Who are the experts

These are certainly strange times we are living in. None of us will ever forget what’s happening and we will all retell stories for the rest of our days. Many of us asked “tell me about the depression, grandma”; similar questions will be asked of us someday. The whirlwind of confusion and chaos got me thinking about advice and who we listen to. Most of us know a staggering number of people who are apparently experts in immunology. I have no intention of talking about the politics of the current times; goodness knows nobody in their right mind should care what I think. What all this does have me pondering is what experts are and how we can decide who we should listen to. ...

April 7, 2020

Episode 190 - Building a talent "ecosystem"

Josh and Kurt talk about building a talent ecosystem. What starts out as an attempt by Kurt to talk about Canada evolves into a discussion about how talent can evolve, or be purposely grown. Canada’s entertainment industry and Unit 8200 are good examples of this.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_190_Building_a_talent_ecosystem.mp3
Show Notes: SCTV Red Team Project Moon Shot book AvE channel Turning a tree root into a bowl Mailing the Hope Diamond The Ecosystem
Show Tags: #securitytalent #talentecosystem
Comment on Twitter with the #osspodcast hashtag ...

April 5, 2020

Episode 189 - Video game hackers - speedrunning

Josh and Kurt talk about video games and hacking. Specifically how speed runners are really just video game hackers.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_189_Video_game_hackers_speedrunning.mp3
Show Notes: Developer speedrun commentary Super Mario World end credits glitch explained Mario 3 RCE Breath of the Wild speedrun Super Metroid reverse boss order TMR beats every NES game
Comment on Twitter with the #osspodcast hashtag

March 30, 2020

Part 6: What do we do now?

Well, we’ve made it to the end. What started out as a short blog post ended up being 7 posts long. If you made it this far I commend you for your mental fortitude. I’m going to sum everything up with these 4 takeaways.

Understand the problem we want to solve
Push back on scanner vendors
Work with your vendors
Get involved in open source

Understand the problem we want to solve

In security it’s sometimes easy to lose sight of what we’re really trying to do. Running a scanner isn’t a goal in itself, the goal is to improve security, or it should be if it isn’t. Make sure you never forget what’s really happening. Sometimes in the excitement of security, the real reason we’re doing what we do can be lost. ...

March 26, 2020

Part 5: Which of these security problems do I need to care about?

If you just showed up here, go back and start at the intro post, you’ll want the missing context before reading this article. Or not, I mean, whatever. I’ve spent the last few posts going over the challenges of security scanners. I think the most important takeaway is we need to temper our expectations. Even a broken clock is right twice a day. So assuming some of the security flaws reported are real, how can we figure out what we should be paying attention to? ...

March 25, 2020

Part 4: Application scanning

We’ve already discussed the perils of code and composition scanning. If you’ve not already read those, you should go back to the beginning. Now we’re going to discuss application scanning. The basic idea here is we have a scanner that interacts with a running application and looks for bugs. The other two scanners run against static content. A running application is dynamic and ever changing. If we thought code scanning was hard, this is even harder. Well it can be harder, it can also be easier. Sometimes. ...

March 24, 2020

Episode 188 - Depressing news sucks, we're talking about cheating in video games

Josh and Kurt talk about video games. Yeah, video games. Specifically about cheating in video games. There’s a lot of other security themes in the discussion. With the news being horrible these days, we needed to talk about something fun.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_188_Depressing_news_sucks_were_talking_about_cheating_in_video_games.mp3
Show Notes: Penny Arcade Banned from Fortnite Apollo Robbins, world’s best pickpocket
Comment on Twitter with the #osspodcast hashtag

March 23, 2020

Episode 187 - Wireguard vs IPsec: the OK Boomer of security

Josh and Kurt talk about Wireguard. There have been a lot of recent conversations about it and if it’s better or worse than other VPN solutions. It’s safe to say in our modern age, less is usually more, especially when it comes to security. Wireguard has a lot going for it, it can’t be ignored.
https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_187_Wireguard_vs_IPsec_the_OK_Boomer_of_security.mp3
Show Notes: Replacing a Nintendo Switch fan WireGuard Hacker News discussion
Show Tags: #wireguard #IPSec
Comment on Twitter with the #osspodcast hashtag ...

March 15, 2020

Part 3: Composition scanning

If you just showed up here, go back and start at the intro post, you’ll want the missing context before reading this article. In this post we’re going to talk about a newer type of scanner called a composition scanner. The idea here is when you build an application today it’s never just what you wrote. It also includes source code from a large number of other sources. Usually these other sources are open source. ...

March 12, 2020

Part 2: Scanning the code

If you just showed up here, go back and start at the intro post, you’ll want the missing context before reading this article. The first type of scanner we’re going to cover is the source code scanner. It seems fitting to start at the bottom with the code that drives everything. Every software project has source code. It doesn’t matter what language you use. Some is compiled, some interpreted, it’s all still source code. The idea behind a source code scanner is to review the code a human wrote and find potential security problems with it. This sounds easy enough in theory, but it’s extremely difficult in practice. ...

March 11, 2020