Security from a Developer’s Perspective – Josh Goldberg – ASW #262
A lot of appsec conferences have presentations for appsec audiences -- but that's not often the group that's building apps. What if more developer conferences had appsec content? We talk with Josh about security from the developer's point of view, both as an audience hearing about it and as a presenter talking about it. We discuss the importance of knowing your audience and finding the hooks in security tools and topics that can resonate with developers.
Segment resources:
Details of the Citrix Bleed vuln, exploitation of the Atlassian improper authorization vuln, so many jQuery installations to upgrade, the price of bounties and the cost of fixes, Microsoft's Secure Future Initiative, and more!
Visit https://securityweekly.com/asw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/secweekly
Like us on Facebook: https://www.facebook.com/secweekly
Full Audio
Segments
1. Security from a Developer’s Perspective – Josh Goldberg – ASW #262
A lot of appsec conferences have presentations for appsec audiences -- but that's not often the group that's building apps. What if more developer conferences had appsec content? We talk with Josh about security from the developer's point of view, both as an audience hearing about it and as a presenter talking about it. We discuss the importance of knowing your audience and finding the hooks in security tools and topics that can resonate with developers.
Segment resources:
Announcements
You can now find us on Instagram! Follow us for highlight reels, giveaway announcements, and more at SecWeekly.
Guest
Josh Goldberg is a frontend developer with a passion for open source, static analysis, and the web. He is the author of O’Reilly’s Learning TypeScript and a full time open source maintainer who contributes regularly to TypeScript and open source projects in its ecosystem, such as typescript-eslint and TypeStat. His past work includes spearheading Codecademy’s usage of TypeScript and helping create its Learn TypeScript course, and architecting rich client applications at Microsoft. His projects range from static analysis to meta-languages to re-creating retro games in the browser. Also cats.
2. Citrix Bleed, Atlassian Authz Vuln, OpenJS & jQuery, Secure Future Initiative – ASW #262
Details of the Citrix Bleed vuln, exploitation of the Atlassian improper authorization vuln, so many jQuery installations to upgrade, the price of bounties and the cost of fixes, Microsoft's Secure Future Initiative, and more!
Hosts
- 1. Citrix Bleed: Leaking Session Tokens with CVE-2023-4966
This is a very Heartbleed-like vuln with a very informative write-up from Assetnote. It's also a good reminder that rewriting code to use more secure functions (like sprintf to snprintf) doesn't always make code more secure.
- 2. CVE-2023-22518 – Improper Authorization Vulnerability In Confluence Data Center and Server | Atlassian Support
I grabbed this more as an example of vendor-driven emphasis on risk and its degree of transparency. Maybe it's even a chance to experiment with how CVSS 4.0 would represent this vuln.
- 3. OpenJS Foundation Warns Consumer Privacy and Security at Risk in Three-Quarters of a Billion Websites
To quote from the article, they “...estimated that of the 1.9 billion websites worldwide, almost 90% use the open source software jQuery, and one-third of those, over three-quarters of a billion sites, require an upgrade.”
I don't know that those upgrades have a direct security consequence, but the prospect of upgrading a few billion sites seems daunting.
- 4. Hackers Surpass $300 Million in All-Time Earnings on the HackerOne Platform
This is a lot of money to find flaws. I'm still curious how the cost to fix those flaws compares
- 5. A new world of security: Microsoft’s Secure Future Initiative – Microsoft On the Issues
Microsoft is moving to embrace more secure design choices and memory safe languages in an initiative reminiscent of the Trustworthy Computing push from 20 years ago.
Check out more of the engineering ideas at https://www.microsoft.com/en-us/security/blog/2023/11/02/announcing-microsoft-secure-future-initiative-to-advance-security-engineering/.
- 6. FUN: Caricatures of Security People
Hopefully you won't recognize yourself in this list, but you probably recognize someone you've worked with. (And maybe ask a friend if they think you're on the list.)
