Exploring Common Weakness Enumeration (CWE) and Software Vulnerabilities

In this episode Joe introduces us to more security items you should be aware of in the world of CWE’s, Michael bends to the will of Joe and Allen in his favorite portion of the show, and Allen pontificates on the time spent setting up IDE’s and environments.

Reviews – Thank You!

• iTunes: Vlad Bezden, Mom in VA, Make1977
• Spotify: chutney3000, Xuraith

Upcoming Events

• Atlanta Dev Con
  September 7th, 2024
  https://www.atldevcon.com/

Topics

Open Telemetry

• The backend matters
  https://opentelemetry.io/ecosystem/integrations/
  • Some backends are more fully featured than others
    • Splunk Trace Analyzer
      https://docs.splunk.com/observability/en/apm/apm-spans-traces/trace-analyzer.html
    • Google Trace Explorer
      https://cloud.google.com/trace/docs/finding-traces
    • Azure OTel Guide
      https://learn.microsoft.com/en-us/azure/azure-monitor/app/opentelemetry-enable?tabs=aspnetcore
    • AWS OTel Information
      https://aws.amazon.com/otel/
• The processor can decouple you
  https://opentelemetry.io/docs/collector/configuration/#processors

CNCF – Cloud Native Computing Foundation

• If you’re working in a cloud environment, you should know the projects here
  https://www.cncf.io/projects/
• Super cool visualization tool for the projects
  https://landscape.cncf.io/

Llama 3 – the next version of Meta’s AI engine

• “Now available with both 8B and 70B pretrained and instruction-tuned versions to support a wide range of applications”
  https://llama.meta.com/llama3/

Environmental concerns over the processing required for AI

• Power requirements for processing some of the LLM’s
  https://www.nnlabs.org/power-requirements-of-large-language-models/
• The Microsoft underwater datacenter
  https://news.microsoft.com/source/features/sustainability/project-natick-underwater-datacenter/

Setting up IDE’s and environments

• IDE vs old school debugging
• Setup can require a significant amount of time
  • Is it worth it?
  • What if you’re just working on a bug?

Security Resources

• What’s the difference between CWE and OWASP?
• CWE (Common Weakness Enumeration) is a community-developed list of common software and hardware weaknesses.
  • It’s similar to OWASP, but older (1999 vs 2001) and more general – including non web apps and (more recently) hardware
• The infamous “NVD” database links CVE (Common Vulnerabilities and Exposures) to CWE
  https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  https://cwe.mitre.org/top25/archive/2023/2023_trends.html

Tips

Pre-warning – probably wouldn’t recommend installing this!

Saw a cool Windows utility called “Windrecorder” that records video and text from your desktop, and lets you rewind and search.

• Uses ffmpeg to record screen into small 15-minute fragment files
• Search(by window titles, text keywords, or descriptions of images)
• Everything happens should only on your computer
• Cons: No instant rewind (have to be out of the window), Storage is unencrypted, Not much LLM / ML fancy stuff…and security
  https://tonoko.notion.site/I-made-an-open-source-app-to-rewind-search-everything-happened-on-your-screen-on-Windows-184d1a9d5edb494dba0c2f46d311ec5c
  https://github.com/yuka-friends/Windrecorder

MacOS’s Spotlight is more powerful than you maybe knew
https://www.intego.com/mac-security-blog/spotlight-secrets-15-ways-to-use-spotlight-on-your-mac/ 
https://beebom.com/spotlight-tips-tricks/

If you’re grep command isn’t working like you thought it should, you might be a victim of content getting kicked out of the buffer
grep --line-buffered

iOS – get text from images
https://support.apple.com/guide/iphone/use-live-text-iphcf0b71b0e/ios