A collection of additional episode commentary.

Check out show notes at the episode index for links to articles and tools.

  • ASW Episode 178

    I Need an Exit

    Unfortunately, no one can be told that we take security seriously.

    You have to see it for yourself.

    You take the blue pill – the story ends, you change your password,

    And have credit monitoring for the rest of your life.

    You take the red pill – and have your eyes opened,

    Mostly because you’ll be looking for that Yubikey you always misplace,

    And I show you how deep the appsec goes.

    Remember…all I’m offering is the truth. Nothing more.

    The Matrix released March 31, 1999.

    The Matrix is about humans and machines, which makes it easy to see the metaphor for appsec. But it’s also about identity and self-determination – something that extends even to the machines in Resurrections.

    And, of course, there’s style. Style in clothing, in hair, and in self-expression. This is the more important metaphor for appsec – collaboration and community building that welcomes self-expression, including gender, and embraces the diversity of groups.

    This wraps up another year of the podcast. Thank you listeners!

  • ASW Episode 177

    Vulnerability Phone

    (phone dialing)

    Hello! And welcome to vulnerability phone.

    If you know the name of the vuln you’d like to see, press one.

    (beep)

    Please enter the CVE now

    (2021-44228)

    You have selected log4j. If that is correct, press one.

    (beep)

    Log4j is playing at Minecraft, cloud services, security vendors, iCloud, Amazon, Apache Struts, your toaster, small children, puppies, and –

    Well, you get the point.

    If you also get the reference to moviefone, then not only do you have to update log4j, it’s probably time to move out of the past and update your JVM to a version that was released this decade as well.

    This was a fun intro to come up with. Of course, I had to use the correct DTMF tones for all of the numbers. I’ll leave the opening phone number as a puzzle to solve. (A puzzle that’s neither difficult nor all that mysterious, but one whose attention to detail will hopefully generate a smile.)

    I wanted to find some humor in the topic that didn’t involve mocking developers or making light of the work that security and DevOps teams are putting into addressing the vuln – that’s the lazy path. Being smug about software design or programming languages never helped anyone in the first few decades of appsec. It’s certainly not going to be productive now. And it’s not very entertaining.

    Log4j will be an infosec topic for the next several years. It’ll also highlight – once again – the importance of maintaining an asset inventory and having a process for identifying supply chain issues. If 2021 was the year everyone used the incident that rhymes with Polar Fins to talk about why supply chain security is so important, 2022 will be the year of Log4Shell.

    BugOps vs. DevOps

    The show notes have more details on how this specific vuln fits into the larger picture of application security. One thing I didn’t include was a timeline to put this into more context (see below). I find it interesting to think of this vuln as a type of recurring event as opposed to a single fire to extinguish. Chasing zero-days isn’t a strategy – creating hardened software architectures and layered security controls is. It’s easy to recommend asset inventories and egress proxies; it’s harder to implement them effectively. But that’s one of the goals of modern appsec, to shift from the burn-out of BugOps to the emergent security of DevOps.

    If you’re curious about more of the BugOps vs. DevOps take, check out my presentation from DevSecCon London 2017.

    • Log4j devs add the JNDILookup plugin to Log4j 2.0-beta9, which appears in September 2013.
    • Heartbleed appears in April 2014.
    • Shellshock appears a few months later in September 2014.
    • Researchers discuss JNDI LDAP manipulation that leads to RCE at BlackHat in August 2016.
    • Researcher Chen Zhaojun of Alibaba Cloud Security Team discloses log4j flaw in December 2021.

  • ASW Episode 171

    Horror Stories

    It’s almost Halloween, so why not celebrate with an appsec adaptation of the opening of Edgar Allan Poe’s The Raven.

    Once upon a midnight dreary, while I pondered, weak and weary,

    Over many a quaint and curious volume of forgotten lore—

    Which I coded, error trapping, suddenly there came a tapping,

    As of testing gently flapping, flapping I could not ignore—

    “’Tis some insecure,” I muttered, “tapping at my logic for—

    Buffer size and nothing more.”

    It took me a while to settle on phrasing I liked. The following version was a close runner up. It hinted at SQL injection instead of memory safety, but it didn’t feel like it captured an injection flaw just right.

    Once upon a midnight dreary, while I pondered, weak and weary,

    Over many a quaint and curious volume of forgotten lore—

    Which I coded, error trapping, suddenly there came a tapping,

    As of input gently snapping, snapping at my datastore—

    “’Tis some insecure,” I muttered, “tapping at my datastore—

    Using AND instead of OR.”

  • ASW Episode 149

    Alert Your Stardestroyers

    It’s that time in May when people start talking about that movie from the 80s. The one with James Earl Jones as the villain. Came out in May 1982. That’s right, once again we must ask, “Conan, what is best in DevOps?”

    To crush CI/CDs, to see supply chains before you, and to hear the attestation of their SBOM.

    Since this episode aired on May 3rd, it was a chance to acknowledge Star Wars Day, aka May 4th – as in, may the fourth (force) be with you.

    The Empire Strikes Back came out in 1980. Conan didn’t appear until two years later. But, wonderfully, James Earl Jones plays the villain in both. We only hear him in Empire (David Prowse wore Vader’s suit), but we see him – with long hair no less – as the evil Thulsa Doom in Conan.

    I first riffed on this quote in episode 137.

  • ASW Episode 148

    Minimum Safe Distance

    What would a breach notification look like in the aftermath of Aliens?

    Weyland-Yutani takes the security of our systems and data seriously and we have implemented numerous safeguards to protect them. When we learned of a nearby derelict, our investigation determined it was something for you to explore.

    Because of our commitment to trust and transparency, we have worked diligently to make LV-426 important to

    building better worlds

    with you – our families at Hadley’s Hope.

    We recorded this episode on April 26, which was fortuitous for a fan of 80s movies and horror. April 26 has been adopted as “Alien Day” to celebrate the Alien movie franchise. The date, as 4/26, is a nod to LV-426, the moon from Aliens. Weyland-Yutani established a terraforming colony, Hadley’s Hope, on that moon. Things didn’t turn out well for the colony and Ellen Ripley, now rescued from her escape shuttle long after the events on the Nostromo, has a pretty clear idea of what must have happened.

    As a final note, if you check the bookshelf in the background of the video, I have a copy of the Alien RPG propped up.

  • ASW Episode 137

    A Tree of Woe

    Earlier I asked, “Conan, what is best in DevOps?”

    To crush your CVEs, to see threat models before you, and to hear the automation of their workflows.

    This quote comes from the 1982 film, Conan the Barbarian, where Arnold Schwarzenegger delivers it with his distinct Austrian accent. It’s one of the many films that made 1982 such a high point in movie history.

    I revisited this quote in episode 149.