Security Weekly
Application Security WeeklySubscribe
Application security, DevSecOps

BBPLR, API Security Trends, Memory Unsafety, & Patching 0-Days – ASW #139

Funding bounties or finding bugs, how should we invest? Talks from Enigma Conference on memory unsafety and 0-days. Coming trends in API security and a review of research from 2020.

Full episode and show notes

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Hosts

Mike Shema
Mike Shema
Tech Lead at Block
  1. 1. Bug Bounty Program of Last Resort
    This paper answers what it might cost to fund bounties for critical open-source projects. Which also raises a question of what might it cost to fund code refactoring and hardening for critical open-source projects. It also references a paper from WEIS 2019 (https://weis2019.econinfosec.org/wp-content/uploads/sites/6/2019/05/WEIS_2019_paper_36.pdf). We talked about this conference and a few papers back in episode 136.
  2. 2. Google’s Payout to Bug Hunters Hits New High
    As a bug bounty of first resort, Google pays quite a bit for software flaws in Android, Chrome, and its other properties. But it's nowhere near the scale suggested in the other article this week about the bounty of last resort.
  3. 3. API Security Trends
    Another vendor state of security report, this time with a focus on what incidents have been hitting APIs. Read it along with their take on "OpenAPI Specification: Perception vs. Reality" (https://devops.com/openapi-specification-perception-vs-reality/) and how the industry might improve API security.
  4. 4. NCC Group’s 2020 Annual Research Report
    A wealth of reading for research, tools, and presentations from 2020. Each item has helpful context so you can choose what appeals to your interests or what might be relevant to your organization.
  5. 5. Establishing a Scalable Collaboration Between Security and DevOps
    A discussion of research on DevOps skillsets, what organizations are worried about, where containers fit within a DevOps strategy, and where Security sits among all this. And for bonus reading material, check out their other article about keeping Availability on the Security radar (https://capsule8.com/blog/bringing-your-a-game-availability-for-security-people-2/).
  6. 6. Quantifying Memory Unsafety and Reactions to It
    A talk from Enigma 2021 that brings data to the journey of understanding the implications of C and C++. How much does programming language choice affect software security? How much _has_ programming language choice impacted the population of vulns?
  7. 7. The State of 0-Day in-the-Wild Exploitation
    A talk from Enigma 2021 that brings data to the discussion of finding vulns and patching them. Check out the companion article on Project Zero at https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html
  8. 8. Privacy and Security Nutrition Labels to Inform IoT Consumers
    A talk from Enigma 2021 that brings visualization and communication of security and privacy issues in IoT to consumers. Find out more about these labels on their site at https://www.iotsecurityprivacy.org.
John Kinsella
John Kinsella
Co-founder & CTO at Cysense
  1. 1. Apple patches 28 code execution vulnerabilities
    Apple released updated info about what was patched in last week's ios/watchos/tvos/macos updates. Quite a few bugs...
Matt Alderman
Matt Alderman
VP, Product at Living Security

Related

Application security
All the News — Just Six Months Later – ASW #265

We cover appsec news on a weekly basis, but sometimes that news is merely about the start of a new project, sometimes it's yet another example of a vuln class, and sometimes it's a topic we hope doesn't become a trend. So, what themes have we seen and where do we see them going? Here are a few headline topics that have alternately generated yays a...