AI fixes everything, C++ the actual worst, IAM is hard – ASW #308
This week, in the Application Security News, we dismiss magical thinking and discuss what generative AI will actually be able to do for us.
We also discuss whether Secure by Design's goals are practical or not.
OSC&R releases a report on software supply chain that should be interesting, though neither of us had time to read it yet.
Also, Watchtowr has some fun with Citrix VDI!
Announcements
Want to shape the future of identity? Identiverse 2025 is looking for dynamic speakers like you to share groundbreaking ideas with over 3,000 identity and access management leaders. Join the most influential voices in IAM and help drive innovation in our industry. Submit your presentation proposal today at securityweekly.com/idvcfp
Hosts
- 1. Lessons From OSC&R on Protecting Software Supply Chain
- 2. How Does AI Improve Digital Experience Monitoring?
If you read very closely... between the lines... you'll find it.
The magical thinking.
- 3. The US government wants devs to stop using C and C++
Good luck with that.
- 4. Prompt Injecting Your Way To Shell: OpenAI’s Containerized ChatGPT Environment
I was floored that this was possible, and then even more floored that OpenAI knows about it, and that it's not really a security issue.
It very much FEELS like a security issue, and like I'm playing around with command injection that shouldn't be allowed. As long as it doesn't break out of the sandbox that exists around every ChatGPT chat session though, they don't seem to care.
- 5. Zero Standing Privileges: Vendor Myths vs. Reality
A lot to talk about here, both in the practicality of security principles that require you to remove 100% of unnecessary privileges, and some of the excellent examples they include of situations where ZSP won't save your bacon (which is a kosher alternative to salted pork, according to AI).
- 6. Centrally managing root access for customers using AWS Organizations
I uh, need some tips here. For a friend. I'm hoping John has some advice. Again, for a friend, not me.
- 1. Insecure use of message queue results in RCE of Citrix Virtual Apps and Desktops
Another fun writeup from Watchtowr, where they pick a product they haven't explored before, do some thinking, decide something this complex probably has a vulnerability in it, and then find one.
- 2. Will prompt engineering replace software development?
To answer the title question - no. But interesting to think about how even going from chatgpt4 to o1 requires revisiting prompts and how they work with one's LLM of choice.
This whole space is very brittle...
- 3. US politician wants to eliminate CISA
I'll try to stay away from politics, and Mr. Paul's efforts do not have much chance of success, but he wants to "eliminate" CISA due not to their appsec work, but to their attempts to debunk myths around US presidential elections.
- 4. Google using “hardened” libc++ to improve memory security in their codebase
Yes - another memory safety story, but really... I'm only sharing about 30% of those that I'm seeing right now. This is a really busy space at the end of 2024.
While we've seen some new standards for safe C, and several different compiler projects, Google is moving to use a hardened version of libc++ in their codebase. They're seeing only a 0.3% slowdown in performance - which isn't bad compared to some other projects claiming 2-5x reduction in speed.