Episode #265 with Scott Norberg

Static Analysis

This week, on episode #265 of Absolute AppSec, Scott Norberg joins Seth (@sethlaw) and Ken (@cktricky) for a discussion all about Static Application Security Testing, specifically related to C# applications. Watch at https://www.youtube.com/watch?v=1Al7EpSIvrU or wherever you get your podcasts. 

To start out, Ken and Seth are excited to announce a new virtual training course on harnessing LLMs for Application Security. Set for November 7-8, this course will guide participants through threat modeling, code analysis, and efficient AppSec practices using LLMs. For those curious about tools like LangChain and Retrieval-Augmented Generation (RAG) in AppSec, register at https://training.absoluteappsec.com.

The guest for this episode, Scott, is an ASP.NET Security Consultant, Author, Researcher, and Speaker. In addition to running his Opperis Technologies consultancy, Scott has recently begun working as lead application security architect at CDW. Before that he worked as Lead Application Security Engineer at Gallagher and was a Senior Consultant with the AppSec team at Coalfire. While his original path included a degree in music and early experience in instrument repair, Scott transitioned into software development, teaching himself coding and becoming a specialist in C# and .NET. His journey into application security began with a passion for improving software resilience, and he has since become a dedicated advocate for integrating secure coding practices within development teams. Known for his developer-centric approach, Scott emphasizes clear communication and actionable remediation advice, bridging the gap between security and development. His current work at CDW focuses on building a scalable, effective AppSec program that goes beyond traditional scanning to include continuous improvement and developer training.

“Having been a developer, security is basically just a different language […], and I think some people don’t even know enough to ask questions.”

Scott

AppSec has a core tension: resource limitations versus a high volume of applications to secure. At CDW, Scott’s team consists of only three security engineers tasked with securing over 1,000 applications. This scale requires prioritizing high-impact tasks and finding ways to multiply the team’s effectiveness. Scott shared that while he can do a deep dive on individual apps with developers, such one-on-one work isn’t sustainable across the board. To counteract this, Scott focuses on empowering developers with secure coding knowledge, helping them handle basic security tasks, and avoiding introducing vulnerabilities in the first place. This approach underscores the importance of scalability in AppSec, advocating for a program that includes training and resources for development teams to share the responsibility of security. 

Alongside development teams having security knowledge, it is also important for AppSec professionals to have coding experience. Scott emphasized that many security engineers come from penetration testing backgrounds and may lack hands-on coding skills, reflecting the industry’s focus on exploitation over remediation. As a result, they sometimes struggle to communicate effectively with developers. According to Scott, developers often find security advice too generic or even irrelevant, which can create friction and frustration. For example, advising developers to “parameterize SQL queries” is outdated in environments using Object-Relational Mappers (ORMs), where SQL queries are often auto-generated. Instead, Scott believes security professionals with coding experience are better equipped to offer actionable, framework-specific advice. His insights highlight the need for AppSec engineers to stay updated on modern development practices and adapt their advice accordingly, helping bridge the gap between security findings and effective developer solutions. AppSec professionals’ willingness to widen their skill sets, whether through knowledge of secure coding, proactive testing, or developer training, can help strengthen application defenses from the ground up.

“When we’re doing code reviews, especially in those languages that we’re unfamiliar with, we spend a huge amount of time building applications [and] throwing away applications just to see how things work. Researching, looking into documentation, into recommendations. I spend so much time with Stack Overflow, or even with ChatGPT nowadays, just asking how things are structured, how things are put together. Because without that advice, I can’t […] go to a developer in good conscience and say this is a vulnerability, this needs to be fixed. […] Most code reviews are a research project.”

Seth

Scott and the hosts shared insights on conducting thorough, effective code reviews, especially when dealing with multiple frameworks. They noted that AppSec engineers must often work with languages and frameworks they may not be deeply familiar with, which turns code reviews into a research-intensive task. Scott highlighted that when security engineers lack this in-depth understanding, it can lead to generic or outdated advice, which may frustrate developers and undermine security goals. The hosts advocated for a research-based approach to code review, where engineers spend time building small applications, consulting documentation, and researching specifics for unfamiliar frameworks to ensure precise recommendations. Scott added that a good AppSec engineer develops a methodology for spotting “anti-patterns” in code: patterns that might not be inherently insecure but, based on experience, suggest potential vulnerabilities. By investing time in understanding frameworks and maintaining a growth mindset, Scott believes AppSec professionals can provide more effective guidance to developers.
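As an added illustration of the two points above, framework-specific advice in ORM environments and the kind of anti-pattern a reviewer learns to spot, here is a C# / Entity Framework Core example. It is not code from the episode, from Scott, or from any project discussed; the `AppDbContext` and `User` types and the `Users` table are hypothetical, and it assumes the Microsoft.EntityFrameworkCore package with any relational provider.

```csharp
// Added example, not from the episode or from Scott's projects.
// Assumes: the Microsoft.EntityFrameworkCore package, a relational provider,
// and a hypothetical Users table mapped to the User entity below.
using System;
using System.Linq;
using Microsoft.EntityFrameworkCore;

public class User
{
    public int Id { get; set; }
    public string Email { get; set; } = "";
    public bool IsActive { get; set; }
}

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<User> Users => Set<User>();
}

public static class UserQueries
{
    // 1. The ORM default: LINQ. EF Core generates the SQL and turns `email`
    //    into a DbParameter itself, so "parameterize your queries" is already
    //    satisfied here and a reviewer should not flag it.
    public static User? FindByEmail(AppDbContext db, string email) =>
        db.Users.SingleOrDefault(u => u.Email == email);

    // 2. The anti-pattern a C# reviewer (or a SAST rule) looks for: raw SQL
    //    assembled from user input with string interpolation or concatenation.
    //    FromSqlRaw takes a plain string, so the interpolation is resolved
    //    before the ORM ever sees the query and the input becomes SQL text.
    //    This is what SQL injection looks like in an ORM code base.
    public static User? FindByEmailRawVulnerable(AppDbContext db, string email) =>
        db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Email = '{email}'")
                .SingleOrDefault();

    // 3a. Framework-specific fix: FromSqlInterpolated accepts a FormattableString,
    //     so every {placeholder} is bound as a DbParameter, not spliced into SQL.
    public static User? FindByEmailRawSafe(AppDbContext db, string email) =>
        db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Email = {email}")
                .SingleOrDefault();

    // 3b. Equivalent fix when FromSqlRaw must be used: positional placeholders
    //     in the SQL text with the values passed as separate arguments.
    public static User? FindByEmailRawSafeParams(AppDbContext db, string email) =>
        db.Users.FromSqlRaw("SELECT * FROM Users WHERE Email = {0}", email)
                .SingleOrDefault();
}
```

The reviewable signal is the shape of the argument to `FromSqlRaw` (and to `ExecuteSqlRaw` on `db.Database`): an interpolated or concatenated string fed into the raw overload is the finding, while LINQ and the `FromSqlInterpolated` form already do what the generic "parameterize" advice asks for, which is why telling an EF Core team to "parameterize their queries" lands as noise. Two caveats worth giving developers along with the fix: in EF Core 7 and later `FromSql` is the newer name for the `FormattableString` overload, and parameters only protect values, so a table name, column name or `ORDER BY` clause taken from input still needs an allow-list rather than a parameter.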

This episode is sponsored by Redpoint Security. Redpoint specializes in “Code Security. By Coders,” which is bolstered by years of experience testing applications and conducting code reviews against all types of applications, including AI, web, and mobile. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. So check out redpointsecurity.com for more information and put your company on a path to better security.

If you haven’t yet, show your support of Absolute AppSec by visiting the merch store and picking up our limited edition Halloween items. Stay spooky! As always, join Seth and Ken in Slack.

Stay Secure,

Seth & Ken

https://youtu.be/yjsE_DSnK5w - Episode #115 - Clint Gibler’s first appearance on the podcast (yes, he’s coming back). We discuss static analysis and using semgrep to find vulnerabilities in code.

https://youtu.be/tMRH5M0rKYQ - Episode #113 - Mark Feferman joins the duo to talk about static analysis approaches with some more mature tools.

https://youtu.be/U_7zoVhVtsQ - Episode #96 - A deeper dive into the use of static analysis tools for fuzzing and instrumentation.

Absolute AppSec Happenings

https://www.dryrun.security/blog/one-year-of-using-llms-for-application-security-what-we-learned - Ken goes into detail with his experience and lessons learned utilizing LLMs for application security.

https://corgea.com/Learn/understanding-ai-and-large-language-models-(llms)-a-guide-for-security-engineers - Ahmad of Corgea brought this primer on LLMs to our attention. Good explanations for various AI components and how it all works together.

https://www.anshumanbhartiya.com/posts/the-future-of-appsec - Great article on practical use of LLMs for various application security tasks. We have been saying and performing similar tasks with LLMs for the past year and this article breaks down a methodical approach and experience for their use.

Upcoming Events

Can you spot the individuals wearing crocs and socks?

November 7-8, 2024 - Harnessing LLMs for Application Security - Virtual Training, dates may change - A newly developed course that focuses on strategies for using more than just the chat interface of an LLM to secure software.

November 21-22, 2024 - DeepSec, Vienna, Austria - Seth will be presenting “Modern vs. 0ld 5k00l” where everything old is new again.

February 14-15, 2024 - CactusCon 13, Mesa, AZ - Both Seth & Ken have submitted here and will most likely attend even if the talks and panels don’t get picked up. A great regional conference that has been running for over a decade!