Philip Wadler - Propositions as Types
This is rather enjoyable to watch.
In my experience: once you teach a developer how to properly fix a security vulnerability that they created and then have them fix it themselves, they will never again make that same mistake.
I tend to assume that mature products eventually reach the point where they do not have basic vulnerabilities any more, but evidently that is not true. In this talk, Julien Vehent of Firefox talks about receiving bug bounty reports that include basic XSS attacks. He then reveals how Firefox is trying to address these with Test Driven Security, which sounds a bit like it was inspired by either a less strict version of Test Driven Development or Behavioral Driven Development https://www.youtube.com/watch?v=e2axToBYD68
@mathfreedom I used to work on Debian systems with a policy to use unattended-upgrade. It's a piece of software that upgrades the system on a periodic basis. We were applying security patches immediately on testing environments and every week on production systems. We were under a regulation and had to apply security patches within 3 weeks and wouldn't have been able to review all of them within that time. So we did checks, yes, but no full code review.
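Added example, not code from the post above: a small POSIX shell script that renders the apt configuration a setup like the one described would use, unattended-upgrades limited to the Debian security archive, checked daily on testing hosts and weekly on production hosts. The environment names, the helper function names and the overridable target root (so it can be exercised without root) are my own assumptions; the `APT::Periodic` and `Unattended-Upgrade::Origins-Pattern` options are the real ones read by apt and unattended-upgrades.

```shell
#!/bin/sh
# Added example (not from the original post). Writes the two apt config
# fragments unattended-upgrades reads. Assumes a Debian-style apt with the
# unattended-upgrades package installed; for real use run as root with no
# target root argument.

# write_unattended_config ENV [ROOT]
#   ENV  : "testing" (apply security patches daily) or "production" (weekly)
#   ROOT : optional directory prefix, used here so the files can be rendered
#          into a scratch directory instead of /etc (assumption for testing)
# Prints the chosen interval in days so callers can check it.
write_unattended_config() {
    env="$1"
    root="${2:-}"
    dir="$root/etc/apt/apt.conf.d"

    case "$env" in
        testing)    days=1 ;;   # security patches as soon as they appear
        production) days=7 ;;   # weekly, well inside a 3-week patching window
        *) echo "unknown environment: $env" >&2; return 1 ;;
    esac

    mkdir -p "$dir"

    # Cadence: refresh package lists daily, run unattended-upgrade every $days days.
    cat > "$dir/20auto-upgrades" <<EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "$days";
EOF

    # Scope: only the Debian security origin is applied automatically.
    # Point releases and other archive changes still wait for a human.
    # ${distro_codename} is expanded by unattended-upgrades itself, not the shell.
    cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Automatic-Reboot "false";
EOF

    echo "$days"
}

# upgrade_interval_days [ROOT]: read back the configured interval (digits only).
upgrade_interval_days() {
    grep 'APT::Periodic::Unattended-Upgrade' "${1:-}/etc/apt/apt.conf.d/20auto-upgrades" \
        | sed 's/[^0-9]//g'
}

# restricted_to_security [ROOT]: succeed only if the origin pattern names
# the security archive, i.e. the automatic path cannot pull ordinary updates.
restricted_to_security() {
    grep -q 'label=Debian-Security' "${1:-}/etc/apt/apt.conf.d/50unattended-upgrades"
}
```

After rendering the files on a real host, `unattended-upgrade --dry-run --debug` prints which packages the configured origins would pull in without installing anything, which is the "check" step worth keeping even when a full code review is out of reach.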
Free yourself of this illusion that your systems will ever be safe from a nation state attack by the country in which either yourself or your servers reside.
Would you notice if an update contained malicious code? I don't know any system administrators that take the time to review the code of open source updates they roll out. Everything runs on trust and that trust can be a weakness.
Of course, most companies I have worked with would never allow their servers to automatically update with no interaction due to the reliability concerns with doing so. The moment an automatic update took something down, the practice would go out the window for good.
NSA TAO Chief on Disrupting Nation State Hackers - https://www.youtube.com/watch?v=bDJb8WOJYdA
There is some advice in this talk that companies use systems that push automatic updates without interaction. I feel the need to point out that an automatic update could be malicious and that the NSA could demand that a company push such an update.
Given this, I would amend this talk to say that this advice mostly works if your company:
- Only uses products by US companies
- Is OK with the NSA having access to systems
Failure points in estimating the amount of time it will take to complete a task. https://www.usenix.org/conference/srecon18europe/presentation/pennarun
I'm starting over. I am switching away from Google, Apple, and Microsoft. I am slowly going to switch to free software. I have chosen Mastodon as the new social network I will use. #introductions
A Mastodon instance for info/cyber security-minded people.