Check out the show notes for links to articles we covered.

Horror Stories

It’s almost Halloween, so why not celebrate with an appsec adaptation of the opening of Edgar Allan Poe’s The Raven.

Once upon a midnight dreary, while I pondered, weak and weary,

Over many a quaint and curious volume of forgotten lore—

Which I coded, error trapping, suddenly there came a tapping,

As of testing gently flapping, flapping I could not ignore—

“’Tis some insecure,” I muttered, “tapping at my logic for—

Buffer size and nothing more.”

It took me a while to settle on phrasing I liked. The following version was a close runner-up. It hinted at SQL injection instead of memory safety, but it didn’t feel like it captured an injection flaw just right.

Once upon a midnight dreary, while I pondered, weak and weary,

Over many a quaint and curious volume of forgotten lore—

Which I coded, error trapping, suddenly there came a tapping,

As of input gently snapping, snapping at my datastore—

“’Tis some insecure,” I muttered, “tapping at my datastore—

Using AND instead of OR.”