diskliner.blogg.se

Tayasui sketches keeps crashing

I then became a detractor, thinking it didn't really fit into automation, and am now a fan again. I was a big proponent of threat modelling while at Microsoft, and used to spend afternoons in JD Meier's office, sketching out ways to do it better and simpler on a whiteboard.


I can’t believe you can still download that book in PDF from Microsoft for free. When I was at MSFT, I owned one of the threat modelling tools, and was involved in writing Improving Web Application Security: Threats and Countermeasures. One CSO said that he needs to be able to know what to work on Now, Next or Never, something they just couldn’t do today. Maybe we still aren’t able to focus on the right things? Last year when John and I interviewed CSOs, there was a clear message that they can’t keep up. We educated them and put in tools and checkpoints, so I guess that's what worked for us, but as a security company I don't think we were in any way typical.


They initially pulled open source libraries off the internet without any thought for security, and given a free hand would put features together at a lightning pace without any thought for security.


They were great developers and had come from very credible companies with strong developer cultures, but initially, security wasn't even a thought in their mind.


Plaid shirts, moustaches and vinyl records. These were San Francisco hipsters, who lived and breathed JavaScript. Maybe the current generation of developers just cares less than the previous generation? I had a bit of a culture shock when we first hired front end developers at SourceClear.


It seems unreasonable to expect a developer to know about how to secure “all the things”, and unreasonable to expect a security professional to know how to secure “all the things”. Today you will more likely have a front-end built on one stack, a set of backend services built on another and even more likely services not even written by yourself. Maybe the explosion of tech is the reason we can’t keep up? Back in the old days you controlled the architecture, the way connectivity and integration happened and lots more. Maybe generic training about specific issues, and then expecting a developer to translate that to the technology that they work on day-to-day, doesn’t work? Expecting a Node developer to go from learning about an issue like XSS to creating robust defences in their app may be too hard. Logic says training people about the issues surely helps people avoid them, but perhaps the amount of time you can reasonably expect a developer to undertake training doesn't actually have the impact we need or expect? Perhaps the sheer variety of potential issues means that “top ten” style training doesn’t work? Again, logic would also say that you wouldn't then expect the same old issues to show up time and time again if you did this. Maybe developer training doesn't actually work? People have been doing it for years, and many companies spend millions a year on it. If you look at the 2022 annual reports from bug bounty companies BugCrowd and HackerOne, and you consider that the OWASP Top Ten has hardly changed in the last decade, you might be wondering, like me, why are the same old appsec issues still a thing in 2023? I am not going to claim I have a good thesis, let alone a strong opinion, but I do have a lot of questions. This article is cross-posted on our blog. As always, you can subscribe to our newsletter at It’s just like hitting the like button on a YouTube video.










