# Appsec Roundup - Feb 2025

The annual DEF CON conference has wrapped up, and the Harris School of Public Policy, along with yours truly, is excited to share some key policy lessons from this year's talks and villages. The DEF CON 32 Hackers Almanack has been released, providing a comprehensive review of the most impactful discussions and findings from the event.

In the realm of appsec, the UK's National Cyber Security Centre (NCSC) has unveiled a new whitepaper titled "Eradicating trivial vulnerabilities, at scale." This document outlines a method for assessing whether a vulnerability is "unforgivable," considering factors such as its documentation, implementation cost, and prerequisite complexity. While the method is initially intended as a voluntary code, the NCSC plans to explore policy interventions to support its adoption and impact.

The Inside Risks column has also published an article titled "It Is Time to Standardize Principles and Practices for Software Memory Safety." This piece serves as a condensed version of a longer tech report, highlighting the need for standardized principles and practices in software memory safety. The authors emphasize the importance of collaboration and open discussion to achieve this goal.

On the Nvidia blog, Leon Derczynski, Rich Harang, and Sadaf Khan have published an article titled "Defining LLM Red Teaming." This piece builds upon their previous work, "Summon a demon and bind it: A grounded theory of LLM red teaming," exploring the concept of large language model (LLM) red teaming. The authors discuss the challenges and opportunities presented by this emerging threat landscape.

PromptFoo's blog has published an intriguing article titled "1,156 Questions Censored by DeepSeek." This piece delves into the topics that the DeepSeek "safety" and "alignment" teams worked on, providing valuable insights into the cultural nuances surrounding these terms. The author notes that while these terms are often used to describe simplistic or obvious concepts, they belie more complex questions about what it means for AI systems to be "safe."

Sadly, the appsec community is mourning the retirement of Ron Ross, a stalwart figure behind the NIST-800 series. His contributions have been immense, and he will be deeply missed.

In related news, Shostack + Associates has announced that Adam will be keynoting BSides Seattle (April 18/19) and training at OWASP Global Appsec Barcelona (May 27-28). Adam will also be running a game session for the Threat Modeling Hackathon (March 19).

As AI continues to evolve, it's essential to explore its implications on our society. By examining the terms "safety" and "alignment," we can gain a deeper understanding of what these concepts mean in practice.

The world of appsec is constantly evolving, with new challenges and opportunities arising daily. As we move forward, it's crucial that we prioritize collaboration, open discussion, and a commitment to standardizing principles and practices for software memory safety.

Stay tuned for more updates from the appsec community, and remember: security is everyone's responsibility.

---

# Image Credits

The image at the top of this article was created using Midjourney. It depicts a photograph of a robot sitting in a library, working on a jigsaw puzzle.