
Welcome to 2024
Hello Protocols, Packets, and Programs,
It’s a new year and a new vision for appsec.
Let’s have designs and defaults that minimize flaws,
And reduce the damage that an exploit can cause.
Let’s have designs and defaults built in a cloud,
And only use whatever least privileges are allowed.
Let’s have designs and defaults that kill off vuln classes,
And do away with secure coding guides pulled out of checklists.
-
Search for a Clue
Hello Protocols, Packets, and Programs,
As 2023 comes to a close,
I often wonder if anyone knows,
Exactly what appsec or devops means,
Or how it involves the code on our screens.
We have all these tools and lists of top ten,
Yet find the same vulns again and again,
So maybe it’s time to try something new.
We’ve got a whole show to search for a clue.
And that’s a wrap for 2023! Thanks again to all of our listeners!
-
Walks Into a Bar…
A Top Ten list, a hardening guide, and a password strength checker walk into a bar.
The bartender says, “What is this? A joke?”
The Top Ten list says, “I’ll tell you why it’s not.”
The hardening guide says, “I’ll tell you how to make it one.”
The password strength checker says, “You need a number.”
So the bartender says, “The three of you need to leave.”
To which the Top Ten list responds, “I’ll be back in a few years.”
The hardening guide shrugs, “I should have done that by default.”
And the password strength checker adds, “You need a special character.”
They leave and the appsec sitting at the bar breathes a sigh of relief.
The bartender notices and says, “Yeah, we have standards here.”
-
More Kindling
Hello Protocols, Packets, and Programs!
We’re leaving November for the cold of December,
And hoping that appsec doesn’t dim to an ember.
That instead it burns brightly and begins to enshrine,
That good security comes by default and design,
That the page count of hardening guides will start dwindling,
And that all those top ten lists are used for just kindling.
-
The Case of the Race Condition
It was another Monday morning. The sign on the door said Private Investigator.
But the sign below that said closed and I was saying yes to a third cup of coffee.
It was cold and weak, like a motto of shift left.
My partner was out of town, looking into an art forgery ring, but that was like a bad bug bounty – lots of duplicates and low pay.
When a process walked in.
They had a sob story about a suitcase of money, a horse track, and a con.
It was another sucker with a race condition.
That reminded me of the door. The closed sign has been up for weeks, but it still needed a lock.
Their story wandered, with a lot of callbacks to things I’d already heard.
Even so, I made them promise to tell me the whole thing.
I knew I should try to listen for clues, but my tab at the local donut shop needed attention.
The one catch was how much money they had left for my hourly rate.
-
The Case of the Menacing Slash
It was another Monday morning. The sign on the door said Private Investigator.
But the sign below that said closed and I was saying yes to a third cup of coffee.
It was a bitter, heavy roast, like an SEC lawsuit.
My partner was out of town, looking into a band’s kidnapped drummer, but that was like debugging a bad buffer overflow – too many symbols and on the wrong count.
When a file path walked in.
“I have a stalker,” they said, handing me a stack of letters.
Most were ambiguous, but their intent was clear – each one ended with a slash.
“I get these at home,” they continued. “Outside home. They follow me everywhere.”
I looked at more letters. Nothing about them was normal.
“I want you to get to the root of this,” they demanded.
“I can,” I said. “But not for free. Some of them are encoded, but 2e or not 2e, I charge by the hour.”
They dropped some cash on my desk, “Then put a stop to this. Period.”
-
The Case of the Greedy Characters
It was another Monday morning. The sign on the door said Private Investigator.
But the sign below that said closed and I was saying yes to a third cup of coffee.
It was cold and bitter, like an all critical patch Tuesday.
My partner was out of town, looking into a street racing ring, but that was like building a Linux desktop – lots of customizations and too many questionable drivers.
When a regex walked in.
I sighed. They usually fit a pattern of long on stories and short on cash.
“I need to find something,” they said.
“Why don’t you start at the end?” I suggested, hoping to hear a dollar sign.
“It’s a long story,” they continued. “With a lot of greedy characters.”
I knew those types, too.
“Then start at the beginning, but give me a carrot to follow.”
They paused, then asked, “Will you treat this case as sensitive?”
I nodded. And they proceeded to tell me their story, one line at a time.
-
Camp Crystal Lake Breach Notification
Hello Protocols, Packets, and Programs,
Welcome to October, when tales of terror become timely and horror marks our day to Halloween.
And what can be scarier than a breach notification.
Here at Camp Crystal Lake we take security seriously.
On Friday the 13th we identified adversarial activity that leveraged credentialed access to our counselors in training.
The threat actor was able to view several counselors in extracurricular activities. It should be noted that this only affected the camp reopening process.
The actor accessed some camp equipment and used it in an unauthorized manner.
Our investigation indicated one canoe was set adrift in the lake.
It has been recovered.
-
Jump Scares
Hello Protocols, Packets, and Programs,
Welcome to October, when tales of terror become timely and horror marks our days to Halloween.
We’ve seen the tropes of cars that won’t start and slashers that step out of the shadows,
The groups that split up and the characters who check out dimly lit basements.
The really fun movies turn those tropes into unexpected tension and misdirection,
And the really, really fun ones always have that one last scare –
Like the one just after the acceptance tests return success and code gets pushed to production.
Dan Moore joined us again to talk about the secure by design and secure by default aspects of OAuth and WebAuthn. He was last on in episode 225.
-
Scary Stories
Hello Protocols, Packets, and Programs,
Welcome to October, when tales of terror become timely and horror marks our days to Halloween.
Gather your scary stories and prepare to tell some spooky tales.
And if you need inspiration or are looking for a ghostly visitation,
Just peruse some code comments for TODOs or similar notation.
Search for patterns like hard-coded cryptographic material,
Because even well-tended repos have corners funereal.
-
Don’t Fear the Repo
Hello Protocols, Packets, and Programs,
Welcome to October, when tales of terror become timely and horror marks our days to Halloween.
When we look to version control for safety, but feel that tinge of dread
At seeing a branch with a force push
Or encountering a detached head.
We can try to revert, to restore, to stash,
But nothing will cast out a haunted SHA hash.
So this month when running the git CLI
Be cautious of things that cause Hell to stop by.
Our guest, Janet Worthington, last joined us in episode 213 to talk about the state of application security education.
-
Haunting Languages
Hello Protocols, Packets, and Programs,
Welcome to October, when tales of terror become timely and horror marks our days to Halloween.
We humans have so many ways to express fear,
From the simple horror of C to the supernatural horror of C++,
From serialized creatures with features like Java and Kotlin,
Or brain-eating zombies, like Perl.
We have psychological horror, like JavaScript integers,
And horror plus comedy, like Perl.
We have ghosts and thrillers like Go and Rust,
But however they promise us safety,
Or type checking that’s weak or strong,
They all, every one, begin with that simple phrase that haunts us for so long,
“Hello, World”
This was our second deep dive into crafting presentations and talking about communication skills. We talked with Josh Goldberg on this back in episode 251.
We last spoke with Lina back in episode 230.
-
Double the Byte!
Hello Protocols, Packets, and Programs,
We’ve rolled out of our 8-bit chapter into episode 256!
Along the way we’ve doubled our listeners.
So, A huge thank you to everyone who’s downloaded and shared an episode. Please continue to do that and also to let us know what topics you’d like to hear more of.
And don’t worry, more fun intros are coming.
It’s the same show, after all.
Only now it has double the byte.
This marks the 200th episode I’ve hosted, having started back in episode 56. You can find out a bit more about the history of ASW and its previous host in episode 200.
-
Leaving 8 Bits Behind
Hello Protocols, Packets, and Programs,
Today we leave 8 bits behind as we max out some powers of two to bring you an episode, unsigned –
At number 255.
In binary, that’s eight ones.
In hexadecimal, that’s two Fs –
Which is two more Fs than we have to give to cliches like, “Humans are the weakest link,” crypto that isn’t cryptography, or 32-page hardening guides.
I hope you’ve enjoyed every bit of my intros, they come from an 8-bit heart wanting to see our 64-bit present avoid the 2-bit security that has plagued appsec for more than 20 years.
So, help us take a byte out of insecure apps and see what the power of two hosts can do with interviews and news about the flaws we find in software.
It’s wild to look back at how many of these we’ve done. The last show number I celebrated was episode 200. And that’s quite distant from when I started hosting with episode 56.
The style of intros is just one of the things I’ve improved over all this time. We have more focused interviews and the news segments have more underlying themes to tie the articles together. But even so, there’s still a lot of opportunity to continue improving and making the show as educational and entertaining as possible. Stick around for more!
Oh, and in this episode we once again ventured into Top 10 lists. I still find them to be too vague and too disorganized for effective appsec education. We talked more about that in episode 242 and you can read more of my thoughts on it in this post.
-
The Case of the Sensitive Info
It was another Monday morning. The sign on the door said Private Investigator.
But the sign below that said wet paint and I was saying yes to a third cup of coffee.
It was cold and bitter, like a CISO saying they take security seriously.
My partner was out of town looking into a Hollywood murder plot, but that was like a bad threat model – too many actors and no lines of trust –
When a text walked through the door. They looked as if they wanted to blend into a crowd, but they were anything but plain.
They wore sunglasses and a hat with a brim the size of my tab at the local donut shop.
“I’m being blackmailed,” they said. “I don’t know who to trust.”
I’d heard this story before. I knew to be careful about timing my next words.
“I’ve got a public number, but I’m a private eye. I don’t share secrets.”
“It’s very personal. That’s my prime concern.”
“I’ll factor that in,” I said, mentally adding another digit to my usual fee.
“Only a finite field of people can ever know about this.”
“I’ve been thrown curves before. I can be discreet.”
Still, there was hesitation behind those sunglasses, so I added, “It’s secrecy from this point forward.”
They shifted nervously, but I could see we had reached an agreement.
“So,” I said. “Tell me your tale. One bit at a time.”
-
The Case of the Poisoned Model
It was another Monday morning. The sign on the door said Private Investigator.
But the sign below that said broken and I was saying yes to a third cup of coffee.
It was harsh and acidic, like an appsec team requiring a 90-day password rotation.
My partner was out of town looking into stolen antiquities. But that case was like a bad supply chain – lots of artifacts and no provenance –
When a model walked in.
I knew the type.
You could always tell they had a sob story, but you could never tell how they were going to choose their words.
“You don’t look,” they said, “like much of a private eye.”
“Ignore that,” I prompted, “and rephrase it like the sign says on the door.”
“You look broken?”
That might be more right than they knew, but I wasn’t going to let on.
“I think someone’s trying to poison me,” they continued.
I sighed. I’d heard this a thousand times before.
“I’m not making this up.”
“Ok, then”, I said. “Explain yourself.”
This was the third noir-styled opening, continuing the events from episodes 252 and 250.
-
The Case of Secure By Design
It was another Monday morning. The sign on the door said Private Investigator.
But the sign below that said closed and I was saying yes to a third cup of coffee.
It was hot, but left a bad aftertaste, like a vendor pitching AI to solve secure code.
My partner was out of town looking into a criminal trespass. But that case was like a bad API – all swagger and no authorization –
When there was a knock at the door.
“You’ve got some debts to pay,” grumbled a bulky silhouette. “And I know you’re in there.”
I looked at the door. The sign was still turned to closed and the bolt was still turned to locked.
I knew secure by default when I saw it.
They knocked again.
“Last warning,” they said, long on vowels, but short on patience.
Then before I could respond, a crowbar came through the door’s glass panel, held by a fist that looked ready for a conversation of its own.
And that’s how I learned about secure by design.
I revisited the noir style this week after having a lot of fun with it in episode 250.
-
The Rainbow Books Connection
Hello Protocols, Packets, and Programs,
40 years ago in August 1983 the DoD published the Orange Book.
So called for its orange cover, its official title was “Trusted Computer System Evaluation Criteria” and, quite unsurprisingly, was about security controls.
It was part of the Rainbow Series of computer security publications in the 80s and 90s, with each one having a uniquely colored cover.
The series always made me think of the song, “Rainbow Connection”, that opens The Muppet Movie.
Because there’s one line that feels apt for appsec –
“Rainbows are visions, but only illusions”
And where Kermit the Frog longs for the Rainbow Connection, we in appsec have been longing for 40 years or more to understand secure systems.
We last talked with Josh in episode 233.
-
Case Files of the AppSec Detective
It was another Monday morning. The sign on the door said Private Investigator.
But the sign below that said closed and I was saying yes to a third cup of coffee.
It was watered down and bitter, like a stale top 10 list.
My partner was out of town looking into a random shooting. But that case was like the slides of a bad security awareness program – too many bullets and no point –
When a string walked through the door, chewing their lip with the kind of concern we always see in troubled clients.
Their smile said ASCII, but their byte said UTF-8.
“I need you to find someone,” they said.
I could see by their expression that this wasn’t going to be a regular job.
“I’m being coerced,” they continued. “All I have are some numbers and this object.”
I nodded.
JavaScript.
I didn’t know the type, but I knew what it implied.
And I knew I had to be careful from this point on, because what they were telling me might not be strictly true.
This is one of my new favorite intros. I have some ideas and several notes on developing an appsec series based on a film noir detective.
-
Windows Not Today
Hello Protocols, Packets, and Programs,
Microsoft released Windows NT 30 years ago on July 27, unleashing a system whose default configuration and password storage would haunt networks for decades.
It required 12MB of RAM and 90MB of free disk space. Today’s Alpine Linux requires about 8MB of RAM and 130MB of disk space – although containers probably have larger hardening guides than NT ever did.
But what did NT really stand for?
Number Ten?
New Technology?
Negligible Trust?
Nothing Tangible?
Or, perhaps for the sysadmins who had to deal with NT security, it was always Not Today, Satan, Not Today.
Read more about the tragic history of Windows password security at “Selecting Secure Passwords” and “Frequently Asked Questions About Passwords”.
-
Come On, Barbie, Let’s Go Coding
Hello Protocols, Packets, and Programs,
In 1959 something was created that would haunt Y2K and that still underpins some of our modern critical infrastructure.
That was the dawn of COBOL.
1959 also brought us something quite different, yet similarly significant to our modern society.
That was the birth of Barbie.
And where COBOL was inspired by the work of a visionary like Grace Hopper, it wasn’t until 2010 that Barbie became a computer engineer.
She did at least have dual monitors and a Tux penguin.
But this weekend’s Barbie movie delivered heart, hilarity, and great dance numbers along with a message that, like with COBOL, women have been part of computing from its beginning –
And everyone should be aware of and take down the barriers that would exclude them from or stereotype them in this industry.
-
(Maybe Not) The Happiest Appsec On Earth
John and Akira ran this episode, with John crafting a wonderful ASW-style intro about Disneyland, appsec, and bug bounties.
Brian Glas came back as the guest. He talked about security non-election election systems (yes, the distinction makes sense) and revisited the topic of security education from when we first talked with him back in episode 197.
-
30 Years of Infosec Topics
Hello Protocols, Packets, and Programs,
July 9th marks 30 years since the first DEF CON back in 1993.
30 years ago is, of course, an ancient era of the internet.
So, what topics were on that ancient agenda? Let’s see…
A talk titled “Computer Privacy, 1st Amendment, Gender Roles, and Discrimination” that mentioned things like workplace monitoring.
An announcement about a new scanning tool.
A talk on “the law’s intersection with VR and liability in ‘simulated’ worlds” which noted how the hardware is moving to an interface that the user doesn’t notice. And that the law is untested against such worlds.
All of which sounds so very, very quaint and relevant and unresolved and from 30 days ago rather than 30 years.
-
Reinvigorating the Appsec Zombie
Hello Protocols, Packets, and Programs,
This week’s appsec inspiration comes from the 20th anniversary of the horror movie 28 Days Later.
Not because 28 days sounds like an SLA for patching vulns. Most severe vulns still aren’t patched 28 weeks later, which is the movie’s sequel by the way.
Not because the discourse it spawned around fast vs. slow zombies was about as useful as shifting left vs. right.
Not because it’s one of my favorite movies.
But because it reinvigorated the zombie genre.
And appsec has a bit of a stale zombie feel to it.
So, what should appsec be doing to reinvigorate secure software in order to leave a lasting impression 20 years from now?
-
Jurassic Threat Models
Hello Protocols, Packets, and Programs,
Let’s continue our hacking movie marathon.
This month marks the 30th anniversary of Jurassic Park.
It’s an excellent reference for threat modeling. Imagine –
Confidentiality with an insider selling trade secrets. Oh, Nedry…
Integrity of controls on dinosaurs breeding. To quote Malcolm, “Life, uh…finds a way.”
Availability in the electrified fence. Hello, velociraptors.
But what rings most true is that the park’s computer system has about two million lines of code and if a code review was the only way to turn the safety systems back on, everyone would have died.
-
Wargames 40th Anniversary
Hello Protocols, Packets, and Programs,
June 3rd marked the 40th anniversary of the movie Wargames.
Famous for its depiction of wardialing, hacking, Tab, tic-tac-toe, global thermonuclear war, and –
to quote character Stephen Falken, “…a computer enhanced hallucination!”
All of which sounds familiar today.
We still have AT commands in mobile devices.
We still have product placement.
And we’re still creating computer systems that hallucinate.
-
World Goth Day
Hello Protocols, Packets, and Programs,
And to the Post-Punks, the New Romantics, the Rivetheads, the lovers of New Wave, the dancers to Darkwave, and everyone who sways under the bat-emblazoned umbrella of Goth.
Because today is World Goth Day.
So whether you’re reading CVEs or securing CI/CDs, play some Siouxsie and the Banshees.
Write some code to The Cure.
Triage some bounties to Bauhaus.
And find that New Wave / Post-Punk sound.
I still haven’t mentioned Sisters of Mercy in any intro, but make sure to keep them in your music rotation.
During the discussions we also got some unofficial appsec in three words ideas from John:
- Tell me more
- Best of luck
-
Rust Turns Eight
Hello Protocols, Packets, and Programs,
After decades of buffers that bust
Appsec wants secure code it can trust
No more pointers to track
Or a double-free hack
So let’s wish happy birthday to Rust
Rust began at Mozilla, with its first v0.1 release on January 20, 2012. It finally reached version 1.0 on May 15, 2015. As an aside, that first release did include an important warning
It’s nifty, but it will still eat your laundry.
It’s now grown into a language that’s made inroads into the Linux Kernel, Android, and Windows. All strong indicators of a successful language that’s done the right things to make the developer experience a positive one – strong tooling support, info-rich debugging, and high performance. All while providing memory safety.
Plus, you can even learn and experiment with it right from the browser thanks to its ability to compile into WebAssembly.
-
Cosmos & Chaos
What if astronomer and science communicator Carl Sagan was also a CISO?
In discussing the large-scale structure of the cosmos, astronomers sometimes say that space is curved,
Or that the number of vulns is finite, but unbounded.
And that among these billions and billions of vulns, there may be intelligence.
But how shall we discover intelligent life?
Is it looking to CWEs? Giving CVSS scores more decimal points? Should our lists go to 100 instead of 10?
Perhaps the answer lies elsewhere.
And that the paths of evolution will take appsec in marvelous, different directions.
Find out more about Carl Sagan and his work at carlsagan.com. I also used a quote from his book, The Demon-Haunted World, in this old post.
In the interview segement, Kelly Shortridge talked about their new book, Security Chaos Engineering. It was a fun interview that touched on science and myth as it relates to appsec. At one point Kelly made a comment about how other domains handle resilience and safety, noting that airlines don’t approach safety the way appsec teams approach security. I even riffed on that idea back in episode 238.
But what I’m most excited about is that this episode marks a new intro and new music that has a more synthwave vibe to it.
-
Acceleration Security Weekly
You’re listening to radio KASW. That was “Overdrive” by Lazerhawk.
Time for the morning traffic report.
Vulns are backed up on the CVE expressway, as it just passed 200,000 records last week.
Major delays at the intersection of CI and CD due to an overturned truck carrying a bunch of CVSS scores. They’re all under 3.9, however traffic is still blocked by an appsec team checking out the scene.
There’s major construction down at the Infrastructure as Code, but once you’re past the onramp traffic is moving quickly.
It’s stop-and-go along C street due to memory safety activity. But they’re opening up new lanes so it’ll be rust-and-go pretty soon.
No delays on I-239. So shift gears and hit that pedal on the right.
This was one of my favorite openings and one of the easiest to write once I had the idea. I’ve riffed on the New Wave / Post-Punk Security Hour several times in the past and this was a chance to revisit that radio idea without being repetitive.
The title track and “Overdrive” from Lazerhawk’s album “Redline” were one of my first discoveries of synthwave and outrun. It was a new sound that immediately hooked me and pulled me into a universe of new, amazing music.
-
Appsec for Aviation Safety
What if old-school appsec wrote aviation safety scripts?
Welcome to flight ASW 238.
When the password sign illuminates, you must rotate your password.
There are several emergency exits on this aircraft. Please take a few moments now to locate your nearest egress filter. In some cases, your nearest one may be denied.
If there is a loss of cabin pressure, oxygen masks will drop down. To start the flow of oxygen, pull the mask towards you and submit a breathing review request.
Although the bag does not inflate, your vuln count will.
In the unlikely event of a water landing, check beneath your seat for a top 10 list of swimming techniques.
Thank you.
And please be careful opening overhead CI/CD tools, as contents may have shifted left.
We interviewed Jeff Moss, aka The Dark Tangent. He’s the founder of the DEF CON and Black Hat conferences.
Check out DEF CON’s Hacker Documentaries, Videos & Shorts page for more about the history of hacking, some of its personalities, and why it’s very much a “hacker’s conference” that intersects with technology, privacy, security, and civil society.
-
Bountiful Bugs
Hello Protocols, Packets, and Programs,
A coder once said with composure,
“We might have an unknown exposure.”
But someone protested,
“I thought it was tested.”
And that’s why we have vuln disclosure.
A limerick first appeared in episode 210.
In the news segment, we talked about Secure-by-Design and -Default from CISA and friends. I’m happy to see how explicitly the guide calls out the importance of security by default:
A secure configuration should be the default baseline.
And even has two paragraphs on hardening vs. loosening guides.
I also mentioned my desire to do away with hardening guides back in [episode 161]. They’re ancient relics that should be replaced by opinionated, secure defaults.
-
An Empathy Test
Hello Protocols, Packets, Programs, and Replicants,
You’re in appsec, walking along in the code, when all of a sudden you look down…,
It doesn’t make any difference what appsec, it’s completely hypothetical.
You look down and see a program. It’s crawling toward you…
You reach down and you flip the program over on its back.
The program lays on its back, its belly baking in the hot sun, beating its legs trying to turn itself over, but it can’t. Not without your help. But you’re not helping.
Why is that?
In Bladerunner, the Voight-Kampf test is designed to elicit an emotional response. It’s designed to test empathy, with the implication that doing so can distinguish between humans and replicants – what the Tyrell Corporation bills as more human than human.
The incept date for one of the replicants in the movie, Leon Kowalski, was April 10, 2017.
Happy birthday, Leon. I got you a tortoise.
As a bit of appsec history, we mentioned Heartbleed in the news segment. It dates back to April 7, 2014. It was an easy vuln to exploit and stressed out teams who had to scramble to update services and rotate keys. At the time, I was still deep in C++ and wrote a tool and blog post to demonstrate the vuln.
-
Fiercely Territorial
Hello Protocols, Packets, and Programs,
We’re visiting one of the few natural preserves left for wild processes.
Here amongst the user space, creatures like the north american reduced process roam free.
However, a species of belligerent protective fauna also inhabits this region.
These extended BPFs are fiercely territorial.
When they hear the call of an unfamiliar animal, they investigate and prepare to defend their space.
Let’s watch.
-
Stone Markup Languages
Hello Protocols, Packets, and Programs – and Ptolemaic subjects,
On this day of the year 196 BC, King Ptolemy V of Egypt decreed no taxes to keep his people happy.
We know this because of a large stone language model – the Rosetta Stone, that contained hieroglyphics, demotic (a cursive hieroglyphics), and Greek.
Of course, cuneiform was the original stone markup language, dating back to 3,500 BC.
It was eventually standardized into SGML in 1986.
And that in turn led to the equally ancient HTML, dating back to 1993.
So today, whatever language model or markup language you use,
Leave some documentation for the future.
I also riffed on markup languages back in 2011 and 2012 when I was looking at the changes HTML5 was introducing.
-
Violator
Let’s look at another New Wave influence on our appsec world.
Yesterday marked the anniversary of Depeche Mode’s “Violator”, whose track listing sounds like a journey through software development.
Starting with an idea from the “World in My Eyes” to the “Sweetest Perfection” of a design.
Then on to “Enjoy the Silence” – of build warnings, I think. I hope the line, “words are very unnecessary” doesn’t refer to documentation.
And ending with a deploy to prod that’s “Clean”.
I just can’t get enough.
Like episode 231, I went deep on a single album again. There’s a wealth of New Wave bands to draw from and I try to avoid too many repeats, but Depeche Mode is always going to get a mention at least once a year.
This episode was also a celebration of Curl’s 25th anniversary. And in ASW style I celebrated with a limerick:
This one time when my browser did die
I thought, “Why not give libcurl a try?”
I typed dash dash help all
And then watched as a wall
Of 200+ options scrolled by
The first official version of Curl appeared on March 20, 1998. Two weeks later version 4.1 fixed three bugs. Twenty-five years later it’s fixed a several thousand bugs. But that’s just the nature of software development.
Most importantly, libcurl and its command-line counterpart are premier tools present on every operating system and in countless apps. It’s proven to be one of the most successful open source tools.
A lot of that success lays with its maintainer, Daniel Stenberg, who shepherds the C code through thoughtful design and has built a positive community around the project. Almost 3,000 people have contributed code or feedback to the project. All of these are strong indicators of success.
Read more about its releases and its history to find out about its origins in Brazil and why the first release was 4.0.
Congratulations on version 8.0.0! May we see another 25 years of handling protocols.
-
Simulations
Hello Protocols, Packets, and Programs,
Since today is the 13th, add “The Thirteenth Floor” to your list of cybersecurity movies.
It came out the same year as “The Matrix” and both deal with simulations as a stylish menace, born from green fonts on a black screen.
“The Thirteenth Floor” was even based on a sci-fi novel from the 60s, which posited the use of Simulectronics for marketing research.
Of course, neither captured the reality of virtual reality like the Metaverse.
After all, the movies embellished things like dying while connected and avatars having legs.
I like how the OWASP ASVS organizes steps devs can take to create secure apps. I find it far more useful than the OWASP Top 10. So I enjoyed this chance to talk with one of the project’s leads and learn how they emphasize outreach to devs.
-
The Hurting
Let’s look at another New Wave influence on our appsec world.
Tears for Fears released their debut album “The Hurting” 40 years ago this week.
The tracks combine a synth-pop appeal with a stylish gloom.
And they also sound like chapter titles in a book on git branching with names like,
“Ideas as Opiates”
“Change”
“Start of the Breakdown”
“Mad World”
And “Memories Fade”
It makes me want to shout.
-
Contemplate This
Hello Protocols, Packets, and Programs,
It’s that time when once again we must ask,
“Conan! What is best in DevOps?”
“To crush dependencies,
To see them versioned before you,
And to hear the compilation of their source code.”
Conan’s proclamations on DevOps are one of my favorite themes. Check out episodes 137, 149, and 220 for similar riffs.
Our guest this time was Lina Lau, who talked about her view of appsec as an incident responder. She returned in episode 257 to talk about techniques for crafting presentations and training.
-
Compile a Poem
Hello Protocols, Packets, and Programs,
Tomorrow is Valentine’s Day, created by the big compiler companies to sell more code.
Whether you declare your love as constant or variable, I hope you find your type.
And regardless of what language you choose, keep them safe in your memory.
-
Pick a Card
Hello Protocols, Packets, and Programs,
I love magic. The sleight of hand, misdirection, the wonder.
I love its affinity with cons and deception.
Ricky Jay was an historian of every one of those topics, as well as a master himself at sleight of hand and cards.
He was instrumental to the movie, “House of Games”, in which a conman explains to a mark, “It’s called a confidence game. Why? Because you give me your confidence? No. Because I give you mine.”
I also mentioned the three of clubs, which is the card that Penn & Teller always prefer.
This felt like a nice complement to the “Myths and Lies in Infosec” that our guest, Adrian Sanabria, talked about. Adrian hosts Enterprise Security Weekly and has joined ASW as a co-host in episodes 143 and 181.
I love magic that tells a story. Sleight of hand and card tricks are impressive, but a trick that manages to deliver an emotional impact on top of skill is what I love the most. Those ideas also served as a metaphor in my introduction to AHT4.
The topic of breach responses came out of our discussion about how to get beyond myths and lies in infosec. Two points were transparency and speaking in plain language.
I also noted this doc about external communication during a breach. It even has the phrase, “Public comments should demonstrate that you are taking the issue seriously…”
But the important part is to explain how you’re taking security seriously, not just repeating the platitude that you do.
-
I Am Not A Number!
“Where am I?”
“In the village.”
“What do you want?”
“Information.”
That’s part of the intro to one of my favorite shows, The Prisoner, whose last episode originally aired February 1st, 1968.
It was a somewhat surreal series about individualism and surveillance with a cryptic main character known only as Number Six.
The intro ended with the show’s famous line, “I am not a number. I am a free man!”
It’s a well told story and, fifty-five years later, its themes hold up well.
After all, advertising identifiers are just slightly larger numbers.
Here’s an article from the BBC on the 50th anniversary of when The Prisoner started filming.
I recommend going into the series as fresh as possible. The only bit of context that might be helpful is that the star, Patrick McGoohan, played a spy in a series prior to this called Danger Man. You can find the full series at ShoutFactoryTV.
Once you’ve watched the entire series (the 17 episodes go quickly), check out this Twitter thread (spoilers!) from J. Michael Straczynski about some of the meaning behind the show and its two-part ending.
Be seeing you.
-
Year of the Rabbit
Happy Lunar New Year and welcome to the Year of the Rabbit!
Let’s see some rabbit-related references in presentations this year.
No more Sun-Tzu stock phrases or Clausewitz cliches.
Where are the leadership lessons from Watership Down?
The social engineering tricks of El-ahrairah?
Or the appsec-like premonition from Fiver, “There isn’t any danger here, at this moment. But it’s coming…”
This week Marudhamaran Gunasekaran joined us to talk about his experience in customizing secure code training for #DevSecOps teams.
One of the points was that teaching pentesting concepts and tools is useful for building awareness on how apps are compromised, but developers don’t spend their day pentesting. They need resources that help them design and implement code, which is why threat modeling can be such a valuable security practice.
Marudhamaran mentions a few tools, including the Microsoft Threat Modeling Tool. I still prefer a tool-less approach where security moderates a discussion among a development team that walks through the questions of
- What are we building?
- What could go wrong?
- What should we do about it?
And if a tool is necessary, it’s just a loosely structured document that captures points made and recommended actions that came out of that discussion.
-
Already in Progress
Hello Protocols, Packets, and Programs,
We are now tuning in to a year already in progress.
So far, someone has taken security seriously.
A few thousand CVEs are in the wings.
AI is the new ML.
And supply chain has just entered the chat.
Let’s see what happens next.
-
Welcome to 2023
Welcome to 2023.
May your code have safe memory,
Your bugs have fair bounty,
Your artifacts be signed,
Your threat models defined,
May your clouds and your pods have least privilege in place,
But however the year goes,
Please join us,
For a new season of shows.
This month also marks the podcast’s 5th anniversay. Keith Hoodlet launched episode 0 with Paul Asadoorian on January 5, 2018.
We last spoke with Keith in episode 200.
-
Pure Energy
Welcome back to the New Wave / Post-Punk Security Hour.
Where we’re listening for appsec lessons in electronic sessions.
This time, from Information Society’s, “What’s on Your Mind,” which begins:
“I wanna know
What you’re thinking
There are some things you can’t hide”
Which hits the needs for explainability in AI and transparency in its training data.
But, there’s also a lesson for me,
As the lyrics include:
“Here I am in silence
Looking ‘round without a clue”
We covered a lot of articles on AI code generation and chat issues in the news segment. Here’s the article about AlphaCode that I mentioned. It’s a competing system to OpenAI’s Codex.
This was the last episode of 2022! Thank you for listening. We’ll be back on January 2, 2023 for a whole new year of appsec, New Wave, synthwave, and more.
-
Thank You!
Hello Protocols, Packets, and Programs,
The year is almost over, which means everyone’s creating their top 10 and best of lists.
I don’t know what my top 10 list is quite yet,
But I do know that the top of my best of list is our listeners.
Thank you!
It makes these Monday mornings worthwhile.
We still need candidates for this year’s appsec top 10…
I really liked this interview segment because our guest, Aviv Grafi, talked about the technical side of securing potentially malicious files as well as the product emphasis on having a tool get out of the user’s way. It’s nice to see modern appsec approaches do away with old, unhelpful premises like “Users are the weakest link” or “Users are the enemy”.
Plus, I like the preventative approach of rewriting files into a known good state. It’s like handling user-generated content like image files, where the system resizes, strips metadata, and rewrites images into a new format in order to avoid attacks against image parsers or leaking a user’s personal information. And I got to sneak in a reference to one of my favorite tongue-in-cheek RFCs, RFC 3514, the Evil Bit.
My over favorite April Fool’s standard is RFC 1149, “A Standard for the Transmission of IP Datagrams on Avian Carriers.” – I suppose I’ll have to do a new intro for “Pigeons, Packets, and Programs” in a future episode.
-
Elementary
Hello Protocols, Packets, and Programs,
It’s episode 221-B as in Baker Street and Sherlock Holmes.
The famous detective who solved mysteries with his companion Watson,
And in one such story, provided a lesson to appsec with the warning,
“…how dangerous it always is to reason from insufficient data.”
The interview segment with Kenn White talked about queryable encryption – a way to maintain confidentiality of data while still being able to run common queries like equality, ranges, or partial string matching.
We didn’t wade into deep cryptographic details, but touched on some principles like modes of operation for block ciphers. A great resource to learn more about common cryptographic principles and constructions is the online cryptography course from Dan Boneh.
-
Conan the (Borrow-Checking) Barbarian
Hello Protocols, Packets, and Programs,
I realize it’s been a while since we’ve asked,
“Conan, what is best in DevOps?”
“To crush your memories,
To see control flows before you,
And to hear the sanitations of their pointer.”
The Conan riff is one of the most fun to return to. My first one was back in episode 137. The second was in episode 149. And now a year and a half later I’ve come up with a third.
The Rust programming language takes a “borrowing” approach to memory safety that focuses on ownership rules for values. It might not feel intuitive at first, but I find its semantics force thoughtful considerations about the use of objects and data structures. I’ve always been a fan of correctness first, so I’m willing to trade up front mental effort for compile-time guarantees.
The Go programming language relies on a garbage collector to achieve memory safety. I’ve done a little bit of Go. The syntax feels different, but some brief exposure to OCaml helped me get a sense of it rather quickly.
The C programming language relies on pure luck. And LLVM’s AddressSanitizer.
The C++ programming language relies on scoped std::pure luck, reference counting, and LLVM’s AddressSanitizer.
Regarding the news segment, the Top 10 CI/CD security risks is now an official OWASP project.
And as another note on the news segment, the nod to “Outpost 31” is a reference to the movie, The Thing. It’s one of my all time absolute favorite films. I couldn’t pass up a mention of Antarctica without noting it.
-
Ghosts of October
Hello Protocols, Packets, and Programs,
We leave the ghosts and goblins of October behind us.
And take a moment to recover from the tales of horror, madness, and danger that only a cybersecurity awareness month can bring.
In the news segment, we covered some high-level details of the OpenSSL punycode vuln. I didn’t manage to summarize it in 10 words or less, but used the opportunity to mention the sending spell from D&D that’s limited to 25 words or less. We might have to come up with a “Sending Stone” mini-segment where we describe a topic according to that spell’s restrictions – it’s hard to do so on the spot without long pauses, but it sounds like a fun challenge for a prepared segment.
We also touched on writing skills. I had forgotten to add the plainlanguage.gov site to the show notes. It’s a great resource for clear, concise writing.
Security through obscurity came up in this episode. I see the use of obscurity as an anti-pattern when it’s used to distract from or hide an underlying flaw and that flaw is otherwise left unaddressed. It relies on hoping that an attacker won’t find a flaw rather than trying to make the flaw more difficult or exploit.
-
They Live
Hello Protocols, Packets, and Programs,
We’re coming to you live from Cable 54 where we’re celebrating Halloween.
That time of year where we hear those adorable phrases like,
“Trick or treat!”
“They’re coming to get you, Barbara.”
And,
“We take your security seriously.”
This episode landed right on Halloween, which was perfect timing to talk about web3 security and, more importantly, add some subtle references to one of my favorite movies – They Live. The movie came out on November 4, 1988, which is also perfect timing to celebrate it on the show. Not only does the movie show John Carpenter’s skill in visual storytelling, its social commentary still holds up.
We also welcomed Akira Brand as a co-host in this episode. She was previously a guest on episode 215.
-
Horror’s Subgenres
Hello Protocols, Packets, and Programs,
This month we celebrate horror –
Especially its subgenres.
Like hauntings, slashers, found footage, zombies, NPM packages,
And pretty much anything that keeps you awake at night.
-
Abandoned Places
Horror movies have a trope of abandoned locations that includes a reveal about the dreadful testing that occurred there to make them so haunted.
Places like abandoned hospitals, orphanages, or even underground bunkers.
But also places closer to us, places like abandoned code repos.
-
They’re Coming to Get You, Appsec
Hello Protocols, Packets, and Programs,
I love zombie movies. And in my favorite ones, the real monsters aren’t the living dead, but many of the humans who remain alive.
So, when I think of appsec, I think more about how we could collaborate to find and fix vulns, rather than worry about just how many vulns are out there.
In the news segment we talked about the Linux kernel’s merge of Rust support into the mainline branch. That code officially appeared on Dec. 11, 2022 in the v6.1 release. For more details on the journey to bring Rust into the kernel, check out Miguel Ojeda’s blog.
-
Countdown to Halloween
Hello Protocols, Packets, and Programs,
We begin our countdown to Halloween with a notice of tropes to expect.
Your phone is going to lose signal.
Your car is going to have trouble starting.
And your business continuity plan will rely on an unmanaged shell script.
-
October Is Almost Here
Hello Protocols, Packets, and Programs,
October is almost here, when we get to tell the scariest stories, read the most horrifying code, and try to survive yet another powerpoint presentation on cybersecurity awareness.
October is the time of cybersecurity awareness. It’s good to have an explicit call to attention for security topics, but it’s terrible when that call to attention is squandered on boring, static presentations or empty recital of top 10 lists or warnings to “Don’t click that link.”
Links are designed to be clicked. If your security awareness and security models rely on some sort of manual scrutiny to distinguish a “good” link from a “bad” one, then you’re two decades behind modern appsec and you’re wasting your audience’s time.
Appsec checklists and standards always include “Secure Coding” or, worse, just declare, “Write secure code.” But where do developers learn about fundamentals of secure coding or what secure code even looks like?
Janet Worthington joined us in the interview segment to talk about how universities cover infosec topics and what the industry can do to improve that education. She returned later in episode 258 to talk about DevSecOps and focusing security efforts on design instead of vulns.
-
Pwn of the Living Dead
They say when there’s no more room in powershell, credentials will walk the earth.
Coming this Halloween: Pwn of the Living Dead.
In sneak previews now.
It’s my nod to George Romero’s living dead movies, specifically Dawn of the Dead.
-
Thank You For Sharing
Hello Protocols, Packets, and Programs,
I’m taking a moment to say thank you to everyone who’s been sharing episodes and kindly giving us good ratings.
We’ll keep bringing you entertaining and informative episodes!
-
Hell-LVM
In a world where CVEs are documented and every bug has a bounty,
A DevOps team will test in prod –
And awaken an ancient evil.
Coming this Halloween: Hell-LVM
The compiler has given its last warning.
A developer carelessly passes the
-fsatanize=addressflag toclang, turning the compiler into a demon who seeks vengeance on all who ever fed it bad code.In the news segment we covered the Twitter whistleblower report, which I summarized in limerick form:
A hacker named Mudge blew the whistle
Causing Twitter execs to bristle
He said they were lacking
Protection from hacking
And they replied, “Here’s your dismissal.”
And a backup version that I also liked:
In the 90s some hackers from l0pht
Warned Congress that networks were too soft
Now two decades later
The risk is much greater
And apparently Twitter just scoffed
-
Captain’s Log
These are the episodes of the podcast ASW.
Its continuing mission: to explore strange new clouds.
To seek out new flaws and new implementations.
To boldly go where no one has gone before!
I first riffed on this in episode 163 and plan to return to it every August now in memory of Gene Roddenberry’s birthday.
Live long and prosper! 🖖
-
Void Stars
Do you enjoy battling threats with weird names?
Manipulating characters and classes?
Handling polymorphic types and void stars?
Appsec is the right place for you.
But if you want all that plus rolling dice – check out the Dungeons & Dragons Spelljammer update. It comes out tomorrow.
Sure, C programmers are familiar with
void *, but the far more exciting version of a void star is in the D&D Spelljammer setting. It’s a setting rife with giant space hamsters (yes, these are canonical creatures), mind flayers, and other bizarre creatures.Speaking of mind flayers, I’d far prefer to replace the phrase, “…hit by a bus” with “…brain eaten by a mind flayer” to convey the danger of not writing down the institutional knowledge carried in the minds of appsec and devops folks.
Plus, the news segment has my absolute favorite thumbnail image.
-
The Natural History of Appsec
These majestic rustaceans have just spawned on the shores of ASW. Driven by evolution, they know instinctively how to reference each variable they will ever encounter within their lifetime.
However, evolution also leaves vestigial organs like FFI. As the other newborn processes rush to safety, this one returns to C and exposes a dangling pointer.
Drawn by this unpredictable behavior, a swarm of exploits appears.
I first riffed on this intro in episode 205.
-
The “M” Stands for Music…Mostly
MTV – Music Television – debuted August 1, 1981 promising 24 hours of music videos leading to shows like Headbanger’s Ball and 120 Minutes, which was 120 – about 90 minutes of videos because of commercials.
It launched with “Video Killed the Radio Star” and the lyrics
Rewritten by machine and new technology
And now I understand the problems you can see
Which sounds more like DevOps killing Appsec…actually
-
The Natural History of Appsec
We’re watching a zero-day in the wild as it approaches a buffer that’s been separated from its pointer authentication code.
Neither the buffer nor the nearby stack canaries, which enjoy a symbiotic relationship with these regions of memory, have noticed the approach.
Unaware of this danger, the buffer consumes data.
What if we approached appsec with the same wonder as that towards the natural world?
This was, of course, a nod to David Attenborough and his documentaries on nature, dinosaurs, and Earth. He has the most amazing ability to evoke the wonder and drama of nature through narration that educates as much as it entertains. He has produced, written, and narrated several documentaries. One of the most popular is BBC Earth.
In the news segment, Joe South joined us to talk about path traversal (my favorite vuln) and an article about OAuth flaws that referenced the movie Dirty Dancing – another sure way to get my attention.
-
Tainted Love
Once again we dip into New Wave / Post-Punk history for appsec inspiration.
This time with Soft Cell’s “Tainted Love”, which they released in July 1981, with the line
“Once I ran to you
Now I run from you”
Which could be a theme for
Thread safety
Input validation
CISO roles
Or really anything summed up by the lyric
“For I toss and turn, I can’t sleep at night”
We covered an article in the news segment about the US military’s interest in software supply chain, code constributors, and brittle projects. Brittle projects are those critical to others and prone to the bus factor, which is a common phrase that roughly means in this case, “Does this whole project fall apart if just one person gets hit by a bus?”
As an aside, I’d love to do some archaeological (and anthropological) digging to find that phrase’s origin.
I’m always suspicious of metaphors in infosec. They tend to diverge from or obfuscate underlying principles of an issue, although they can provide an illuminating or humorous reference. The “bus factor” is pretty tame, commonly understood, and fits well with the article.
But why make public transportation the menace here? Why can’t we be more creative with something like, “Brain eaten by a mind flayer?”
-
Fight For The Users
Hello Protocols, Packets, and Programs,
It’s the 40th anniversary of my favorite hacking movie, Tron.
It has visual style, music by synth pioneer Wendy Carlos, and one of the best quotes to summarize my favorite type of appsec,
“That’s Tron. He fights for the Users.”
-
A Palindrome
Hello Protocols, Packets, and Programs,
Today’s episode number is a palindrome – something that reads the same backward as it does forward.
But given some of the CVEs we’ve covered this year, it’s hard to tell if appsec is moving forward at all.
-
Free RPG Day
Hello Protocols, Packets, and Programs,
Role-playing games involve small groups of people making things up, lists and tables, communication skills, and random events – it’s like appsec, but with better tabletop exercises.
This Saturday June 25th is free RPG day.
So if you know VI, but not the eye of Vecna, check it out.
-
The Difference Engine
It’s episode 200 and I’m thinking back 200 years ago to June 14, 1822 when Charles Babbage presented a machine that could efficiently calculate polynomials.
The difference engine, as he called it, is considered one of the pioneering works of computing.
He later designed an improved difference engine number 2. But, it was never built in his lifetime.
Not built until 1991, when the Science Museum, London finished the first ever implementation of the calculating engine – only four years before JavaScript’s invention.
The museum completed the full engine’s design in 2002, weighing in at 5 tons of iron, steel, and bronze with 8,000 parts spanning 11 feet long and 7 feet high.
And, to be fair, 8,000 parts for 5 metric tons of computing sounds like the physical manifestation of today’s NPM package dependency trees.
In addition to riffing off 200 years of computing history, we had Keith Hoodlet join in as a co-host. He’s responsible for starting the ASW podcast in the first place, having hosted it from episode 0 through 55. I dove in at episode 56 to continue the journey.
-
Response Codes
Hello Protocols, Packets, and Programs,
HTTP response codes from 100 to 199 are informational responses.
And, since this is episode 199, it’ll be the most informational one possible.
Luckily, the next response codes from 200 to 299 are for success.
It only gets better from here.
-
Seven Seasons
Hailing frequencies open, because on this day in 1994 the series finale of Star Trek: The Next Generation aired, concluding seven seasons of boldly going where no one has gone before.
There are still more Star Treks than there are OWASP Top 10 versions, but that gap is narrowing.
So if you don’t mind acronyms, some predictable villains, and jumping around in time, check out the OWASP Top 10.
-
SuperFlowerBloodMoon2
Hello Protocols, Packets, and Programs,
Last night was the super flower blood moon, which in other circumstances wouldn’t make for a bad passphrase.
But now that everyone knows about it, I have to change mine to super flower blood moon 2.
But blood moon 2 isn’t as good as FIDO2, which uses public key cryptography that avoids the need for memory of super flowery entropy when it can just be a credential ID between that server and me.
-
Five Nines
Hello Protocols, Packets, and Programs,
Today’s date is five nine, just like we strive to bring you five nines of quality appsec news and interviews every week.
Heh, this may be one of the shortest intros.
-
The Robots
Hello Protocols, Packets, and Programs,
In May 1978 electronic music legends Kraftwerk released “The Robots”. It’s a model of the band’s hypnotic rhythms and sparse lyrics.
And if you listen carefully, there’s an appsec message in
“We are programmed just to do
Anything you want us to”
-
Approaching 200
Hello Protocols, Packets, and Programs,
We’re approaching our 200th episode, so how should we celebrate?
200 hardening steps for Kubernetes, 200 XSS payloads, the 200 Java CVEs that have come out in the past six months?
We’ll see.
-
Dangerous Binary Thinking
Hello Protocols, Packets, and Programs,
Whatever category you fall into, we’re glad you’re listening.
Because the only binary thinking around here comes from computers.
And if you’ve been counting CVEs or calculating CVSSes, then you know just how dangerous that binary thinking can be.
-
Beyond Top 10
Hello Protocols, Packets, and Programs,
Every week we bring you interviews and news on application security.
We go beyond top 10 lists and CVEs with fancy names to find interesting angles and insights.
So whether your appsec knowledge is zero-days or in its early days, join us for another dive into DevOps and security.
-
Poisson
I far prefer the French approach to April Fool’s with their Poisson D’Avril – slap a paper fish on the back of an unsuspecting victim.
Much like appsec slaps a bunch of checklists on unsuspecting code.
But maybe the joke’s on us?
After all, we still have CVEs week after week after week.
Maybe it’s the term appsec itself – it starts with apps and whatever good intentions you might have, but it nevertheless always ends in C.
-
Tell Me Now
We’re back with the New Wave / Post-Punk Security Hour.
Just imagine Duran Duran providing the theme for breach notification requirements.
They released, “Is there something I should know?” in March 1983 with the opening lyrics of
“Please, please tell me now
Please, please tell me now”
-
Clue
Hello Protocols, Packets, and Programs,
I love role-playing games like D&D and board games like Clue.
Clue is a game about solving mysteries.
Like –
Who killed the kernel with the dirty pipe in the code library?
Where was the Java stack killed with a JNDI?
But where the movie Clue gave us mystery and comedy and an amazing cast including Tim Curry,
Appsec just gives us a cast of CVEs with curious names and patching SLAs that far too many people laugh at.
-
Friday
Hello Protocols, Packets, and Programs,
The Cure have a famous song about Friday, with the lyrics:
“Monday you can fall apart
Tuesday, Wednesday, break my heart
Thursday doesn’t even start
It’s Friday, I’m in love”
Which, honestly, sounds like someone messing up their git branch,
Trying to resolve merge conflicts in a rebase gone wrong,
Dealing with a force push to the wrong branch,
Then finally just deleting it all and starting with a new git clone.
In December 2022 The Cure re-released a documentary of their 1991 tour, Play Out. It comes 30 years after Wish, the album that included “Friday I’m in Love.”
Instead of an interview segment for this episode, John and I talked about resources and tools for learning appsec. It’s an extension of a previous webcast on “DIY: Building a Security Lab at Home.”
-
Internal Jokes
Hello Protocols, Packets, and Programs,
You know I love music references and, being February, it’s a chance to mention Janet Jackson’s album Control, released in February 1986.
Its themes of self-determination and respect are something any Trust and Safety team should be mindful of.
And with all this supposed security shifting left, it’s a good time for DevOps teams to turn to appsec and invoke one of my favorite songs, “What have you done for me lately?”
-
Perfect Direction
Hello Protocols, Packets, and Programs,
As we start a new year, let’s review the recent decades.
1982 gave us the Commodore 64
1992 gave us Windows 3.1 with Apple’s TrueType font support
2002 gave us the Blackberry 5810, the first smartphone…-ish device
2012 gave us the Raspberry Pi, which can run that Commodore 64 or Windows 3.1 with an emulator.
So, 2022, whatever hardware or software innovations or emulations you have in store.
Make them cool like Blackberries, Raspberries, or the Commodore.
-
Cheesy Tomato Dreams
Hello Protocols, Packets, and Programs,
In the movie 2001: A Space Odyssey, the infamous AI, HAL 9000, tells us it became operational in January 1992.
JavaScript didn’t become operational until 1995.
The HTTP/1.1 standard didn’t become operational until 1997.
DARPA ran its Cyber Grand Challenge Final Event at BlackHat in 2016.
And today? 54 years after the movie came out and 21 years from when it was set?
Companies are still trying to put AI into appsec and developers are still trying to deal with monoliths.
-
Big Smiles
Hello Protocols, Packets, and Programs,
You’re listening to Application Security Weekly, where we present interviews and news on all things appsec, appsec-adjacent, or just cool things that DevOps teams should know about.
We occasionally venture into the past to help us understand the present –- and to see whether appsec has made any progress.
Because some of that “shift left” motto might translate to “We didn’t so hot. You try it.”
This episode also introduced my most common greeting to all our Protocols, Packets, and Programs.
-
I Need an Exit
Unfortunately, no one can be told that we take security seriously.
You have to see it for yourself.
You take the blue pill – the story ends, you change your password,
And have credit monitoring for the rest of your life.
You take the red pill – and have your eyes opened,
Mostly because you’ll be looking for that Yubikey you always misplace,
And I show you how deep the appsec goes.
Remember…all I’m offering is the truth. Nothing more.
Dan Guido talked about why Trail of Bits engages in its particular style of consulting. Dan and crew are well known for impactful security research, tools, and projects. They’re not interested in poking at random software for vulns, they want to eliminate entire classes of vulns. He also talked about fuzzing for efficient vuln discovery and what happened when one of the team re-animated a 30-year old fuzzer to run it against modern code.
The Matrix was released March 31, 1999.
It’s a story about humans and machines, which makes it easy to see the metaphor for appsec. But it’s also about identity and self-determination – themes that even the machines deal with in Resurrections.
And, of course, it’s about style. Style in clothing, in hair, and in self-expression. This is the more important metaphor for appsec – collaboration and community building that welcomes self-expression, including gender, and embraces the diversity of groups.
This wraps up another year of the podcast. Thank you listeners!
-
Vulnerability Phone
(phone dialing)
Hello! And welcome to vulnerability phone.
If you know the name of the vuln you’d like to see, press one.
(beep)
Please enter the CVE now
(2021-44228)
You have selected log4j. If that is correct, press one.
(beep)
Log4j is playing at Minecraft, cloud services, security vendors, iCloud, Amazon, Apache Struts, your toaster, small children, puppies, and –
Well, you get the point.
If you also get the reference to moviefone, then not only do you have to update log4j, it’s probably time to move out of the past and update your JVM to a version that was released this decade as well.
This was a fun intro to come up with. Of course, I had to use the correct DTMF tones for all of the numbers. I’ll leave the opening phone number as a puzzle to solve. (A puzzle that’s neither difficult nor all that mysterious, but one who’s attention to detail will hopefully generate a smile.)
I wanted to find some humor in the topic that didn’t involve mocking developers or making light of the work that security and DevOps teams are putting into addressing the vuln – that’s the lazy path. Being smug about software design or programming languages never helped anyone in the first few decades of appsec. It’s certainly not going to be productive now. And it’s not very entertaining.
Log4j will be an infosec topic for the next several years. It’ll also highlight – once again – the importance of maintaining an asset inventory and having a process for identifying supply chain issues. If 2021 was the year everyone used the incident that rhymes with Polar Fins to talk about why supply chain security is so important, 2022 will be the year of Log4Shell.
The show notes have more details on how this specific vuln fits into the larger picture of application security. One thing I didn’t include was a timeline to put this into more context (see below). I find it interesting to think of this vuln as a type of recurring event as opposed to a single fire to extinguish. Chasing zero-days isn’t a strategy – creating hardened software architectures and layered security controls is. It’s easy to recommend asset inventories and egress proxies; it’s harder to implement them effectively. But that’s one of the goals of modern appsec, to shift from the burn-out of BugOps to the emergent security of DevOps.
My presentation from DevSecCon London 2017 talks more about the idea of BugOps vs. DevOps.
Finally, here’s a rough timeline of the Log4j vuln, with Hearbleed and Shellshock noted for reference:
- Shellshock bug introduced to Bash in August 1989, appears in 1.03 release in September 1989.
- Heartbleed bug introduced to OpenSSL in December 2011, appears in 1.0.1 release in March 2012.
- Log4j devs add the JNDILookup plugin to Log4j 2.0-beta9, which appears in September 2013.
- Heartbleed (CVE-2014-0160) disclosed in April 2014 (~2 years after bug introduced to code).
- Shellshock (CVE-2014-6271) disclosed a few months later in September 2014 (~25 years after bug introduced to code).
- Researchers discuss JNDI LDAP manipulation that leads to RCE at BlackHat in August 2016.
- Researcher Chen Zhaojun of Alibaba Cloud Security Team discloses log4j flaw in December 2021 (~8 years after bug introduced to code).
-
Eyes Open
Remember Flash? That free browser plugin?
In November 1996 Macromedia unleashed it upon the world. Then Adobe acquired it, keeping the thing alive with critical patch after critical patch.
In November 2011, after Apple refused to allow Flash on iOS, Adobe announced the end of support for mobile.
Yet it wasn’t until January 2021 that Flash officially died on the desktop.
So, maybe now when you hear the phrase, “Gone in a Flash”, it might not actually be referring to how your system was compromised.
-
Schools of Magic
It’s the eighth day of the month and there’s an appsec journey in the number eight.
Like the rise of personal computing with the 8-bit Commodore 64.
Modern HTML requires character encoding with utf-8.
Chrome’s JavaScript engine is called v8.
Number 8 in the new OWASP Top Ten is about software and data integrity failures.
And an 8 on its side looks like infinity, which is about how long it’ll take for appsec to get that top ten down to zero.
The schools of magic is another nod to Dungeons & Dragons. The game defines eight schools, a number that fit nicely with the intro’s theme. I’ve always been partial to playing wizards. Two favorites over the last few years have been an illusionist and a necromancer. I plan to try a diviner next – the spells aren’t as uniformly combat-related like the classic evoker, but that just feels like a fun challenge and a chance for creativity.
-
Horror Stories
It’s almost Halloween, so why not celebrate with an appsec adaptation of the opening of Edgar Allan Poe’s The Raven.
Once upon a midnight dreary, while I pondered, weak and weary,
Over many a quaint and curious volume of forgotten lore—
Which I coded, error trapping, suddenly there came a tapping,
As of testing gently flapping, flapping I could not ignore—
“’Tis some insecure,” I muttered, “tapping at my logic for—
Buffer size and nothing more.”
It took me a while to settle on phrasing I liked. The following version was a close runner up. It hinted at SQL injection instead of memory safety, but it didn’t feel like it captured an injection flaw just right.
Once upon a midnight dreary, while I pondered, weak and weary,
Over many a quaint and curious volume of forgotten lore—
Which I coded, error trapping, suddenly there came a tapping,
As of input gently snapping, snapping at my datastore—
“’Tis some insecure,” I muttered, “tapping at my datastore—
Using AND instead of OR.”
-
Highly Technical
In the days leading to Halloween, what could be spookier than spending time in a haunted house?
How about a haunted codebase?
With the sound of TODOs dragging their Jira backlogs down dusty hallways, parsers conducting demented operations on their pointers, let alone trying to safely test an execution path?
So when you lock the door behind you, use a FIDO key.
In the interview segment, Nuno and Tiago talked about integrating web scanners into the CI/CD pipeline. The discussion focused on DAST, but the success criteria and the attention to developer experience generalizes to any security tool, whether it’s SAST, SCA, or YOLO.
-
Opposite Direction
Welcome to October, my favorite and spookiest month.
A month of haunted code and HTM-Hell.
You may find yourself in Java’s Crypt or encountering the horror of Ruby EntRails.
If so, please enable automatic updates now and use only a FIDO key for MFA.
After all, you wouldn’t want your code editor to become ID-Evil…
-
Strange New Clouds
Captain’s log, stardate 41153.7.
Our destination is planet AppSec, beyond which lies the great unexplored mass of secure code.
My orders are to examine the news, and what’s been built there by the inhabitants of that world.
These are the episodes of the podcast ASW.
Its continuing mission: to explore strange new clouds.
To seek out new life and new DevOps migrations.
To boldly go where no one has gone before!
I was inspired this August by memory of Gene Roddenberry’s birthday. That stardate comes from “Encounter at Farpoint”, the very first episode of ST:TNG. To this day, I remember my surprise at seeing the character Zorn (Michael Bell), then hearing the voice of Duke from the “G.I. Joe” cartoons. It was like a collision of worlds that for some reason left an impression on me.
Live long and prosper! 🖖
-
Time Traveling
Let’s journey back in time to August 1995.
Internet Explorer has just been released, beginning a battle of browsers and a war of HTML standards.
Speaking of…
Garbage released their self-titled album also in August 1995.
With both browser and band giving us the lines “Not My Idea” and “Fix Me Now”.
I’ll take Garbage’s album over IE quirks mode any day.
After all, they had the better version 2.0.
And today, one is on tour and one is headed for retirement.
-
Thinking Alike
It’s that time when people head to the desert, where several factions will vie for attention and information.
You’ll find arguments about the future of technology and culture.
You’ll find discussions about the consequences of computers from 10,000 years ago.
You have to be careful in large groups, you’ll need to wear a mask and–
No. Hold on.
Those are plot points from the book Dune.
DEF CON started barely 30 years ago, Black Hat and BSides Las Vegas even less than that.
They do have the same point about computers, though.
Dune is one of my favorite books. I love how well it builds a history of civilizations and leaves so many aspects of that history ambiguous or to the reader’s imagination. I also love its political strategies and all the interior voices of the characters.
This episode also marked one of my early desires to do away with hardening guides. In this case, we were talking about a Kubernetes Hardening Guidance from NSA and CISA. But at 50 pages, it feels like k8s could benefit from better defaults.
Hardening guides feel like a modern anti-pattern. The appsec world should have moved on from them and emphasized secure defaults, with “loosening guides” provided for those who want to deliberately increase their attack surface or enable features that pose more risk.
-
Shrug & Move On
Eight years ago this week Firefox killed the blink element.
Every year since, I enjoy dancing on its grave.
And that’s in spite of all you out there resurrecting blink with CSS animations.
Because as fans of the New Wave / Post Punk security hour know,
‘Cause your friends don’t dance and if they don’t dance
Well they’re no friends of mine
-
Policy of Truth
Depeche Mode took us to a “sea of love” with Strangelove
The Cure took us “into the sea” with Lovecats
The Eurythmics “want to dive into your ocean”
Siouxsie and the Banshees carried us on “Sea Breezes”
But it’s Ocean Rain from Echo & the Bunnymen that feels most like appsec’s sad longing for success with the lyrics:
My ship’s a sail
Can you hear its tender frame
Screaming from beneath the waves
Screaming from beneath the waves
-
Dead Simple
“3, 2, 1. Let’s jam!”
Anime fans know that opening from Cowboy Bebop.
They also know the show’s first Astral Gate was built in 2021, only to blow up a year later.
Given how this year is going, I put equal odds as the cause being either a supply chain vuln or ransomware. And, hey, that code could’ve used a security review for backdoors, too.
I’m not sure if this is the first time I used the phrase, “dead simple”, but it’s one that I’ve used many times since.
-
Alert Your Stardestroyers
It’s that time in May when people start talking about that movie from the 80s. The one with James Earl Jones as the villain. Came out in May 1982.
That’s right. Once again we must ask, “Conan, what is best in DevOps?”
“To crush CI/CDs,
to see supply chains before you,
and to hear the attestation of their SBOM.”
Since this episode aired on May 3rd, it was a chance to acknowledge Star Wars Day, aka May 4th – as in, may the fourth (force) be with you.
The Empire Strikes Back came out in 1980. Conan didn’t appear until two years later. But, wonderfully, James Earl Jones plays the villain in both. We only hear him in Empire (David Prowse wore Vader’s suit), but we see him – with long hair no less – as the evil Thulsa Doom in Conan.
I first riffed on this quote in episode 137.
-
Minimum Safe Distance
What would a breach notification look like in the aftermath Aliens?
Weyland-Yutani takes the security of our systems and data seriously and we have implemented numerous safeguards to protect them.
When we learned of a nearby derelict, our investigation determined it was something for you to explore.
Because of our commitment to trust and transparency, we have worked diligently to make LV-426 important to
building better worlds
with you – our families at Hadley’s Hope.
We recorded this episode on April 26, which was fortuitous for a fan of 80s movies and horror. April 26 has been adopted as “Alien Day” to celebrate the Alien movie franchise. The date, as 4/26, is a nod to LV-426, the moon from Aliens. Weyland-Yutani established a terraforming colony, Hadley’s Hope, on that moon. Things didn’t turn out well for the colony and Ellen Ripley, now rescued from her escape shuttle long after the events on the Nostromo, has a pretty clear idea of what must have happened.
As a final note, if you check the bookshef in the background of the video, I have a copy of the Alien RPG propped up.
-
Always Interesting
Friends, DevOps, SREs, lend me your ears.
I come to bury appsec, not to praise it…
Ooh, this opening Shakespeare bit isn’t going in the right direction.
And that’s why you should beware the developer IDEs of March.
Noted.
-
Goose Egg
Welcome to the Mars Federal Colony.
For your safety and comfort, domes have been installed to protect you from the vacuum outside.
Please do not touch exterior windows or airlocks.
And remember, it took a team of rocket scientists to deploy Linux on this planet.
Thank you and enjoy your stay on Mars.
-
Total Recall
Listen and understand.
That Compiler is out there.
It can’t be bargained with.
It can’t be reasoned with.
It doesn’t feel pity, or remorse, or fear.
And it absolutely will not stop, ever, until you are…
No, hold on. I’m thinking of the Terminator.
Compiled code is fine. Just fine. Nothing to worry about.
-
The Sound of Silence
Welcome to February, named after the Roman festival of purification,
making it a perfect metaphor for appsec –
after all, it’s the shortest month and occasionally off by one.
-
A Tree of Woe
Earlier I asked, “Conan, what is best in DevOps?”
“To crush your CVEs,
to see threat models before you,
and to hear the automation of their workflows.”
This quote comes from the 1982 film, Conan the Barbarian, where Arnold Schwarzeneggar delivers it with his distinct Austrian accent. It’s one of the many films that made 1982 such a high point in movie history.
I revisited this quote in episode 149.
-
Breaking John
As Kermit and friends might say,
it’s time to play the music,
it’s time to light the lights,
it’s time to talk some appsec on the appsec show tonight.
-
Pokémon & Synthwave & Hair & Hats
A new year calls for new resolutions, such as exiting vim on the first try, remembering which git rebase, reset, or revert is useful, securing your supply chain, and subscribing to ASW.
(Of which, only one of those is actually achievable.)
We started off the year with a deep dive into privacy by design – a topic that’s appsec-adjacent, but one that carries its own threat models and design patterns. Notably, it’s also a relatively new topic when you consider how slowly “privacy engineering” teams have grown throughout the industry.
And, being January 2021, it was a chance to commemorate the 25th anniversary of Lawnmower Man 2: Beyond Cyberspace. It’s a title that’s been criminally left off of far too many lists of hacker movies.
-
Underlying Capabilities
Ah, my first time hosting. The intro is barely three sentences and barely engaging. How far we’ve come. But it does have one small artifact that I’ve preserved through all of the following intros. The teaser for the news segment always ends with a change in intonation and the promise of…
– and more.
I’ve also changed around the camera setup and computer. I enjoyed lurking behind my laptop with its prominent D&D sticker and, later on, a DNA Lounge sticker. Alas, the screen size and CPU weren’t conducive to improving the quality of show. I’ve since upgrade to an M1 iMac.
Keith Hoodlet started the podcast at episode 0 and was the main host up through 55. He still drops in on the Security Weekly family, including ASW episodes 200 and 224. Check out his blog at securing.dev.