Episodes
“SBOM” should not exist! Long live the SBOM. This article by Steve Springett, who is at the center of the software bill of materials universe, explains what an SBOM is and why they should exist.
In defense of simple architectures. As security professionals, we love simple because complex is hard to secure. This article is about a 1.7 billion dollar company that runs its web app as a Python monolith on top of Postgres, and how this simplified architecture runs a successful application. Alex...
Published 06/23/22
3 Cultural Obstacles to Successful DevSecOps Implementation. When our goal is to change security culture, we must consider how to influence our developers while still caring for their needs. This article shares helpful insight into implementing successful security culture change within an organization.
Brenna Leath -- Product Security Leads: A different way of approaching Security Champions. Brenna Leath, head of product security at SAS, visited the Application Security Podcast to share her...
Published 06/09/22
1. An Analysis of Open-source Automated Threat Modeling Tools and Their Extensibility from Security into Privacy - https://www.usenix.org/publications/l... We conducted our review of threat modeling tools in three main phases: Tool Discovery, Evaluation Criteria Selection, and Application of Evaluation Criteria.
2. In-depth research and trends analyzed from 50+ different concepts as code - https://www.jedi.be/blog/2022/02/23/t...
• DevSecOps as code explosion
• Data as code
• Capturing...
Published 05/26/22
1. Is it safe to use SECRETS_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED? - https://datasociety.net/wp-content/up... This first story is a React development issue. A developer was asking if a specific property was safe to use. This shows the importance of naming in understanding the security risks when using specific properties.
2. Adam Shostack -- Fast, cheap, and good threat models - https://www.securityjourney.com/podca... Adam is very well known in the world of threat modeling as a...
Published 05/12/22
Bounty Everything. This ebook has in-depth explanations of how bug bounties work, how the economy works within the bug bounty, and how the researchers are paid and treated.
Understanding Website SQL Injections. A high-level deep dive into SQL injection, so even those who have no understanding of what an injection attack is can learn how they work.
Mazin Ahmed -- Terraform Security. Terraform is all the rage in the infrastructure-as-code world. Mazin walks through all the things you need to...
Published 04/28/22
5% of 666 Python repos had comma typos (including Tensorflow, PyTorch, Sentry, and V8). Out of a group of GitHub repositories that had been checked, 5% had a comma problem: either too few or too many commas somewhere in the library.
Advanced SQL Injection Cheatsheet. This repository contains an advanced methodology for all types of SQL injection: MySQL, PostgreSQL, Oracle, and MSSQL.
10 Threats ebook. Read about the eBook on the 10 Greatest Threats to Your Application’s Security, 2021 version....
Published 04/12/22
1. Fuzzing for XSS via nested parsers condition - https://swarm.ptsecurity.com/fuzzing-... In this article, web application security researcher Igor Sak-Sakovskiy reveals a novel technique for finding sanitization issues that could lead to XSS attacks.
2. Anti-Patterns in Cybersecurity Management - https://systemweakness.com/anti-patte... In this article, the author walks through the most memorable anti-patterns he's seen recurring in cybersecurity management.
3. OWASP Top 10 Peer...
Published 04/05/22
ZAPping the OWASP Top 10. This document gives an overview of the automation and manual components provided by OWASP Zed Attack Proxy (ZAP) that are recommended for testing each of the OWASP Top Ten Project 2021 risks.
AWS Is the Internet's Biggest Single Point of Failure. In December, several services on the internet ground to a halt because of an outage at some Amazon Web Services cloud servers. The outage affected Netflix, Disney Plus, PUBG, League of Legends, Ring security cameras, as...
Published 03/17/22
Exploring Container Security: A Storage Vulnerability Deep Dive - https://security.googleblog.com/2021/... Recently, the GKE Security team discovered a high-severity vulnerability that allowed workloads to access parts of the host file system outside the boundaries of the mounted volume. Remember, vulnerabilities can exist deep within the internals of Kubernetes.
Really Stupid “Smart Contract” Bug Let Hackers Steal $31 Million In Digital Coin -...
Published 03/02/22
How to Learn Stuff Quickly: https://www.joshwcomeau.com/blog/how-... Learning how to learn is a crucial skill for the security professional and developer.
Never Update Anything: https://blog.kronis.dev/articles/neve... "In my eyes, it could be pretty nice to have a framework version that's supported for 10-20 years and is so stable that it can be used with little to no changes for the entire expected lifetime of a system."
Bridges fall down due to insecure design - make sure your web...
Published 02/17/22
Protect your open source project from supply chain attacks - https://opensource.googleblog.com/2021/10/protect-your-open-source-project-from-supply-chain-attacks.html?m=1 This blog post walks through the quiz questions, answers, and options for prevention, and can serve as a beginner's guide for anyone who wants to protect their open source project from supply chain attacks.
Trojan Source Attacks - https://trojansource.codes/ Some vulnerabilities are invisible - rather than inserting...
Published 01/27/22
GitLab analysis of OWASP Top 10 changes from 2004 to 2021 - https://public.flourish.studio/visual... A visualization of how the OWASP Top Ten has changed over the years.
To Learn a New Language, Read Its Standard Library - http://patshaughnessy.net/2021/10/23/... The best way to learn a new programming language, just like a human language, is from example. To learn how to write code, you first need to read someone else's code.
Making sense of OWASP A08:2021 - Software & Data Integrity...
Published 12/17/21
Minimum Viable Secure Product. Minimum Viable Secure Product is a minimalistic security checklist for B2B software and business process outsourcing suppliers.
How to Secure a Python Web App Using Bandit. Bandit is a tool developed to locate and correct security problems in Python code. To do that, Bandit analyzes every file, builds an AST from it, and runs the suitable plugins against the AST nodes. Once Bandit has finished scanning all of the files, it generates a report.
Explain Sigstore to me...
Published 12/02/21
Commjoen/WrongSecrets - https://github.com/commjoen/wrongsecrets Improper secret storage is a common technology problem. Use this tool to expose your developers to how to do it wrong, so they can learn how to do it right.
List of IT Assets an Attacker is Most Likely to Extort - https://www.helpnetsecurity.com/2021/10/13/it-assets-target/ Attackers love IT assets; here are the top things they are targeting and exploiting.
OWASP Top 10 2021: 7 action items for app sec teams...
Published 11/17/21
How Yahoo Built a Culture of Cybersecurity - https://hbr.org/2021/09/how-yahoo-built-a-culture-of-cybersecurity
Commentary: Security culture continues to grow as a non-negotiable piece of a security strategy.
minimaxir/big-list-of-naughty-strings – https://github.com/minimaxir/big-list-of-naughty-strings
Commentary: Safe-list input validation is always our go-to, but the big list of naughty strings is a nice input for testing!
Have Trusted Types API built directly into the jQuery Core Files ·...
Published 10/21/21
1. NIST Brings Threat Modeling into the Spotlight. If you haven't heard about the NIST Executive Order about software security and supply chain, you've been living under a rock. Adam gives us the threat modeling perspective on the EO.
2. How to ensure the highest quality of Software code. Security or development, we all want the highest quality of software code. Explore linting, unit testing, SAST, and continuous monitoring of software.
3. A cloud company asked security researchers to look...
Published 10/07/21
1. Application security tools ineffective against new and growing threats. Outdated offerings, false positives, and ineffective blocking are among the main causes driving this global concern.
2. HTTP/2: The Sequel is Always Worse. Attackers are learning HTTP/2; developers and defenders must learn it as well.
3. AppSec Village Live Stream of DEF CON 29. Check out AppSec Village; it is the perfect place to connect with those with related interests.
4. Mark Loveless -- Threat modeling in a...
Published 09/02/21
1. Empty npm package '-' has over 700,000 downloads — here's why. There have been 720,000 downloads since its publication on the npm registry in early 2020.
2. Privacy – more than the icing on the cake. Questions to consider: What are we working on? What can go wrong? And more. Give this a read to gain more context.
3. Jeroen Willemsen -- Security automation with CI/CD. Jeroen joins us to unpack security automation in a DevOps world.
4. Why cybersecurity pros need to learn how to code. Learn...
Published 08/26/21
1. 16 of 30 Google results contain SQL injection vulnerabilities. On the dreadful quality of most of Google's search results: several of these results were, simply put, SEO-optimized baloney.
2. A case against security nihilism. Skepticism that we can guard against the NSO Group's Pegasus spyware, or similar products.
3. Why the password isn't dead quite yet. It will take time and more experimentation to create a passwordless ecosystem that can replace all the functionality of passwords,...
Published 08/19/21
1. Jeevan Singh -- Threat modeling based in democracy. Jeevan joins us to speak about self-serve threat modeling at Segment, or threat modeling based in democracy.
2. joswha/Secure-Coding-Handbook. Client side, server side, auxiliary.
3. Security headers quick reference. Security headers recommended for all websites, websites that handle sensitive user data, and websites with advanced capabilities.
4. Cyber insurance isn't helping with cybersecurity, and it might be making the ransomware...
Published 08/12/21
1. How we're creating a threat model framework that works for GitLab. While our Security team owns the framework, we don't "run" it. It is run by the people who are running the project.
2. Deciduous: A Security Decision Tree Generator. Security decision trees are a powerful tool to inform saner security prioritization when designing, building, and operating software systems.
3. npm audit: Broken by Design. I see the point, but I also disagree – SCA and finding/mitigating supply chain issues...
Published 08/05/21
1. Groundhog day: NPM package caught stealing browser passwords. The author intended to trick the targets into executing the malicious package. In cases of malware placed in package repositories, attackers usually rely on typosquatting.
2. TypeScript Doesn't Suck; You Just Don't Care About Security. Security wins against the eleven popular reasons developers disapprove of TypeScript.
3. Recommended Minimum Standard for Vendor or Developer Verification of Code. Threat modeling, automated...
Published 07/29/21
1. Sonatype Catches New PyPI Cryptomining Malware. Malicious packages continue to infect our public package repositories; all developers must understand these threats!
2. (Technical) Infosec Core Competencies. While these core competencies stray slightly to the red team / pen test side, this is a solid list of what folks need to know as they grow.
3. SSRF Cheat Sheet & Bypass Techniques. SSRF vulns are growing; application security people must understand SSRF and know how to properly...
Published 07/22/21
1. Cybereason: 80% of orgs that paid the ransom were hit again. Prevention of ransomware is a human and technology solution.
2. Introducing SLSA, an End-to-End Framework for Supply Chain Integrity. Learn from Google’s eight years of protecting their supply chain.
3. Peloton Bike+ vulnerability allowed complete takeover of devices. Secure your fitness equipment – it seems strange that we have to say that, but hey, it is 2021.
4. Irish police to be given powers over passwords. Privacy...
Published 07/15/21