Starting with Appsec — Is It More of a Position or a Process? – ASW #264
1. Starting with Appsec — Is It More of a Position or a Process? – ASW #264
This year we've talked about vulns, clouds, breaches, presentations, and all the variations of Dev, Sec, and Ops. As we end the year, let's talk about starting things -- like starting an appsec program or an appsec career. But is there still a need for an appsec team? Or has it turned into specializations for areas like cloud security and bug bounty programs? We'll cover careers and coding, with an eye towards figuring out what modern software development looks like and where application (or product!) security fits in that model.
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
2. Randstorm, Nothing Chats, Platform Engineering, PyPI Security Audit – ASW #264
Weak randomness in old JavaScript crypto, lack of encryption in purported end-to-end encryption, a platform engineering maturity model, PyPI's first security audit, vision for a Rust specification, and more!
- 1. Randstorm: You Can’t Patch a House of Cards — Unciphered
- 2. Rivian Pushes Software Update That Breaks Infotainment System
- 3. Platform Engineering Maturity Model | CNCF TAG App Delivery
- 4. Sunbird / ‘Nothing Chats’ is Not Secure. – Texts.blog, the blog of Texts.com
- 5. GitHub – yunuscadirci/DIALStranger: details about DIAL protocol vulnerabilities
- 6. PyPI has completed its first security audit – The Python Package Index
- 7. Visual Studio Code Security: Deep Dive into Your Favorite Editor (1/3) | Sonar
- 8. Our Vision for the Rust Specification | Inside Rust Blog
- 1. Weaknesses found in wintel laptops fingerprint readers
Blackwing Intelligence dug into several laptop fingerprint readers at Microsoft's request. While the readers were correctly designed to perform fingerprint matching on the reader module itself, they had other worrisome flaws: one sensor communicated with the host in plaintext, and others were not properly validated by the laptop. Either way, the result is a potential bypass of the fingerprint check.
(Are they still referred to as "Wintel"?)
- 2. Reptar – the latest Intel microcode bug
A collection of folks at Intel and Google (including Tavis Ormandy) figured out a new bug where an opcode that was previously ignored now causes... CPU strangeness (my words, but that's the theme).
Interesting to me that Intel didn't catch this... the bug surfaced when new functionality was added to improve performance on "repeat moves" (used for string copying, as an example). One would imagine that there's a test suite that gets executed after enhancements are merged in; why wasn't this caught? It sounds like Google's testing is better than Intel's...