Graph structures and how they are used in security code analysis

Graph structures are a natural representation of many kinds of data. They are a good way to represent relationships between objects, such as the relationships between users on social media sites, or the distances between different locations.

Today, let’s explore graphs and how they are used in security code analysis. Then, we will dive into how we can use graphs to analyze code for vulnerabilities.

A brief intro to graphs

You’ve probably already heard of graph structures and graph databases. In mathematics, a graph is a set of nodes and a set of edges that connect those nodes. Like this graph right here:

Nodes represent objects, and edges that…


Expected Delivery

Main Branch is a comic strip for developers produced by James Gilbreath, Jason Green, and Vickie Li.


Sessions to watch for developers and hackers

Photo by Austin Distel on Unsplash

Here at ShiftLeft, we are gearing up for Shifting Left 2.0, a two-day application security conference for developers and security practitioners on June 22–23, 2021. It has something security-related for everyone: dev team leaders, application security folks, and the developers who are ready to become security champions.

Here are a few sessions I am most excited about and what you should attend if you are a developer or a hacker. The conference is split into two days: June 22nd and June 23rd. All session times are in PDT. Now let’s get into it!

A Fireside Chat — How to Measure the Success of Your AppSec Program ( June 22nd 1:05 PM — 2:05 PM)

With Arun Balakrishnan of ShiftLeft, Paolo del…


Sources and Sinks interviews Alok Shukla, VP of Product Management at Shiftleft on how to beat the OWASP Benchmark

Photo by Aaron Burden on Unsplash

Welcome back to another episode of Sources and Sinks. The OWASP Benchmark project is an OWASP initiative designed to measure the accuracy of security scanners. But what does that mean? Today, we talk to Alok Shukla, VP of Product Management at ShiftLeft, about what the benchmark score of a product means and how you should evaluate a security scanner.

Sources and Sinks is a technology-focused podcast. We talk about the business, people, products, and culture of technology — with a security twist. Listen to more Sources and Sinks here:


Meet the Manager

Main Branch is a comic strip for developers produced by James Gilbreath, Jason Green, and Vickie Li.


Sources and Sinks interviews Gyan, CEO of Kontra, on how to do developer education better

Photo by Jean-Philippe Delberghe on Unsplash

Welcome back to another episode of Sources and Sinks! Today, I talk to Gyan Chawdhary, the founder and CEO of Kontra application security training, about how to teach security to developers. Gyan has founded two startups in the developer security education space and believes that the future of security training is interactive. We discuss his experience in security training and his experience of founding Kontra to create a new type of security training.

Sources and Sinks is a technology-focused podcast. We talk about the business, people, products, and culture of technology — with a security twist. Listen to more Sources and Sinks here:


Thanks to everyone who submitted to the Secure Developer Challenge for May 2021!

For this month’s challenge (https://go.shiftleft.io/developer-challenge-05-2021), we asked you to identify which of these statements about HTTP security headers are false:

The correct answer is that options C and F are incorrect. Did you get it right?

X-XSS-Protection turns on the XSS auditor of the browser and protects against XSS attacks. But the best practice is actually to disable XSS filtering by specifying the header “X-XSS-Protection: 0”. Using this header to prevent XSS attacks is insufficient because it sometimes interferes with custom XSS protection code, and security researchers…


How I write technical posts and hacking tutorials

Woman writing in notebook
Coffee and Croissants sometimes included. Photo by Cathryn Lavery on Unsplash.

Some of the questions I get the most online are “How do I start hacking?” and “How could I write better technical posts?” After the announcement of my book, I also had people asking me what that process entails.

I love technical writing because it’s a way of sharing knowledge. You can share what you’ve learned and expedite the learning process for others without ever meeting them in person. So I encourage most technical folks to give writing a try. It’s a great way to clarify your thoughts, understand a concept more deeply, and participate in indirect mentorship.

My writing…


Security Weekly Podcast Episode with Manish Gupta

Photo by Soundtrap on Unsplash

Security Weekly is the security podcast network for the security community. This week, Security Weekly interviewed Manish Gupta, CEO and Co-Founder of ShiftLeft about his thoughts on bringing application security into the modern CI pipeline.

Application security in a modern CI pipeline needs a combination of tools, collaboration, and processes to be successful. Importantly, it also needs to scale. So, how can an Appsec team bring tools and security knowledge to developers? Listen to Manish here:

Static analysis is the most efficient way of uncovering vulnerabilities in your applications. …


Photo by Alex Radelich on Unsplash

How to help devs write code, learn security, and fight attackers

Securing software is friggin complicated.

Supply chain attacks, the OWASP top ten, ransomware, insider attacks, and plain old typos. As software development becomes increasingly fast-paced, the potential threats that can compromise security don’t stop. If anything, the likelihood of releasing vulnerabilities into production increases as we push out more and more software each day.

Developer education is key to reducing security risks

Security is a team effort by everyone: application security engineers, system administrators, managers, architects, and analysts. But when dealing with application security, developers are the ones who write vulnerabilities into code, and developers are the ones who have to fix vulnerabilities when they are found.

More…

Vickie Li

Professional investigator of nerdy stuff. Hacks and secures. Creates god awful infographics. https://twitter.com/vickieli7
