DefectDojo and Bringing Quality Appsec Tools to Small Appsec Teams – Greg Anderson – ASW #312
1. DefectDojo and Bringing Quality Appsec Tools to Small Appsec Teams – Greg Anderson – ASW #312
All appsec teams need quality tools and all developers benefit from appsec guidance that's focused on meaningful results. Greg Anderson shares his experience in bringing the OWASP DefectDojo project to life and maintaining its value for over a decade. He reminds us that there are tons of appsec teams with low budgets and few members that need tools to help them bring useful insights to developers.
Segment Resources:
- https://owasp.org/www-project-defectdojo/
- Three-quarters of CISOs surveyed reported being "overwhelmed" by the growing number of tools and their alerts: https://www.darkreading.com/cloud-security/cisos-throwing-cash-tools-detect-breaches
- As many as one-fifth of all cybersecurity alerts turn out to be false positives. Among 800 IT professionals surveyed, just under half said that roughly 40% of the alerts they receive are false positives: https://www.securitymagazine.com/articles/97260-one-fifth-of-cybersecurity-alerts-are-false-positives
- 91% of organizations knowingly released vulnerable applications, 57% of vulnerabilities are left unresolved by developers, 32% of CISOs deploy vulnerable code in the hopes it won’t be discovered, 56% of developers struggle to prioritize vulnerability fixes: https://info.checkmarx.com/future-of-application-security-2024
Announcements
Paul's Security Weekly has been nominated for a SANS Difference Maker Award for Podcast, Livestream, or Video Series of the year! Thank you to all of our listeners for helping us continue this podcast for the past 19 years! We would appreciate it if you'd vote for us before October 4th by visiting https://securityweekly.com/DMA
Want to shape the future of identity? Identiverse 2025 is looking for dynamic speakers like you to share groundbreaking ideas with over 3,000 identity and access management leaders. Join the most influential voices in IAM and help drive innovation in our industry. Submit your presentation proposal today at securityweekly.com/idvcfp
Guest
Greg Anderson is the founder, creator, and CEO of DefectDojo. His mission is to prevent breaches by making visibility and scalability a reality for all in security.
Greg is a seasoned security practitioner and an active participant in the global community, having served as a member of the Board of Directors for the OWASP Foundation, performed assessments for the United States Department of Defense (Pentagon), and presented research on compromising CI/CD pipelines at DEFCON. Greg has also presented at AppSec USA and AppSec EU.
Greg started his career as a penetration tester with a focus on unconventional attack vectors and how to maximize their impact before focusing on DefectDojo.
2. Removing Rust, Double Clickjacking, h3i CLI, JWT Mistakes, Reviewing Recursion – ASW #312
Curl removes a Rust backend, double clickjacking revives an old vuln, a new tool for working with HTTP/3, a brief reminder to verify JWT signatures, design lessons from recursion, and more!
- 1. dropping hyper | daniel.haxx.se
After four years, curl's effort to bring a Rust-based HTTP/1 backend into the library has ended. The reasons provide good lessons for the appsec industry's push for memory safety and secure code.
- 2. DoubleClickjacking: A New Era of UI Redressing
An iteration on the clickjacking technique bypasses the pervasive browser-based protections (X-Frame-Options, CSP frame-ancestors, SameSite cookies) that effectively eradicated classic clickjacking: the target page is never framed, so those defenses never engage. Fortunately, there are equally simple countermeasures for this version.
Given appsec's naming habits, what "double" will we see next? Double SQL injection? Double XSS? Double prompt injection?
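An added example of the page-side countermeasure for this variant, written for this page rather than taken from the DoubleClickjacking write-up or any site it names: sensitive controls start disabled and are enabled only once the window has seen a real user gesture (mousemove or keydown), and they are disabled again whenever the window loses focus, which is what happens when an attacker-opened window lands on top of it. The `data-sensitive` attribute, the blur re-arming rule, and the fake window used to exercise the gate outside a browser are all this example's own assumptions.

```javascript
// Added example (not from the linked research). Gate sensitive controls on a
// genuine user gesture so a click that arrives out of nowhere, such as the
// second half of a double-click aimed at a window that just closed, hits a
// disabled control. Selector name and blur rule are assumptions of this demo.
function createGestureGate(win, doc, selector = "[data-sensitive]") {
  const controls = Array.from(doc.querySelectorAll(selector));
  let armed = false;
  const setDisabled = (flag) => controls.forEach((c) => { c.disabled = flag; });

  // mousemove / keydown show the user is actually interacting with this window.
  const onGesture = () => {
    if (armed) return;
    armed = true;
    setDisabled(false);
  };
  // Losing focus (another window opened on top) disarms until the next gesture.
  const onBlur = () => {
    armed = false;
    setDisabled(true);
  };

  setDisabled(true);
  doc.addEventListener("mousemove", onGesture);
  doc.addEventListener("keydown", onGesture);
  win.addEventListener("blur", onBlur);
  return { isArmed: () => armed };
}

// Constructed stand-in for window + document so the gate can run under Node;
// it is not a DOM, just enough to register listeners and fire events.
function makeFakeWindow(buttonCount) {
  const listeners = new Map();
  const buttons = Array.from({ length: buttonCount }, (_, i) => ({ id: `btn${i}`, disabled: false }));
  return {
    buttons,
    querySelectorAll: () => buttons,
    addEventListener(type, fn) {
      if (!listeners.has(type)) listeners.set(type, []);
      listeners.get(type).push(fn);
    },
    fire(type) { (listeners.get(type) || []).forEach((fn) => fn({ type })); },
  };
}

// Replays the event sequence the attack produces on the victim page: a real
// gesture, focus lost to the popup, then a click with no preceding gesture.
// Returns whether the sensitive control was enabled after each step.
function simulateAttack() {
  const w = makeFakeWindow(1);
  createGestureGate(w, w);
  const btn = w.buttons[0];
  const trace = {};
  trace.initial = !btn.disabled;
  w.fire("mousemove");            // user genuinely moves the mouse on the page
  trace.afterMousemove = !btn.disabled;
  w.fire("blur");                 // attacker's window opens on top and takes focus
  trace.afterBlur = !btn.disabled;
  w.fire("click");                // second click of the double-click lands here
  trace.afterStrayClick = !btn.disabled;
  w.fire("keydown");              // a real gesture re-arms the controls
  trace.afterKeydown = !btn.disabled;
  return trace;
}

if (typeof document !== "undefined") createGestureGate(window, document);
if (typeof module !== "undefined" && require.main === module) console.log(simulateAttack());
```

In a browser, `createGestureGate(window, document)` is all that is needed; the fake window exists only so the state transitions can be checked headlessly. This is defense in depth at the page level, not a replacement for framing protections, and it relies on the stray click reaching the page before any mousemove does.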
- 3. Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability
The last jailbreak research of 2024. It shows more clever testing for edge cases. There'll surely be more prompt injection and jailbreak techniques by the end of January. Still looking for that compelling and successful use of genAI in appsec.
- 4. Open sourcing h3i: a command line tool and library for low-level HTTP/3 testing and debugging
Building libraries for an RFC vs. building libraries to test RFC design and implementations.
- 5. Finding Critical Flaws in Secure Systems | Trail of Bits
To emphasize from the start, many of these vulns "...result in little or no real-world harm in most contexts."
However, there's still something to learn from parsing and handling user-supplied data. They provide opportunities to talk about recursion, edge cases, malicious input, and secure design choices.
- 6. How to Avoid JWT Security Mistakes in Node.js
Short and simple: verify the signature of signed blobs. But there are also some challenges in dealing with stateless session tokens.
Here's a bonus CVE about JWT algorithm confusion.
- 1. Compiling C to Safe Rust, Formalized
Researchers defined a simplified subset of C, port programs into that subset first, and then translate the result to safe Rust, with the translation itself formalized. That is what lets them be assured that the ported program is safe.
- 1. Hackers Weaponize Visual Studio Code Remote Tunnels for Cyber Espionage
The attackers exploited SQL injection vulnerabilities in internet-facing applications and database servers using sqlmap.
- 2. Nuclei flaw lets malicious templates bypass signature verification