Crafting Security Training for Secure Code and Security Culture – Marudhamaran Gunasekaran – ASW #226
Developers write code. Ideally, secure code. But what do we mean by secure code? What should secure code training look like?
Marudhamaran Gunasekaran is a Security Consultant at Practical DevSecOps with strong passion for securing software development through training and consulting.
He enjoys working with Engineering and Operations teams to seamlessly imbibe the security mindset even before a single line of code is written. He is the developer and maintainer of the OWASP ZAP Dot Net API and you would find him speaking at various meet up groups and conferences on topics related to Agile Software Development and Security. Some of his certifications include Azure Certified Security Engineer, Microsoft Certified Trainer, ISO 27001 Lead Auditor, Professional Scrum Master I, II, and III, Certified DevSecOps Professional. His specialties are DevSecOps, Agile Coaching, Scrum, Microsoft Stack, threat modelling, and Auditing. He is a part of TUDelft Universities’ MOOC courseware for Global software engineering, and an author at Pluralsight.
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Breach Disclosures, SSRF in Azure, Integer Flaws, Top 10 Web Hacking Techniques – ASW #226
Breach disclosures from T-Mobile and PayPal, SSRF in Azure services, Google Threat Horizons report, integer overflows and more, Rust in Chromium, ML for web scanning, Top 10 web hacking techniques of 2022
Mike Shema
- T-Mobile hacked to steal data of 37 million accounts in API data breach
- PayPal Breach Exposed PII of Nearly 35K Accounts
- How Orca Found Server-Side Request Forgery (SSRF) Vulnerabilities in Four Different Azure Services
- Examples of problems with integers
Integer overflow in .gitattributes handling CERT-EU-SA2023-002
- LLMs: a bleak future ahead? – lcamtuf’s thing
- Project Bishop: Clustering Web Pages – NCC Group Research
- Google Online Security Blog: Supporting the Use of Rust in the Chromium Project
- Top 10 web hacking techniques of 2022 – nominations open | PortSwigger Research
- TOOL: Explainshell
John Kinsella
- Google Threat Horizons Report – Anton Chuvakin’s summary
Dr. Chuvakin does a nice summary of Google's 26 page report. Looks like we haven't quite solved the IAM issues in the cloud, quite yet...
- Guy scans all of PyPi, finds 57 live AWS keys
We've covered not storing credentials in git repos. Everybody has. OK so this is slightly different, but stop doing it, dammit.
This means you too, Amazon.
- Stroustrup: C++ is plenty safe!
The creator of C++ claims that modern C++ isn't necessarily unsafe, and asks what does safety mean in a programming language, anyways.
BTW he's displeased that nobody from the NSA reached out to the ISO C++ working group, where apparently even short missives about how a language isn't dying require being published as a PDF.
- Pwning the “all Google phone” – with a non Google bug
This article is part supply-chain related, part deep-dive into GPU memory management, part one large corp taking a dig at another large corp that has a history of punching people in the nose over security disclosure timelines. But really, a good deep dive on android security and GPU memory management.
- Git patches 2 remote code execution flaws
