Reasonable 🔐 AppSec #1 - My RSAC Wrap Up, Five Security Articles, And Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

Happy Friday! If you were at RSA Conference, I hope you are recovering well.

In this week’s issue:

  • My RSAC wrap-up 🎁

  • Five security articles 📰 that are worth YOUR time

  • Application Security Podcast 🎙️ Corner

My RSAC Wrap-Up

Here are four things I remembered, realized, shared, and laughed about during my time at #rsac2023:

  1. The year of the application has yet to happen. It could be 2023, 2024, or even 2025, but the year of the application is coming soon. And that year of the application reaches the driving force of application security. Get ready.

  2. Conferences are, first and foremost, about the community. This is the first year in many that I wasn't representing a vendor, and it was a nice break to focus on reconnecting with old friends, making new friends, and enjoying the time versus running from sales meeting to sales meeting.

  3. #threatmodeling is still a green field, with continuous room to push the industry forward. I led a workshop, Advanced Threat Modeling: Red vs. Blue. The people in the room loved the experience, and I enjoyed the opportunity to lead and mentor them to more threat modeling knowledge. There is a hunger for people to understand how to perform threat modeling.

  4. The #AppSec startup space has some great stuff happening. In visiting the Early Stage Expo, I saw Privado.ai, with a software solution to trace the use of PII throughout repos and source code. I checked in with my friends at Oxeye and met a VC who asked me to be in touch on my next project. #AppSec is a happening place in the startup ecosystem.

#RSAC, what a year! I can't wait for next.

P.S. This image was taken from my talk, "The State of the Union for Application Security."

Five Security Articles that are Worth YOUR Time

  • Microsoft’s DevOps Threat Matrix highlights steps of compromise within your build pipelines. (more)

  • The deps.dev security metadata dataset includes dependencies, licenses, advisories, and other critical health and security signals for over 50 million open-source package versions. (more)

  • Side channel attacks, container breakouts, and cloud service provider vulnerabilities are three commonly neglected cloud vectors in cloud security. (more)

  • The Open Source Security Foundation (OpenSSF) announced the release of SLSA v1.0, a framework that helps secure the software supply chain. (more)

  • CISA is shifting the balance of cybersecurity risk with a new guide containing principles and approaches for security-by-design and -default. (more)

Podcast Corner

I love making podcasts. In Podcast Corner, you get a single place to see what each episode covers for that week.

  • Application Security Podcast

    • Christian Frichot -- Threat Modeling with hcltm

      • Christian Frichot created hcltm, a DevOps threat modeling tool tailored for developers, which integrates with standard tools and workflows while promoting customization and adaptability through user feedback and trials.

  • Security Table

  • Threat Modeling Podcast

    • What is the Essence of Threat Modeling?

      • In the first episode of the Threat Modeling podcast, host Chris Romeo delves into various definitions of threat modeling, with a preference for the Threat Modeling Manifesto's definition. The podcast highlights that threat modeling combines art, science, collaboration, and brainstorming to enhance security and privacy within systems.

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.