There is one thing that he points out that I really like: reducing the cognitive load on developers. Everyone is all about teaching developers about security. That is a good idea. But if we can give developers some security features for free, even better.
An underrated aspect of AppSec and Secure Coding is not exposing the insecure functionality in the first place.
Let's say you have an XML parsing library that may be used by devs wrongly/insecurely. By disabling certain functions in the library, it's not vulnerable to XML Injection anymore.
Instead of constantly training them to figure out security params, having a (custom) wrapper library that automatically disables insecure functionality is way more effective.
It's:
* easier to use
* easier to enforce (in SAST, CI, SBOM, etc.)
* easier to train on
* reduces cognitive load for devs in the long run
* and more secure
Keep it simple.
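As an added example (not code from the post or from any library it mentions), a small Python wrapper over the standard-library expat parser that refuses any DOCTYPE before the rest of the document is read, so neither entity expansion nor external entity references are reachable by callers. The sample documents, the placeholder URL and the function names are constructed for this example.

```python
"""Wrapper that hides the dangerous parts of an XML parser from callers."""
import xml.parsers.expat as expat
from xml.etree.ElementTree import Element, TreeBuilder


class UnsafeXMLError(ValueError):
    """Raised when a document uses features the wrapper does not allow."""


def parse_xml_safely(data: bytes) -> Element:
    """Parse untrusted XML into an Element tree, rejecting any DTD.

    Entity declarations (internal or external) can only appear inside a
    DOCTYPE, so refusing the DOCTYPE up front removes both entity-expansion
    blowups and external-entity fetches without the caller doing anything.
    """
    parser = expat.ParserCreate()
    builder = TreeBuilder()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE is not allowed (got <!DOCTYPE {name}>)")

    def forbid_external_entity(context, base, system_id, public_id):
        # Defence in depth: never resolve an external entity even if reached.
        raise UnsafeXMLError(f"external entity reference blocked: {system_id}")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.ExternalEntityRefHandler = forbid_external_entity
    # Only the handlers needed to build a tree are wired up; nothing else
    # of the underlying parser is exposed to the calling code.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return builder.close()


def is_rejected(data: bytes) -> bool:
    """True if the wrapper refuses the document (useful as a CI check)."""
    try:
        parse_xml_safely(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample inputs (not taken from any real system).
BENIGN_DOC = b"<config><host>db.internal</host><port>5432</port></config>"
DTD_DOC = (b'<!DOCTYPE config [<!ENTITY ext SYSTEM "file:///placeholder">]>'
           b"<config><host>&ext;</host></config>")

if __name__ == "__main__":
    root = parse_xml_safely(BENIGN_DOC)
    print(root.find("host").text, is_rejected(DTD_DOC))  # db.internal True
```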