Application Security Roundup - October and Nov
Interesting reads this month include signals from the administration, a history of appsec by one of the originals, and a longread from Apple about kernel memory design.

- U.S. Officials Say Tech Companies Must Build Secure Products (James Rundle, The Wall St Journal) National Cyber Director Chris Inglis implies that we'll see liability in the next National Cybersecurity Strategy, and Anne Neuberger says "tech providers must make fundamentally secure products, starting at the earliest design phases, at no extra cost to buyers." I expect to see a lot more in this area.
- A Personal History of the AppSec Industry (John Viega, Crash Override blog) John's been in appsec as long as I have, and his personal recollections are a fascinating view into how the industry has changed.
- Towards the next generation of XNU memory safety: kalloc_type (Apple Security Engineering) Exposes the design of Apple's new allocator, compares it with other choices. Part of how the industry has changed? Not only is Apple doing this work, they're sharing it.
- The Hybrid Approach to Threat Modeling (Chris Romeo, Kerr Secure) Interesting discussion of mandatory versus voluntary threat modeling.
- PyPI Feature Executes Code Automatically After Python Package Download (Ravie Lakshmanan, Hacker News). It's unexpected that fetching a package through a package manager unavoidably results in code execution. I might want to install code in order to inspect it for suitability, or for other reasons, without running it.
- Threat Modeling with EoP (on Miro) (Brett Crawley, Miroverse) What it says, and Brett guest blogged about it here.
- Threat Modeling Connect is a new community site, powered by Iriusrisk.
Also, I’m formalizing an informal approach I’ve had: I won't include anything behind a paywall in these roundups. I’ve lost track of the time I’ve wasted trying to get access to papers whose authors have chosen to lock them away. I have library access at the University of Washington, and despite that, I can’t figure out how to get access to IEEE, Elsevier, and others, and you know? I’m done working extra hard to get workable links. “The literature” is open access.
If you have something open access you'd like to nominate, send it along!