We’ll get started at 18:05

Week09

COMP6443 H18A

My Experience

How’d you find the course

  • What’d you like
  • What’d you dislike
  • What can be improved

https://myexperience.unsw.edu.au

DevSecOps


Waterfall 🌊 vs agile 🏃

  • Systematic/design vulnerabilities are much harder to solve than simple coding/logic errors.

  • This is exacerbated in the waterfall approach, as you don’t really go back to the design phase.


Waterfall 🌊

  • exponentially more $$$ to fix bugs later into SDLC
  • we want to shift security left <<<


💻 vms vs containers 🐳

CVEs

Common Vulnerabilities and Exposures

It’s really important that the security community works together

where to find them

Application Security Testing

SAST vs DAST tools

  • SAST: full access to the source code (white box)
  • DAST: only the running application, no source (black box)
  • IAST: runtime-specific, it observes the application while it runs (e.g. only during specific test runs)

I accidentally pushed some secrets here

can you find them?

old commits

wayback machine

github events (commit is here)

who’d be dumb enough to…

me lol (it’s not a pub-key…)

top 10 images taken moments before disaster

maybe check your old projects to see if you’ve made similar dumb mistakes?

What makes a good app

The fundamentals

  • Availability 💰
  • Reliability 💰
  • Scalability 💰
  • Security 🙈 🙉 🙊

At a high level


not doing this

Supply chain attacks

dependency stuff

Trusting code we didn’t write ourselves

  • npm
  • pip/pypi
  • pacman/aur
  • cargo

Vulnerabilities

Malicious developers

Dependency confusion

  • npm install xyz
  • how does npm resolve xyz?
  • a public and a private version of xyz both exist
  • the one with the higher version number wins
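
Added example (not from the lecture slides): a small Python model of the "highest version wins" resolution above, the scoped lookup that avoids it, and a check over a constructed package-lock.json that flags internal names resolved from the wrong registry. The registry URLs, package names and versions are made up for the example.

```python
"""Model of 'highest version wins' across registries, a scoped resolver
that ignores public copies of internal names, and a lockfile audit.
All registries, package names and versions here are constructed."""
import json

PRIVATE_REGISTRY = "https://npm.internal.example/"  # assumed internal registry
PUBLIC_REGISTRY = "https://registry.npmjs.org/"

# Constructed registry contents: 'xyz' is an internal package at 1.4.0, and a
# copy of the same name exists publicly with a much higher version number.
REGISTRIES = {
    PRIVATE_REGISTRY: {"xyz": ["1.3.0", "1.4.0"]},
    PUBLIC_REGISTRY: {"xyz": ["99.0.0"], "left-pad": ["1.3.0"]},
}

def vtuple(v):
    """Turn '1.4.0' into (1, 4, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def naive_resolve(name, registries):
    """Client that merges every registry it knows and takes the highest
    version: this is the behaviour dependency confusion relies on."""
    best = None
    for url, pkgs in registries.items():
        for v in pkgs.get(name, []):
            if best is None or vtuple(v) > vtuple(best[0]):
                best = (v, url)
    return best

def scoped_resolve(name, registries, private_names):
    """Hardened client: names declared internal are only looked up in the
    private registry, whatever a public registry offers under that name."""
    url = PRIVATE_REGISTRY if name in private_names else PUBLIC_REGISTRY
    versions = registries[url].get(name, [])
    return (max(versions, key=vtuple), url) if versions else None

def audit_lockfile(lock_json, private_names):
    """Flag entries for internal names whose 'resolved' URL is not the
    private registry (package-lock v2/v3 'packages' layout)."""
    lock = json.loads(lock_json)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        if name in private_names and not resolved.startswith(PRIVATE_REGISTRY):
            findings.append((name, meta.get("version"), resolved))
    return findings

# Constructed lockfile in which the internal package was resolved publicly.
LOCK = json.dumps({"packages": {
    "node_modules/xyz": {"version": "99.0.0", "resolved": PUBLIC_REGISTRY + "xyz/-/xyz-99.0.0.tgz"},
    "node_modules/left-pad": {"version": "1.3.0", "resolved": PUBLIC_REGISTRY + "left-pad/-/left-pad-1.3.0.tgz"},
}})

if __name__ == "__main__":
    print(naive_resolve("xyz", REGISTRIES))            # ('99.0.0', public registry)
    print(scoped_resolve("xyz", REGISTRIES, {"xyz"}))  # ('1.4.0', private registry)
    print(audit_lockfile(LOCK, {"xyz"}))
```

Running the lockfile check in CI against the list of internal package names catches the mis-resolution before the install is trusted.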


Typosquatting

  • pip install falsk
  • a package named falsk (a typo of flask) already exists on PyPI


Vulnerability in the package manager

I don’t have an example 🤷

what makes a secure web app

technology

  • NGINX, Let's Encrypt (TLS), Docker
  • don't trust user input, or anybody else (zero-trust)
  • good access control

Challenges/Walkthrough