Episode 258

Engaging Developers, ALBeast, Dangerous TLDs

This week on episode #258 of Absolute AppSec, Seth (@sethlaw) and Ken (@cktricky) discuss the disconnect between security and developers based on news of OWASP's San Francisco Developer Days cancellation. This also spurs some reflection on ways to encourage the evolution of security alongside application development. Finally, discussion of the recent ALBeast vulnerability and the article on dangerous internally-used TLDs from Brian Krebs. You can see the whole episode at https://youtube.com/live/lhuNdwyGbro

In the evolving landscape of application development, security is often treated as an afterthought, something handled only once the code is written and the features are implemented. This has created a growing divide between security professionals and developers, a problem that was highlighted recently when OWASP canceled its Developer Days due to low interest and participation.

In recent episodes, Seth and Ken have delved more into this gap. Security teams are focused solely on safeguarding applications, while developers are often incentivized to prioritize feature development and speed of delivery. This misalignment has resulted in security often being seen as a bottleneck rather than a core component of the software development lifecycle. 

“Unless companies give you space to go in and look at authorization, authentication, and give you space to go learn that stuff, then you’re not going to do it. I think the whole reason why we have such a hard time getting security talks into developer-specific conferences is [because] it’s not the highest priority for most organizations and most developers.”

Ken

Contrary to popular belief, developers do care about security—but they aren’t always given the time and resources to prioritize it. Many developers understand that insecure code could lead to vulnerabilities, data breaches, and serious business risks. However, with tight deadlines and a constant push for new features, security is often sidelined unless management creates spaces for it. 

To close this gap, security and developer communities need to collaborate more closely. This can be achieved by integrating security training and awareness programs directly into the environments where developers are already engaged, such as PyCon, RubyConf, and other developer-centric conferences. 

“Most of these authorization schemas are not some library that you’ve plugged into or something that’s well vetted. It’s more often than not your own custom authorization.”

Seth

Seth and Ken emphasize the importance of identifying and supporting “security champions” within development teams to encourage enthusiasm for security and help bridge this gap. These champions can help educate their peers and embed security into the development process. Identifying and nurturing these champions, whether through CTFs or internal recognition, should be a priority for every organization.

This episode was sponsored by DryRun Security. DryRun Security delivers near-instant security code reviews and feels as if you’ve just hired a team of the best AppSec code reviewers. It gathers security context in just seconds after a developer makes a change. From that gathered context, the company’s proprietary code review process interrogates each code change based on behaviors, not just static patterns. Try it free for yourself at https://dryrun.security.

Be sure to catch this episode on your preferred platform, and support the podcast by repping some merch. Join us in Slack.

Stay Secure

Seth & Ken

https://youtu.be/z05p8XlNjJw - Episode #129 - Rey Bango discusses developer relations with the duo.

https://youtube.com/live/TJyl4CESnMk - Episode #218 - Cole Cornford of Galah Cyber talks about Developer Training.

https://youtube.com/live/f1Jfxze7sfk - Episode #208 - The .zip TLD is discussed, including possible problems like the current issues from KrebsOnSecurity.

Absolute AppSec Happenings

https://www.slideshare.net/slideshow/hard-truths-your-ciso-won-t-tell-you-pdf/271536326 - Yes, the slideshare.net site is awful, but the general consensus on Travis McPeak’s presentation is agreement. No one in the channel is pushing back on any of the analysis. Are we just resigned to it?

https://tldrsec.com/p/tldr-every-ai-talk-bsideslv-blackhat-defcon-2024 - We always seem to link to Clint’s work, but this resource of all the AI-related talks from #hackersummercamp is a good starting spot on current research and activity so you can stay up-to-date.

https://ian.sh/tsa - Bypassing Airport Security via SQL Injection. Feeling a little torn on this, as outdated software exists in most Fortune 500 companies. Overall a good gut-check and solid research. It is definitely irresponsible to have something publicly available and this vulnerable, but we could also point at a multitude of other organizations that suffer from similarly outdated applications.

Upcoming Events

September 12, 2024 - AppSec & DevSecOps Summit Melbourne 2024 - Melbourne, Australia

September 26-27, 2024 - OWASP Global AppSec San Francisco - San Francisco, CA

October 2-3, 2024 - Practical Secure Code Review - AI Enhanced - Virtual Training