Show Notes
SpecterOps and Tim Tomes are giving training at WorkshopCon [ Ссылка ]
Rob Cheyne Source Boston - [ Ссылка ]
Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.
[ Ссылка ]
“is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. “
ASVS team:
Daniel Cuthbert @dcuthbert Andrew van der Stock Jim Manico @manicode Mark Burnett Josh C Grossman
[ Ссылка ]
[ Ссылка ]
Don’t post these links in show notes
ASVS list (google sheet): [ Ссылка ]
ASVS PDF: [ Ссылка ]
[ Ссылка ] - old version
[ Ссылка ] - Older BrakeSec Episode
ASVS Page 14 - “If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture.”
What are the biggest differences between V3 and V4?
Why was a change needed?
[ Ссылка ] - famous XKCD password comic
David Cybuck: Appendix C: IoT
Why was this added?
These controls are in addition to all the other ASVS controls?
How do they see section 1 architecture and section 14, configuration --- in the context of rapid deployment, infrastructure as code, containerization.
You added IoT, but not ICS or SCADA?
[ Ссылка ]
BrakeSec IoT Top 10 discussion:
[ Ссылка ]
[ Ссылка ]
Seems incomplete… (Section 1.13 “API”)
Will this be added later?
What is needed to fill that in? (manpower, SME’s, etc?)
3 levels of protection… why have levels at all?
Why shouldn’t everyone be at Level 3?
I just don’t like the term ‘bare minimum’ (level 1)--brbr
Threat modeling blog (leviathan): [ Ссылка ]
Adam Shostack ThreatModeling Book: [ Ссылка ]
[ Ссылка ]
[ Ссылка ]
Cost to get to L2? L3?
[ Ссылка ] secure coding education
[ Ссылка ]
Check out our Store on Teepub! [ Ссылка ]
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#Brakesec Store!:[ Ссылка ]
#Spotify: [ Ссылка ]
#RSS: [ Ссылка ]
#Youtube Channel: [ Ссылка ]
#iTunes Store Link: [ Ссылка ]
#Google Play Store: [ Ссылка ]
Our main site: [ Ссылка ]
#iHeartRadio App: [ Ссылка ]
#SoundCloud: [ Ссылка ]
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: [ Ссылка ] OR our #Patreon
[ Ссылка ]
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : [ Ссылка ]
#Stitcher Network: [ Ссылка ]
#TuneIn Radio App: [ Ссылка ]
![Английские межзубные звуки: [θ] & [ð]](https://s2.save4k.su/pic/2ws4gtgecG4/mqdefault.jpg)
