New Wave Post Punk Security Hour – ASW #141
Segments
1. Hackable; How to do Application Security Right – Ted Harrington – ASW #141
In looking at how to do application security right, we talk about the difference between defining the types of security testing and defining the goals that security testing should aim for. We also highlight how doing security right means shifting left: addressing security issues in the design phase rather than after the code is written. Throughout all of this runs the importance of being able to communicate security principles, and to explain how your design and testing actually reduce risk.
Register for the DevSecOps eSummit for which Ted will be a panelist:
https://onlinexperiences.com/Launch/QReg.htm?ShowUUID=5673DA7C-B8C2-4A3E-B675-C6BBF45DC04F
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
Guest
Ted Harrington is the #1 best-selling author of HACKABLE: How to Do Application Security Right, and the Executive Partner at Independent Security Evaluators (ISE), the company of ethical hackers famous for hacking cars, medical devices, web applications, and password managers. He’s helped hundreds of companies fix tens of thousands of security vulnerabilities, including Google, Amazon, and Netflix. Ted has been featured in more than 100 media outlets, including The Wall Street Journal, Financial Times, and Forbes. His team founded and organizes IoT Village, an event whose hacking contest is a three-time DEF CON Black Badge winner.
Hosts
2. JSON, OpenSSL, Educational Resources, & Flaws in CodeQL – ASW #141
This week on the Application Security News, Implementation pitfalls in parsing JSON, finding all forms of a flaw with CodeQL, more educational resources for hacking apps, engineering and product management practices for DevOps, & more!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Hosts
- 1. An Exploration of JSON Interoperability Vulnerabilities – A good look into the differences between the standard for a format and the variations in how it's implemented. Think of quirks as elementary particles of security that combine to form flaws and vulns. Then check out this other article, "JSON With Commas and Comments", to see some other ways JSON has been extended and, importantly, the point it makes about the relative success of readable vs. unreadable code. https://nigeltao.github.io/blog/2021/json-with-commas-comments.html
- 2. Engineering Practices Can Overcome DevOps Challenges – Even if DevOps is striving for automation, you can't neglect the practices that are trying to make it more human than human.
- 3. Announcing the First-Ever Veracode Hacker Games – Hands-on exercises will always be a better path to understanding appsec than memorizing top 10 lists. Veracode wades into this arena with resources for new appsec practitioners. You can also check out their "forever free" community edition at https://info.veracode.com/security-labs-community-edition-signup.html
- 4. Developer Velocity at work: Key lessons from industry digital leaders – More examples, some familiar, of what it takes to make security a successful part of software development. And some important lessons for Security teams to understand what it takes to make their products and services successful for their consumers -- especially for internal Security teams whose consumers are the company's own development teams.
- 5. The little bug that couldn’t: Securing OpenSSL – You don't need to dive into the C code internals of OpenSSL to appreciate how this article presents both a developer and a researcher perspective on analyzing a bug. The specific technical details aren't as important as the concept of variant analysis and using tools to help answer the question, "Where else is this bug in our code?" Microsoft took a slightly different approach in sharing CodeQL queries related to the Solorigate campaign. The premise is similar though: "Where else does this type of compromise appear?" Find more details in their article at https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/ and the backdoor detections they created at https://github.com/github/codeql/pull/5083
- 6. OWASP’s 20th Anniversary Celebration – The CFP opens soon for OWASP's 20th anniversary celebration in September. There's a lot of appsec from 20 years ago that looks familiar today. What could appsec do to make the next 20 years more successful?
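To make item 1 concrete, here is an added example (not code from the linked article or from any library it discusses) of two JSON parser quirks that become security bugs when two services parse the same document differently: duplicate object keys, where one parser keeps the first value and another keeps the last, and large integers, which a parser that stores every number as a 64-bit double silently rounds. The sample documents are constructed for this example; the behaviours shown are those of Python's standard-library `json` module, with a first-wins parser modelled through `object_pairs_hook`.

```python
"""Added example: JSON parser quirks as the raw material of interoperability bugs.

If a gateway authorises a request using one parser and a backend acts on it
using another, any document the two parsers read differently lets an attacker
get one value past the check and a different value into the action.
"""
import json
import math


def _reject_duplicates(pairs):
    """object_pairs_hook that refuses duplicate keys instead of silently
    keeping the last one, which is what json.loads does by default."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key: {key!r}")
        obj[key] = value
    return obj


def loads_strict(text):
    """json.loads that treats a duplicate key as a parse error."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def loads_first_wins(text):
    """Model of a parser that keeps the FIRST occurrence of a key (some
    libraries behave this way), to contrast with Python's last-wins default."""
    def first_wins(pairs):
        obj = {}
        for key, value in pairs:
            obj.setdefault(key, value)
        return obj
    return json.loads(text, object_pairs_hook=first_wins)


# Constructed order document: "qty" appears twice, so a last-wins parser
# sees -1 while a first-wins parser sees 1.
DUPLICATE_KEY_DOC = '{"item": "widget", "qty": 1, "qty": -1}'

# Constructed record id: an integer that does not survive a round trip
# through a 64-bit double, which is how JavaScript-style parsers store numbers.
BIG_INT_DOC = '{"id": 12345678901234567890}'

# Constructed: an exponent no double can represent.
HUGE_EXPONENT_DOC = '{"amount": 1e400}'


def qty_by_parser(text=DUPLICATE_KEY_DOC):
    """What each parser model reports for "qty". A disagreement here is the
    interoperability bug: the check and the action see different numbers."""
    return {
        "last_wins": json.loads(text)["qty"],
        "first_wins": loads_first_wins(text)["qty"],
    }


def rejects_duplicates(text=DUPLICATE_KEY_DOC):
    """True if the strict loader refuses the document outright."""
    try:
        loads_strict(text)
    except ValueError:
        return True
    return False


def id_precision_lost(text=BIG_INT_DOC):
    """True if storing the id as a double changes its value, so two services
    can disagree about which record a request refers to. parse_int=float
    models a parser that has no integer type."""
    exact = json.loads(text)["id"]                   # Python keeps full precision
    as_double = json.loads(text, parse_int=float)["id"]
    return int(as_double) != exact


def amount_overflows(text=HUGE_EXPONENT_DOC):
    """True if the default float parsing turns the amount into infinity rather
    than rejecting it; downstream arithmetic on inf rarely fails loudly."""
    return math.isinf(json.loads(text)["amount"])


if __name__ == "__main__":
    print("qty by parser:", qty_by_parser())
    print("strict loader rejects duplicate keys:", rejects_duplicates())
    print("big id loses precision as a double:", id_precision_lost())
    print("1e400 parses to inf:", amount_overflows())
```

The practical mitigation is the strict loader: every service in the path parses with the same rules and refuses documents with duplicate keys or out-of-range numbers, so the quirk never reaches a place where two components can disagree about it.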