Writings about software: development and security| beny23.github.io
Writings about software: development and security| beny23.github.io
When I stumbled across a post that an encryption library offers a potential backdoor to SSH connectivity on Good Friday, my first thought was: why is it always on a Friday that these things drop? And then my second one: oh bugger, here goes my weekend. Now, I won’t go into the technical details, there are many, many, many, many better resources out there, but I can’t help thinking that this would/should force the software industry to think.| beny23.github.io
I describe myself as an Agile Fundamentalist because I really like the ideas of the Agile manifesto, and I also confidently state that I am an AppSec snooper, because in my day job I tend to look at other people’s code, logs and systems and break them. I happen to think that agile and application security go together rather well! I had two different Slack conversations recently. One was on the UK cross-governmental #security Slack channel and the other one was on the Equal Experts #securit-...| beny23.github.io
After BSides Lancs and Leeds, Newcastle was my third BSides, both of the year and ever. I got up early in the morning for a road trip from Preston to Newcastle, and setting off at 5:30 on Saturday turned out to be atmospheric and straightforward. So I was a bit early and got a glimpse of the chaos that is putting together a BSides. Later I found out that BSides Newcastle was traditionally more chaotic than some of the other BSides.| beny23.github.io
I was really positively and pleasantly surprised when I found out what HMRC Digital’s mission statement was. Normally, I am not a fan of mission statements. They usually read like this: Our mission is focused on six core aspirations the company continually strives to achieve… Or some such drivel. Verbal gymnastics to make a company sound like everything to everyone - without being offensive to anyone - which then gets used to “align” people on mandated fun days.| beny23.github.io
The question of automatic dependency updates came up in our Slack channel the other day. There was a lot of nodding on how it is a good thing. Tools like Dependabot and Renovate were mentioned. Yet I was a dissenting voice. Why? The case for automatic dependency updates is simple and seductive: A bot would automatically scan your dependencies in your source code and create pull requests to update your libraries to the latest versions, sometimes even automatically merging it in.| beny23.github.io
Let me tell you a story about Application Security (AppSec). It contains heroes and villains, and I’m not necessarily thinking about the defenders and attackers here. It contains lots of interesting technology that is often overemphasised. We’ve got whole industries that work on letting us know how scary it is out there, vulnerabilities that are marketed like rock stars and terminology that makes you quiver in your boots: who would want to fall victim to an Advanced Persistent Threat (APT)?| beny23.github.io
There’s a metaphor about the fight between attackers and defenders in the Denial of Service cybersecurity game. It’s an “arms race” between ever bigger attacks throwing huge amounts of traffic at ever more sophisticated defenses (e.g. AWS shield). Incidentally, I’ve just demonstrated an easy mistake: I’m not describing a Denial of Service (DoS) attack, it’s a Distributed Denial of Service (DDoS) attack. The aim is to overwhelm the infrastructure, either the networking infrastruc...| beny23.github.io