Bill Sempf -- Development, Security, and Teaching the Next Generation

Show Notes

Robert is joined by Bill Sempf, an application security architect with over 20 years of experience in software development and security. Bill shares his security origins as a curious child immersed in technology, leading to his lifelong dedication to application security. They discuss CodeMash, a developer conference in Ohio, and recount Bill's presentation on the Veilid application framework, designed for privacy-driven mobile applications. Bill also explores his efforts in educating children about technology and programming, drawing on his experiences with Kidsmash and other initiatives. Additionally, they delve into the challenges of application security, particularly modern software development practices and the utility of languages like Rust for creating secure applications. Bill concludes with intriguing thoughts on application security trends and the importance of a diverse skill set for both developers and security professionals.

Helpful Links:

Bill's homepage - https://www.sempf.net/
CodeMash conference - https://codemash.org
Veilid Application Framework - https://veilid.com/

Math Without Numbers - https://www.amazon.com/Math-Without-Numbers-Milo-Beckman/dp/1524745545

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Chapters

• 0:00: Introduction
• 7:42: Giving Back: CodeMash and Other Conferences
• 12:27: Exploring Veilid: A Privacy-Driven Application Framework
• 16:17: Nurturing Tech-Savvy Kids
• 21:29: The Intersection of AppSec and Developer Conferences
• 26:36: Trends and Challenges in Application Security

Transcript

Robert Hurlbut: 0:00

Bill Sempf is an application security architect. His breadth of experience includes business and technical analysis, software design, development, testing, server management and maintenance, and security. In 20 years of professional experience, he has participated in the creation of well over 200 applications for large and small companies, managed the software infrastructure of two internet service providers, coded complex software happily in every environment imaginable, tested the security of all natures of applications and APIs, and made mainframes talk to cell phones. I spoke to Bill back in early 2019 for a podcast episode. Bill joins again in this episode to talk about CodeMash, an annual developer conference in northern Ohio. We talk about the Veilid application framework and Bill's experiences in teaching tech to kids over the years. We also discuss the latest trends in software languages and their relationships to application security. We hope you enjoy this conversation with Bill Sempf. Hey folks, welcome to another episode of the Application Security Podcast. This is Robert Hurlbut, and I'm an Application Security Architect and Threat Modeling Lead at Aquia. And I'm running solo today, uh, Chris is not with me, but I do have our special guest with us, uh, and that's Bill Sempf. Bill, welcome.

Bill Sempf: 2:09

Thank you very much. Pleasure to be here.

Robert Hurlbut: 2:11

Absolutely. And, you know, Bill, you and I did speak, uh, uh, before, and if listeners and watchers are interested in going back, back in April of 2019, uh, it was.

Bill Sempf: 2:22

history.

Robert Hurlbut: 2:23

history, right? It seems like it. Uh, we did have a podcast where you and I spoke and actually we spoke at, uh, one of our favorite, uh, conferences, uh, CodeMash up in Ohio and, um, really enjoyed that, uh, opportunity to talk with you and, and glad that it, it seems like it's, it's taken too long, but we're finally here, uh, after, after the world has changed in the last number of

Bill Sempf: 2:45

Yeah, a little bit here and there.

Robert Hurlbut: 2:47

Right? So, uh, so again, welcome, and, uh, we'd like to just start off, you know, I checked back and we didn't talk about your security origin story then, so I'd like to give you an opportunity to do that and tell us what's been going on since, but, uh, you know, what's your security origin story? How did you get started in this world of application security?

Bill Sempf: 3:05

So I've been a developer for a very long time. Um, I, uh, my dad was a science teacher and we had computers in the house from when you could have computers. I mean, he had earlier things, but the first one I remember was a, uh, TRS 80 that practically everybody of my specific, my very narrow generation had moved quickly into apples and whatnot. Um, but I showed a thing for programming early on. So I went and did some programming stuff and all throughout, um, I kept making the right choices as far as like what to specialize in, it seemed like. Um, I, BBS thing real early. Um, And actually wrote a, uh, uh, driver for, uh, an Apple Mac two, I don't think it was a two E that would support a onboard modem and an auxiliary modem both because we had two phone lines and I didn't realize that was a big deal at the time, but apparently it kind of is. Um, and then I was, I was into the internet working thing. I was into the communications bit. So that led me to internet stuff, which, um. Led me into, uh, I was, I was pre, way pre web, but eventually it did lead me into web related things. And, um, I helped OSU change their library system from Gopher to HTML. Um, back when, I mean, when you still had to download a web server from Cernic, and compile it. Um, so I've been, I've been in it real early. Um, and so I leveraged that professionally. Once I graduated, I, I started to do some stuff. Um, and one of the things I did was build web applications for people. I did a lot of that, as I'm sure many people that have a similar background with me do, did. Um, one particular site that I had. So I, I. I did some bigger things too, but one, uh, particular partnership I had was with a fellow here in Grove City named Fred Bollinger, a good buddy of mine, um, older guy, AT& T long lines man who'd retired, um, and, uh, he had a little, he did like networking for local businesses. dentist's office and lawyers and stuff like that. And, um, he also, he wanted to set up websites for them. And this is in 95, keep in mind, nobody had websites, right? Nobody could, I mean, practically nobody even knew what we were talking about, but he had a, uh, uh, one of the early fixed lines to the internet and, um, a server in the basement. And, um, I wrote some sites for his customers. And we also had this one thing that we built grovecity.Com, which was our, City site, our city is called Grove City, and we have like a thing where alumni can plan their you know, start the plan there, uh, whatever you call it, when you get back together. Um, and, um, the sports teams can put in their schedule, stuff like that. And one Saturday afternoon, I got a phone call from him, um, saying, Hey, there's something wrong with the web server. The hardware is completely full. And he, he, he wasn't, he wasn't just. He knew his way around Windows real well. So I came over, I, fortunately I could just drive to his house, which isn't something you do with your, your servers these days. Um, and, uh, as it turns out the entire, um, server was full of German porn because somebody had found a SQL injection flaw in grovcity. com and uploaded an FTP server and was using it as an FTP server. So a, at the time, massive machine was completely full of this junk. And it was also happened to be our name server too, for the, for his and people that he was providing stuff to. So that was my first time that I utterly, that I, the first time I'd ever heard of SQL injection. I didn't even know that any of this was possible. So I started looking into it and I was hooked from there. So it's just, I continued when the software development side for a long time, but I was always the security guy on the dev team and eventually, um, I got off on a long, tiring project and went looking for something else to do and vulnerability assessment was one of the options. And I went, okay, I'll give that a try. And then I was hooked. So I'm, I've been doing that ever since.

Robert Hurlbut: 7:42

Very cool. And now you've done pin testing. I know you've also, um, worked with OWASP and, and, uh, some other organizations just helping out with security and, and so forth. Um,

Bill Sempf: 7:52

to give back a little bit. It's, I mean, community has been awesome to me, so it's try to be awesome back as often as I can.

Robert Hurlbut: 7:59

excellent. Excellent. And so, um, you know, we just talked about CodeMash. So CodeMash is a developer conference. It's typically, uh, happening at the beginning of the year. I think it's the second week, around the second week

Bill Sempf: 8:11

Yeah, Robin Clayton would be January, done that way. So the idea behind CodeMash was that it would be a. Amalgamation of all the conferences that always take place along the, the, the, the coasts for, you know, back in, back in the day. Okay, so for, for the youngsters listening, it used to be the conferences were very platform driven. There was a Java conference or a NET conference or a Microsoft platform conference or a. You know, everything was very, very boxed in. CodeMash was supposed to be, we're just going to take the best of all those conferences, put them in the middle of what normally is a flyover state, and get all the Great Lakes region people a place to go meet. And, um, did it in the middle of January where there's no other conferences going on, um, on an indoor water park. In January, so you can walk around wearing shorts and a t shirt and flip flops, um, in when there's three foot of snow outside and, um, because of course it's in Cleveland, so lake effect snow. Yay. Um, and the, it was just supposed to draw together developers and we were supposed to basically trade ideas. I mean, it was, it was, it was an open forum. As much as anything else. I mean, normal speakers and stuff like that, but the LobbyCon was, is, were very much worth that.

Robert Hurlbut: 9:29

Yeah, definitely, definitely. Yeah, it's, it's been one of my favorite conferences. Um, I have to say, I think the last time I was there was 2020. I've been wanting to go back since it's come back again. Uh, but if I, I find that, uh, the last couple of times when I've, the opening for speakers is, is a time when I'm traveling. And so, unfortunately, I've had to miss it during the summer is typically end of summer is when they're looking for speakers. But, uh, um, how was this most recent one? So we're talking, it's, it's already a few weeks past, but how was this past one?

Bill Sempf: 9:59

It's good. Um, we, like many conferences, suffered from the, the, the lockdown blip. Um, we had to cancel a year, uh, because, well, everything was closed in January of 2021. It would have been, um, and then 2022, uh, it was real small. Um, and then, uh, 2023 was a normal one. And then, then, then this year's, of course it came in and, uh, it was, it's probably about half the size it was before. As far as number of people, but, and, and that sounds bad, uh, but really it's much easier to get around and stuff and, and find people you're looking for. It was impossible. There used to be 3000 attendees and a thousand staff speakers and miscellaneous people. Um, and the with, with it half that you can actually find people and have those hallway conversations that are interesting and stuff and go float the lazy river more easily and, and whatnot.

Robert Hurlbut: 11:05

Right. I've seen that similar for OWASP for example, I remember a couple of years ago going, uh, in San Francisco and it was, um, much, much smaller as you could imagine in, in, uh, 2022. And then in 2023, a much larger, But that's true. I think, you know, this year, 2024, we're going to see more come back and more people. But, you know, as it's smaller, sometimes you do have those more opportunities or better opportunities to be able to find people and talk to them that maybe you just missed when there was a much larger conference.

Bill Sempf: 11:38

yeah, absolutely. People, people got different hobbies and stuff too. So they have other, you know, through the lockdown, so that their interests may take them into a community other than their development community or their security community that they were sitting in before. And it's not like they don't want to go to conferences. It's just, they met another group of people and they're kind of sharing. That's, that's kind of the thing. That's something I've learned in lock sport. Um, Which is, uh, the, the, when, when we, obviously, that's a very touchy feely hobby. When we all get together, trying to get everybody back together was kind of hard because everyone had gotten into something else over the, over the lockdown. So now it's like sharing your hobby time with some, with, with another, another, uh, partner, sort of.

Robert Hurlbut: 12:25

right, right. So at this last, um, Code Mash, I want to go over a couple of talks that you gave. Uh, one of them was on, uh, an application framework. It looks like it was introduced at DEF CON 31.

Bill Sempf: 12:39

Yep, Veilid.

Robert Hurlbut: 12:39

Veilid. Yeah. Uh, so, so tell me about that and our listeners, um, why should developers learn and use that framework? You know, what, what is it and, and why, how could they use it?

Bill Sempf: 12:50

So Veilid is a, is a, um, application network framework that's privacy. It's mobile first, first of all, and it's privacy driven. Um, so all the communication that is taking place, um, where each of the. The organizations that get, get the pass through of the traffic are, are collecting that data for future modeling of the kind of people who use that service that they're, that they're clicking on or whatever. Um, it's that's getting a little tiring for a lot of people, um, where you literally don't know, like if you happen to send your location data to. Server X, how many places between here and there are collecting that data and using it, even if it's not directly associated with your name, um, the, the collection and monetization of the data that we're moving around is getting very frustrating. Um, and there's been a couple of tries to, to solve that problem with overlays and building from the ground up. Veilid's kind of in the middle. Um, they take the existing internet protocols and they're, um, providing a collection of APIs that a developer can use to do their normal network traffic, but it moves the data from Uh, from point A to point B, very much in a Tor like way, where it's, it's tossing around amongst, um, other nodes in the network. Um, and it's brilliantly, uh, designed and extraordinarily well developed as well by the Occult of the Dead Cow, one of the original hacking groups. It was with Loft Industries and everything else back in the 90s. Um, and, uh, they, uh CDC wrote back office. If anybody was a Windows admin in 2000 timeframe, um, you, you know how people got into your Outlook or your Exchange install, your SharePoint install, your even Word and Office products, you know, that was how you, you broke in. Um, but this is, this is much more driven for, um, Not, not, not attack side stuff. This is defense side stuff. We're defending ourselves against this, this massive superstructure that's being built where it's basically trading in our data constantly. Um, it's some pretty interesting stuff. It really is.

Robert Hurlbut: 15:19

Okay.

Bill Sempf: 15:20

It's a neat, early, open source project that really does need some help, um, from developers, and, um, it's early enough you can get in and actually make a difference, you know?

Robert Hurlbut: 15:34

Is it, is that on GitHub or,

Bill Sempf: 15:36

It's GitLab, actually. Yeah. Which I found very interesting. I have, um, A number of my customers use GitLab and, um, it's nice because you can reach out and touch someone at GitLab. GitHub's kind of a walled garden as far as the people are concerned and, you know, getting like, Hey, how do you do this? That kind of thing. Whereas GitLab is much, a little bit, uh, younger and, and, And more flexible that way. So it's nice to be able to just like the forums, the, the developers hang out on the forums and stuff. And you don't run into that as much with GitLab, with GitHub, I mean.

Robert Hurlbut: 16:13

Right. Right. Okay. We'll encourage folks to take a look at it.

Bill Sempf: 16:16

Yeah,

Robert Hurlbut: 16:17

The other topic, and we actually touched on this in the last podcast, but I want to kind of get an idea of where are we now, but I know that working with KIDSmash and, and, and other endeavors, but your topic was developing kids in tech a retrospective. So tell us about that. And,

Bill Sempf: 16:38

sure.

Robert Hurlbut: 16:38

Some of the experiences there.

Bill Sempf: 16:40

yeah, I, I, um, basically what I did is I, I, I kind of, as a, as a, as kind of a joking way of looking at it, I, I took. Uh, the, the model of a development of a child into a tech savvy, um, but philosophically sound adult, um, taking, taking them down that path using the Agile method. So that, that very circular, um, pattern, uh, following the, the, the principles of the Agile manifesto. Um, and since I'm pretty much done with that process with my own kids, it's like, That's why this is the retrospective. I mean, my kids are 18 and 13. They teach me about tech stuff all the time. Anytime I have to use discord, I go to one of them and they're like, how did you do this? Um, so it's, it's, it went fairly well, but, um, I more or less walked through the, you know, what I used in, not only with these two, um, but, Also with, um, Scouts, working with Scouts for years and years, and working with KidsMatch, um, and just being the advice giver in the family for people who, you know, have kids that they, they want, they're not necessarily technically savvy, but they want to make sure their kids are and what's, what should the goal be. And that's pretty much what the talk was about, was what, what, what path. Do you take, and I'm not talking about making the next great program or network engineer or anything like that, or hacker for that matter. Um, I'm just talking about creating tech savvy kids. So we talked about starting, you know, at a very young age, um, with the, the couple of things you need to be a good technical user, you need, you know, you need creativity, you need observation, and you need problem solving skills. Um, and no, no matter whether you're going to do. anything with a computer, even except for just like randomly surf web pages, you're going to need those three characteristics. So we talked about starting out with like art supplies and how to solve problems by building things and then getting into more advanced art supplies like 3d printers and stuff, and see that that takes a path all to itself. And we talked about. Following a kid's actual interests, I talked about, um, weather. I've got this little thing called the Atmo tube that, um, collects all kinds of weather data and allows you to access it and get, get, um, parts of it, um, uh, into a data munging tool set that you can then play with. Um, we talked about, um. Network stuff like the Flipper Zero, which it's really funny because at this year's Codematch somebody had one. For those of you who aren't familiar with Flipper Zero, it's basically a signals testing kit in one box. If you've ever done any network security testing or physical penetration testing, you've probably got that box of miscellaneous stuff. Things like, uh, you know, uh, uh, uh, uh, uh, uh, Bluetooth antenna. Um, that's, that's got an open firmware piece and it's easy. You can hack on it and a wifi pineapple and all this stuff. Well, pretty, pretty much all that stuff is built into this little box here. Um, but there's somebody relatively soon before CodeMash released a, um, Bluetooth spamming thing that will basically take an iPhone offline if you're on it. I mean, you can, you can go into a room with a bunch of iPhones and start it and all the iPhones will just stop working because they'll be dealing with, you know. It's a known flaw in the, in, in iOS, um, but nobody was really doing anything with it until somebody wrote a tool for this to make it happen. So that was, it was funny that I had that with me. And we had a couple of security attendees who were running tracking. Packages to look for people with flippers, trying to figure out who had the Bluetooth thing running. They might not even know it was running on their, on their flipper, because that's the way those things are. And, um, so every time I walk past one, they'd be like, Eh, we already know you have a flipper. Yes, I need one for my talk. I'm going to show it. Anyway, we talked about video gaming and, and, uh, getting started early, building things with Roblox and Minecraft, and, um, I've got a, uh, And I, I made, I made a big list of all the stuff that I used have, have used through the years and have used recently. Um, put it up on, uh, uh, on a gist. I'll, um, I'll get it to you guys later and you can put it in the show notes afterwards.

Robert Hurlbut: 21:26

Great. Great. Fantastic. Thank you. Um, so just sort of rounding out about conferences, uh, in particular developer conferences, um, this is a question that came up when I was at, uh, ThreatModCon, uh, when I was giving the keynote, we had at the end, uh, we had actually a question and answer time. And one of the questions was, you know, threat modeling, but in general, just application security, should we have more presence? at developer conferences. Should AppSec people go there and speak? Uh, what about developers who are interested in security and speaking about security? What are your thoughts on that and what are some things that they could talk about and that would be helpful as well?

Bill Sempf: 22:09

Yeah, there's, I mean, the interesting piece of this is that a lot of people who historically have been in application security were primarily a security person who just ended up in an application role. I mean, very often it's a, um, a. Somebody who came up the normal way, you know, it started in help desk somewhere, had a proclivity for, for dealing with, you know, security related issues, ended up somewhere jockeying some logs and then just wound their way up through the cycle. And, Eventually, by accident, kind of ended up in application security. Um, the, the, of course, they're absolutely wonderful. Some of the, the best AppSec people I know come exactly from that background. But having developers in that role, like myself, um, it, it provides just a different voice. You know, a different, a different perspective to both the community and also to the, to the corporations and organizations that are in need of protection and education as far as application security is concerned. Um, and, um, I think that, yeah, I mean, people who are in application security with a primarily network background should go to developer conferences and see what the developers are dealing with. And people who are in development should absolutely be going to security conferences and seeing what the attackers are doing, because they often don't know. To, I mean, even people who are security savvy, a lot of times cross site scripting means that you can bring up a dialog box in a web form, because that's all they've ever seen done with cross site scripting. But going to, you know, a B side somewhere and having somebody show some you know, new exploits that have been discovered because of cross site scripting flaws and applications and, and, and channeling things and, and stacking them on top of each other, um, is real beneficial. So I'm, I'm a big believer in broadening your, your knowledge base. I mean, and it's partially, it's because I'm a very much a jack of all trades master of none kind of person personally, but, um, I do think that there should be. A lot of inner traffic. And I love the conferences that I've seen a lot more on the development side, development conferences, creating a security track, um, for people to come, uh, and, and give, uh, give those kinds of talks. I remember, uh, it's, I'm, I'm working on, um, doing the speaker selection for a conference here in town called Stir Trek. It's held at a movie theater every year in May. Uh, so you get to give your talk. On a movie screen, literally. And, um, you, uh, then at the end, we all get together and watch whatever the big summer blockbuster is. I can't remember what we're doing this year, but, um, the, uh, Phil Grimes, it goes by greatbabeonline, it came in and gave, it gave a full scale demo of cross site request forgery at, um, and it worked, I mean, an actual live demo, and it worked, um, and, uh, it opened some eyes, you know, Because, of course, what's Cross Site Request Forgery to a developer? It's a, it's an item in a report that says, Hey, you're missing this token, and they go, Oh, okay, and they get to put the token in there, but they don't know what it means, but now those people know, because they went to Phil's talk.

Robert Hurlbut: 25:50

And saw it.

Bill Sempf: 25:51

You know, they saw it happen. Um, and that's why I locked it, and when I go to developers, I lock it. Groups, conferences and give trainings. I like to kind of the last section of it. I like to get into some advanced Payloads and what really the kind of damage that can be done, you know If you if you are really willing to put a little bit of time into coding something that does what you want it to do. You can do some damage even with real straightforward flaws and software development. So it's, I think that's an, I think it's an important addition to the overall community.

Robert Hurlbut: 26:35

Excellent. So just rounding out, uh, talking about, uh, developing and, and, and being a programmer. Of course, you know, that's my background as well. We both, uh, focused on NET for many years, of course. Uh, but what are some of the trends or what are your thoughts on the trends and new languages and related to AppSec?

Bill Sempf: 26:54

Well, it's funny. Um, we're circling back real quick to Valid. Uh, Valid is written in Rust.

Robert Hurlbut: 26:59

Okay. Yeah, I was going to, I was curious about that as well.

Bill Sempf: 27:03

I am not a Rust developer at all, but they, they did it, uh, for a lot of reasons. It is very much runs along the secure by default kind of, um, kind of philosophy. There are no scissors to run with in Rust. It's not that they don't give you the scissors, there are no scissors.

Robert Hurlbut: 27:22

are no scissors, right?

Bill Sempf: 27:24

Um, so you, you have all the power until you get to that line and then the language just says nothing. I mean, it doesn't give you anything. There's nothing like some magic thing you can wiggle to make it so you can do. This thing you want to do that you probably shouldn't do. Rust just simply doesn't have those pieces built into it. But, um, there's been a lot of, um, malware written in Rust recently, a tremendous amount, actually. Rust and Go, Go Lang, both, um, and, uh, somebody at the Veilid talk asked, you know, I'm really interested to see that you, you, they, they built this thing in Rust. What else is Rust good for? I'm like, well, writing malware. Because it's true. It's an awesome language to write malware with, um, but it's not a, uh, it's not a be all end all, that's for sure. Um, but yeah, it's, it's, my, my main thing actually isn't, what I'm seeing most of, myself, in the work that I do, um, isn't, An issue of the new languages that are showing up. The fact is, is that not a lot of the kind of people who have their applications sitting on along the outer boundary of their organization, where they need them to be pen tested, have a vulnerability assessment completed. None of those people are building in Rust and Go or anything, anything new really. But they are using a lot of new. Frameworks and tool sets and those frameworks and tool sets are also using frameworks and tool sets that are using frameworks and tool sets and the supply chain gets really deep and it becomes extraordinarily. Whoa, I just bumped my keyboard. Hope I didn't mess something up. Um, becomes extraordinarily difficult to, um, keep an eye on an application from a static analysis perspective, especially like looking at the, uh, You can't look at the code really anymore. I mean, back in the day when, when you and I got started in, in, if you wanted to do something, you wrote the whole dang thing and it was in VB script and there was an ASP page on top of it. And that was it, you know, in the Microsoft world. Um, but now with. With the JavaScript frameworks, there's, there's a billion of them. They're constantly being updated. They're using each other, um, and tracking down potential vulnerabilities is an exercise in futility in so many ways. They, they can't get there. Um, you, you, when you can find things, half the time it doesn't matter, because it's not anything you'd ever use or you're going to use, but the thing is you could. So, like, in my position, where I do vulnerability analysis and I write up all the things that could be wrong with an application, um, rather than spending the time to go and exploit it and show, ha ha, look, I can take over your computer. I just say, listen, somebody who has the time to spend doing this can break into your computer with this. We know that. Um. So if I'm looking at static analysis and I see that, you know, they're running a version of some jQuery plugin that has a bunch of DOM cross site scripting, do I, do I write that up or no? Because it doesn't look like they're using it now, but they might be and I just missed it or they couldn't like tomorrow because everybody's on these super fast development and deployment cycles.

Robert Hurlbut: 31:08

right.

Bill Sempf: 31:09

Um, so, I don't know. That's what I'm, that's what I'm running into more than the, the, the changes in languages. Now on the mobile side of things, um, the, the, the slow grind of, of language changes is a little bit more evidence. It's a little earlier there, you know, we're, we're a little, it's a little newer. So watching, um, IOS go from, you know, Objective C through, through Swift and through, um, and now I think that all the, all the packages you can stack on top of it, like the Telerik, uh, controls that allow you to build pretty easily in Visual Studio where you feel at home. And then you can just compile down to iOS or Android. Um, that, that provides its own. Different little tweaks as far as vulnerabilities are concerned. And you run into that same problem where, you know, we know there's a vulnerability in this library but it doesn't look like you're using this library, but if you ever did, it would be a bad thing. So, uh, um, I, I don't, Don't envy developers or people starting projects for having to make those decisions up front. It would, it kind of would be like, heck, whether we're just going to write it all from scratch, but you can't anymore

Robert Hurlbut: 32:22

No,

Bill Sempf: 32:23

you can't meet deadlines and, and keep up with everybody else if you do. So

Robert Hurlbut: 32:27

right.

Bill Sempf: 32:28

that's kind of my take.

Robert Hurlbut: 32:30

different world, but certainly, uh, good things to, to keep track of and be aware of supply chain issues. And, and of course, all the. The, uh, pre, pre written code that we're using and, and where do those, where are the dependencies and so forth. So

Bill Sempf: 32:46

exactly right. Web application

Robert Hurlbut: 32:49

Well, Bill, uh, one of the, the things that we, uh, typically do it towards the end of our, uh, podcast interview is we, we have what we call this lightning round and actually I've been doing these. And so I'm going to ask the questions today as well. Um, So, uh, three questions. Uh, first is, uh, what we call our controversial take. Uh, what's your most controversial opinion on application security and, and why do you hold that view?

Bill Sempf: 33:13

firewalls are useless. They are trivial to bypass. And you simply cannot stop bad, really bad problems with regular expressions, which is what they all used under the covers. They can say, Oh, we've got this fancy sauce to be used to determine if a given request might be an attack. And no, it's eventually somewhere down in the pipeline. It's a regular expression. And you simply can't write one that will find either SQL injection or command injection of an operating system or even cross site scripting that won't prevent something. So, quick story, obviously this particular problem has been fixed, but when that SQL injection flaw that I mentioned way back at the beginning that got me started in all this, my first way of solving quote unquote the problem was to prevent people from putting tick marks in. It took about an hour before we got an email from Mary O'Malley who couldn't update her alumni stuff. Um, and that's, okay, fast forward that 30 years or so, um, that's what we're still dealing with today. Um, you, you go look at the, the rule, the very few tools that will let you actually see the rules they're using and they're these big, huge, you know, thousand character long trejects and, and they're just a useless. So there's my controversial opinion is WAFs are useless, don't bother, just write your code securely to begin with. I'm

Robert Hurlbut: 34:57

Excellent. All right. Number two, um, what would it say if you could display a single message on a billboard at the RSA or Black Hat conference?

Bill Sempf: 35:07

tempted to say don't click shit, but that's, that's not, I've actually been. Converted from that, um, but, um, uh, I mean, it, I, I, I want to say something, I mean, probably something more philosophical, like check your premises, because the, the, the, the, the, the, if people in, in the application security world or security in general would just step back and not concern themselves with the details of the upfront, the details of what they're trying to do, but try to get that forced view. You know, so check the assumptions you have might be wrong. So check those. And the only way you can do that is by stepping my other hands way over here. You can't really see it, but it's stepping way back and saying, Oh yeah, you're right. That isn't going to work on a global or application wide or corporate wide or network wide perspective. It fixes this one little problem I've got right here. That's it. Um, so that, that's kind of, that's some, something along those lines.

Robert Hurlbut: 36:15

Okay. Excellent. All right. And the last one is, um, what's your top book recommendation and why do you find it valuable?

Bill Sempf: 36:22

So I, I don't have a book. I have a category of books that I've been reading and it might, this may just completely be me. Okay. So, um, way back when, when I was in college, I, um, studied management information systems. Well, I studied music for a long time, actually, and then I studied management information systems. Okay. Um, and I have, uh, uh, every, I'm one credit hour short of a minor in economics. So, economics has always been a hobby thing of mine, like, before I was in college, when I was in high school, I had a, was very interested in, in economic stuff and like that. So, economics makes a lot of use of abstract algebra under the covers. And there are just a boatload of really good books written about, um, real mathematics, not like, you know, X plus four equals six, but, but abstract algebra. And I'm, I'm like, I'm reading a book right now called math without numbers. That's That's a book about topology and man, it has absolutely nothing to do with application security or economics, really, except for the fact that topology makes use of the same integrals that the economics does to make distinctions between, uh, models. Um, but wow, it's, it's really great to just stretch your brain around something else really technical occasionally and, and get around there. So I'm, I don't have a cool, uh, you know, a security book right now that I would recommend to people. Um, but, but I would say, Pick some technical topic that gets you going, and if you have any interest at all in mathematics, even if you, like, want to be interested in cryptography, studying real math. Not arithmetic, but real math is, um, even if you just read popular books about it, rather than actually take a class in it or really study it, boy, it changes the way you think about things.

Robert Hurlbut: 38:29

No, absolutely. Okay. Well, Bill, as we wrap up, um, give our listeners a key takeaway or call to action or both.

Bill Sempf: 38:39

Um, uh, you know, um, I mean, honestly, I'll be honest with you, I think things are going real good, uh, in the security space. A lot of people are doom and gloomers, and oh my gosh, everything's falling apart, we're all gonna die, and, and, but I'm, I'm looking big picture at what attackers are having to do to really make things happen. And, wow, you know, we're, we're, we're making some serious strides. in making a safe overall, um, I mean think about making an instantaneous global network and trying to secure it from people who would do bad things. I think we're doing a pretty good job of that considering how big of a lift it is. Um, so just keep going and don't, don't let the naysayers get you down. It's, we're, we're doing okay.

Robert Hurlbut: 39:32

Very cool. All right. Well, thanks, Bill. Always a pleasure to talk to you. Thank you for joining today and, and, uh, uh, appreciate your time.

Bill Sempf: 39:41

me. Thank you very much. My pleasure as well.