Philip Wadler - Propositions as Types
This is rather enjoyable to watch.
I tend to assume that mature products eventually reach the point where they do not have basic vulnerabilities any more, but evidently that is not true. In this talk, Julien Vehent of Firefox talks about receiving bug bounty reports that include basic XSS attacks. He then reveals how Firefox is trying to address these with Test Driven Security, which sounds a bit like it was inspired by a less strict version of Test Driven Development and Behavior Driven Development. https://www.youtube.com/watch?v=e2axToBYD68
@mathfreedom I used to work on Debian systems with a policy to use unattended-upgrade. It's a piece of software that upgrades the system on a periodic basis. We were applying security patches immediately on testing environments and every week on production systems. We were under a regulation and had to apply security patches within 3 weeks and wouldn't have been able to review all of them within this time. So we did checks, yes, but no full code review.
NSA TAO Chief on Disrupting Nation State Hackers - https://www.youtube.com/watch?v=bDJb8WOJYdA
There is some advice in this talk that companies use systems that push automatic updates without interaction. I feel the need to point out that an automatic update could be malicious and that the NSA could demand that a company push such an update.
Given this, I would amend this talk to say that this advice mostly works if your company:
- Only uses products by US companies
- Is OK with the NSA having access to systems
Failure points in estimating the amount of time it will take to complete a task. https://www.usenix.org/conference/srecon18europe/presentation/pennarun
I'm starting over. I am switching away from Google, Apple, and Microsoft. I am slowly going to switch to free software. I have chosen Mastodon as the new social network I will use. #introductions