If you just showed up here, go back and start at the intro post, you’ll want the missing context before reading this article. The first type of scanner we’re going to cover are source code scanners. It seems fitting to start at the bottom with the code that drives everything. Every software project has source code. It doesn’t matter what language you use. Some is compiled, some interpreted, it’s all still source code. The idea behind a source code scanner is to review the code a human wrote and find potential security problems with it. This sounds easy enough in theory, but it’s extremely difficult in practice. ...

This post is the first part in a series on automated security scanners. I explain some of the ideas and goals in the intro post, rather than rehashing that post as filler, just go read it, rehashing content isn’t exciting. There are different kinds of security scanners, but the problem with all of them is basically the same. The results returned by the scanners are not good in the same way catching poison ivy is not good. The more you have, the worse it is. The most important thing to understand, and the whole reason I’m writing this series, is that scanners will get better in the future. How they get better will be driven by all of us. If we do nothing, they will get better in a way that might not make our lives easier. If we can understand the current shortcomings of these systems, we can better work with the vendors to improve them in ways that will benefit everyone. ...

Are you running a security scanner? It seems like everyone is doing it, maybe it’s time to get with it. It’s looking like automated security scanning is the next stage in the long winding history of the security industry. If you’ve never run one of these scanners that’s OK. I’m going to explain what they are, how they work, how we’re not using them correctly, and most importantly, what you can do about it. If you are running a scanner I’m either going to tell you why you’re doing it wrong, or why you’re doing it REALLY wrong. If you’re a vendor who builds a security scanner I assure you I understand there is a high probability I am indeed an idiot and don’t know what I’m talking about. I’m sure everything will be fine. ...

Josh and Kurt talk to Tony Meehan from Elastic (formerly Endgame) about endpoint detection, response, protection, and even SIEM. Tony has a great history coming from the NSA and has a number of great stories to help understand the topics. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_186_Endpoint_security_with_Tony_Meehan.mp3 Show Notes Tony Meehan Rob Joyce on Disrupting Nation State Hackers Bobby Filar living off the land blog Dwell time graph Snowboarder vs Tree Show Tags #EndpointSecurity Comment on Twitter with the #osspodcast hashtag ...

Josh and Kurt talk about the Linux Foundation Census 2. There is a lot of talk around how to fix open source security, but the reality is we can’t fix it. We need to stop trying to fix what isn’t broken and engineering around the system we have, not the system we want. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_185_Is_it_even_possible_to_fix_open_source_security.mp3 Show Notes Linux Foundation Census 2 Core Infrastructure Initiative Comment on Twitter with the #osspodcast hashtag ...

Josh and Kurt talk about the sale of the corp.com domain. Is it going to be the end of the world, or a non event? We disagree on what should happen with it. Josh hopes an evildoer buys it, Kurt hopes for Microsoft. We also briefly discuss the CIA owning Crypto AG. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_184_Its_DNS_Its_always_DNS.mp3 Show Notes corp.com is for sale CIA owned Crypto AG Comment on Twitter with the #osspodcast hashtag ...

Josh and Kurt talk about a huge working from home experiment because of the the Coronavirus. We also discuss some of the advice going on around the outbreak, as well as how humans are incredibly good at ignoring good advice, often to their own peril. Also an airplane wheel falls off. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_183_The_great_working_from_home_experiment.mp3 Show Notes Work from home Hacker News discussion CDC advice How to wash your hands Air Canada flight without running wather Airplane wheel falling off Comment on Twitter with the #osspodcast hashtag ...

Josh and Kurt talk about open source maintainers and building communities. While an open source maintainer doesn’t owe anyone anything, there are some difficult conversations around holding back a community rather than letting it flourish. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_182_Does_open_source_owe_us_anything.mp3 Show Notes Actix-web story Lodash Possible Lodash security issue Javascript libraries are almost never updated Ularn Comment on Twitter with the #osspodcast hashtag

Josh and Kurt talk about SIM swapping. What is it, how does it work. Why should you care? There’s not a ton you can do to protect yourself, but we go over some of the basic concepts and what to watch out for. It’s unfortunate this is still a problem. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_181_The_security_of_SIM_swapping.mp3 Show Notes Five Major US Wireless Carriers Are Vulnerable to SIM Swapping Edmonton Police SIM swap website Show Tags #SIMSwap Comment on Twitter with the #osspodcast hashtag ...

Josh and Kurt talk about two recent vulnerabilities that have had very different outcomes. One was the Citrix remote code execution flaw. While the flaw is bad, the handling of the flaw was possibly worse than the flaw itself. The other was the Microsoft ECC encryption flaw. It was well handled even though it was hard to understand and it is a pretty big deal. As all these things go, fixing and disclosing vulnerabilities is hard. ...