View More ASW Episodes

Starting with Appsec — Is It More of a Position or a Process? – ASW #264

This year we’ve talked about vulns, clouds, breaches, presentations, and all the variations of Dev, Sec, and Ops. As we end the year, let’s talk about starting things — like starting an appsec program or an appsec career. But is there still a need for an appsec team? Or has it turned into specializations for areas like cloud security and bug bounty programs? We’ll cover careers and coding, with an eye towards figuring out what modern software development looks like and where application (or product!) security fits in that model. Segment resources https://owaspsamm.org https://www.microsoft.com/en-us/security/blog/2023/11/02/announcing-microsoft-secure-future-initiative-to-advance-security-e...

Full Show Notes
Segment One

Starting with Appsec — Is It More of a Position or a Process? – ASW #264

This year we've talked about vulns, clouds, breaches, presentations, and all the variations of Dev, Sec, and Ops. As we end the year, let's talk about starting things -- like starting an appsec program or an appsec career. But is there still a need for an appsec team? Or has it turned into specializations for areas like cloud security and bug bounty programs? We'll cover careers and coding, with an eye towards figuring out what modern software development looks like and where application (or product!) security fits in that model.

Segment resources

Announcements

  • We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!

Segment Two

Randstorm, Nothing Chats, Platform Engineering, PyPI Security Audit – ASW #264

Weak randomness in old JavaScript crypto, lack of encryption in purported end-to-end encryption, a platform engineering maturity model, PyPI's first security audit, vision for a Rust specification, and more!

List of Articles

Mike Shema

  1. Randstorm: You Can’t Patch a House of Cards — Unciphered
  2. Rivian Pushes Software Update That Breaks Infotainment System
  3. Platform Engineering Maturity Model | CNCF TAG App Delivery
  4. Sunbird / ‘Nothing Chats’ is Not Secure. – Texts.blog, the blog of Texts.com
  5. GitHub – yunuscadirci/DIALStranger: details about DIAL protocol vulnerabilities
  6. PyPI has completed its first security audit – The Python Package Index
  7. Visual Studio Code Security: Deep Dive into Your Favorite Editor (1/3) | Sonar
  8. Our Vision for the Rust Specification | Inside Rust Blog

John Kinsella

  1. Weaknesses found in wintel laptops fingerprint readers

    Blackwing Intelligence dug into several laptop fingerprint readers at Microsoft's request. While the readers were correctly designed to perform fingerprint matching on the reader module, they had other worrisome flaws: One sensor communicated in plaintext, others were not being properly validated by the laptop. The result, either way, is potential for bypass.

    (Are they still referred to as "Wintel"?)

  2. Reptar – the latest Intel microcode bug

    A collection of folks at Intel and Google (including Tavis Ormandy) figured out a new bug where a opcode that was previously ignored now causes...CPU strangeness (my words, but that's the theme).

    Interesting to me that Intel didn't catch this...the bug surfaced when new functionality was added to improve performance on "repeat moves" - used for string copying, as an example. One would imagine that there's a test suite that gets executed after enhancements are merged in - why wasn't this caught? It sounds like Google's testing is better than Intel's...

Show More

Stay in the Know, No Smoke and Mirrors – Join Our Newsletter

Get expert insights and technical breakdowns straight to your inbox.
Join Now

Related Episodes

Related Content

You can skip this ad in 5 seconds