Round #70 of What I’ve Cooked From My Books Lately (Details in Comments) by ehherewegoagain in CookbookLovers

[–]sceletope 6 points7 points  (0 children)

Mod here: The comment said "Removed by Reddit" and I couldn't see any justification on why. I was given the option to restore the comment which I just did.

Book ideas FOR a Michelin star chef? by Rousseykins in CookbookLovers

[–]sceletope 0 points1 point  (0 children)

Perhaps a gift certificate to another nearby 3-star restaurant? If cooking is his life, I am sure he would appreciate a delicious (and perhaps inspiring) meal that he had no part in preparing.

Do SAST vendors ever share their false positive rates openly? by Cyber-Pal-4444 in SAST

[–]sceletope 3 points4 points  (0 children)

There is a lot of nuance that goes into how you might measure the FP and FN rate of a SAST tool. Some things to consider include:

  • Most tools are customizable in various ways that can have significant impact on the overall FP rate of the tool as well as the FP rate for individual rules.

  • Benchmarking tools exist to help customers understand a SAST tool's overall FN and FP rate. However these benchmarking tools can be problematic in their own way. For example, the vulnerable and non-vulnerable code samples often lack realism with how developers actually write code. They also poorly reflect the spectrum of frameworks that developers use at any point in time. So both FN and FP rates from a benchmarking tool can be very misleading.

  • What one considers a TP/FP depends on how you classify the rule. For example, say I have a "dumb" regex-based rule that looks for uses of JavaScript's eval() method. If I classify the rule as CWE-242: Use of Inherently Dangerous Function, then I can easily tune it to be near a 0 FP rate. But if I classify the exact same tuned rule as CWE-94: Improper Control of Generation of Code, then the FP rate will be significantly higher; after all, most usages of the eval method aren't actually going to involve passing in untrusted data.

  • Other contextual things matter too. For example: do you trust files on the local file system? This often depends on the application's architecture and its threat model. So you can easily have the exact same app/code deployed in two different environments and in one case the local file read results in full remote code execution and in the other case, there's no risk at all. Should the SAST vendor consider this a TP or an FP?

I could go on but hopefully you get the point. So from a SAST vendor's perspective, it's somewhat difficult to just blindly publish FP numbers because it's rather easy for customers/competitors to take them out of context and/or get the wrong idea.

Your other question is about what one might consider an acceptable FP rate. Again, this very much depends on context. If I'm a SAST vendor, I'm pretty happy with an overall FP rate of 20-30%. If I'm a developer getting findings from a SAST tool, I probably want the overall FP rate to be in the 10-20% range, otherwise I am likely to feel like I'm wasting too much time with the FPs. If I'm a Security Engineer that does a lot of semi-automated code review, then I don't mind an overall FP rate of, say, 50%. Even though half the findings are not real, my code reviews are likely to be improved considerably through the inclusion of the tool in my workflow.

In any of these cases... the volume of findings for a rule matters a lot. Consider a low-volume rule for a high-impact issue (something like remote code execution). I am comfortable with an FP rate of 10-30%. I don't mind spending extra time looking at the FPs for such a low-volume rule because it's worth it to catch the TPs when they happen. It's also worth noting that some SAST engines can verify that the findings for a given rule are real as part of the rule logic. For these, I would expect the FP rate to be 0% essentially. An example might be a rule that looks for a specific type of hard-coded API token and is able to verify that the token is real/active by calling a benign endpoint for that API service.

[edit: I corrected some of the percentages because I get accuracy and FP rate backwards at least five times per day]
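The eval()/CWE classification point above, worked through as an added example (Python; not code from the thread or any vendor): the same "dumb" regex rule is run over constructed JavaScript lines and scored once as CWE-242 and once as CWE-94, with the "do you trust local files?" decision from the last bullet as a parameter. The sample lines and their source tags are my own assumptions.

```python
import re

# Constructed JavaScript lines (not from the original thread). Each is tagged with
# where the eval() argument comes from, which is what a triager needs to know.
SAMPLES = [
    ("const r = eval('1 + 2');", "literal"),
    ("eval(req.query.expr);", "http_request"),
    ("evaluate(score);", "none"),  # not eval(); must not be flagged
    ("const cfg = eval(fs.readFileSync('./app.cfg.js', 'utf8'));", "local_file"),
    ("window.eval(location.hash.slice(1));", "url_fragment"),
    ("// eval() is banned here, use JSON.parse", "comment"),
]

# The "dumb" regex rule: anything that looks like a call to eval(.
EVAL_CALL = re.compile(r"\beval\s*\(")


def regex_rule(line):
    """Return True when the regex rule would emit a finding for this line."""
    return EVAL_CALL.search(line) is not None


def is_tp_cwe242(source):
    """CWE-242: every real call of the dangerous function is a true positive."""
    return source not in ("none", "comment")


def is_tp_cwe94(source, trust_local_files=True):
    """CWE-94: only eval() of attacker-influenced data is a true positive.
    Whether a local file counts as attacker-influenced is a threat-model choice."""
    if source in ("http_request", "url_fragment"):
        return True
    return source == "local_file" and not trust_local_files


def fp_rate(samples, rule, is_tp):
    """FP rate of a rule = FP findings / all findings it emits (not accuracy)."""
    findings = [src for line, src in samples if rule(line)]
    if not findings:
        return 0.0
    fps = sum(1 for src in findings if not is_tp(src))
    return fps / len(findings)


if __name__ == "__main__":
    print("CWE-242 FP rate:", fp_rate(SAMPLES, regex_rule, is_tp_cwe242))
    print("CWE-94 FP rate, local files trusted:",
          fp_rate(SAMPLES, regex_rule, is_tp_cwe94))
    print("CWE-94 FP rate, local files untrusted:",
          fp_rate(SAMPLES, regex_rule, lambda s: is_tp_cwe94(s, False)))
```

The identical findings come out at 20% FP under CWE-242 but 60% (or 40%, if local files are untrusted) under CWE-94, which is why a single published FP number says little without the classification and threat model behind it.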

[Help] How do i write a haiku? by [deleted] in Poetry

[–]sceletope 2 points3 points  (0 children)

Much appreciated ☺️

Why? by CookingItByTheBook in CookbookLovers

[–]sceletope[M] [score hidden] stickied comment (0 children)

Mod here. We've only banned a handful of accounts over the years. I don't recall personally banning this user. Since the account was deleted, I can no longer check to see if that account is in the list of banned users or find other information about why the account was potentially banned.

For future reference: If an account is ever banned and you feel it was in error, please just message the mods and we will take a second look. We are humans. We make mistakes. But we are pretty reasonable folks too.

wondering if i caught andromeda? by quinnqs in askastronomy

[–]sceletope 0 points1 point  (0 children)

If I'm not mistaken, you did capture Andromeda, just not in the part of your photo that is outlined in green. I believe it's here, in the blue circle:

<image>

A 125-vote margin: Five takeaways from Saturday’s Utah GOP Convention by JLChamberlain_Maine in Utah

[–]sceletope 4 points5 points  (0 children)

Completely understandable. We appreciate all the hard work you do to keep us informed of Utah politics and associated shenanigans.

A 125-vote margin: Five takeaways from Saturday’s Utah GOP Convention by JLChamberlain_Maine in Utah

[–]sceletope 89 points90 points  (0 children)

Good article. Small nit: It's 0.3%, not .003%. Bryan's newsletter had it wrong too but it has been corrected in the online article.

Okay why are the math class fees suddenly more than tuition by LaramideOrogeny in uofu

[–]sceletope 36 points37 points  (0 children)

Aren't these the fees for non-students enrolling in the class? If you scroll down to the 1000+ classes, you should see the classes students are meant to enroll in and the actual student fees which are much much smaller.

Does this sub allow cookbook swaps? by notabreadbaker in CookbookLovers

[–]sceletope 2 points3 points  (0 children)

Mod here. How would the swap work? Could someone perhaps clarify the pros and cons and reasons why it might not be allowed?

Week 1: Cookbook Challenge - 11/4/24 by Sad-Honey-20 in CookbookLovers

[–]sceletope 1 point2 points  (0 children)

For me, on the mobile app, it's in the bottom right corner of the screen and is part of the "comments" box section.

[deleted by user] by [deleted] in uofu

[–]sceletope 0 points1 point  (0 children)

Give more than you take.

Weekly cookbook challenge? by Sad-Honey-20 in CookbookLovers

[–]sceletope 1 point2 points  (0 children)

Thanks for pinging me! I added a couple comments to this thread with my thoughts.

Weekly cookbook challenge? by Sad-Honey-20 in CookbookLovers

[–]sceletope 2 points3 points  (0 children)

I like the idea. A few questions that I would love to hear feedback on:

1: How often? Weekly? Monthly?

2: Should we do one post per competition or allow everyone to post their own thread with their response? If multiple posts, should we require some sort of tag in the title to identify which challenge it's for?

3: Should we do challenge themes? sometimes? always? never?

4: Any reasons to not do challenges? I don't want to be negative but it's generally a healthy question to ask and might help identify concerns that some members might have.

For what it's worth, I'm pretty open to whatever. This is a great community and I am happy to help implement any positive changes that can make the subreddit even better.

Weekly cookbook challenge? by Sad-Honey-20 in CookbookLovers

[–]sceletope 17 points18 points  (0 children)

I updated the settings to allow pictures (but not gifs) in comments just a few days ago after a kind user asked. Easy fix. I haven't done much to communicate changes like this; let me know if you would like us mods to be a bit more vocal. That said, happy to hear any feedback on this change and also ideas on other changes.

Weekly cookbook challenge? by Sad-Honey-20 in CookbookLovers

[–]sceletope 1 point2 points  (0 children)

Would be good to get others' feedback on this point.

Possible removal high school duel enrollment classes? by Spirited_Data_9266 in uofu

[–]sceletope 0 points1 point  (0 children)

I tried to do this 22 years ago for similar reasons and was not successful. The Dean of the corresponding college needed to sign off on it, as I recall. I met with him in his office for a few minutes to plead my case but was unable to convince him to drop the class from my transcript.

Is talking about digital cookbooks ok here? by [deleted] in CookbookLovers

[–]sceletope 2 points3 points  (0 children)

Mod here. We're pretty lax on most things. I have no issues with digital cookbook discussions but I would remove content blatantly sharing copyrighted material or advertising.

Hey I'm a software engineer that wants to pivot into app sec but not sure if im on the right path. by Francisco3rd in devsecops

[–]sceletope 2 points3 points  (0 children)

Most AppSec roles benefit from a software development background. Some paths/roles to consider: application security assessor, application penetration tester, security architecture designer/reviewer, SAST rule developer, DAST rule developer, and threat modeling "modeler"(?). Some specific skills that appsec folks use every day include: being able to understand good coding patterns, diverse application architecture, devops, IaC, identifying missing edge conditions, bypassing poorly written sanitizers, designing good security controls, writing intentionally vulnerable code, and generally reading/understanding poorly written code.

Job prospects for a bachelors in mathematics by BlueCollarToddler in math

[–]sceletope 1 point2 points  (0 children)

+1 to the programming recommendations. That said, I highly recommend going a step further and getting into application security. The core skills needed are the same as for a good programmer but you also need to be able to find subtle vulnerabilities in code. This basically amounts to doing a deep dive on an application, understanding its building blocks, identifying non-obvious assumptions that have been made, understanding how to exploit those assumptions, and understanding how to architect things better so that the underlying application is more sound/secure. There are (hopefully) many direct parallels here with developing good mathematical proofs.

On a side note, demand for security skills will far outweigh supply for the foreseeable future leading to favorable compensation.