Shostack + Friends Blog


Application Security Roundup - July

Interesting appsec posts: machine learning, performance, and C4 A set of puzzle pieces

The most interesting #appsec articles I read this month included a deep dive into attacks on machine learning, Spotify's post aboutthe C4 model, and a rant that's nominally about performance, but applies equally to security.

  • Practical Attacks on Machine Learning Systems (Chris Anley, NCC) A 40 page review, including a new taxonomy, how traditional attacks impact ML systems and a set of categorized references.
  • Software Visualization — Challenge, Accepted (Renato Kalman and Johan Wallin) Spotify discusses how they've adapted and extended the C4 model to help them understand and track their system architecture. I've been aware of C4 for a while, and most of the discussion I see is "this looks interesting," not "we adopted this."
  • A Few Good Performance Men (Rico Mariani) Nominally about performance, but in truth — you can't handle the truth! — it's also about security.