Check out the show notes for links to articles we covered.

The Case of Bad Appsec Advice

It was another Monday morning. The sign on the door said Private Investigator.

But the sign below that said Closed, and I was saying yes to a third cup of coffee.

It was cold and bitter, like a C++ programmer at a Rust conference.

My partner was out of town, looking into a counterfeit fashions case, but that was like bad security metrics – a lot of questionable value and misleading labels.

I stared at a March Madness bracket, thinking appsec could use a tournament of its own to eliminate poor advice.

I thought about this some more as I walked down to my local donut shop to use their public WiFi, where I checked my email and scanned a QR code to see their menu.

In the last twenty years, donuts had become twice as expensive and appsec advice about half as useful.

After all, I had a patched device, HSTS, and WebAuthn.