Uniting software development and application security – Jonathan Schneider, Will Vandevanter – ASW #342
Maintaining code is a lot more than keeping dependencies up to date. It involved everything from keeping old code running to changing frameworks to even changing implementation languages. Jonathan Schneider talks about the engineering considerations of refactoring and rewriting code, why code maintenance is important to appsec, and how to build confidence that adding automation to a migration results in code that has the same workflows as before.
Resources
Then, instead of our usual news segment, we do a deep dive on some recent vulns NVIDIA's Triton Inference Server disclosed by Trail of Bits' Will Vandevanter. Will talks about the thought process and tools that go into identify potential vulns, the analysis in determining whether they're exploitable, and the disclosure process with vendors. He makes the important point that even if something doesn't turn out to be a vuln, there's still benefit to the learning process and gaining experience in seeing the different ways that devs design software. Of course, it's also more fun when you find an exploitable vuln -- which Will did here!
Resources
Jonathan is the visionary who founded OpenRewrite, an open-source auto-refactoring tool, at Netflix and went on to found the Micrometer project as a member of the Spring Team. He was a Senior Software Engineer at Gradle and a Senior Engineering Manager at Pivotal. Jonathan is the author of “SRE with Java Microservices” and a co-author of “Automated Code Remediation: How to Refactor and Secure the Modern Software Supply Chain,” (both from O’Reilly).
Will Vandevanter is a Security Engineer at Trail of Bits on the AI/ML team, where he specializes in identifying security gaps in AI/ML systems for industry-leading companies. Will has previously spoken at Blackhat, DEFCON, OWASP Global AppSec and a number of other conferences. He has also released popular open source tools and trained hundreds through in-person and online courses.
Mike Shema
- Project Zero: Policy and Disclosure: 2025 Edition
- Who’s SHA is it Anyway: Bypassing Google Cloud Build Comment Control for $30,000 | Adnan Khan’s Blog
- We Asked 100+ AI Models to Write Code. Here’s How Many Failed Security Tests. | Veracode
- FYI: NEW FREE Course: Introduction to JavaScript Security (LFS184) – Linux Foundation – Education
- FYI: An important update (and apology) on our PoisonSeed blog | Expel
An update on the article we covered back in episode 340. In the episode we used the opportunity to talk about the problem of account recovery (and noted that even the article indicated there was no FIDO bypass), but it's still important to note the transparency in updating the article.
It's always useful to use the nuances of account recovery and supporting multiple authentication methods to discuss user experience and secure design.
