Appsec Roundup - Dec 2024
A virtual feast of appsec!
Secure by Design and threat modeling
- The secure by design coalition, this time with the Australians in the lead, released Choosing secure and verifiable technologies; it includes the procuring organization getting access to threat models, which is a tremendously important step. (See also Flaunt your Threat Models! by Loren Kohnfelder, which I mentioned last month.)
Appsec
- The C/C++ Renaissance: New Solutions for Memory Safety Without Starting Over, by Jacob Barkai, is what it says in the title.
- The International Obfuscated C Code Contest announced their return.
AI
Not appsec specific, but apparently OpenAI's Latest AI Can Cost More Than $1,000 Per Query, and Microsoft is bundling AI and price increases in Office; neither is a good sign for the business value from these tools.
Books
- Human Centered Security, by Heidi Trost.
- Medical Device Cybersecurity for Engineers and Manufacturers, Second Edition, by Axel Wirth, Christopher Gates, and Jason Smith. (They kindly sent me a copy.)
- Cybersecurity in Context: Technology, Policy, and Law, by Chris Jay Hoofnagle and Golden G. Richard III. (They also sent a copy.)
Shostack + Associates updates
Lots happened this month including many customer deliveries (including an interesting new mini course beta, I’m looking forward to the debrief on that), one accepted paper, and some really exciting progress “sharpening the saw” where we’re automating more of our course setup to make it more reliable and faster.
Image by Midjourney: “a photograph of a robot, sitting in a library, working on a jigsaw puzzle”