Bridging the Security Gap with Scott Arciszewski

In this weeks episode we are lucky to be joined by Scott Arciszewski to discuss all things Security. We start off by chatting about a recent talk he gave at DEF CON 25 and the importance of secure API design. From here we highlight Google Tink, misunderstandings of how PHP has changed over the years and what CVE’s are. This leads us on to delve into the tools and processes used within the reconnaissance phase of a security engagement. Finally, we briefly mention Quantum Computing and its impact on cryptography - followed by best practises for securely managing secrets within web applications.

Show Links

• Paragon Initiative Enterprises
• Scott Arciszewski on Twitter
• NaCl - Networking and Cryptography library
• google/tink
• PHP Implementation? - google/tink - GitHub
• PHP RFC - Flexible Heredoc and Nowdoc Syntaxes
• Common Vulnerabilities and Exposures (CVE)
• Common Weakness Enumeration
• Shodan
• Nmap - the Network Mapper
• Burp Suite Scanner
• Puppy Linux
• klange/ponyos - My Little Unix, Kernels are Magic!
• Fiddler - Web Debugging Proxy
• Charles Web Debugging Proxy
• OWASP Zed Attack Proxy Project - OWASP
• How and Why Developers Use Asymmetric (Public Key) Cryptography in Real-World Applications
• Secrets, Secrets, Are No Fun - PHP Roundtable
• Keeping Credentials Secure in PHP
• Securing Credentials for PHP with Docker
• Vault by HashiCorp
• AWS Secrets Manager