Appsec Roundup - Feb 2025

New releases from DEF CON, the UK’s NCSC, some entertaining AI news, and more!

DEF CON, the Harris School of Public Policy (and yours truly) released The DEF CON 32 Hackers Almanack, reviewing some of the key policy lessons from DEF Con 32 talks and villages.

The UK’s NCSC has a new whitepaper, Eradicating trivial vulnerabilities, at scale. It sets forth a way of assessing if a vulnerability is “unforgiveable:” it’s fully documented, cheap to implement, and there aren’t many prerequisites. And it’s in the appsec section this month because they’re releasing a technical paper. But the blog post clearly says “It will begin as voluntary code, but further policy interventions to support its uptake and impact are currently being explored,” and so I expect it’ll be in the regulation section soon.
It Is Time to Standardize Principles and Practices for Software Memory Safety is the Inside Risks column version of a longer tech report of the same name.

Defining LLM Red Teaming by Leon Derczynski, Rich Harang and Sadaf Khan is an Nvidia blog post. It builds on Summon a demon and bind it: A grounded theory of LLM red teaming by Nanna Inie, Jonathan Stray, and Leon Derczynski.
1,156 Questions Censored by DeepSeek is a blog by PromptFoo that explores what topics the Deepseek “safety” and “alignment” teams worked on. This is important — not to point fingers at China — but to put a mirror in front of AI boosters. Those terms are frequently used if they’re simple and obvious. But the question of what’s “safe” is a cultural one, and the passive voice of “alignment” literally begs the question of “aligned with what?” It’s almost like they’re trying to make a case for mandating that STEM majors take humanities courses.

Ron Ross is retiring. Ron has served as the primary force behind the NIST-800 series for a long time. His contributions were huge (it’s tempting to say ‘literally voluminous’) and he will be missed. I wish him all the best in his next adventures.
The MAGA Case for Software Liability, by Jim Dempsey.

Adam will be running a game session for the Threat Modeling Hackathon (March 19, distributed).
Adam will be keynoting BSides Seattle (April 18/19, Seattle)
Adam and Erik will be training at OWASP Global Appsec Barcelona (May 27-28)

Image by Midjourney: “a photograph of a robot, sitting in a library, working on a jigsaw puzzle”

Originally published by Adam on 03 Mar 2025
Categories: application security software engineering security