Application and AI roundup - September
September was a big month in appsec for both memory safety and policy, with a lot of sharp-elbowed takes on C, and a lot of important developments in policy, including medical devices and open source.
C and Memory Safety
- A tale of C/C++ development in three parts. Dana Jansens writes about adding a markdown parser to a program. Their blog is titled “An Update on Writing Memory Safety Bugs,” which is either amusing or frustrating.
- C and C++ Prioritize Performance over Correctness, by Russ Cox.
- Getting started with the Zig programming language, by Shalitha Suranga. I’ve been hearing about Zig a bunch lately. One of the interesting things is Zig’s focus on doing everything it can at compile-time, which means that everything in memory at runtime is tainted. This article doesn’t cover that, which is reasonable for a getting started, but I wanted to mention it.
- Summary: MTE As Implemented from Google Project Zero. I believe MTE is the production name for the CHERI project. The aspects of it not addressing speculative execution are interesting regardless.
- Safety and Security: the future of C and C++ (rough version) by Robert Seacord, a leader in C standards (and the security of C programming).
AI
There's a short article, Software Must Be Secure by Design, and Artificial Intelligence Is No Exception, by Christine Lai and Jonathan Spring at CISA. I like their diagrams, and this will probably influence policy going forward.
Policy
- The FDA has released their new final guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. This formally replaces guidance that’s nearly 9 years old. My comments are here, and since I wrote that, an excellent interview with Jessica Wilkerson of FDA appeared on GovInfoSecurity. [Update: The FDA has announced a webinar on the Final Guidance.]
- CISA has released their open source strategy. It opens with the importance of partnering with the community.
- The Office of the National Cyber Director is seeking comments on Open-Source Software Security: Areas of Long-Term Focus and Prioritization by October 9.
- The city of Seattle is suing Hyundai and Kia for not installing certain anti-theft technology which is standard across other car makers. (Story at Vice, complaint.) The core legal theory is “Car thefts are expensive and dangerous; Measures to Prevent Vehicle Theft Have Existed for Over a Century; Adoption of Modern Engine Immobilizers is widespread; Defendants’ Deviation from the Industry Standard.” (Pulling from the table of contents of the complaint.) While I’m not a lawyer, it seems to me that this theory could apply to many things we do in the software world.
Threat Modeling
- Excalidraw is a new, simple, free drawing tool that produces sketch-like drawings. The default shapes don’t include a drum; I added the “IT Icons” set to get that.
- Seats remain available for my Threat Modeling Intensive at OWASP Global AppSec DC, Nov 1-2. (In person only.)
Image by Midjourney: a set of star wars critters being rounded up by a bot. Updated to add FDA webinar.