Bringing Secure Coding Concepts to Developers – Dustin Lehr – ASW #299
Full Audio
View Show IndexSegments
1. Bringing Secure Coding Concepts to Developers – Dustin Lehr – ASW #299
When a conference positioned as a day of security for developers has to be canceled due to lack of interest from developers, it's important to understand why there was so little interest and why appsec should reconsider its approach to awareness. Dustin Lehr discusses how appsec can better engage and better deliver security concepts in a way that makes developers not only feel like their time is well used, but that the content appeals to them.
Segment Resources: - The Security Champion Program Success Guide -- A free guide that includes all steps necessary to build a successful security champion program, with real-world recommendations and examples: https://securitychampionsuccessguide.org/ - Let's Talk Software Security -- A free global virtual community where we host monthly open discussions on appsec topics: https://www.meetup.com/lets-talk-software-security/
Guest
Dustin Lehr is an accomplished software engineer turned executive cybersecurity leader who designs security programs that reinforce proactive behavior to avoid security incidents. He is the Co-founder and Chief Product and Technology Officer at Katilyst, a company dedicated to helping organizations enhance their culture by building engaging security champion programs. Dustin is also the driving force behind the Security Champion Program Success Guide (https://securitychampionsuccessguide.org/) and possesses a wealth of experience in application security, providing innovative coaching and consulting services. In addition, he is a prominent community thought leader, speaker, and founder of the “Let’s Talk Software Security” monthly open discussion meetup group (https://www.meetup.com/lets-talk-software-security/).
Hosts
2. A TLD Takeover, An LLM CTF, A Firmware Flaw, 6 Truths of Cyber Risk – ASW #299
A takeover of the MOBI TLD for $20, configuring an LLM for a CTF, firmware flaw in an SSD, Microsoft talks kernel resilience, six truths of cyber risk quantification, and more!
Announcements
Don’t lose access to the Security Weekly content you know and love - make sure that you subscribe to your favorite podcasts feeds on an alternative platform like Spotify, YouTube Music, Amazon Music, Apple Podcasts, or anywhere else you listen to podcasts! Visit securityweekly.com/subscribe to find the buttons to subscribe to each show now! We love to see your ratings and feedback so make sure to tell us what you think of the latest episodes.
Hosts
- 1. We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI
Fun read about the journey from a what-if scenario to a much larger impact than the scenario anticipated.
- 2. Taking steps that drive resiliency and security for Windows customers
Not much technical depth here, but it reinforces a secure by design principle of taking responsibility for customer outcomes -- in this case, responsibility of Microsoft to provide feature-equivalent alternatives to kernel drivers and responsibility of vendors to use those alternatives. It also makes a nice (albeit unsurprising) call-out to resiliency. Back in May 2023 we spoke with Kelly Shortridge about the relationship of chaos engineering and resiliency to security. Check it out episode 240.
- 3. Exploring Large Language Models: Local LLM CTF & Lab | Bishop Fox
I know we've seen lots of CTFs around prompt injection. It's the XSS (or SQL injection) of the LLM world.
I liked how this write up focused on a description of how they tuned the LLM and what safeguards they put in place -- including the steps to make the LLM's behavior more deterministic. It reads like the type of steps and details that would be relevant to real-world chatbots.
- 4. 6 Truths of Cyber Risk Quantification
We don't always get into risk discussions, but regular listens will know that some of my common interview questions relate to measuring impact of an appsec activity or putting an exploit into context (which is another way of saying risk). We don't dwell on CVSS scores and we prefer threat modeling discussions to talk about scenarios in ways that include context, realistic consequences, and what audiences are affected. In other words, I usually lean on the risk communication aspects -- and this article goes into many of the ways that risk communication can be better grounded with feedback loops, experience, and even some data.
- 5. RESPOND: Share your feedback about developing with Go – The Go Programming Language
We've been talking a lot about Rust lately, so it's only fair to give Go some attention. Here's a chance to influence the direction of the language and its development environment.
- 6. Node.js Security Newsletter | Node.js Secure Coding | Liran Tal
A new newsletter on Node.js and secure coding from Liran Tal. We spoke with Liran on those topics back in episode 286. He follows a nice hands-on approach to secure coding education with relevant examples from real code and with a focus on the developer's perspective.
- 1. Buffer overflow in Crucial SSDs ????
Some folks figured out that a particular version of Crucial's SSDs, with a particular firmware version have a few vulnerabilities, including a buffer overflow
