Pull requests are a core part of collaboration, whether in open or closed source. GitHub has documented some of the security consequences of misconfiguring how PRs can trigger actions. But what happens when repo owners don't read the docs? Bar Kaduri and Roi Nisimi walk through their experience in reading docs, finding vulns, demonstrating exploits, and working with repo owners to improve their security. Their work highlights the challenges in maintaining good security guidance, figuring out secure defaults, and how so many orgs still struggle with triaging external security reports -- something that's becoming even more challenging when orgs are being flooded with low-quality reports from LLMs.

Segment Resources:

• https://orca.security/resources/blog/pull-request-nightmare-github-actions-rce/
• https://orca.security/resources/blog/pull-request-nightmare-part-2-exploits/

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-355

The post quantum encryption migration is going to be a challenge, but how much of a challenge? There are several reasons why it is different from every other protocol and cypher iteration in the past. Is today's hardware up to the task? Is it just swapping out a library, or is there more to it? What is the extent of software, systems, and architecture that have to be updated or replaced to complete the migration? Can we get it all done by 2030?

Sandy Carielli and Martha Bennett join us to answer these questions and dive into one area of tech that hasn't been discussed much when it comes to post-quantum encryption: blockchain.

Relevant Forrester Reports:

• Quantum Computing isn't a Threat to Blockchains - Yet
• The Architect's Guide to Quantum Security

In the news, high standards for open source software, trends in self-hosting, doing the cloud wrong, and is it really always DNS?

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-354

Ransomware attacks typically don't care about memory safety and dependency scanning, they often target old, unpatched vulns and too often they succeed. Rob Allen shares some of the biggest cases he's seen, what they have in common, and what appsec teams could do better to help them. Too much software still requires custom configuration to make it more secure. And too few software makers are embracing secure by default, let alone secure by design.

In the news, passively monitoring geosynchronous satellite communications on the cheap, successful LLM poisoning of any size model with a single size dose, security engineering lessons from Signal's post-quantum crypto work, improving security for JavaScript in the browser, and more!

This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-353