You can follow along here as we disclose all the reports as soon as they are closed:
'So let’s rewrite the new OWASP item. It’s not “Software Supply Chain Failures”. It’s more accurate to say “Collection of random software I found in the couch cushions that I don’t understand and we don’t know where most of it comes from”.' nicely phrased by @npub16g6c...s9jn
RE: A landslide win for 1024.
Parsing integers in C. Aka "bye bye atoi". #curl #development
Should the default #curl progress meter use 1000-based units instead of 1024-based ones?
From report to disclosed in 20 minutes
Twenty-nine years ago on this day, #httpget 0.1 was released. I found the tool a few days later and within a few months I became the maintainer. We later renamed it. Twice. The last name it got is #curl. It stuck. httpget was my first insight and lesson into HTTP and since then I have kept learning it. httpget 0.1 was written by Rafael Sagula, who unfortunately is not with us anymore.
One of the most common security reports we get in #curl is a claim of some CRLF injection where a user injects a CRLF into their own command line and that's apparently "an attack". We have documented this risk if you pass in junk in curl options, but that doesn't stop the reporters from reporting this to us. Over and over. Here's a recent one.
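The post above makes the point that the place to stop a CRLF ending up in a header is the application that builds the curl command line or header list from untrusted input, not curl itself. The following is an added example (not curl's or libcurl's code) of that boundary check: a small C helper that refuses any header name or value containing CR or LF before the "Name: value" string is assembled. The function names and the sample inputs are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return true if the string contains no CR or LF byte.
 * A header name or value that passes this check cannot start a new
 * header line on its own once it is placed into an HTTP request. */
bool header_value_is_clean(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p == '\r' || *p == '\n')
            return false;
    }
    return true;
}

/* Assemble "name: value" into out (capacity outlen) only when both parts
 * are clean. Returns 0 on success, -1 if the input was rejected for
 * containing CR/LF, -2 if the buffer was too small (output discarded). */
int build_header(char *out, size_t outlen, const char *name, const char *value)
{
    if (!header_value_is_clean(name) || !header_value_is_clean(value))
        return -1;
    int n = snprintf(out, outlen, "%s: %s", name, value);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -2;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one ordinary value, one carrying CRLF. */
    const char *values[] = { "application/json", "x\r\nX-Injected: yes" };
    char buf[128];
    for (size_t i = 0; i < sizeof values / sizeof values[0]; i++) {
        int rc = build_header(buf, sizeof buf, "Content-Type", values[i]);
        if (rc == 0)
            printf("accepted: %s\n", buf);
        else
            printf("rejected (rc=%d)\n", rc);
    }
    return 0;
}
```

The check lives where the untrusted data enters the program; anything that reaches the header list afterwards is, by construction, a single header line.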
Hello mr Slop, so we meet again...
In the #curl security team, we get to exercise deep protocol knowledge into the bits for many protocols including version variations and exploring funny quirks we have for adapting to many third-party libraries as well as a thorough understanding of the C language, how ABIs work, OS/platform variations and the occasional CPU peculiarity. Did I mention build systems? And that's only for the issues we received this weekend.