Lessons That The XZ Utils Backdoor Spells Out - Farshad Abasi - ASW #280 - podcast episode cover

Lessons That The XZ Utils Backdoor Spells Out - Farshad Abasi - ASW #280

Apr 09, 20241 hr
--:--
--:--
Download Metacast podcast app
Listen to this episode in Metacast mobile app
Don't just listen to podcasts. Learn from them with transcripts, summaries, and chapters for every episode. Skim, search, and bookmark insights. Learn more

Episode description

We look into the supply chain saga of the XZ Utils backdoor. It's a wild story of a carefully planned long con to add malicious code to a commonly used package that many SSH connections rely on. It hits themes from social engineering and abuse of trust to obscuring the changes and suppressing warnings. It also has a few lessons about software development, the social and economic dynamics of open source, and strategies for patching software.

It's an exciting topic partially because so much other appsec is boring. And that boring stuff is important to get right first. We also talk about what parts of this that orgs should be worried about and what types of threats they should be prioritizing instead.

Segment Resources:

OWASP leaks resumes, defining different types of prompt injection, a secure design example in device-bound sessions, turning an ASVS requirement into practice, Ivanti has its 2000s-era Microsoft moment, HTTP/2 CONTINUATION flood, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-280

For the best experience, listen in Metacast app for iOS or Android
Open in Metacast
Lessons That The XZ Utils Backdoor Spells Out - Farshad Abasi - ASW #280 | Application Security Weekly (Audio) podcast - Listen or read transcript on Metacast