Dangerous Errors
  • The ASW September 2024 Recap Oct 4, 2024

    September was bookended by news-heavy segments, with some security awareness and bot defenses squeezed in between.

    Lots of News (ep. 298)

    Our first episode of the month gave us a chance to catch up on a backlog of news articles. We talked about the engineering decisions that go into paying down tech debt – particularly when and why. Then some lessons learned in implementing SSO. Refactoring into Rust has been a repeated topic, but this time I used a vuln in Rust-based code to talk about expectations of behavior for an API, and John found an example of refactoring into…OCaml (!?).

    Security Awareness (ep. 299)

    Dustin Lehr walked us through why an OWASP Dev Day was canceled and some constructive steps to make outreach and engagement for developers more successful. One thing I’d love to see is more appsec appearances at developer conferences. We also talked about where the impact of security awareness can be most effective, such as targeting architects and frameworks.

    API Security & Bots (ep. 300)

    Next, David Holmes joined us in a sponsored interview about the interconnected challenges of securing APIs and swatting away bots. We talked about the impacts of both, with a highlight on how bots target where the value lies within an app, why that’s closely related to business logic, and why it’s so important to use threat models to identify weaknesses in business logic. After all, such attacks rarely rely on the obviously unnatural payloads of SQL injection and cross-site scripting.

    News Round Up (ep. 301)

    Technically, the final episode of September was recorded in October, but that feels like the kind of redirect appropriate for an episode number matching an HTTP status code. This time around Farshad Abasi joined me to talk about cars, CUPS, cloud native checklists, and password composition.

  • The ASW August 2024 Recap Sep 6, 2024

    August added one more appsec calculus intro. I had to carry the one over from July.

    Security Champions Programs (ep. 294)

    What a fun start to have Marisa Fagan talk about the OWASP Security Champions Guide! She’s been building security cultures and security champions programs for a while. There are some familiar angles like aligning incentives, but also important items that orgs often overlook, such as what a security champion is in the first place and the skills important to curating a program.

    Appsec at Startups (ep. 295)

    Next up, Kalyani Pawar talked about appsec at start-ups and what it looks like to go from no security to some security – and how to make that “some security” effective. Some of her insights hearkened back to the previous week, particularly on setting up security so it scales.

    CrowdStrike Fiasco & Fallout (ep. 296)

    In week three, we turned from scaling security to a security-related outage of significant scale. Allie Mellen and Jeff Pollard shared insights and lessons learned from the CrowdStrike outage. It was a chance to talk about secure design, security requirements, and software quality.

    IoT Security (ep. 297)

    Finally, Paddy Harrington wrapped up the month with a discussion about IoT security, which also touched on secure design (and, unsurprisingly, the lack thereof). But we also talked about security labeling, what burdens the consumer should bear, and just how old is too old for a device?

  • The ASW July 2024 Recap Aug 2, 2024

    July might be summer break, but we shouldn’t let our appsec calculus skills degrade. Each week’s intro presented a different appsec word problem, starting with:

    A CVE departs a station at 10am.

    It has an unreachable destination.

    At what time does an appsec team say it needs to be fixed?

    Make sure to show your work.

    Appsec Calculus (ep. 290)

    Shout out to Sandy Carielli and Janet Worthington for not only returning to the show, but bringing a wonderfully titled topic to discuss, “Ludicrous Speed — Because Light Speed Is Too Slow To Secure Your Apps”. They covered pre-release and post-release code concerns, such as secure design, DevOps maturity levels, business logic, and bots. Their research comes from talking with a range of practitioners across several industries, which grounds their insights and ideas in reality.

    AI & Auto-Fixing Code (ep. 291)

    Stuart McClure walked through the implications in trusting AI and LLMs to find flaws and fix code. The fixing part is compelling – as long as that fix preserves the app’s intended behavior. He explained how LLMs combined with agents and RAGs have the potential to assist developers in writing secure code.

    A Realist Approach to Generative AI & Appsec (ep. 292)

    We talked even more AI with Allie Mellen, who pointed out where elements of LLM might help with reporting and summarizing knowledge and where they fall short of basic security practices. LLMs won’t magically create an asset inventory, nor will they have context about your environment or your approach to risk. She also noted where AI has been present for years already – we just call it machine learning as applied to things like fraud detection and behavioral analysis.

    Managing Paranoia (ep. 293)

    Then we checked our appsec formulas against a CISO’s perspective with Paul Davis. He talked about driving behavioral change at the org level – a different and more challenging prospect than individuals. But he also focused on the security problems that individuals in dev teams and appsec teams alike face, whether it’s figuring out where to fit in AI or how to get beyond chasing CVEs one by one.

  • The ASW June 2024 Recap Jul 5, 2024

    June sped by! We had one more interview segment from RSA and lots of discussions about open source supply chain and standards.

    Supporting Open Source Projects (ep. 287)

    Luis Villa talked about how the unsteady and unpredictable support for open source projects underscores the challenge faced not only by XZ Utils, but by many other projects – even popular ones. He talked about efforts to support open source projects financially. And, since XZ Utils was topical, we walked through some of a project maintainer’s responsibilities and how to lessen that burden over time.

    Just the News (ep. 288)

    Next up was news! We had the full crew together with Akira Brand and John Kinsella. We covered some vulns in unusual places – laundry machines and modems. We covered some unusual design gaps in Microsoft’s Recall. And I marked the anniversary of PHP version 1.0 that first appeared on June 8, 1995.

    OAuth 2.0 and More! (ep. 289)

    We closed out the month with OAuth. Aaron Parecki explained that not only is OAuth 2.0 more than a single spec, it’s not always interoperable and not always secure. The good news is that there are new specs that attempt to refine interoperability and define defaults that make it more secure. Aaron shared a lot of great insights from following these specs for over a decade!

  • The ASW May 2024 Recap Jun 7, 2024

    May was hectic! It was light on news segments since our second segments were mostly occupied with short interviews from RSA Conference 2024.

    But that means you might be interested in our April Fools episode where we covered some stories from the RSA Conference 20 years ago in 2004. Although this year was almost all AI, the other security topics didn’t sound much different from those two decades ago. Give it a listen in [episode 279].

    AI & Hype & Security (Oh My!) (ep. 284)

    In the first interview segment, Caleb Sima demystified some of the hype around AI and pointed out how a lot of its security needs match its mundane predecessors. We didn’t get into defining all the different types of AIs, but we did identify the need for more focus on identity and authenticity in a world where LLMs craft user-like content.

    Then Keith Hoodlet stopped by to talk about his first-place finish in the DoD’s inaugural AI Bias bug bounty program. He showed how manipulating prompts leads to unintentional and undesired outcomes. Keith also explained how he needed to start fresh in terms of techniques since there are no deep resources on how to conduct these kinds of tests.

    Be sure to check these out for my “walks into a bar” intros ;)

    OWASP Top 10 for LLMs (ep. 285)

    The AI conversations continued with Sandy Dunn, who shared how the OWASP Top 10 for LLMs came about and how it continues to evolve. We talked about why this Top 10 has a mix of items specific to LLMs and items that are indistinguishable from securing any other type of software. It reinforced a lot of the ideas that we had talked about with Caleb the week before.

    Secure Coding in Node.js (ep. 286)

    The next week we noted techniques in secure coding for Node.js. Liran Tal shared concepts from his new book and discussed how he approaches secure coding classes in general. He comes from a development background, which is always a plus when bringing appsec concepts into code.

    Fiercely Territorial (ep. 235, replay)

    For the final week, we pulled an episode from April 2023 with Ben Sadeghipour. His background in building communities around bug bounties, not to mention bagging some significant bounties himself, remains just as relevant today. After all, there’s still plenty of insecure software out there and a ton of web sites waiting for review.



Cybersecurity and more | © Mike Shema