Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code — Google's Project Zero team has advanced their "Naptime" framework into "Big Sleep," collaborating with Google DeepMind to enhance large language models (LLMs) for vulnerability research. This evolution led to the discovery of a stack buffer underflow in SQLite, demonstrating the potential of AI agents in identifying previously unknown exploitable memory-safety issues in widely used software. [This is an area to watch over the next 1-2 years.]

2. Redefining Security in DevSecOps—Threat modeling is essential for integrating security into the DevSecOps process. It addresses the challenges of speed and complexity in modern software development by identifying potential vulnerabilities throughout the application lifecycle. Emphasizing a proactive security culture, organizations are encouraged to incorporate threat modeling iteratively, use automation tools, and foster collaboration among development and security teams to enhance resilience and mitigate risks effectively. [I still maintain that DevSecOps is dead.]

3. How AWS built the Security Guardians program, a mechanism to distribute security ownership — The AWS Security Guardians program aims to distribute security ownership by integrating security experts, known as Guardians, directly into product development teams to prioritize security throughout the development lifecycle. This initiative fosters a culture of proactive security ownership, empowering teams to build and deploy products more securely and efficiently. [Scale always catches my attention - the AWS Security Guardians is rumored to be the most extensive Champion program on the planet.]

4. Top 10 for LLM Project, Expands Initiatives & Publishes New AI Security Guidance — The OWASP Top 10 for LLM & Generative AI Security project offers comprehensive guidance on securing applications that utilize Large Language Models (LLMs) and generative AI technologies. It provides a curated list of the most critical vulnerabilities and actionable recommendations to help developers, data scientists, and security experts navigate the complex landscape of AI application security. [Top 10 for LLM are leading the pack.]

5. Hacking Back the AI-Hacker: Prompt Injection as a Defense Against LLM-driven Cyberattacks — Mantis is a defensive framework designed to counter LLM-driven cyberattacks by exploiting large language models' vulnerability to adversarial prompt injection. By embedding crafted inputs into system responses, Mantis can misdirect or disrupt the attacker's LLM, achieving over 95% effectiveness in experiments. [Just when you thought the hackback issue had exited the building.]

Podcast Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Tanya Janca -- What Secure Coding Means (Audio only; YouTube)

    • Tanya Janca, SheHacksPurple, returns to discuss the importance of secure coding practices and the need for a robust, secure system development life cycle (SDLC) to uphold security claims genuinely.

    • Emphasizing proactive measures such as input validation and the principle of distrust and verification, Tanya shares personal anecdotes from threat modeling sessions to illustrate the necessity of anticipating vulnerabilities.

• Security Table

  • The Future Role of Security and Shifting off the Table (Audio only; YouTube)

    • Hosts Chris, Izar, and Matt discuss the evolving application security landscape. Chris suggests that security functions may eventually be integrated into development teams to reduce friction and enhance efficiency despite common misconceptions about the impact of security breaches on brand reputation.

    • The conversation also addresses the "shift left" movement in application security, highlighting the need for clarity in what this term entails and advocating for starting security considerations from the project's requirements phase to ensure meaningful implementation.

• Threat Modeling Podcast

  • Nandita Rao Narla -- Privacy Threat Modeling Wins, Losses, and Tools (Audio only)

    • Hosts Chris and Nandita Rao Narla discuss the pitfalls of privacy threat modeling programs, including high costs, friction in development processes, and misalignment with compliance-focused strategies rather than risk management.

    • Nandita emphasizes successful strategies for improving privacy threat modeling, such as using existing security resources, simplifying methodologies, and fostering a culture that prioritizes understanding potential risks, ultimately advocating for stronger integration of privacy and security threat modeling practices.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

• Nothing is on the docket now, but stay tuned for the next webinar!

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Why the 'Secure by Design' pledge won't save us from AppSec failures

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Chaos Engineering in IT Systems: Embracing Failure and Security Testing for a More Resilient Future — Chaos Engineering and Security Chaos Engineering allows organizations to proactively identify vulnerabilities and improve resilience by intentionally introducing failures and simulating security incidents. By employing strategies like continuous monitoring, safety mechanisms, and fostering a blameless culture, these methodologies help ensure systems can withstand and recover from unexpected disruptions and cyber threats. [I’ve been a fan of chaos since its early days — never had a chance to implement it, but it makes sense to change things up and break the status quo.]

2. Software developers are spending more time every week fixing security issues – and it’s costing companies a fortune — Software developers are increasingly spending more time each week addressing security issues, which is costing companies significant amounts of money. This trend highlights the growing complexity of software security and the need for improved tools and processes to help developers manage vulnerabilities effectively and reduce the financial impact on organizations. [If software developers had implemented secure and private by design and default, they’d spend much less time fixing issues.]

3. Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction — Large language models (LLMs) can be manipulated through tactics such as camouflage and distraction, which exploit their vulnerabilities and influence their outputs. These techniques raise significant concerns about the security and reliability of AI systems, particularly in critical applications where accuracy and trustworthiness are paramount. [This just in — LLMs have security problems.]

4. Technologist Bruce Schneier on security, society and why we need 'public AI' models — Bruce Schneier emphasizes the critical need for public AI models to enhance security and societal benefits, advocating for transparency and collaboration in the development of AI technologies. He argues that public models can improve accountability and foster a more equitable digital landscape, mitigating risks associated with proprietary systems. [Schneier says one or two things worth paying attention to per year — you decide if this is one of them.]

5. 'Shift Left' Gets Pushback, Triggers Security Soul Searching — The pushback against the "shift left" approach in application security has prompted a period of introspection among security professionals, highlighting challenges in balancing speed and security in the development process. This reflection reveals a need for improved collaboration between development and security teams to address the complexities of integrating security measures early in the software lifecycle. [Shift left is a joke.]

Featured Focus: Why the 'Secure by Design' pledge won't save us from AppSec failures

[I’m giving a talk on this topic later this week, so I decided to use my column to gather my thoughts into a semi-cohesive pile.]

CISA’s ‘Secure by Design Pledge’ brought much hope for a kinder, gentler, more secure world. The only problem is that it has no teeth. It is a toothless pledge with no ramifications for lack of meeting or exceeding the goal.

The content is acceptable—the requirements are precise and point us in the right direction as an industry: multi-factor authentication, reducing default passwords, reducing entire classes of vulnerabilities, increasing the installation of secure patches, publishing a vulnerability disclosure policy, transparency in reporting CVEs, and increasing the ability to gather evidence after an incident.

Here is my first rub — ‘this is a voluntary pledge … a good-faith effort to work towards the goals.’ This means nothing — voluntary in that nobody has to participate, and good faith is the most wishy-washy terminology that could be used. Good faith means I’ll try my best, and no matter where I land, I’ll get a trophy for participation.

Ladies and gentlemen, I've produced the ‘Secure by Design Pledge Trophy’ for participation. I’ll mail one to each of the pledge signers.

My second rub is that you can divide the companies that have signed on to the pledge into two categories—those that already meet all the requirements and those that want to kiss a** to CISA and think they’ll gain some marketing advantage by signing. Nobody is doing this for the good of the Internet or the world; everybody has the motivation to try to get something for nothing.

Do you want to make a pledge that has some teeth? Write the requirements in any way you want — for the sake of argument, we’ll keep what they have today. The thing we’ll change is the consequences. If you don’t demonstrate 10% improvement in all categories identified, you must donate 10% of your gross profit to a technology-focused charity that brings new folks into our industry. Now, we’d have a pledge with teeth, and nobody would sign up to play.

Podcast Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Kayra Otaner -- DevSecOps (Audio only; YouTube)

    • Hosts Chris and Robert welcome Kayra Otaner, the Director of DevSecOps at Roche, who asserts that traditional DevSecOps is "dead" and emphasizes the need for organizations to tailor their approaches based on size and specific needs.

    • Kayra introduces "security as code" and "policy as code" as more effective strategies and highlights the emergence of Application Security Posture Management (ASPM) tools as the "SIEM for AppSec," suggesting that AI-enhanced tools can help manage the influx of security alerts faced by development teams.

• Security Table

  • We'll Be Here Until We Become Obsolete (Audio only; YouTube)

    • We explore the multifaceted concept of obsolescence in technology, discussing its planned, unplanned, and forced forms while highlighting the security implications of outdated devices and software.

    • The conversation focuses on vulnerabilities in cloud-connected vehicles, examines architectural decisions and regulatory requirements, and reflects on real-world incidents like the OnStar hack, underscoring the necessity for robust security protocols.

• Threat Modeling Podcast

  • Akira Brand -- Gaining Experience by Threat Modeling (Audio only)

    • Hosts Chris and Akira Brand discuss her journey into threat modeling, emphasizing the importance of collaboration, understanding applications, and utilizing tools and diagrams to enhance the process.

    • Akira draws parallels between surgical checklists and the STRIDE model, highlighting how her hands-on approach and teamwork across engineering, data analytics, and security led to successful threat modeling outcomes.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

• Speaking at the Elephant in AppSec Conference on Thursday, November 7, 14:25 Eastern time, on “Why the ‘Secure by Design’ pledge won’t save us from AppSec failures.”

• I’m at Triangle Infosecon in Raleigh this Friday, November 8, and I'll give a talk at 15:30 on “The Paradox of Secure and Private by Design and Default.”

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: The absence of vulnerability

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Cloud Guardrails — Check out a comprehensive suite of tools designed to enhance security and compliance for cloud environments by automating governance policies and best practices. Organizations can proactively manage risks by implementing these guardrails, ensuring their cloud operations align with industry standards and regulations. [I am a huge fan of guardrails, and this resource is a catalog of guardrails that you can mix and match.]

2. The struggle for software liability: Inside a ‘very, very, very hard problem’ — The White House faces challenges establishing cybersecurity software liability standards as stakeholders express concerns about the potential implications for innovation and security practices. The effort aims to create a framework that holds software developers accountable for vulnerabilities, but balancing regulatory measures with industry needs remains contentious. [Can anyone say “NIGHTMARE”? The good news is the first case will get tied up on appeal for a decade.]

3. The Global Surveillance Free-for-All in Mobile Ad Data — Mobile advertising data has become a new battleground for global surveillance, with companies increasingly collecting and monetizing personal information from users without clear consent or oversight. The article highlights concerns over the implications of this pervasive data collection on user privacy and security and the challenges regulators face in establishing meaningful protections in an industry driven by profit. [I didn’t realize the depth of mobile ad data and how it is misused.]

4. DEF CON 32 Main Stage Talks — This playlist features a wealth of insights into the latest trends and challenges in cybersecurity, with discussions covering topics such as ransomware defenses, AI implications, and innovative vulnerabilities. Listeners can expect to learn from industry leaders and gain valuable perspectives on enhancing security practices in today's rapidly evolving digital landscape. [Missed Vegas? Don’t fret; the DC talks are on YouTube.]

5. The Ultimate Guide to Reachability Analysis Which reachability is good for you: Enhancing Code, Library, and Container Security with ASPM — ASPM (Application Security Posture Management) reachability analysis provides a method to assess the accessibility of an application’s components, identifying potential vulnerabilities based on how these components interact with each other and the external environment. By understanding reachability, organizations can enhance their security posture, ensuring that only necessary access points are exposed and reducing the risk of exploitation. [I’m bullish on ASPM, so I'm sharing a resource to help you unpack its capabilities.]

Featured Focus: The absence of vulnerability

On a soon-to-be-released AppSec Podcast episode, Matin, our guest, offered a definition of security that I’ve never heard before, and it’s got me thinking. He defines security as “the absence of vulnerabilities.” Stop and think about that for a second—the absence of vulnerabilities?

I’ve always considered security an active issue. As a programmatic thinker, I approach problems by considering how we can systemize a solution that will allow the scaling of resources to address the problem at all levels.

Security is people, processes, tools, and governance. The people secure the things, while the processes guide and attempt to make things unilateral. The tools make things easier for the people (in theory), and governance ensures that the right things are done at the correct times to protect the right things.

Matin’s definition is a measurable state of a thing instead of a program to create a thing. This definition makes me wonder whether this is the Matrix.

Tune in to this episode next week to hear Matin’s explanation for this definition and the exploration of anti-requirements. It will cause you to stop and think. If you have an epiphany on this definition, hit reply and share it with me. I’d love to hear other opinions.

Podcast Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages (Audio only; YouTube)

    • Hosts Chris Romeo and François Proulx discuss the discovery of security vulnerabilities in build pipelines, emphasizing how attackers can exploit this often-overlooked aspect of the software supply chain.

    • To combat this issue, François's team developed an open-source scanner called Poutine, designed to identify vulnerable build pipelines at scale and provide remediation guidance, leveraging his extensive experience in application security and his role as founder of the NorthSec conference in Montreal.

• Security Table

  • Everything is Boring (Audio only; YouTube)

    • Hosts Chris, Izar, and Matt delve into the perception that recent cybersecurity topics, such as vulnerabilities and ransomware, have become less exciting, prompting a discussion about the waning interest in these issues.

    • They explore the roles of Governance, Risk, and Compliance (GRC), the complexities of cyber insurance, and the fading novelty of AI, emphasizing that while essential security tasks may seem mundane, they remain crucial to maintaining effective security practices.

• Threat Modeling Podcast

  • The Four Question Framework with Adam Shostack (Audio only)

    • Chris and Adam dive into the four-question framework for threat modeling, explaining the meaning and purpose of each question to simplify the process.

    • They discuss the importance of retrospectives, the evolution of the framework, and its application in various situations, highlighting that the questions serve as a practical foundation for threat modeling.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

• Webinar: Supercharge Threat Modeling with Software Supply Chain Security — TODAY! (Tuesday, October 29) @ noon (Eastern)

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

We’re doing a threat modeling game for Cyber Security Month, and it’s fast approaching. The event will occur on October 24, 2024, at Noon Eastern/US. Sign up now, as you are almost out of time. Check out our landing page. It’s a free game where you’ll join a team and perform a threat modeling exercise against other teams, battling to be THE threat modeling champion!

P.S. Custom Lego sets from Devici are the prize for winning.

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: It is my birthday

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Eliminating Memory Safety Vulnerabilities at the Source — Google's Android team has successfully reduced memory safety vulnerabilities from 76% in 2019 to 24% in 2024 by transitioning to memory-safe languages, such as Rust. This shift focuses on preventing new vulnerabilities through safe coding practices, which have been shown to lower overall security risks without extensive rewrites of older code. [The proof is in the pudding, and this proof is tasty and expected — memory-safe languages improve security.]

2. Threat modeling and binary analysis: Supercharge your risk strategy — Threat modeling and binary analysis are essential for improving software risk management strategies, particularly in securing supply chains. By integrating these approaches, organizations can better anticipate vulnerabilities, manage risks proactively, and enhance the security posture of their software assets.[I was featured in this article, sharing thoughts about the intersection of threat modeling and software supply chain.]

3. Attacking APIs using JSON Injection — JSON injection can exploit APIs by inserting malicious data into JSON streams, leading to vulnerabilities like SQL injection and remote code execution. It highlights the risks posed by inconsistencies in how different JSON parsers handle data, emphasizing the importance of thoroughly vetting API components to prevent such attacks. [I had never looked at JSON injection before, and this one gave me context and perspective.]

4. New ConfusedPilot Attack Targets AI Systems with Data Poisoning — The ConfusedPilot attack targets AI systems, particularly Retrieval-Augmented Generation (RAG) models like Microsoft 365 Copilot, by introducing malicious content into documents the AI references. This data poisoning can cause the AI to generate misinformation or incorrect responses, posing a significant risk to organizations relying on such systems for decision-making. [Data poisoning fleshed out deeper than what you’ll find in the OWAP Top Ten for LLM.]

5. How to do Vulnerability Prioritization — Effective Vulnerability Prioritization moves beyond simple CVSS base scores and incorporates factors such as exploit status, environmental context, and patch availability. It emphasizes the importance of using a comprehensive threat intelligence approach and scalable data platforms to manage large numbers of vulnerabilities. [Challenging thing for teams — James provides an easy-to-follow structure that considers the data.]

Featured Focus: It is my birthday

Today is my birthday. I wouldn’t say I like celebrating birthdays, but I should be excited to be experiencing another lap around the solar system. I’m not writing this because it’s my birthday, but instead, because this concept of celebration got me thinking.

We don't celebrate enough in security, and application security specifically. I’m from a generation where the thought of everyone getting a trophy makes us nauseous, so I’m not talking about everybody being recognized. We don’t celebrate our small and big wins with enough fervor.

As a general principle, at Security Journey, we had an all-hands meeting for the 20+ team members each Monday. A segment of that meeting was always small wins, where folks could send in small victories that they experienced or saw others experience, and we could all celebrate those victories together and recognize the success.

We need to do more of this in security. We need to pinpoint the small wins and find ways to celebrate them. Celebration is more than just the security team—look for ways to celebrate with the security and privacy supporting teams, development, operations, and anyone else. Culture was created over time, and Rome wasn’t built in a day. Celebrate.

Podcast Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Varun Badhwar -- The Developer Productivity Tax (Audio only; YouTube)

    • Varun Badhwar joins to discuss the "Developer Productivity Tax," highlighting the challenges developers face when overwhelmed by vulnerabilities that often lack actionable context.

    • Varun emphasizes the integration of SBOM plus VEX to improve vulnerability management, advocating for "Scanning with Context" to reduce false positives and ensure that only relevant threats are addressed effectively.

• Security Table

  • Experts Want to Excel (Audio only; YouTube)

    • We explore the criteria that define an expert in threat modeling, discussing the cultural references and intricacies of threat modeling practices and the roles of facilitators.

    • The conversation humorously addresses the challenges of scaling practices in large organizations while highlighting how expertise can inspire others. It includes tangents on movies, old media technologies, sports analogies, and competitive Excel.

• Threat Modeling Podcast

  • Product-led threat modeling (Audio only)

    • Explore the connection between threat modeling and product development, emphasizing the importance of understanding user needs while applying lean product management principles.

    • They discuss best practices for conducting threat modeling sessions, including methodologies like rapid risk assessment and STRIDE, and stress the significance of collaboration and communication among product managers, architects, and technical leaders to align threat modeling with product goals.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

• Webinar: Supercharge Threat Modeling with Software Supply Chain Security — Tuesday, October 29 @ noon (Eastern)

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

We’re doing a threat modeling game for Cyber Security Month, and it’s fast approaching. The event will occur on October 24, 2024, at Noon Eastern/US. Sign up now, as you are almost out of time. Check out our landing page. It’s a free game where you’ll join a team and perform a threat modeling exercise against other teams, battling to be THE threat modeling champion!

P.S. Custom Lego sets from Devici are the prize for winning.

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Highlighting some good folks

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Answering "Dumb Security Questionnaires" — The Developer Security Questions (DSQs) framework enhances software development security by offering teams a structured approach to identify and address security concerns early. By integrating DSQs into the software development lifecycle, organizations can cultivate a security-focused culture and improve collaboration between development and security teams. [Security questionnaires have been the bane of many folk’s existence for YEARS. Can’t we all agree on a standard way of describing this stuff? (and don’t say SOC2).]

2. When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying — Exploiting hosted models poses significant security risks, as attackers can manipulate vulnerabilities in the underlying infrastructure to gain unauthorized access or disrupt services. The article highlights the importance of implementing robust security measures and monitoring practices to protect against such threats and ensure the integrity of hosted applications. [AI is scary, and it’s not even Halloween yet!]

3. MISHAPS: A New Approach to Threat Modeling — Ryan Heffernan reflects on recognizing and learning from mishaps in professional settings, emphasizing that mistakes can lead to valuable insights and growth. By sharing personal experiences, he advocates for fostering a culture that encourages openness and accountability, ultimately enhancing team dynamics and performance. [I applaud the effort, but it lacks the simplicity that makes STRIDE so powerful and makes folks want to build something new and better.]

4. Is Retro = Threat Modeling a Team? — Retro threat modeling focuses on analyzing and identifying security vulnerabilities in systems after their development, emphasizing the importance of collaboration among team members. The article advocates for a structured approach to retroactive assessments to improve security measures and foster a proactive security culture within organizations. [I like Hendrik’s thought processes on threat modeling, so check out how he wraps retro and TM together.]

5. The Strategic Use of Attack Trees in Cybersecurity—Attack trees help organizations visualize potential attack vectors and improve risk assessment processes. By systematically identifying vulnerabilities, attack trees enable teams to prioritize security efforts and enhance their defenses against cyber threats. [Attack trees do not replace TM but provide a different perspective.]

Featured Focus: Highlighting some good folks

I don’t listen to content about application security. GASP, I know; I host three AppSec-focused podcasts. I feel like I get enough AppSec by interviewing and debating with people while recording.

That said, I want to highlight some folks in our industry doing great things to advance content and provide you with learning opportunities.

1. The Elephant in AppSec (Alexandra Charikova)—I was honored to appear on this show for an episode about why Shift Left is wrong.

2. Confidence Staveley — I was honored to write the foreword for Confidence’s API security book and find her API Kitchen show, which melds security and cooking.

3. Chris Hughes — Chris writes the Resilient Cyber newsletter and podcast and has authored a few books. He is a force of nature when it comes to content creation. His newsletter is well-written, researched, and thought out.

If you have a platform, highlight folks others need to know about. Our industry must continue to expand, and we encourage that behavior through new sources of information.

Podcast Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Varun Badhwar -- The Developer Productivity Tax (Audio only; YouTube)

    • Varun Badhwar joins to discuss the "Developer Productivity Tax," highlighting the challenges developers face when overwhelmed by vulnerabilities that often lack actionable context.

    • Varun emphasizes the integration of SBOM plus VEX to improve vulnerability management, advocating for "Scanning with Context" to reduce false positives and ensure that only relevant threats are addressed effectively.

• Security Table

  • Experts Want to Excel (Audio only; YouTube)

    • We explore the criteria that define an expert in threat modeling, discussing the cultural references and intricacies of threat modeling practices and the roles of facilitators.

    • The conversation humorously addresses the challenges of scaling practices in large organizations while highlighting how expertise can inspire others. It includes tangents on movies, old media technologies, sports analogies, and competitive Excel.

• Threat Modeling Podcast

  • Product-led threat modeling (Audio only)

    • Explore the connection between threat modeling and product development, emphasizing the importance of understanding user needs while applying lean product management principles.

    • They discuss best practices for conducting threat modeling sessions, including methodologies like rapid risk assessment and STRIDE, and stress the significance of collaboration and communication among product managers, architects, and technical leaders to align threat modeling with product goals.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

• Nothing on the docket now, but stay tuned for the next webinar!

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

Before you dive in — we’re doing a threat modeling game for Cyber Security Month, so if you’d like to check it out and sign up, check out our landing page. It’s a free game where you’ll join a team and perform a threat modeling exercise against other teams, battling to be THE threat modeling champion! P.S. Custom Lego sets from Devici are the prize for winning.

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Threat modeling a vacation, or the lack thereof

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Moving DevOps Security Out of 'the Stone Age' — Managing the security posture of DevOps practices is essential for organizations to avoid falling behind in an increasingly complex threat landscape. By adopting proactive security measures and integrating them into the development lifecycle, companies can strengthen their defenses and ensure a more resilient application security framework. [Nice summary of the current state of DevOps and where things need to move forward for better success. I still think DevSecOps is dead.]

2. Mental Toughness in Cybersecurity: Preparing Teams for High-Pressure Situations — Developing mental toughness is crucial for cybersecurity professionals to navigate the challenges and stresses inherent in the field. By fostering resilience, adaptability, and a positive mindset, individuals can enhance their performance and cope with the demands of a rapidly evolving cybersecurity landscape. [The career field we have chosen is challenging — no matter your job description. This article caught my attention, given the nature of building mental toughness. I love the concept.]

3. Things You Need to Know About Your Tech Salary — Understanding key factors influencing tech salaries, such as skills, experience, and industry demand, is essential for professionals navigating their careers. By staying informed about market trends and salary benchmarks, individuals can better advocate for themselves and make informed decisions regarding their compensation. [You must advocate for yourself, your salary, and your career. Know before you go into that salary discussion with your boss.]

4. The 20-year application security blindspot: Can ADR finally fix it? — A longstanding blindspot in application security has hindered organizations' ability to detect and respond to threats effectively, often leaving vulnerabilities unaddressed for years. Application detection and response (ADR) offers a potential solution by enhancing visibility and enabling proactive security measures throughout the software lifecycle to bridge this critical gap. [I’m fascinated by ADR and reading everything I can about it. It could genuinely bridge the gap and bring AppSec truly into the fold.]

5. Rogue WHOIS server gives researcher superpowers no one should ever have — A rogue WHOIS server has emerged that grants unauthorized access to sensitive information, allowing researchers to exploit domain name registration data in ways that could pose significant security risks. This development raises concerns about privacy and potential abuse, highlighting the need for improved oversight and security measures in domain registration practices. [This is a reminder about the legacy stuff that exists on the Internet and how it can be used to create modern-day nightmares.]

Featured Focus: Threat modeling a vacation, or the lack thereof

This past week, I decided to take a short vacation. A friend was available to join me, and one of his bucket list items was seeing and experiencing the Grand Canyon. At this point, I’ve never seen the Grand Canyon in person, only from the window of a plane on the way to the West Coast. I thought, “I need to see the Grand Canyon at some point in this life, so let’s do it.”

We have a family friend who is a vacation planner/travel agent, so I called her and empowered her to plan the trip. She asked for a word to describe the trip, and I went with “adventure.” She generated an itinerary for us with activities around the Grand Canyon, and last Monday morning, we went off to the airport.

We arrived in Flagstaff, found our hotel, and prepared for our first adventure the following day. We had a hike planned with a guide at the Grand Canyon. I did not do any due diligence on what this meant, the two words “a hike.” My mental model was a pleasant stroll down a controlled, paved path with guard rails. What I found was something that was initially extraordinarily shocking.

Hiking the Grand Canyon means walking down a trail four to six feet wide, with one side being the cliff face and the other sometimes a drop of thousands of feet. I forgot to mention earlier that my fear of heights has been exacerbated as I've gotten older. So, there I was, beginning the descent down the trail, and I caught a glimpse over the side of the trail. (My hands are sweating again now as I replay the experience.)

At that point, I had a choice: I could turn around and give up, as many people had done at the same spot, or I could push through and face my fear. I was more driven in my decision because my friend’s bucket list item was to hike the Grand Canyon, and if I turned around, it would ruin his experience.

So we pressed on. Our guide, Kevin, was excellent. He told me that if I wanted to continue, he would walk next to me, on the drop side, and allow me to walk nearest the cliff wall. We began our descent, with me staring at the ground, Kevin at my side, and my friend taking in all the sights.

We crossed through the “Oh Ah” point, which, as Kevin explained, is where most people turn around and go back up. Kevin asked if we wanted to continue, and I said we’ll go for it.

We continued our descent and reached Cedar Ridge, a vast plane 1.5 miles down the trail into the Canyon. It was a nice break to be in such a flat space. I could eat dinner, recharge, and enjoy the sunset's views.

I did look on as two young folks creating influencer videos stood on a dead tree at the edge of the Canyon to capture a video of themselves. The threat modeling person within was about to scream. Dead tree, side of Canyon with thousand-foot drops—you get the picture.

Then we began our 1.5-mile ascent, which was a chore, but cresting the final hill and walking back across the parking lot gave me the opportunity for a victory dance. I had reached Cedar Ridge, a place within the Grand Canyon that only 1% of visitors will ever see.

I’m proud that I pushed through and faced my fear, and I also learned some things to apply to application security from this experience.

1. Security, too, is about the people: Kevin, the hiking guide, taught me techniques for walking down and up the trail and coached me through. He also kept the conversation going nonstop to take my mind off the danger I felt. Security people must strive to coach and walk alongside developers, showing empathy toward their situations.

2. Spend time on the ground, not just looking from the plane's window: When you roll up your sleeves and connect with the people on the ground, you learn more about your organization. Build your security strategy based on the details you can see from the ground.

3. Find people who love what they do: People who love what they do are infectious. Kevin is a perfect example of somebody who loves their job so much they would do it for free. Find security champions passionate about security and help them unlock their security knowledge and experience.

4. Threat model your vacation destinations!: I’m glad I didn’t threat model this experience because I would never have begun descending the Canyon. In general, threat model your experiences to ensure you know the risk.

Podcast Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Steve Wilson -- The Developer's Playbook for Large Language Model Security: Building Secure AI Applications (Audio only; YouTube)

    • We welcome Steve Wilson to discuss his book 'The Developer’s Playbook for Large Language Model Security, which covers AI hallucinations, trust, and future AI challenges.

    • Steve offers insights on security boundaries and LLM-specific testing tools and addresses vital concerns in the evolving AI landscape.

• Security Table

  • A Show About Nothing That Turned into Something (Audio only; YouTube)

    • Chris Romeo, Izar Tarandach, and Matt Coles discuss how Application Security tools should automate tasks that humans can perform but with incredible speed and efficiency.

    • Izar highlights the difficulty of managing attention spans and context-switching across multiple Slack channels, while Chris teases the possibility of AppSec becoming obsolete.

• Threat Modeling Podcast

  • What is the Essence of Threat Modeling? (Audio only)

    • Chris Romeo discusses different definitions of threat modeling, exploring whether it overlaps with risk assessment and emphasizing early threat identification and mitigation through structured brainstorming.

    • He highlights the Threat Modeling Manifesto's definition, noting that threat modeling blends art, science, and collaboration to address security and privacy concerns in systems.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

• Nothing on the docket now, but stay tuned for the next webinar!

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: DevSecOps is dead

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Raw SQL Queries are Actually Better for Security Than ORMs? — Raw SQL queries can enhance security by giving developers greater control over query structure and execution, reducing the risk of vulnerabilities associated with Object-Relational Mappers (ORMs). The article argues that while ORMs simplify database interactions, they can introduce complexity that may lead to security issues, making raw SQL a more secure choice in specific scenarios. [This seems like sacrilege — read it closer to see if you agree or disagree?]

2. Microsoft’s largest ever security transformation detailed in new report —

   Microsoft's latest security report highlights the growing importance of integrated security measures as organizations face increasingly sophisticated cyber threats. The initiative aims to strengthen collaboration between tech companies and businesses to create a more resilient security ecosystem, emphasizing proactive strategies and continuous improvement. [Going back to 2003 with the memo and the dawn of Trustworthy Computing, MSFT has pushed the envelope. I’ll be following this new movement as it progresses.]

3. Living the Blueberry Muffin Principle: Baked-In Security for Developers —

   The "Blueberry Muffin Principle" emphasizes integrating security measures directly into the development process rather than treating them as an afterthought. Organizations can enhance their security posture and reduce vulnerabilities by fostering a culture where security is fundamental to development. [I’m a sucker for a good software security illustration.]

4. Intel Warns of 20+ Vulnerabilities, Advises Firmware Updates — Intel has notified customers about more than a dozen vulnerabilities in its processors, which could potentially allow attackers to execute arbitrary code or gain unauthorized access to sensitive information. The company is working on patches to mitigate these risks and urges users to update their systems to enhance security. [I’ve always thought that the most effective exploit possible is a processor vulnerability that allows an exploit.]

5. Managing Github as code: A DevSecOps approach — A DevSecOps journey focused on securing and standardizing GitHub repositories aims to enhance software development security and streamline collaboration among development, security, and operations teams. The organization seeks to ensure compliance and reduce vulnerabilities by implementing best practices and automated tools. [Very thorough explanation of DevSecOps in real life.]

Featured Focus: DevSecOps is dead

I feel like DevSecOps has had its moment/time in the sun/fifteen minutes of fame, and it’s time to move on. This idea was sparked by a conversation with Jeff Williams on the AppSec Podcast, mentioned below. In discussing ADR, Jeff shared the reality of the disconnect between the operations team and AppSec.

Our industry has promoted the idea that DevSecOps involves all three groups walking hand in hand toward secure software. Jeff shared that operations were never at the table and are unaware of what is happening in the AppSec world. Development and security have done an okay job of adding tooling to pipelines and focusing more heavily on security, but operations were never in sync.

Perhaps it’s time to move on from the industry's focus on DevSecOps. DevSecOps is how we build software with pipelines, but everybody I know uses Agile or Kanban to source and track work. Let’s let the hype dry up on DevSecOps in the future. It’s not like we don’t have other problems to solve. Find something else to talk about at a conference.

Podcast Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Jeff Williams -- Application Detection & Response (ADR) (Audio only; YouTube)

    • Hosts Chris Romeo and Robert Hurlbut engage with Jeff Williams, a pioneer in application security, to explore the transformative potential of Application Detection and Response (ADR) in production environments.

    • Jeff shares insights from his career, including the founding of OWASP and his views on security assurance, providing valuable perspectives for newcomers and seasoned professionals in the AppSec field.

• Security Table

  • The Hamster Wheel of Scan and Fix (Audio only; YouTube)

    • Hosts Chris Romeo, Matt, and Izar engage in a lively debate about the limitations of the "scan and fix" approach in application security, with Chris critiquing the prevalent tools that often generate lengthy lists of vulnerabilities filled with false positives.

    • The discussion highlights the necessity for more innovative, context-aware security solutions, emphasizing the importance of actionable insights and the human factor in security practices, ultimately advocating for a shift away from traditional methodologies.

• Threat Modeling Podcast

  • Nandita Rao Narla -- Privacy Threat Modeling Wins, Losses, and Tools (Audio only)

    • Hosts Chris Romeo and Nandita Rao Narla discuss the common pitfalls of privacy threat modeling programs, including high costs, friction in development processes, and a focus on compliance over risk management.

    • Nandita also shares effective strategies for improvement, such as simplifying methodologies, leveraging existing resources, and fostering a proactive mindset towards potential risks, emphasizing the need for a strong partnership between privacy and security threat modeling.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

• Nothing on the docket at the moment, but stay tuned for the next webinar!

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Should I Stay or Should I Go Now?

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Redefining CNAPP: A Complete Guide To the Future of Cloud Security — This report provides a holistic view of cloud security's evolution, tracing its significant milestones, a detailed breakdown of the critical vendors today, and evolving market shifts. It presents a new framework for redefining Cloud Native Application Protection Platforms (CNAPP), addressing its limitations and contradictions while offering a comprehensive roadmap to navigate the future of cloud security. [Lately, you’ve seen me comment that “I’m a big fan of…” on stuff. The same goes for this one — I’m a big fan of James Berthoty and the breath of fresh air he’s bringing to analyzing our industry.]

2. Fake recruiter coding tests target devs with malicious Python packages — Fake recruiters target developers with malicious Python packages disguised as coding tests, posing significant security risks. The blog highlights the importance of vigilance and caution when downloading and running third-party packages to avoid falling victim to these scams. [I’ve been around a long time in this industry, but I’m always most sickened when attackers prey on desperate people.]

3. Scorecarding Security — Scorecarding is introduced as a method for evaluating the security posture of applications and organizations through quantitative metrics. This approach helps identify strengths and weaknesses in security practices, enabling better decision-making and resource allocation to improve overall security. [Scorecards are crucial to governance, connecting results for security investments with visibility to the entire business.]

4. 2024 Dependency Management Report — The 2024 Dependency Management Report reveals crucial insights into the challenges organizations face with software dependencies, including security vulnerabilities and management complexities. It emphasizes the need for improved practices and tools to manage dependencies and enhance overall software security. [Software supply chain should be so easy to solve.]

5. The Road to Simplicity — Focusing on simplicity in organizational processes and tools is essential for improving team efficiency and effectiveness. By streamlining workflows and minimizing complexity, organizations can empower their members to prioritize value creation, reduce frustration, and achieve their goals more effectively. [Simple is always the answer to any problem.]

Featured Focus: Should I Stay or Should I Go Now?

“Should I stay, or should I go now?
Should I stay, or should I go now?
If I go, there will be trouble
And if I stay, it will be double
So come on and let me know”

— The Clash

The song is famous, and you might be hearing it in your head now. (You’re welcome.) It’s got me thinking about the future of my public speaking career.

I’m at InfoSec World in Orlando, FL. They say this town and the Disney properties are “the happiest place on earth.” Based on the number of children screaming in public places at the hotel, I'm unsure. But I digress.

I’ve begun to think about my future role in our industry. Over the years, I’ve had the luxury and the gift of being invited to speak at many major conferences, from RSA to DefCon AppSec Village to OWASP Global. Speaking has been a large part of my career since 2016 after I started Security Journey. I enjoy attending conferences and sharing my experience and insights into our industry.

The question I’m pondering is when it is time to slow down and let others have a turn. Am I blocking others from having an opportunity on the stage by continuing to submit to conferences? I will ponder this over the coming months and think about my approach for 2025.

My current thought is to step back and do less speaking while continuing to contribute to the podcasts I am a part of. Podcasts have a different reach and a different lifespan than conference talks.

If I decide to proceed with this plan and step back, I’ll miss the opportunities to meet and encourage new people in our industry. I’ll miss seeing friends at various events, some of whom I worked with decades ago. Every industry has this experience where you do something for the last time. Everything we do has a “last time” you’ll do it. This is part of maturing and part of bringing a phase of a career to a close.

I won’t miss the travel and preparation that goes into each talk, but I will miss the opportunity to teach. I’m a teacher at heart. I guess I’ll have to find a new avenue to teach from. Perhaps it’s time to take what I’ve been blessed to learn and know and share it in other avenues, such as the university system. Time will tell.

If you have any thoughts on this topic, please message me. I’d love to get other perspectives on this issue.

Podcast Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Phillip Wylie -- Pen Testing from Somebody Who Knows about Pen TWsting (Audio only; YouTube)

    • We welcome Philip Wylie, who shares his fascinating journey from professional wrestling to becoming a renowned pen tester.

    • He offers entertaining stories and insights from his unique background.

    • The episode includes in-depth discussions on application security and valuable advice for those looking to start a career in cybersecurity, making it a rich resource for listeners interested in pen testing and career development.

• Security Table

  • Numb to Data Breaches and How it Impacts Security of the Average Feature (Audio only; YouTube)

    • Explore the evolving landscape of modern security approaches, discussing the shift from strategy to tactics and the growing desensitization to data breaches.

    • The conversation emphasizes the importance of understanding security's business side and highlights product managers' role as essential security champions.

• Threat Modeling Podcast

  • Nandita Rao Narla -- Privacy Threat Modeling (Audio only)

    • Hosts Chris Romeo and Izar Tarandach welcome Nandita Rao Narla, who introduces the basics of privacy in software, discussing privacy threats, threat modeling, and the principles of privacy by design.

    • The episode emphasizes the importance of understanding and mitigating privacy concerns for anyone involved in handling user information, making it an essential primer for incorporating privacy into software design.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

• Nothing on the docket at the moment, but stay tuned for the next webinar!

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: My favorite “boss”

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. New Research Reveals Security Budgets Only Increased 2 Points in 2024, While 12% of CISOs Faced Reductions — Security budgets increased by only 2% in 2024, reflecting a modest rise in financial commitment to cybersecurity despite rising threats. Additionally, 12% of CISOs experienced budget reductions, signaling financial constraints and potential challenges in maintaining security investments. [This is consistent with what I’ve seen in the market — budgets are tighter, and even security teams are forced to make hard decisions.]

2. They'll deny it, but your phone is listening in — Concerns are growing about smartphones secretly listening to conversations and collecting personal data without users' explicit consent. Despite these fears, experts highlight that many apps and services use permissions and data collection practices that are often misunderstood by users, raising questions about privacy and transparency. [We’ve invited the phone to encapsulate every angle of our lives — we are too dependent on these privacy-breaching devices that we carry around in our pockets, every place we go. I’m considering a move back to a flip phone.]

3. Sustained Attention Fatigue in Vulnerability Analysis — Sustained attention fatigue in vulnerability analysis results in decreased effectiveness and oversight due to prolonged focus on security issues. Improved strategies and tools are necessary to manage attention and maintain vigilance against persistent security challenges. [AI could play a role in summarizing this data in such a way as to remove some of the fatigue.]

4. Making Sense of the Application Security Product Market — Understanding the application security product market requires recognizing the diversity of tools available, from static and dynamic analysis to software composition analysis and more. Each product addresses different security needs, so evaluating their specific strengths and fit for your organization’s unique challenges is essential. [I enjoyed this view of the market — looking at how others categorize our space is helpful. It makes me think deeper about how I bucketize the different categories of what we do as an industry.]

5. Lifting the world out of the cybersecurity poverty — Cybersecurity talent shortages and high demand drive up wages, pushing companies to invest more in training and retention strategies. To address these issues, organizations must foster a culture of continuous learning and adapt their hiring practices to cultivate and retain skilled professionals. [Grow your own — that is my strategy for any team I run. I take folks and grow them up in cybersecurity. Yes, this does mean that sometimes I invest in them, and they move on to bigger and better things, but that is a sign of success!]

Featured Focus: My favorite boss

My first boss at Cisco was a guy named Tom Sweeney. Tom was an early Cisco employee and is famous for being Cisco’s first employee in NYC and for wiring Wall Street during Cisco’s land grab with such a strategic part of the world. Tom had a standing pool match with Cisco's CEO at every sales conference.

Tom taught me a lot in my few years working for him, but one thing still sticks with me. He said, “Manage your career not by the number of people you manage but by the number of managers you create.” I can’t say that I understood the gravity of this statement while reporting to Tom, but as I reflect on almost three decades of my professional career, I realize the depth of this statement.

Many people judge themselves based on the size of their team, and they say, “I manage one hundred people” on my team as if that is a badge of honor. Tom would recommend counting the number of people you lead to become managers. This is the approach that I take today in my career.

Focus on growing people up. Tom gave me a functional area within our team’s business, got out of my way, and let me do my thing. Team autonomy was another lesson I learned from Tom. He did have one rule: “Don’t let somebody come after you to me without me knowing in advance.” I only had to brief him once about a team that I ticked off, and that was coming for my head. Tom had my back that day. Tom was the best manager of my career, and I’m grateful for the time I spent working with him. You never worked FOR Tom; you always worked with him. That was how he introduced you, and if you ever said, “I work for Tom,” he would correct you by saying, “We work together.”

Thank your mentors, folks. Take what you learned from them and pour it into others as they poured into you.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Maril Vernon -- You Get What You Inspect, Not What You Expect (Audio only; YouTube)

    • Maril Vernon highlights the importance of integrating developers and security teams through purple teaming, emphasizing how framing recommendations in developer-centric language can bridge communication gaps and make security measures more actionable.

    • She predicts a shift towards automation and AI in purple teaming. Still, she stresses that human red teamers' creative and intuitive input will remain crucial, advocating for a more holistic approach to security that fosters cross-departmental collaboration.

• Security Table

  • Philosophizing Cloud Security (Audio only; YouTube)

    • Chris Romeo, Izar Tarandach, and Matt Coles discuss the 'Shared Fate Model' in cloud security, building on the shared responsibility model to explore its impact on cloud service providers and consumers.

    • They cover the evolution of internet service providers, technical details of cloud infrastructure security, and the philosophical implications of implementing robust default security measures.

• Threat Modeling Podcast

  • Dr. Michael Loadenthal -- Intersectional, Harm Reduction Approach to Threat Modeling (Audio only)

    • Dr. Michael Loadenthal expands threat modeling beyond technology to include political, legal, ethical, and social dimensions, emphasizing a comprehensive and multidisciplinary approach to addressing complex challenges.

    • His unique "intersectional threat modeling" approach, influenced by social movements and activism, integrates tools like mind maps and the harm reduction framework to address various threats, benefiting diverse clients, from companies to high-profile individuals.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

• Webinar: Threat Modeling and Secure Coding with Tanya Janca — Thursday, September 19 @ noon (Eastern) — THIS WEEK! Get signed up now.

• InfoSec World — Sept 22-25, 2024

  • The Modern Application Security Rocket Ship — Monday, Sept 23, 10:15 AM

  • The Paradox of Secure and Private By Design — Tuesday, Sept 24, 1:30 PM

  • Workshop: Threat Modeling Championship: Breaker vs. Builder — Sunday, Sept 22, 9 AM - 12 PM

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Priorities

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. TL;DR: Every AI Talk from BSidesLV, Black Hat, and DEF CON 2024 — Key insights from AI-focused talks at BSidesLV, Black Hat, and DEF CON 2024 are summarized, covering emerging trends, critical discussions, and advancements in AI security. [Kudos to Clint Gibler for summarizing the action from Vegas for those who don’t like desert climates or couldn’t make the trip.]

2. Bypassing airport security via SQL injection — A security researcher discovered a vulnerability in the TSA's Known Crewmember (KCM) system due to an SQL injection flaw in FlyCASS, allowing unauthorized individuals to bypass security checks. Despite disclosing the issue to the Department of Homeland Security, the TSA downplayed the risk, although the flaw was later fixed after the system was disabled. [SQLi continues to pay off in 2024 — oh, when will we ever get this thing to disappear? 2042?]

3. When your puzzle has a few broken pieces — We greatly rely on open-source software (OSS) in software development, emphasizing its benefits and security risks. While OSS accelerates innovation, it also introduces vulnerabilities, highlighting the need for organizations to adopt secure practices such as software composition analysis (SCA) and rigorous code reviews to mitigate risks associated with malicious or vulnerable packages. [Another well-thought-out and researched analysis by Derek Fisher.]

4. Rethinking Threat Models for the Modern Age — Traditional threat models need to be expanded to account for modern communication habits and external human factors, such as the decline in answering phone calls and alert fatigue. Organizations should incorporate behavioral insights and external risks into their threat modeling to enhance security, ensuring their applications remain effective and resilient in a rapidly evolving technological landscape. [We discussed this on the Security Table and debated it to some degree.]

5. Server-Side Template Injection: Transforming Web Applications From Assets to Liabilities — Server-Side Template Injection (SSTI) is a vulnerability that allows attackers to inject and execute malicious code on a server via template engines. This can result in server compromise, data theft, and remote code execution, highlighting the need for secure coding practices, regular vulnerability assessments, and prompt patching to protect web applications from such exploits. [This feels like it’s been around for a while, but it could be moving up the ranks as we mature past things like CSRF.]

Featured Focus: Priorities

A few months ago, I experienced a momentous life achievement: I became a grandfather for the first time. Yes, to all you parents out there, what they say is true: raising grandchildren differs from raising your kids.

A few additional decades of age have caused me to appreciate a baby more than I did before with my kids. We were a crazy house with four children separated by a total of four and a half years, so we were always on the move, and we lived an orderly, chaotic life, if it is even possible to put those two things together.

Now, I stare into this kid's eyes and think about how I need to teach him to code securely to prevent XSS and SQLi and how to threat model. I kid, I kid. I’ll be happy if he has nothing to do with cybersecurity, but I won’t object if he wants to follow in his Granddad’s footsteps.

You’re wondering what this article is doing in an application security-focused newsletter. I want to use this as an opportunity to remind you about priorities in life. Cybersecurity can consume us day and night, and our families can be the ones to suffer. Remember that you cannot return those days, months, and years with your children. Put down the laptop, throw the phone out the window, and enjoy prioritizing life focused on the people that matter the most. The work will be waiting for you in the morning.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Steve Springett -- Software and System Transparency (Audio only; YouTube)

    • Steve Springett discusses CycloneDX and the BOM landscape, highlighting new projects that aim to unify the security industry and enhance secure software development.

    • The episode also offers a personal glimpse into Steve’s life outside of technology, sharing insights into his hobbies and interests.

• Security Table

  • Innovations in Threat Modeling? (Audio only; YouTube)

    • Hosts Chris Romeo, Izar Tarandach, and Matt Coles explore the evolving concept of threat models, examining the impact of user behavior, alert fatigue, and psychological acceptability on modern threat modeling.

    • They discuss the article "Rethinking Threat Models for the Modern Age" by Evan Oslick, debating integrating broader human factors into threat modeling practices.

• Threat Modeling Podcast

  • Akira Brand -- Gaining Experience by Threat Modeling (Audio only)

    • Akira Brand discusses her journey into threat modeling, highlighting the critical role of collaboration, understanding the application, and using visual tools like data flow diagrams to ensure comprehensive security solutions.

    • Drawing parallels between surgical checklists and the STRIDE model, Akira emphasizes that successful threat modeling involves practical, hands-on approaches and teamwork across engineering, data analytics, and security to address potential risks.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

• Webinar: The Synergy Between Threat Modeling & Security Champions, with Dustin Lehr — Tuesday, September 10 @ 2 PM (Eastern)

• Webinar: Threat Modeling and Secure Coding with Tanya Janca — Thursday, September 19 @ noon (Eastern) — registration is open!

• InfoSec World — Sept 22-25, 2024

  • The Modern Application Security Rocket Ship — Monday, Sept 23, 10:15 AM

  • The Paradox of Secure and Private By Design — Tuesday, Sept 24, 1:30 PM

  • Workshop: Threat Modeling Championship: Breaker vs. Builder — Sunday, Sept 22, 9 AM - 12 PM

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Threat Modeling as Culture

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Software's Iron Triangle: Cheap, Fast, and Good - Pick Two — Navigating the "Iron Triangle" in software development—cost, speed, and quality—requires careful balance, as focusing too heavily on one aspect often impacts the others, ultimately influencing the project's overall success and efficiency. [We’ve been saying that security is part of quality since at least the early 2000s. The challenge is nobody did anything about it. Great article by Hughes expanding on the issue — everything he writes is thorough and thought-provoking!]

2. CORS is Stupid — CORS (Cross-Origin Resource Sharing) is critical for managing how web applications interact with resources across different domains, and the article provides insights into its functionality, issues, and best practices for implementation. [CORS is stupid. I agree. Let’s make something more straightforward, such as a paved road, that works and provides the same level of protection. Anybody raising their hand?]

3. Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments — A large-scale cloud extortion operation is detailed, revealing how attackers exploit cloud environments to demand ransoms, emphasizing the need for enhanced security measures to combat such threats. [This caught my attention because of the environment variable leakage. I’ve wrestled with whether it’s time to stop recommending env variables as a step toward secret vaults. It’s time to move to secret vaults as the only answer.]

4. Unraveling Privacy Threat Modeling Complexity: Conceptual Privacy Analysis Layers —

   Kim Wuyts explores the complexities of privacy threat modeling, highlighting the conceptual challenges and the need for robust frameworks to address privacy risks in various scenarios effectively. [Dr. Wuyts is brilliant — read anything she puts out.]

5. Unraveling the State of Kubernetes Security in 2024 — Kubernetes security in 2024 is assessed, focusing on the latest threats, such as vulnerabilities and misconfigurations, best practices for mitigating these risks, and evolving strategies to enhance the protection of containerized environments amidst growing complexity and adoption. [K8s feels like the forgotten component hidden deep in the infrastructure. I don’t hear much about it anymore in my circles.]

Featured Focus: Threat Modeling as Culture

I did a webinar with GitGuardian on August 29 on the topic of secure and private by design/default. During the event, we asked, “Is threat modeling currently part of your or your organization’s security strategy?”

89% of people polled are not doing threat modeling as a discipline within their SDLC. You could argue that the sample size isn’t representative of our industry. Still, based on my anecdotal evidence of talking to different organizations over the past year, I think it’s pretty darn close to correct.

Threat modeling is due for a renaissance, and all the noise we’ve made about it over the past years with the Threat Modeling Manifesto and Capabilities is just the tip of the iceberg. We have more work to do.

As I see it, the value proposition and return on investment for threat modeling are not front and center with Executives yet. There is a collection of unique companies out there that are early adopters and get the value prop, and they are building programs that are pushing threat modeling down to the developer layer. Too often, threat modeling for security and privacy is considered a security team's responsibility. This is great if you want to scale to five threat models for the entire company. I dream big, and I want developers to threat model every story. We only get there by moving the modeling down to the developer layer.

We must work toward moving threat modeling forward at the organizational level. Threat modeling must escape the security team and become seen as a crucial step in designing software.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Mark Curphey and John Viega -- Chalk (Audio only; YouTube)

    • Mark Curphey and John Viega introduce Chalk, a new tool by Crash Override while discussing the reasons behind ZAP's departure from OWASP to join the Software Security Project and the importance of corporate contributions to open-source projects.

    • The conversation highlights the challenges large tech firms face in managing software engineering processes. Chalk offers a solution for clarity and efficiency and emphasizes the need for an "outside-in" perspective to enhance decision-making in software development.

• Security Table

  • The Illusion of Secure Software (Audio only; YouTube)

    • Hosts Chris, Izar, and Matt examine Jen Easterly’s statement on the cybersecurity industry's software quality problem, discussing its implications, recurring themes in security guidelines, and whether the core issues lie with people or technology.

    • The discussion explores the roles of developers, QA engineers, and emerging AI tools in improving security and questions whether current industry practices are leading to meaningful change.

• Threat Modeling Podcast

  • A Comprehensive Threat Modeling Strategy (Audio only)

    • Chris outlines a comprehensive strategy for effective threat modeling, emphasizing the importance of aligning it with organizational culture, tech debt, and risk posture and integrating it incrementally into the development process.

    • Successful threat modeling requires defining clear success metrics, keeping the model updated, and focusing on domain-specific problems while leveraging automation for domain-agnostic issues.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

• Webinar: The Synergy Between Threat Modeling & Security Champions, with Dustin Lehr — Tuesday, September 10 @ 2 PM (Eastern)

• Webinar: Threat Modeling and Secure Coding with Tanya Janca — Thursday, September 19; registration link coming soon!

• InfoSec World — Sept 22-25, 2024

  • The Modern Application Security Rocket Ship — Monday, Sept 23, 10:15 AM

  • The Paradox of Secure and Private By Design — Tuesday, Sept 24, 1:30 PM

  • Workshop: Threat Modeling Championship: Breaker vs. Builder — Sunday, Sept 22, 9 AM - 12 PM

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Secure and Privacy by Design and Default: The Convergence with Threat Modeling

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Threat Modeling with ATT&CK v1.0.0 — Threat modeling with the MITRE ATT&CK framework offers a structured method for identifying and addressing potential security threats by mapping adversary tactics and techniques to strengthen defenses and improve overall security posture. [It’s about time that somebody melded these two concepts together!]

2. Cybersecurity tool sprawl is out of control – and it’s only going to get worse — As organizations increasingly adopt various disparate cybersecurity tools, the problem of tool sprawl is expected to intensify, highlighting the urgent need for improved integration and management to ensure cohesive and effective security. [It will be fun to watch and see if ASPM pays off as much as possible, offering a single place for AppSec results to gather and triage. We have too much noise and a lack of fidelity of results with the modern AppSec stack.]

3. What You ACTUALLY Need To Know For A Cybersecurity Job — To excel in cybersecurity, you need a solid understanding of core security concepts, hands-on experience with security tools and practices, and the ability to stay updated with evolving threats and technologies. [I get asked this question constantly, and this article tracks with much of what I tell people.]

4. Threat model with controls - GenAI as-is — The OWASP AI Security Overview provides a comprehensive guide to AI security. It includes a periodic table that categorizes various AI security threats and mitigations to help organizations effectively manage and protect their AI systems. [Many folks are writing about AI and security; the periodic table is a good resource to attempt to bucketize all the various threats.]

5. CVE-2022-21587(Oracle E-Business Suite RCE): Could RASP or ADR Have Prevented It? And How? — CVE-2022-21587 exposes a critical unauthenticated, remote code execution vulnerability in Oracle E-Business Suite, with the discussion focusing on how Runtime Application Self-Protection (RASP) and Automated Dynamic Analysis (ADR) can help mitigate the risk. [Thorough technical analysis of whether RASP/ADR would have prevented this issue.]

Featured Focus: Secure and Privacy by Design and Default: The Convergence with Threat Modeling

[Note: this is a post based on my primary conference talk for this year.]

In today's ever-evolving digital landscape, ensuring security and privacy isn't just a technical requirement—it's a fundamental philosophy that must permeate every aspect of software design and development. This philosophy, known as Secure and Privacy by Design and Default (SPbDD), is more than a set of guidelines; it’s a mindset shift toward prioritizing protection over new features from the very inception of a project.

Understanding Secure and Privacy by Design and Default

SPbDD is the art and science of embedding security and privacy into the DNA of your applications. It’s not just about compliance or ticking off boxes in a regulatory checklist. Instead, it’s about building solutions that inherently protect devices, data, and applications against the ever-present and inevitable security threats. Think of it as a journey, not a destination—a continuous process of refining and enhancing security and privacy measures as threats evolve.

The Customer’s Perspective

Customers have clear wants and needs regarding security and privacy. They expect that any product or service they purchase will protect their personally identifiable information (PII) or company data immediately—no extra steps are required. They want solutions that are self-updating, automated, and capable of defending themselves without user intervention. In essence, customers demand a secure and private experience by default.

Core Tenets of SPbDD

At the heart of SPbDD are four core principles:

• Holistic Security and Privacy Approach: Security and privacy must be considered whole, not isolated.

• Mindset Shift: Developers need to prioritize protection over adding new features.

• Business Priorities: Security and privacy should be business imperatives, not merely technical challenges.

• Default State: Features should be secure and private by default, requiring no extra configuration from the user.

The Challenges

While the principles of SPbDD are clear, implementing them is anything but straightforward. Traditional security practices and regulatory guidelines often fail to address the complexities of modern software ecosystems. There’s a significant gap between theory and practice, where security and privacy must be woven seamlessly into every aspect of the development process.

Designing for Security and Privacy: A Strategic Approach

Implementing SPbDD requires a strategic approach to design decisions:

• Security and Privacy-Enforcing Stack: The strength of your software stack dictates the security ceiling. Choose a stack that inherently supports secure and private operations, from memory-safe languages to privacy-protecting storage solutions.

• User Experience: Balance security and usability by creating non-disruptive user flows. Ensure that users have control over their data, with clear and transparent communication about how their information is used and stored.

• Protecting PII and Customer Data: Adopt privacy policies and data minimization, encryption, and de-identification strategies. You can only protect what you fully understand.

• Locking Down the System: Securely configure solutions to reduce the attack surface. Remove unnecessary interfaces and features to make it harder for attackers to find vulnerabilities.

• Responsible Open Source Usage: Develop a strategy for using open source software that includes data processing and security review criteria. If not managed correctly, the software supply chain can be vulnerable.

• Code Integrity: Implement standards and tools for secure coding, code review, and automated checks to ensure that the design decisions are reflected in the final product.

• Vulnerability Management: Establish clear processes for handling vulnerabilities when they arise. Transparency is key to maintaining customer trust and managing risk effectively.

What Are Security and Privacy Patterns?

Security and privacy patterns are blueprints that guide the implementation of specific controls within an application. They encapsulate best practices and provide a repeatable framework for developers to address common security and privacy concerns. By applying these patterns consistently, organizations can ensure that their applications are secure and private by default and resilient against evolving threats. Patterns + property planned for design decisions form the basis of a secure and private application.

Key Patterns

1. Authentication and Multi-Factor Authentication (MFA)

   • Description: Strong authentication mechanisms ensure only authorized users can access the system. MFA adds a layer of security by requiring more than one verification method.

   • Application: This pattern is critical for protecting against spoofing attacks and is a foundational element in any secure application.

   • Example Implementation: Integrating MFA with an Identity Provider (IdP) to support various authentication factors, such as mobile codes or hardware tokens.

2. Access Control and Authorization

   • Description: This pattern regulates what authenticated users can do within the system by enforcing strict access controls. It often employs Attribute-Based Access Control (ABAC) to provide fine-grained permissions.

   • Application: Protects against elevation of privilege attacks by ensuring users access only the necessary resources.

   • Example Implementation: Paved road authorization strategies incorporating ABAC, ensuring consistent access control enforcement across services.

3. Validation, Sanitization, and Encoding

   • Description: Helps prevent injection attacks by ensuring all input data is properly validated, sanitized, and encoded before processing.

   • Application: This pattern is essential for protecting against tampering and injection vulnerabilities, such as SQL injection or Cross-Site Scripting (XSS).

   • Example Implementation: Standard validation, sanitization, and encoding libraries are integrated into the development pipeline to ensure consistency and security.

4. Secure Logging

   • Description: Implements logging mechanisms that ensure all security-relevant events are recorded and can be audited while protecting the confidentiality and integrity of the log data.

   • Application: Helps detect and respond to incidents by providing a clear and accurate audit trail.

   • Example Implementation: Logs are securely transmitted to a Security Information and Event Management (SIEM) system, monitored, and analyzed in real time.

5. Proper Password Storage and Initiation

   • Description: Ensures that passwords are stored securely using modern hashing algorithms and that password policies enforce strong, unique passwords.

   • Application: This protects against credential stuffing and brute-force attacks by ensuring that passwords cannot be easily exploited even if compromised.

   • Example Implementation: Use bcrypt or Argon2 for hashing passwords, with strict password policies and regular rotation of credentials.

6. Data Protection

   • Description: Safeguards sensitive data through encryption, both at rest and in transit, and ensures that encryption keys are managed securely.

   • Application: Protects against information disclosure by ensuring that even if data is intercepted, it cannot be read without the proper decryption keys.

   • Example Implementation: End-to-end encryption for all data flows, with robust key management practices to prevent unauthorized access.

7. Scalability

   • Description: Designs the system to handle increased loads without compromising security or privacy. This includes ensuring high availability and redundancy.

   • Application: Protects against denial-of-service (DoS) attacks by ensuring the system can scale to meet demand and continue operating securely under load.

   • Example Implementation: Load balancing, auto-scaling, and orchestration technologies that ensure the system remains available and secure even during peak usage.

Checking the Work: The Role of Threat Modeling

Threat modeling is critical in ensuring that SPbDD principles are correctly applied. Organizations can identify potential threats and develop appropriate mitigations by assembling a diverse team and leveraging frameworks like STRIDE and OWASP. This proactive approach ensures that security and privacy are not just theoretical concepts but embedded in the application's fabric.

Measuring What Matters

To truly embrace SPbDD, organizations need to measure the effectiveness of their design decisions. Customized dashboards can track the implementation of security and privacy patterns across different product versions, providing valuable insights into the correlation between these patterns and mitigating specific threats.

Conclusion: Start the Journey Today

SPbDD is not just a trend—it’s the future of secure and private software development. By embracing this philosophy, organizations can build applications that meet today’s security and privacy standards and are resilient against tomorrow's challenges. The journey begins now, with every design decision contributing to a more secure and private digital world.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Maril Vernon -- You Get What You Inspect, Not What You Expect (Audio only; YouTube)

    • Maril Vernon highlights the importance of purple teaming by fostering collaboration between developers and security teams, emphasizing the need to communicate remediation recommendations in developer-centric language to bridge gaps and make them actionable.

    • Looking ahead, Maril envisions automation and AI enhancing purple teaming efficiency while valuing human red teamers' irreplaceable creativity and suggesting a future where a more integrated approach or "white teams" could replace traditional purple teams.

• Security Table

  • The Intersection of Hardware and Software Security (Audio only; YouTube)

    • Chris, Izar, and Matt delve into threat modeling for hardware, focusing on the intersection of hardware and software security and highlighting challenges like speculative execution faults and supply chain vulnerabilities.

    • They emphasize the importance of understanding attack surfaces and discuss the ongoing hardware and software security integration to address these critical issues effectively.

• Threat Modeling Podcast

  • Software-Centric Threat Modeling (Audio only)

    • Farshad Abasi emphasizes the importance of asset-based and user story-focused threat modeling, recommending early architectural threat modeling and periodic reviews while integrating threat modeling into the DevSecOps process and using pull request templates for consistency.

    • He highlights the need for a simplified and developer-friendly approach to threat modeling, ensuring that it is actionable and scalable by adopting practices that align with development workflows and improve threat management.

Where to find Chris? 🌎

• Webinar: Designing Secure and Private Software by Default — August 29 @ 3 PM (Eastern)

• Webinar: The Synergy Between Threat Modeling & Security Champions, with Dustin Lehr — Tuesday, September 10 @ 2 PM (Eastern)

• Webinar: Threat Modeling and Secure Coding with Tanya Janca — Thursday, September 19; registration link coming soon!

• InfoSec World — Sept 22-25, 2024

  • The Modern Application Security Rocket Ship — Monday, Sept 23, 10:15 AM

  • The Paradox of Secure and Private By Design — Tuesday, Sept 24, 1:30 PM

  • Workshop: Threat Modeling Championship: Breaker vs. Builder — Sunday, Sept 22, 9 AM - 12 PM

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Trusting AI to Fix Vulns

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Threat Modeling ‘threat’ modeling — Applying threat modeling to the process can uncover hidden risks, improve transparency, and strengthen security practices. [This one caught my eye because of my lack of threat modeling a sidewalk from last week’s featured focus. BTW, Loren is one of the folks that invented STRIDE.]

2. NIST releases new tool to check AI models’ security — NIST has released a new tool to help organizations evaluate the security and trustworthiness of their AI models, addressing growing concerns about AI vulnerabilities and biases. [Can we create a tool to check how something we don’t understand works?]

3. The Gili Ra’anan model: Questions emerging from Cyberstarts' remarkable success — Cyberstarts' remarkable success is partly attributed to a unique model that offers CISOs equity in the fund, creating potential conflicts of interest as these cybersecurity leaders may favor Cyberstarts' portfolio companies, boosting their growth and valuations. [This confirms my hypothesis that the CISO is not the best buyer of AppSec solutions. They are buried in noise from too many sources.]

4. Six Things DevOps Wants from InfoSec — DevOps teams want InfoSec to empower them with tools, clear guidance, trust, and autonomy to build secure code without hindrance. [This is a stark reminder of how to serve developers, which SHOULD be the primary focus of AppSec.]

5. HTTPS: How secure is it, and do we really need it? (Part 1 of 2) — HTTPS is essential for securing online communication, as it encrypts data, ensures privacy, and protects against cyber threats, making it a must-have for any website handling sensitive information. [Great history lesson on HTTPS and its impact over the last two decades.]

Featured Focus: Trusting AI to Fix Vulns

I keep seeing solutions claiming they can create pull requests to fix vulnerabilities using AI. GitHub is the latest that I’ve seen hit the streets. My humble opinion is that the technology behind AI is not yet ready to be trusted in such a manner.

The primary challenge to trusting an AI-related fix is predictability. When I use an LLM today and ask it a question, I often get different answers on multiple runs. With this lack of predictability in an answer, how can I guarantee that a fix eliminates the vulnerability?

The secondary challenge is the future of laziness. This is connected to my primary challenge: as I see a world where we become more dependent on AI, we will become lazy about checking its results. We could easily reach a false sense of security about automated PRs and see them automatically approved.

What is the answer then? Are you donning the hat of a Luddite and swearing off AI for security? No, that isn’t the answer. The answer is being more patient as we wait for this technology to develop. We’ll reach the point where AI can competently fix vulnerabilities, but I don’t think we’re there today. Patience isn’t something people write about or think of as a pillar of a security program, but that doesn’t mean it isn’t the best strategy for now.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Dan Küykendall -- Why All Application Security Products Suck (Audio only; YouTube)

    • Dan Küykendall discusses his series "Why All AppSec Products Suck" and emphasizes the importance of understanding the limitations and appropriate uses of security tools.

    • The hosts remember Kevin Mitnick, explore the challenges of DAST scanners with modern apps, and highlight the need for comprehensive security training for engineers.

• Security Table

  • Computing Has Trust Issues (Audio only; YouTube)

    • Chris, Izar, and Matt discuss classic security-themed movies like 'Sneakers' and 'War Games' before delving into Secure Boot vulnerabilities and the complexities of key management.

    • They also cover password management, passkeys, and the challenges of securing digital identities in today's landscape.

• Threat Modeling Podcast

  • Product-led threat modeling (Audio only)

    • Product-led threat modeling integrates security into product management by aligning threat assessments with user needs, using methodologies like STRIDE and rapid risk assessment.

    • Michal and Chris emphasize collaboration across teams, with product managers taking ownership of security, applying lean principles, and utilizing threat libraries and cookbooks to address security challenges.

Where to find Chris? 🌎

• Webinar: Designing Secure and Private Software by Default — August 29 @ 3 PM (Eastern)

• Webinar: The Synergy Between Threat Modeling & Security Champions, with Dustin Lehr — Tuesday, September 10 @ 2 PM (Eastern)

• Webinar: Threat Modeling and Secure Coding with Tanya Janca — Thursday, September 19; registration link coming soon!

• InfoSec World — Sept 22-25, 2024

  • The Modern Application Security Rocket Ship — Monday, Sept 23, 10:15 AM

  • The Paradox of Secure and Private By Design — Tuesday, Sept 24, 1:30 PM

  • Workshop: Threat Modeling Championship: Breaker vs. Builder — Sunday, Sept 22, 9 AM - 12 PM

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Slip and Fall

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Smashing Runtime Application Self-Protection (RASP) — This post explores why RASP, or Runtime Application Self-Protection, cannot always protect your Java applications and can be bypassed. [RASP has been a hot topic for the past few years, and I think of it as something cutting edge for an AppSec program. This one caught my attention as it posits that perhaps RASP is not as strong as the market believes.]

2. How a North Korean Fake IT Worker Tried to Infiltrate Us — A North Korean agent attempted to infiltrate KnowBe4 by posing as a legitimate IT worker with a stolen identity and AI-enhanced photo. Still, the scheme was detected when malware was found on the employee's device. [This scenario happens more than anyone thinks — interview well and check those references!]

3. Bitdefender Vulnerability Let Attackers Trigger SSRF Attacks — A critical vulnerability in Bitdefender's GravityZone Update Server, identified as CVE-2024-6980, could allow attackers to execute server-side request forgery (SSRF) attacks, posing significant risks to affected systems. [SSRF is still up and coming, so I added this article as a case study into what SSRF looks like in the real world.]

4. Anyone can Access Deleted and Private Repository Data on GitHub — GitHub repositories, including deleted and private ones, can still access their data through forks, posing a significant security risk by allowing unauthorized access to sensitive information. [Architecture is important, and a flaw like this is architectural, as a design decision that allowed this to happen was made somewhere in the past.]

5. Why are vulnerabilities out of control in 2024? — Vulnerabilities are surging in 2024 due to the collapse of NVD, an overwhelming number of Linux kernel CVE IDs, and insufficient resources to handle the growing volume of open-source software issues. [Is there anything different for 2024? Vulns have been consistently reported for as long as I can remember.]

Featured Focus: Slip and Fall

Last week, I was out walking my dog. I believe in threat modeling and encourage people to do it for everything they do, whether building software or going on vacation. Threat modeling has a role in every situation.

Here is how the story goes — I’m walking down the sidewalk, not paying attention, enjoying my morning walk with my dog. Tropical storm Debby had made its way through our area and dumped a lot of rain. I walked the same path every morning. As I was walking down the sidewalk, not paying enough attention, I slipped on a thin amount of mud the storm had pushed across the sidewalk and smacked down on the ground.

As I was lying there assessing my injuries, including a nice cut on my leg, elbow, and shoulder and a muscle pull in the neck, I had a thought. There is a lesson to be learned from my experience and a good reminder: I should have threat modeled the situation. I should have looked at the sidewalk before me and analyzed that representation of a quarter inch of mud. So, at the end of the day, you can use threat modeling for everything, even keeping yourself from a slip and fall.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Irfaan Santoe -- The Power of Strategy in AppSec (Audio only; YouTube)

    • We discuss measuring AppSec maturity, ROI, and bridging gaps between CISOs and AppSec knowledge.

    • Irfaan shares his journey from consulting to being an AppSec professional, offering insights for scaling AppSec programs and aligning them with business goals.

• Security Table

  • The Stages of Grief in Incident Response (Audio only; YouTube)

    • Chris, Izar, and Matt discuss the developer's stages of grief during incidents and analyze a recent large-scale IT incident.

    • They share insights from their extensive security experience, examining system fragility and the role of luck in security failures.

• Threat Modeling Podcast

  • Gavin Klondike -- Threat modeling for large language model applications (Audio only)

    • Gavin Klondike discusses threat modeling, especially in AI and machine learning contexts.

    • Gavin shares a detailed case study, challenges of large language models (LLMs), and a comprehensive threat model for LLM applications.

Where to find Chris? 🌎

• Webinar: Secure by Design, August 29 @ 3 PM Eastern; register link coming soon.

• Webinar: The Intersection of Security Champions and Threat Modeling, with Dustin Lehr — Tuesday, September 10

• Webinar: Threat Modeling and Secure Coding with Tanya Janca — Thursday, September 19

• InfoSec World, Sept 22-25, 2024

  • The Modern Application Security Rocket Ship — Monday, Sept 23, 10:15 AM

  • The Paradox of Secure and Private By Design — Tuesday, Sept 24, 1:30 PM

  • Workshop: Threat Modeling Championship: Breaker vs. Builder — Sunday, Sept 22, 9 AM - 12 PM

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: The AppSec Hype Cycle

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Sponsor post: Devici is THE threat modeling platform and a program in a box.

Threat modeling requires so much more than a tool. Sure, a tool is the program's foundation, but what if your threat modeling tool could help you run your program? Welcome to Devici. Workflows, custom threats, mitigations, and custom templates create the threat modeling program you need, and Devici helps you execute your strategy.

Devici has a free plan for forever, so you can try us out. You get three comprehensive threat models. Create an account today and start threat modeling for free! You can invite up to nine colleagues to your account to model together in a collaborative environment. Visit devici.com today to sign up.

Five Security Articles 📰 that Are Worth YOUR Time

1. Will AI Revolutionize Software Engineering and Security? — AI is revolutionizing software engineering and security by advancing threat detection, automating routine tasks, and boosting overall efficiency, leading to more effective and proactive security measures.[Short answer: yes and no. In the short term, no. In the long term, I see a path towards AI-enhancing developers and security people to achieve 100% more productivity.]

2. New Tactics from a Familiar Threat — Phylum has exposed North Korean threat actors attacking software developers in the open-source supply chain for over a year. This blog post highlights evolving tactics from a North Korean campaign that began in September 2023 with a package published on 4 July 2024 in npm. Like a snake shedding its old skin, this attacker's evasive attempts have introduced some novelties, but many of the same patterns and idioms we have seen throughout this campaign remain. [This is not a topic I usually cover, but when nation-state actors come for the supply chain, it’s time to dive in.]

3. Hacking Millions of Modems (and Investigating Who Hacked My Modem) — Sam Curry details how millions of modems are vulnerable to hacking due to weak security practices, exposing significant risks of unauthorized access and control over network devices. [Vulns with mass scale always catch my attention. Excellent research by Sam.]

4. 2024 State of Cloud Security Report Shows That More Risk Prioritization is Needed — The 2024 State of Public Cloud Report from Orca Security highlights key risks and prioritization strategies for securing public cloud environments, emphasizing the need for comprehensive risk management to address evolving threats and vulnerabilities. [Takeaway: Your cloud is not secure enough.]

5. Securing the Future of Artificial Intelligence and Machine Learning at Microsoft — Microsoft's guide on securing artificial intelligence and machine learning emphasizes the importance of integrating robust security measures to protect AI systems from vulnerabilities and threats throughout their lifecycle. [Check out how a big company is packaging up security for AI.]

Featured Focus: The AppSec Hype Cycle

Plenty of hype cycle-style analyses are floating around, so here is mine.

Trending downward: DevSecOps

I continue to see conference presentations, podcast episodes, and blog posts on DevSecOps five years after DevSecOps took our industry by storm. DevSecOps is tired and needs to drift away. For years, I’ve been saying we should call it DevOps and include security as a natural step in building software. It’s time to stop treating it as a separate thing and let it go.

So far down that it should be six feet under: Shifting Left

I just saw this one again today on LinkedIn. It’s so weathered, worn out, and tired, yet people continue to drag it back out. Let this one go as well — it started as a marketing term, had a good run, and made sense for technical people, but now it’s back to a marketing term. Let it go.

Everyone is gaga for it: Application Detection and Response (ADR)

Can anyone count the detection and response technology types we now have? ADR is the latest, and many vendors are morphing their language from their existing products to align with ADR. Time will tell if this becomes a valid technology type that is a must-have for the AppSec stack. It’s worth a look, but the jury is still unsure about its value/return on investment.

It would be best if you were looking at it: Application Security Posture Management (ASPM)

Alert fatigue is a real thing. Face it: our tools are generating 10x the findings they should, and we need to increase the fidelity of the data feed we send to developers. ASPM is the answer to this challenge and should be added to your stack soon.

Terms vendors are jumping on board with: Guardrails / Paved Roads

I’m not sure who first used these terms, but if you look around, you will see that many vendors now use them to define their product suites. I predict these terms are the next “shift left” for our industry and will cross into the marketing world within six months.

That ends my first AppSec Hype Cycle analysis. I hope you enjoyed it. Reply and let me know if you agree or disagree with these statements.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Andrew Van Der Stock -- The New OWASP Top Ten (Audio only; YouTube)

    • Andrew Van Der Stok joins Chris Romeo and Robert Hurlbut to discuss OWASP Top 10 Project updates, emphasizing data collection and developer engagement.

    • The episode covers the methodology for the OWASP Top 10, framework security, and key insights for shaping the future of web application security.

• Security Table

  • Why Do Engineers Hate Security? (Audio only; YouTube)

    • Chris, Matt, and Izar discuss why security professionals should develop empathy, soft skills, and integration strategies to avoid being perceived as intrusive by engineers.

    • Building strong relationships requires understanding engineers' perspectives and effectively communicating the value of security measures.

• Threat Modeling Podcast

  • The Four Question Framework with Adam Shostack (Audio only)

    • Chris and Adam dive into the four-question framework for threat modeling, explaining the meaning and purpose of each question to simplify the process.

    • They discuss the importance of retrospectives, the evolution of the framework, and its application in various situations, highlighting that the questions serve as a practical foundation for threat modeling.

Where to find Chris? 🌎

• Webinar: Secure by Design, August 29 @ 3 PM Eastern; register link coming soon.

• InfoSec World, Sept 22-25, 2024

  • The Modern Application Security Rocket Ship — Monday, Sept 23, 10:15 AM

  • The Paradox of Secure and Private By Design — Tuesday, Sept 24, 1:30 PM

  • Workshop: Threat Modeling Championship: Breaker vs. Builder — Sunday, Sept 22, 9 AM - 12 PM

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Sticking with anything

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Let's blame the dev who pressed "Deploy"—Blaming software engineers for bugs and outages overlooks the broader issues caused by CEO decisions, customer demands, IT department pressures, and unrealistic regulations, contributing to systemic failures in the tech industry. [Blame culture has existed for as long as software has had bugs. Over the last few weeks, root cause analyses have ended with some people exiting the building. We should be past blame culture, but we’re not.]

2. Palo Alto isn’t going to buy everyone: the anatomy of cybersecurity startup exits — Speculating that Palo Alto Networks will acquire any cybersecurity startup is misguided, as most acquisitions are strategic, focusing on early leaders in specific markets, and many don't result in significant financial gains for founders or employees. [Insight into the cybersecurity startup space, fueled by recent Wiz news about walking away from the Google deal. If you’re an early-stage founder, don’t look at this as discouragement but intelligence.]

3. Responsibility Over Freedom: How Netflix’s Culture Has Changed — Netflix's internal culture, characterized by transparency, freedom, and responsibility, has been central to its success, though it continually evolves, emphasizing "People Over Process" and refining its principles to balance openness with practical constraints. [Netflix is always a good case study, as they’ve been cutting-edge for so long.]

4. QR code SQL injection and other vulnerabilities in a popular biometric terminal — ZKTeco biometric terminals have vulnerabilities, such as SQL injection via QR codes, that can allow unauthorized access and compromise authentication processes and biometric data security. [I don’t usually share the vuln of the week, but this one caught my attention because of the novel attack vector.]

5. Docker's 2024 State of Application Development Report Highlights Key Trends for Developers — Docker's 2024 State of Application Development Report highlights trends such as a shift to cloud-based development, rising microservices adoption, ongoing security challenges, and increased integration of AI tools like ChatGPT and GitHub Copilot in development processes. [If you want to improve at #AppSec, study the details about developers and their worlds. Please get to know them better.]

Featured Focus: Sticking with anything

If you’ve been on this planet for over five seconds, you know that things sometimes get challenging. Whether we’re talking about work or personal-related things, challenges are a fact of life. This is for the person struggling with something, feeling like there is no solution or a positive path forward.

I want to encourage you. When things get tough, it can seem like there is no possible positive outcome. I've had many ups and downs in my almost three-decade career. I’ve been blessed to have more ups than downs when they all add up, but I have also had some tough times.

I have found value in sticking with whatever the challenge lies before me and having the attitude of not giving up. There is immense value in resiliency, in finding a path forward to the challenge.

One time in my career, the path forward was switching teams after I was forced out of my first management role. In their defense, I wasn’t a great manager in those days. (I learned an immense amount from that experience.) While those days appeared dark, a sun rose on the horizon. The new team that I switched to was Cisco’s Secure Development Lifecycle team, and that was the change that put me on the AppSec path way back in 2009. Was it tough in the moment? Heck yeah. I wanted to run away, but sticking with it, I changed the focus of my career.

So, could you stick with anything? Things will sometimes be tough in the short term, but resiliency means pushing forward and finding a better outcome.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Derek Fisher -- Hiring in Cyber/AppSec (Audio only; YouTube)

    • Chris and Robert discuss cybersecurity hiring and entry-level role challenges with Derek Fisher.

    • They cover the value of certifications, the necessity of lifelong learning, and the importance of networking.

• Security Table

  • To SSH or Not? (Audio only; YouTube)

    • Chris, Matt, and Izar discuss the OpenSSH regression vulnerability, detailing a race condition leading to remote code execution and debating SSH's necessity in modern cloud-native environments.

    • They explore the chain of security updates, the role of QA in preventing regressions, and who should catch vulnerabilities first—QA teams, pentesters, or automated tools.

• Threat Modeling Podcast

  • What is the Essence of Threat Modeling? (Audio only)

    • Chris Romeo explores various definitions of threat modeling from industry experts, discussing whether risk assessment and threat modeling are the same, the essence of threat modeling, collaboration and documentation, and proactive security.

    • The podcast favors the Threat Modeling Manifesto's definition, emphasizing threat modeling as analyzing system representations to highlight security and privacy concerns involving art, science, collaboration, and brainstorming.

Where to find Chris? 🌎

• Webinar: Modern Threat Modeling: Business vs. Technical Perspectives, July 29 @ 1 PM Eastern; register here.

• Webinar: Secure by Design, August 29 @ 3 PM Eastern; register link coming soon.

• InfoSec World, Sept 22-25, 2024

  • The Modern Application Security Rocket Ship — Monday, Sept 23, 10:15 AM

  • The Paradox of Secure and Private By Design — Tuesday, Sept 24, 1:30 PM

  • Workshop: Threat Modeling Championship: Breaker vs. Builder — Sunday, Sept 22, 9 AM - 12 PM

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Sponsor post: Devici is the threat modeling platform you’ve been waiting for

Simple, intelligent, scalable: these words describe the Devici threat modeling platform.

Devici has a free forever plan. We provide three comprehensive threat models for free forever. Create an account today and start threat modeling for free! You can invite up to nine colleagues to your account to model together in a collaborative environment. Visit devici.com today to sign up.

Five Security Articles 📰 that Are Worth YOUR Time

1. CISOs plan to start downsizing security teams because of AI – but experts warn it’s a “shortsighted and dangerous" path to take — CISOs are planning to reduce security team sizes due to AI adoption. Still, experts warn that this is a shortsighted and dangerous approach as AI should complement rather than replace human expertise in cybersecurity. [What is a word larger than shortsighted and dangerous? We’ve been short on security team sizes for as long as I can remember, and now AI will result in shedding headcount. I don’t think so. Bad plan.]

2. A simple firmware update completely hides a device's Bluetooth fingerprint — Researchers at the University of California San Diego have developed a firmware update that completely hides a device's Bluetooth fingerprint, preventing it from being used to track the device by randomizing the device's unique signal characteristics. [Shouldn’t this be included within the core operating system?]

3. The Race to Make a Business of Secure Defaults — Modern security teams, with support from government and tech companies, are using secure defaults—tools and processes that inherently integrate security—to help developers build secure applications quickly while reducing the need for explicit security decisions. [There is tension between secure defaults, paved roads, guard rails, and innovation. With too many lockdowns, we start to build cookie-cutter things that are all the same.]

4. 3 ways to improve appsec code auditing with graudit — Improve application security code auditing with Graudit by customizing dangerous function databases, reducing false positives using flatline.db and fruit.db, and using non-destructive review tools like vi with aliases for highlight and less. [Code auditing is a skill, and new tools are always worth a look.]

5. What happened to RASP? — RASP's initial promise of in-app security monitoring and protection has faced challenges due to technical issues and non-technical critiques, leading to interest in the newer Application Detection and Response (ADR) approach as a potential solution. [This is a counterpoint to what I thought of as the industry's current state. ADR? Really? Do we need another DR solution?]

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Tanya Janca -- Secure Guardrails (Audio only; YouTube)

    • Join Tanya Janka, aka SheHacksPurple, when she discusses secure guardrails, the distinction between them and paved roads, and their implementation in application security.

    • Tanya, an award-winning speaker and SEMGREP's head of education, also shares insights on creating secure software, teaching developers, and her passion for her hobby farm and gardening.

• Security Table

  • Rethinking Security Conferences: Engagement and Innovation (Audio only; YouTube)

    • Chris, Matt, and Izar discuss the current state of security conferences, evaluating the value of various types of gatherings, the importance of networking, and the need for engaging, participatory formats catering to introverts and extroverts.

    • They share personal experiences and preferences for attending and speaking at conferences and explore hybrid approaches that combine presentations with facilitated discussions and interactive elements.

• Threat Modeling Podcast

  • Nandita Rao Narla -- Privacy Threat Modeling (Audio only)

    • Nandita Rao Narla introduces the basics of privacy in software, covering privacy threats, threat modeling, and privacy by design, which is essential for anyone handling user information.

    • This episode of the Threat Modeling Podcast is a primer on assessing and mitigating privacy concerns and implementing privacy-focused design in projects.

Where to find Chris? 🌎

• Webinar: Modern Threat Modeling: Business vs. Technical Perspectives, July 29 @ 1 PM Eastern; register here.

• Webinar: Secure by Design, August 29 @ 3 PM Eastern; register link coming soon.

• InfoSec World, Sept 23-25, 2024

  • The Modern Application Security Rocket Ship — Time/date TBD

  • The Paradox of Secure and Private By Design — Time/date TBD

  • Workshop: Threat Modeling Championship: Breaker vs. Builder — Time/date TBD

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: FOMO or something else?

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. How platform engineering helps you get a good start on Secure by Design — Platform engineering facilitates the adoption of "secure by design" principles by embedding security measures early in development. This integration enhances system resilience and reduces vulnerabilities through core engineering practices. [I provided some thoughts on the intersection of platform and SbD.]

2. Stop Recommending JWTs (with symmetric keys) — Using JSON Web Tokens (JWTs) poses security risks like key exposure and token forgery. Switching to asymmetric keys or alternative token formats is recommended to enhance security. [The more you know.]

3. Introducing RedFlag: Using AI to Scale Addepar's Offensive Security Team — Addepar introduces RedFlag, an AI-powered tool to enhance their offensive security team by automating the scoping of manual security tests. Leveraging Anthropic’s Claude v3 model, RedFlag analyzes pull requests, enriches them with related information, and generates focused security test plans, significantly reducing the time and effort needed for comprehensive security assessments. [This fits within my vision for AI in the next five years — AI doing a labor-intensive task, allowing the humans to focus on the part that needs “brainstorming.”]

4. If _____, you might not be Secure By Design Part 1  — "Secure By Design" emphasizes the importance of reducing and managing complexity to enhance security. Increased complexity heightens vulnerabilities, complicates situational awareness, and undermines the system's robustness, making simplicity a fundamental principle in effective security design. [Simplicity is essential for security and privacy, but it is hard to maintain within a functioning system.]

5. Don’t Security Engineer Asymmetric Workloads — Matt Schellhas’ "Asymmetric Workloads" concept highlights leadership failures, particularly the unfair distribution of workload burdens. This issue is relevant to security engineers, where the imbalance can lead to inefficiencies and resentment, ultimately undermining collaboration and organizational security. [This isn’t workloads as you think with orchestration, but instead is focused on a human capital problem.]

Featured focus: FOMO or something else?

OWASP Global Lisbon and ThreatModCon took place a few weeks ago. I didn’t attend either event. I’m an avid conference attendee and speaker (when I get the chance), but this time, I didn’t get the FOMO I expected.

Each summer for the past fourteen years (except for COVID), I’ve run a summer camp in Eastern Europe, in Moldova. This camp is focused on serving young people from this country. This is a 180 turn from what I do in my “day job.” Instead of spending time on calls, answering emails, and dreaming up new features, I act as a camp director for this summer camp. It’s a busy week, starting at 6 AM and often cruising towards a 10 PM wrap-up for the day.

This experience always reminds me that there is more to life than work and more to life than professional things. I share this experience to encourage everyone to find things away from work that add value to the world. Don’t live to work, work to live.

I hope you'll be able to find your summer camp-style experience for the future.

Devici's not-so-well-hidden advertisement

Hey, what did you expect? We needed a sponsor, and now we have one.

Did you know that Devici, the threat modeling company I founded, has a free forever plan? We provide three comprehensive threat models that are free forever. Create an account today and start threat modeling for free! Invite up to ten colleagues into your account to model together in a collaborative environment. Visit devici.com today to sign up.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Jahanzeb Farooq -- Launching and executing an AppSec program (Audio only; YouTube)

    • Jahanzeb Farooq discusses his journey in cybersecurity, emphasizing the importance of understanding developer needs and implementing appropriate tools based on his experiences at Siemens, Novo Nordisk, and Danske Bank.

    • The conversation also explores the complexities of cybersecurity in pharmaceutical and financial sectors, focusing on regulatory requirements, software's role in critical industries, security education, threat modeling, and digital transformation.

• Security Table

  • Privacy vs. Security: Complexity at the Crossroads (Audio only; YouTube)

    • Chris, Izar, and Matt discuss the shift in cybersecurity from a product-centric to an architectural-centric approach, focusing on integrating inherent capabilities rather than relying on add-on products.

    • They examine the intersections of security and privacy, the challenges of privacy threat modeling, and the evolving nature of regulations, emphasizing the importance of understanding the broader data ecosystem and continuous threat modeling.

• Threat Modeling Podcast

  • Akira Brand -- Gaining Experience by Threat Modeling (Audio only)

    • Akira Brand joins Chris to discuss her journey into threat modeling, highlighting the importance of collaboration, understanding the application, and using tools and diagrams to aid the process, drawing parallels between surgical checklists and the STRIDE model for a comprehensive approach.

    • Her initial threat modeling identified significant security risks due to excessive permissions. She emphasized the power of collaboration across engineering, data analytics, and security teams to create holistic security solutions, showcasing true success in threat modeling.

Where to find Chris? 🌎

• Webinar: Modern Threat Modeling: Business vs. Technical Perspectives, July 25 @ 1 PM Eastern; register here.

• Webinar: Secure by Design, August 29 @ 3 PM Eastern; register link coming soon.

• InfoSec World, Sept 23-25, 2024

  • The Modern Application Security Rocket Ship — Time/date TBD

  • The Paradox of Secure and Private By Design — Time/date TBD

  • Workshop: Threat Modeling Championship: Breaker vs. Builder — Time/date TBD

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Secure and Private by Design Converge with Threat Modeling

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Did you know that Devici, the threat modeling company I founded, has a free forever plan? We provide three comprehensive threat models that are free forever. Create an account today and start threat modeling for free! Invite up to ten colleagues into your account to model together in a collaborative environment. Visit devici.com today to sign up.

Five Security Articles 📰 that Are Worth YOUR Time

1. Study Finds That 52 Percent of ChatGPT Answers to Programming Questions Are Wrong  — A study by Purdue University found that 52% of ChatGPT's answers to programming questions contain misinformation, with many users preferring its polite and comprehensive style despite its inaccuracies. This highlights the challenges and risks of relying on AI-generated code solutions, stressing the need to carefully validate such responses. [And people wonder why I suggest GPT is not a replacement for a threat modeling tool? The challenge I have is that it is not predictable. You can get two different answers right after the other.]

2. The state of AppSec: Are we getting ahead of attackers — or falling behind? — Over the past five years, application security (AppSec) has improved in secure programming languages and container security, but software supply chain security challenges persist. Despite advancements, AppSec must evolve rapidly to keep pace with modern threats, requiring better tools, investment in people, and a comprehensive understanding of security risks throughout the software development lifecycle. [Nice report on the state of AppSec across many different categories.]

3. PCI DSS 4.0 Simplified: What You Need to Know — PCI DSS 4.0 introduces several changes to improve the security of payment card data, emphasizing secure network maintenance, data protection, vulnerability management, access control, and regular monitoring and testing. Organizations must adopt comprehensive security policies, ensure minimal data storage, and continuously update and audit their security practices to comply with these standards. [Many impactful changes for AppSec in 4.0. Worth a closer look.]

4. The CEO Is Next — Government agencies will soon seek to hold CEOs personally liable for insufficient cybersecurity investments, as the actual costs of breaches often impact consumers more than companies. The Biden administration's National Cybersecurity Strategy and recent actions, such as the SEC's case against SolarWinds, reflect a shift towards holding CEOs accountable, highlighting the need for corporate leadership to prioritize and adequately fund cybersecurity measures. [How does this change the game in the CEO’s office and the board room? It seems challenging to prove personal liability unless there is gross negligence.]

5. Why HAST is important to API hackers — Human Application Security Testing (HAST) involves creating manual tests that can be automated to find security vulnerabilities in APIs, providing deeper insights than traditional automated tools like SAST and DAST. HAST allows for context-aware testing, continuous security validation, and detection of complex attack chains, making it crucial for thorough and effective API security. [Nice methodology to think through from Dana about manual API testing.]

Featured focus: Secure and Private by Design Converge with Threat Modeling

My talk from RSAC 2024, “Secure and Private by Design Converge with Threat Modeling,” was recently published on YouTube.

I created this talk because I saw something missing from all the hoopla around secure by design. Plenty of things looked secure by design and were sold as secure by design, but none provided a way to ACHIEVE secure by design.

In this talk, I describe a framework for achieving secure and private by design and default. I broke this process into four components: design decisions, data flow diagrams, security and privacy patterns, and checking the work (threat modeling.)

With design decisions, I provided a list of things to consider before starting a new application. Such as language and framework choice (a security and privacy enforcing stack), mechanisms to protect PII and customer data, and the responsibility to use open source responsibly. Many of these are not new, but I ordered them in such a way as to make them matter for a new design. Just so you know, you can also apply these design decisions to other existing things that you have written.

Data flow diagrams are the heart of the design analysis, using a simple and structured format to draw a picture of the design. I find data flow diagrams the best way to visualize what I need to analyze. With a conversation, it is easy to get lost. A DFD is a reference you can continuously return to and revise.

Security and privacy patterns are the paved roads that security teams can define and then make available to developers via a menu of options. These patterns include authentication/multi-factor, access control/authorization, and validation/sanitization/encoding. They provide the building blocks for a solid security and privacy foundation.

Threat modeling is the final step, where the work is checked. The DFD exists from step two, and adding the details of the patterns provides a final design for proper threat modeling. Proper threat modeling considers threats and focuses on the best ways to mitigate them.

These steps together provide a framework for embracing secure and private by design and default so that you can make this concept a reality! So put down your pledges, hide the reference documents, and focus on deploying a process that creates secure and private by design instead of all the other movements that talk about it.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Steve Wilson -- OWASP Top Ten for LLMs (Audio only; YouTube)

    • The OWASP Top Ten for LLMs project, led by Steve Wilson, aims to create standardized guidelines for building secure AI applications using large language models like ChatGPT, addressing traditional security issues and introducing a new discipline of AI security engineering.

• Security Table

  • Privacy and the creepiness factor of collecting data (Audio only; YouTube)

    • Ally O'Leary, a privacy compliance expert, explains the intersection of privacy and security, emphasizing the importance of understanding personal information and data storage within company systems.

    • She highlights that privacy, often triggered by regulations like GDPR, is distinct from security but closely related. It requires regular data flow reviews, audits, and collaboration between privacy and security professionals during development.

• Threat Modeling Podcast

  • Dr. Michael Loadenthal -- Intersectional, Harm Reduction Approach to Threat Modeling (Audio only)

    • Dr. Michael Loadenthal emphasizes a comprehensive threat modeling approach considering political, legal, ethical, and social dimensions. This approach, developed from his experience in social movements and activism, addresses threats beyond the technical realm.

    • He utilizes multidisciplinary tools like mind maps and the harm reduction framework, collaborating with diverse teams to develop context-specific solutions for companies, non-profits, and high-profile individuals, enhancing the effectiveness of threat modeling.

Where to find Chris? 🌎

• Webinar: Modern Threat Modeling: Business vs. Technical Perspectives, July 25 @ 1 PM Eastern; register here.

• InfoSec World, Sept 23-25, 2024

  • The Modern Application Security Rocket Ship — Time/date TBD

  • The Paradox of Secure and Private By Design — Time/date TBD

  • Workshop: Threat Modeling Championship: Breaker vs. Builder — Time/date TBD

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Secure by Design at Scale

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Trusted relationship attacks: trust, but verify — Trusted relationship attacks exploit connections between organizations and their service providers, allowing attackers to infiltrate less-protected networks of small or medium-sized service providers and use legitimate credentials to access the target organization’s infrastructure. This approach lets attackers carry out large-scale, often undetected cyberattacks, leveraging vulnerabilities, compromised credentials, and sophisticated phishing methods. [Side channel attacks will become more prevalent as we continue to invest in building up our defenses attached to the front door.]

2. OWASP SAMM Benchmark Data — The OWASP SAMM Benchmark Data provides insights into the average scores of various business functions within the Software Assurance Maturity Model (SAMM) across different organizations. The report highlights key findings, such as the highest and lowest-scoring security activities, emphasizing the importance of real-world data for guiding improvements in software security practices. [SAMM benchmark is the open source answer to what has previously been a high-priced, follow-the-hed pay-to-play space. SAMM needs more data to achieve this goal — the data can be anonymous.]

3. Introducing Design Static Application Security Testing (DSAST) with Devici Code Genius — Devici Code Genius introduces Design Static Application Security Testing (DSAST), a novel approach to security testing that generates threat models from existing code, enhancing security and reducing development time. This method scans code to extract design information, automating threat model creation and allowing developers to address security issues efficiently. [ I’m fond of this one. 😂]

4. Microsoft Chose Profit Over Security and Left U.S. Government Vulnerable to Russian Hack, Whistleblower Says — Microsoft allegedly ignored warnings about a critical security flaw in their software to avoid jeopardizing government contracts. Russian hackers later exploited this flaw in the SolarWinds attack, allowing access to sensitive data from multiple U.S. federal agencies. [I’m struggling with this one, as big companies have thousands of bugs they are attempting to triage at any given time. Expecting perfection seems like a setup for failure. It stinks that this flaw was used for SolarWinds access, but it seems like a stretch to say they chose profit over security. They are a for-profit company, though, by the way.]

5. Guide to Kubernetes Security Posture Management (KSPM)  — Kubernetes Security Posture Management (KSPM) emphasizes the importance of assessing and managing the security posture of Kubernetes clusters to protect against common attack vectors. It provides a comprehensive guide on hardening clusters, incident response, and maintaining a defense-in-depth strategy for robust security. [Ahhh, yes, another PM category of tooling. When will it end?]

Featured focus: Secure by Design at Scale

Secure by design is a hot topic—so hot, in fact, that CISA wrote a whole pledge and held a signing ceremony 🤮 at RSA. I wish I could say that a pledge would move the industry forward, but perhaps it would be a tiny step.

When we think about scaling anything, we must consider how to make the concept work for five developers and five thousand. Scaling secure by design is in the same category.

Secure-by-design principles are challenging to implement at scale because they require that the security team build a collection of shared security services that can be incorporated into all applications. These shared security services include multi-factor authentication, SAML/OIDC/SSO, session management, attribute-based access control (ABAC), and input validation/output encoding.

These services are complex to implement but even more complex to create in a way developers can use. Shared security services aim to simplify the implementation and make it less time-consuming than a developer building something from scratch. This is the essence of paved roads that everyone talks about—provide paved roads that are easier for developers to drive on than if they had to build their own roads. Implementing secure-by-design at scale means building paved roads as shared security services developers can easily consume.

Platform engineering should work toward automating as much of the application and product security tool suites as possible. Even more importantly, the platform should invest heavily in improving the fidelity of tool results to ensure that developers are not slowed down by the noise the tool suites generate. Hyperfocus on the five most critical items developers must deal with to deploy a feature that respects security and privacy.

Secure by design is scalable, but unlocking scalability requires an investment in building the pieces that make it easy for developers. That is the key — ease of use; make security easier than not doing security.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • David Quisenberry -- Building Security People and Programs (Audio only; YouTube)

    • With guest David Quisenberry, we discuss his security journey, building AppSec programs in small to mid-sized companies, and the importance of data-driven decision-making.

    • The conversation also covers the value of mentoring, trust with engineering teams, mental health, and community in the industry while sharing personal stories highlighting the importance of relationships and life balance.

• Security Table

  • AppSec Resolutions (Audio only; YouTube)

    • Chris, Izar, and Matt answer fan mail, make fun predictions for 2024, discuss their cybersecurity resolutions, and call global listeners to action. They highlight the podcast's reach and explain topics like large language models (LLMs), Quantum LLMs, and Software Bill of Materials (SBOM).

    • They emphasize the importance of teaching secure coding from the high school level and share their passion for making cybersecurity more accessible, practical, and effective through critical discussions and innovative ideas.

• Threat Modeling Podcast

  • A Comprehensive Threat Modeling Strategy (Audio only)

    • Make threat modeling holistic and straightforward, starting after the high-level design phase and continuously revisiting the model throughout a product's lifecycle. Concentrate on domain-specific problems and use automated approaches for domain-agnostic issues.

    • Special thanks to Iswarya Subramanian Balachandar, Kuldeep Kumar, Abdoulkader (Abdo) Dirieh, Rob van der Veer, and Tony Turner for their feedback on this episode.

Where to find Chris? 🌎

• Webinar: Modern Threat Modeling: Business vs. Technical Perspectives, with Sarah-Jane Madden and Izar Tarandach, hosted by yours truly. Stay tuned for a registration link.

• InfoSec World, Sept 23-25, 2024

  • The Modern Application Security Rocket Ship — Time/date TBD

  • The Paradox of Secure and Private By Design — Time/date TBD

  • Workshop: Threat Modeling Championship: Breaker vs. Builder — Time/date TBD

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.