Application Security WeeklySubscribe
Vulnerability Management, Application security, AI/ML, Security Staff Acquisition & Development, Training

Pointers and Perils for Presentations – Josh Goldberg – ASW #251

Full Audio

View Show Index

Segments

1. Pointers and Perils for Presentations – Josh Goldberg – ASW #251

A key part of modern appsec is communication. From interpersonal skills for fostering collaborations to presentation skills for delivering a message, the ability to tell a story and engage an audience is a skill that doesn't appear on top ten lists and that doesn't come up in secure coding checklists.

Josh shares his path to becoming a presenter on technical topics, including stumbles he's made along the way and how he helps others develop their skills for slides.

Resources:

Announcements

  • Security Weekly listeners: Now is your chance to join the infosec community as they come together at InfoSec World 2023, September 23 – 28, 2023 at Disney's Coronado Spring Resort in Lake Buena Vista, FL. Hear keynotes from Scott Shapiro, Founding Director at Yale CyberSecurity Lab’s and Rachel Wilson, Managing Director and Head of Cybersecurity at Morgan Stanley.
    As a Security Weekly community member, you’re able to receive 20% off your InfoSec World 2023 tickets using code ISW23-SECWEEK20! Register today: securityweekly.com/infosecworld2023

Guest

Open Source Developer

Josh Goldberg is a frontend developer with a passion for open source, static analysis, and the web. He is the author of O’Reilly’s Learning TypeScript and a full time open source maintainer who contributes regularly to TypeScript and open source projects in its ecosystem, such as typescript-eslint and TypeStat. His past work includes spearheading Codecademy’s usage of TypeScript and helping create its Learn TypeScript course, and architecting rich client applications at Microsoft. His projects range from static analysis to meta-languages to re-creating retro games in the browser. Also cats.

Hosts

Tech Lead at Block
Senior Engineering Leader at AWS

2. DARPA’s AI Challenge, CISA Wants Secure Open Source, 5 Years of Vuln Research – ASW #251

DARPA unleashes an AI Cyber Challenge to find flaws, CISA asks for input on securing open source software and memory safety, what five years of vuln research shows for vuln management programs, siphoning security tokens from VS Code, and more!

Announcements

  • Join us at an upcoming Official Cyber Security Summit in a city near you! This series of one-day, invitation-only, executive level conferences are designed to educate senior cyber professionals on the latest threat landscape.

    We are pleased to offer our listeners $100 off admission when you use code SecWeek23 to register.

    Visit securityweekly.com/cybersecuritysummit to learn more and register today!

Hosts

Tech Lead at Block
  1. 1. DARPA Launches 2-Year Contest to Build AI Tools to Fix Vulnerabilities

    A new challenge to coax AI into figuring out how to identify and fix software flaws. The challenges will be across many programming languages, but have half of them focused on memory-safety issues in C and C++.

    I'd be curious to see a challenge that rewrote a program in C into Rust.

    Check out the OpenSSF announcement.

    Keep an eye on the contest's home page.

  2. 2. Microsoft’s red team has monitored AI since 2018. Here are five big insights | ZDNET

    We covered comments from Google's red team targeting AI back in episode 248. Here's a similar article from Microsoft.

    A few things stand out from "normal" red team exercises. One, this testing is more expensive. Two, it requires repeated attempts. Three, and more interesting to me, is testing how such systems might generate harmful content for average users. In other words, the testing is just figuring out what a malicious actor might do, but what the system might do to a benign user.

  3. 3. White House, CISA call for help with security of open source software

    CISA wants to push the industry to secure by default and secure by design. A big part of this is moving towards memory-safe languages. Another part is asking the industry where they think major investments in effort should go.

    Check out the Request for Information. You have until October 9, 2023 to respond.

  4. 4. The Pithy P2P: 5 years of vulnerability remediation & exploitation research

    There's a lot in here about what vulnerability management programs should focus on and how they can be efficient and effective. For example, focusing on high-risk vulns (as indicated by CVSS) combined with exploitation. It's important to have good visibility into the vulns across an org, but it's also important to realize that not all of those vulns require remediation.

  5. 5. ‘Downfall’ Bug in Billions of Intel CPUs Reveals Major Design Flaw

    Yet another look at CPU-related security, this time in memory leaks in the Linux kernel and what a user space program can get out of it -- like encryption keys.

    Mostly including this just to show how exploits improve and emerge over time. This research points out that bugs that were seemingly unexplainable (in terms of an RCE) or that lead to a DoS now have an additional security consideration.

  6. 6. VS Code’s Token Security: Keeping Your Secrets… Not So Secretly – Cycode

    We've got secrets managers in the cloud, secure enclaves on user systems, and lots of API security tokens floating around that need protection.

    This is also a chance to talk about API security and different models like shared secrets, asymmetric signing keys, and HMACs.

  7. 7. Badge of Shame – Breaking Into Secure Facilities with… | Bishop Fox

    Another example of an "install mode" that may persist after the install and consequently be used to obtain encryption keys.

  8. 8. FYI: NSA: Codebreaker Challenge Helps Drive Cybersecurity Education

    "This year's Codebreaker Challenge will center around a simulation in which the US Coast Guard identifies a signal about 30 miles off the coast of the continental US; participants will be asked to interpret and find the origin of the signal."

    Keep an eye on the official site. The challenge runs from Sept. 28 through Dec. 21.

  9. 9. Smashing the state machine: the true potential of web race conditions
Senior Engineering Leader at AWS
  1. 1. Shamir Secret Sharing, or how to break your fancy encryption setup

    Max Levchin tells a story about how he used Shamir Secret Sharing to protect encryption on Paypal's database - and how it first broke when they put it into production.

    (h/t Bill)

  2. 2. Satellite CTF at defcon

    Always nice to see my curiosity with space appsec filter over to to the side my political nerd side also reads ????

  3. 3. Parsing vulnerability in Python’s urllib.parse()

    Turns out urlsplit() and urlparse() don't do input validation. Whoops.

  4. 4. Google launching LLM-powered IDE

    I'm on the waiting list so haven't gotten to play with it, but Google's announced IDX - a Visual Studio-based IDE with some of Google's flavor of LLM built into it to assist in coding. I keep hoping these things will produce more secure code...

  5. 5. Stability AI announces open source model for generative AI coding

    The folks who funded most of the development of Stable Diffusion (one of the first to kick off the current generative AI fashion period) have released Stablecode - a LLM focused on software development. The model's up on huggingface - start your coding!

  6. 6. AI won’t replace humans – but humans with AI will replace humans without

    This interview over on HBR includes a message I can really get behind: Don't worry so much about AI/computers taking over the world, but if you don't understand how to leverage these new tools, you may find it difficult to keep up with those who do.

  7. 7. IOT maker warns malware attack cycles increasing

    This is an interesting read of how an IOT manufacturer could take a more proactive stance about understanding the threats against their products, and spend some resources working to improve the security situation.

    (apologies if this is paywalled - it seems available to me)

  8. 8. New Intel patches will be the downfall of your fancy CPU’s performance

    Intel got patches out for Downfall fairly quickly, but they'll take up to 39% of your CPU's performance, unfortunately.

    (thanks to Phoronix for always creating great low-level Linux articles)

  9. 9. VSCode isn’t keeping secrets so secret

    The folks at cycode developed a POC extension for VSCode which doesn't just get security tokens from other plugins, but also the GitHub/Microsoft tokens for login/sync functionality. They went beyond that and provided a great writeup about how they worked through figuring out how to get their POC extension to do what they want

Related

Fortinet, Palo Alto, VMWare – PSW #852

Fast cars kill people, Apple 0-Days, memory safety, poisoning the well, babble babble and malware that tries really hard to be stealthy, Palto Alto and Fortinet have some serious new vulnerabilities, open-source isn't free, but neither is commercial software, get on the TPM bus, find URLs with stealth, stealing credentials with more Palto Alto and ...