The Case of Bad Appsec Advice

It was another Monday morning. The sign on the door said Private Investigator.

But the sign below that said closed and I was saying yes to a third cup of coffee.

It was cold and bitter, like a C++ programmer at a Rust conference.

My partner was out of town, looking into a counterfeit fashions case, but that was like bad security metrics – a lot of questionable value and misleading labels.

I stared at a March Madness bracket, thinking appsec could use a tournament of its own to eliminate poor advice.

I thought about this some more as I walked down to my local donut shop to use their public WiFi, where I checked my email and scanned a QR code to see their menu.

In the last twenty years, donuts had become twice as expensive and appsec advice about half as useful.

After all, I had a patched device, HSTS, and WebAuthn.
Check out this episode's show notes for links to the articles we covered. And please take a moment to subscribe.