Philip Wadler - Propositions as Types
https://vimeo.com/157434965
Philip Wadler - Propositions as Types (Lambda Days 2016)
I am failing at quitting Google mostly because everything interesting seems to be on YouTube.
This is rather enjoyable to watch.
https://www.youtube.com/watch?v=ahXIMUkSXX0
Doodling in Math: Spirals, Fibonacci, and Being a Plant [1 of 3]

Why do sunflowers use the Golden Ratio to define their seed arrangement? Good explanation:

https://youtu.be/sj8Sg8qnjOg

#math #mathematics @science #STEM

The Golden Ratio (why it is so irrational) - Numberphile
My life would be a lot easier if I was less paranoid. I suffer from a great deal of anxiety.
In my experience: once you teach a developer how to properly fix a security vulnerability that they created and then have them fix it themselves, they will never again make that same mistake.
I tend to assume that mature products eventually reach the point where they do not have basic vulnerabilities any more, but evidently that is not true. In this talk, Julien Vehent of Firefox talks about receiving bug bounty reports that include basic XSS attacks. He then reveals how Firefox is trying to address these with Test Driven Security, which sounds a bit like it was inspired by either a less strict version of Test Driven Development & Behavioral Driven Development. https://www.youtube.com/watch?v=e2axToBYD68
USENIX Enigma 2017 — Test Driven Security in Continuous Integration
@mathfreedom I used to work on Debian systems with a policy to use unattended-upgrade. It's a piece of software that upgrades the system on a periodic basis. We were applying security patches immediately on testing environments and every week on production systems. We were under a regulation and had to apply security patches in 3 weeks and wouldn't have been able to review all of them within this time. So we did checks, yes, but no full code review.
Free yourself of this illusion that your systems will ever be safe from a nation state attack by the country in which either yourself or your servers reside.
Would you notice if an update contained malicious code? I don't know any system administrators that take the time to review the code of open source updates they roll out. Everything runs on trust and that trust can be a weakness.