Recently there was a thread on Twitter I stuck my nose into about appsec and why it doesn’t work. I have a response in there that I believe is a nice way to explain my biggest problem with appsec. I would sum it up as “Appsec isn’t people”. Here is a clever image to help.Continue reading “Appsec isn’t people”
Category Archives: SecurityBlog
Why you can’t backdoor cryptography
Once again the topic of backdooring cryptography is in the news. The same people will fight the same fight. Again. So far sanity has prevailed every time we do this, but that doesn’t mean anyone should sit this one out. Make sure you tell everyone to pay attention and care. Trustworthy cryptography is too important.Continue reading “Why you can’t backdoor cryptography”
The security of dependencies
So you’ve written some software. It’s full of open source dependencies. These days all software is full of open source, there’s no way around it at this point. I explain the background in my previous post. Now that we have all this open source, how do we keep up with it? If you’re using aContinue reading “The security of dependencies”
Supplying the supply chain
A long time ago Marc Andreessen said “software is eating the world”. This statement ended up being quite profound in hindsight, as most profound statements are. At the time nobody really understood what he meant and it probably wasn’t until the public cloud caught on that it became something nobody could ignore. The future ofContinue reading “Supplying the supply chain”
Security isn’t a feature
As CES draws to a close, I’ve seen more than one security person complain that nobody at the show was talking about security. There were an incredible number of consumer devices unveiled, no doubt there is no security in any of them. I think we get caught up in the security world sometimes so weContinue reading “Security isn’t a feature”
Misguided misguidings over the EU bug bounty
The EU recently announced they are going to sponsor a security bug bounty program for 14 open source projects in 2019. There has been quite a bit of buzz about this program in all the usual places. The opinions are all over the place. Some people wonder why those 14, some wonder why not more.Continue reading “Misguided misguidings over the EU bug bounty”
2018 Christmas Special – Is Santa GDPR compliant?
Josh and Kurt talk about which articles of the GDPR apply to Santa, and if he’s following the rules the way he should be (spoiler, he’s probably not). Should Santa be on his own naughty list? We also create a new holiday character – George the DPO Elf! Show Notes David Sedaris Santaland Canadian Tire Ice TruckContinue reading “2018 Christmas Special – Is Santa GDPR compliant?”
What’s up with backdoored npm packages?
This is just how open source works, and that’s OK
Dependencies in open source
If you visit github.com to download code to include in your project, or you visit stack overflow for help, or if you find snippits using a search engine, you have open source dependencies
Targeted vs General purpose security
There seems to be a lot of questions going around lately about how to best give out simple security advice that is actionable. Goodness knows I’ve talked about this more than I can even remember at this point. The security industry is really bad at giving out actionable advice. It’s common someone will ask what’sContinue reading “Targeted vs General purpose security”
