

Discussing Useful Security Requirements with Developers - Ixchel Ruiz - ASW #313
Jan 14, 2025
In this engaging discussion, Ixchel Ruiz, a seasoned software developer since 2000, delves into the myth that developers disregard security. She highlights how clear communication of security requirements is essential for code quality. Ixchel emphasizes the need to embed security from the ground up in the development lifecycle and explores innovative strategies like project quarantine for PyPI to combat malware. Additionally, she sheds light on the transition of FishShell to Rust, revealing how these shifts can bolster security awareness in software development.
AI Snips
Specific Security Requirements
- Provide specific security requirements, such as authorization or privilege levels, rather than vague ones.
- Include context, like API requirements or third-party interactions, for clearer direction.
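The difference between a vague requirement ("make the admin API secure") and a specific one is that the specific one can be written down as a check a developer can run. The following is an added example, not code from the episode or from any project Ixchel Ruiz works on; the actions, privilege levels and third-party hosts are hypothetical. It encodes two requirements of the kind the snip describes: each action names the minimum privilege it needs (everything unlisted is denied), and outbound calls to third parties are restricted to a named set of hosts over HTTPS.

```python
"""Specific, testable security requirements. Added example; the action names,
privilege levels and hosts below are hypothetical, not from the episode."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional
from urllib.parse import urlsplit


class Privilege(IntEnum):
    """Privilege levels, ordered so a higher level satisfies a lower requirement."""
    ANONYMOUS = 0
    USER = 1
    SUPPORT = 2
    ADMIN = 3


# Requirement 1 (authorization): each action states the minimum privilege it needs.
# An action missing from this table is denied; there is no implicit "anyone may".
REQUIRED_PRIVILEGE = {
    "view_own_profile": Privilege.USER,
    "view_any_profile": Privilege.SUPPORT,
    "delete_user": Privilege.ADMIN,
}

# Requirement 2 (third-party context): the service calls exactly these hosts,
# and only over HTTPS. Hypothetical host names.
ALLOWED_THIRD_PARTY_HOSTS = {"api.payments.example", "hooks.crm.example"}


@dataclass(frozen=True)
class Actor:
    user_id: str
    privilege: Privilege


def is_authorized(actor: Actor, action: str, target_user_id: Optional[str] = None) -> bool:
    """Deny by default; allow only when the actor meets the action's minimum
    privilege. 'view_own_profile' also requires the target to be the actor:
    an ownership condition that a privilege level alone cannot express."""
    required = REQUIRED_PRIVILEGE.get(action)
    if required is None:
        return False
    if actor.privilege < required:
        return False
    if action == "view_own_profile" and target_user_id != actor.user_id:
        return False
    return True


def is_allowed_outbound_url(url: str) -> bool:
    """Requirement 2 as a check: HTTPS scheme, allow-listed host, and no
    userinfo component, which would otherwise let
    https://api.payments.example@evil.example/ look like an allowed host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname in ALLOWED_THIRD_PARTY_HOSTS


if __name__ == "__main__":
    support = Actor("s1", Privilege.SUPPORT)
    print(is_authorized(support, "view_any_profile"))            # True
    print(is_authorized(support, "delete_user"))                 # False
    print(is_allowed_outbound_url("https://api.payments.example/v1/charge"))  # True
```

Written this way, the requirement doubles as the acceptance test: a reviewer can read the table and the two functions and see exactly which privilege unlocks which action and which hosts the service is allowed to talk to, instead of arguing about what "secure" meant.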
Contextual Security
- Security context matters: an app for kids has different needs than one for expert users.
- Consider the worst-case scenarios and design for survival in challenging environments.
Open Source Risks
- Open-source packages can introduce widespread vulnerabilities, as seen with the xz-utils (XZ Utils) backdoor.
- Unlike SolarWinds, where the vendor's build pipeline was compromised directly, xz-utils was a social engineering attack: the attacker spent years earning maintainer trust before inserting the backdoor.