Cybersecurity Awareness Limerick Month

Hello Protocols, Packets, and Programs!

We continue the cybersecurity awareness limerick month with…

My browser used HTTPS,

Configured from an HSTS,

But public WiFi,

Might have a bad guy,

Who can break Diffie-Hellman I guess?

Yep, this was an April Fool’s episode. It’s a rare occasion that April 1 falls on a Monday and we had to take advantage of it.

The infosec myths, mistakes, and misconceptions segment is a serious topic, though! I thought that talking about foolish ideas and why they’re harmful to users would fit well with the day’s theme.

Even the news segment has some educational bits to it. After all, a lot of the articles from 2004 either sound like they could be written today or they have the optimism that a security problem will be solved in a few years. Instead, we’re twenty years later and still dealing with a lot of the same problems.

It’s seeing those same problems that motivated me to use this theme for our show. After all, if appsec hasn’t made significant impacts in some areas twenty years later, it’s time to re-evaluate those strategies and find something better.

I’m not completely pessimistic or cynical on this topic. I think there have been some consequential shifts in appsec strategies. A few that come to mind are

  • Building “paved roads” or solutions that meet developers needs and uphold the developer experience while making insecure designs difficult.
  • The Infrastructure as Code possibilities of cloud environments, where resources, networks, and privileges can be expressed through (mostly) human-readable code in a way that can be linted, reviewed, and maintained.
  • The phishing-resistant solutions of passkeys, WebAuthn, and FIDO2-based authentication.
  • Adoption of memory-safe languages for critical system apps, device drivers in the Linux kernel, components of browsers, and lots of attention from Microsoft and Amazon.
  • The (admittedly recent and still far to go) embrace of a secure by default attitude that treats hardening guides as anti-patterns.
  • The (admittely recent and still far to go) push for secure design.

I purposefully didn’t mention a future of lists, whether they contain 10 items or not. For more on that, check out this post.

Check out this episode's show notes for links to the articles we covered. And please take a moment to subscribe.