Security Friendliness Engineering
The Shellsharks Podcast - A podcast by Shellsharks

Join myself (@shellsharks) and Scott Contini (from https://littlemaninmyhead.wordpress.com) as we discuss cryptography, AppSec, Log4J and more!

Show Notes

Main Show
- Little Man In My Head: https://littlemaninmyhead.wordpress.com
- Java Cryptography Architecture (JCA) Reference Guide: https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html
- NaCl: Networking and Cryptography library: https://nacl.cr.yp.to
- Don’t Roll Your Own Crypto: https://www.vice.com/en/article/wnx8nq/why-you-dont-roll-your-own-crypto
- Sony Playstation Hardcoded Key: https://www.engadget.com/2010-12-29-hackers-obtain-ps3-private-cryptography-key-due-to-epic-programm.html
- Cryptology vs Cryptography vs Cryptanalysis: https://militaryembedded.com/comms/encryption/cryptology-cryptography-and-cryptanalysis
- Deprecating MD5: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf
- Ron Rivest: https://people.csail.mit.edu/rivest/
- Quantum Cryptography: https://csrc.nist.gov/projects/post-quantum-cryptography
- AppSec Australia: https://www.meetup.com/en-AU/appsec-australia/
- Grover’s Algorithm: https://en.wikipedia.org/wiki/Grover%27s_algorithm
- Internet Communications - TLS: https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
- DevSecOps: Just one definition: https://www.devsecops.org
- OWASP: https://owasp.org
- CAPTCHA: https://support.google.com/a/answer/1217728?hl=en
- reCAPTCHA: https://www.google.com/recaptcha/about/
- Analyzing the OWASP Top 10: https://shellsharks.podbean.com/e/analyzing-the-owasp-top-10-2021/
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- OWASP ASVS: https://owasp.org/www-project-application-security-verification-standard/
- SAST: https://www.synopsys.com/glossary/what-is-sast.html
- Microservices: https://microservices.io
- DAST: https://www.whitesourcesoftware.com/resources/blog/dast-dynamic-application-security-testing/
- OWASP Zap: https://owasp.org/www-project-zap/
- SCA: https://www.synopsys.com/glossary/what-is-software-composition-analysis.html
- Inception: https://www.imdb.com/title/tt1375666/
- Checkmarx Codebashing: https://checkmarx.com/product/codebashing-secure-code-training/
- Security Champions: https://www.synopsys.com/blogs/software-security/security-champions-program-appsec-culture/
- NIST SP 800-63B, Digital Identity Guidelines: https://pages.nist.gov/800-63-3/sp800-63b.html
- TruffleHog: https://trufflesecurity.com/trufflehog
- Log4Shell: https://log4shell.com/
- CISA on Log4J Issue: https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability
- Heartbleed: https://heartbleed.com
- Shellshock: https://nvd.nist.gov/vuln/detail/CVE-2014-6271
- The Morris Worm: https://www.fbi.gov/news/stories/morris-worm-30-years-since-first-major-attack-on-internet-110218
- ETERNALBLUE: https://nvd.nist.gov/vuln/detail/CVE-2017-0143
- WANNACRY: https://www.cisa.gov/uscert/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_WannaCry_Ransomware_S508C.pdf
- Mandiant’s Report on Solarwinds Incident: https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
- BurpSuite: https://portswigger.net/burp

Postshow
- Domain Squatting: https://www.godaddy.com/garage/what-is-domain-squatting-and-what-can-you-do-about-it/