Reasonable 🔐AppSec #10 - Five Security Articles, Security Theater, Photo, and Podcast Corner

Hey there,

In this week’s issue of Reasonable Application Security:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Security Theater 🎭

• Photo of the week 📷

• Application Security Podcast 🎙️Corner

Five Security Articles 📰 that Are Worth YOUR Time

• Researchers from Rezilion have found that the most popular generative AI projects on GitHub tend to have the least mature security, according to an evaluation using the OpenSSF Scorecard. The study reveals a concerning trend that the popularity of a project needs to reflect its security posture, with the most popular GPT-based project, Auto-GPT, scoring just 3.7 out of 10 on the Scorecard. (more)

• MITRE has published its annual list of the "Top 25 most dangerous software weaknesses" for 2023, with Out-of-bounds Write emerging as the top vulnerability. Based on an analysis of public vulnerability data, the list aims to help organizations make better investment and policy decisions in vulnerability management. (more)

• The Threat Modeling Handbook is a comprehensive guide provided by the Centers for Medicare & Medicaid Services (CMS) to help organizations understand and implement threat modeling as part of their risk management process. It provides detailed instructions on identifying, prioritizing, and mitigating potential threats to enhance the security posture of an organization's information systems. Kudos to my friend Robert Hurlbut who was behind this. (more)

• There is a rising interest in Software Bills of Material (SBOMs) in the application security community and government sectors. However, the author expresses skepticism about the current regulatory approach to SBOMs, viewing them more as a compliance solution than a security one, and raises concerns about their potential to stifle startup innovation. Others think, like I do, that SBOMs are not the answer to all of AppSec’s problems. (more)

• Keep as much logic as possible in the backend of web applications to avoid code duplication, improves performance, simplify maintenance, testing, and debugging, and reduce complexity. Certain functions must be handled by the front end, such as localization and accessibility features; most other functions can and should be handled by the backend, leading to more efficient and manageable web development. (more)

Featured focus: Security Theater 🎭

Writing this is challenging, but I will try it. I’ve been traveling in an Eastern European country for the past few weeks, running a summer camp. As my team and I prepared to return to the airport and depart for home, we saw on the news that a shooting had occurred the day before.

A man was denied entry into the country, and as he was being transported to a holding area to be sent back to his originating country, he grabbed a firearm from a border policeman and shot and killed two airport security officers. This is a tragedy, as is when anyone loses human life.

We arrived at the airport the next day to find greatly enhanced security procedures. We could not return our rental car because two national policemen with automatic weapons were guarding the front of the return desk, and they said that rental cars were closed for the day.

There was a heightened police presence throughout the airport, armed special forces troops visibly moving around the building, and enhanced security screening.

It was a tragedy that anyone lost their life — but why modify the external security policies when reacting to the threat inside the airport? The threat was that a contained prisoner could gain access to a weapon, not that someone else would bring a weapon into the airport from the outside. The mitigation for this threat is to enhance your team’s control of personal firearms and adjust procedures for how you transport prisoners.

In security, we often overreact and adjust in the wrong areas. Instead of pinpointing and mitigating the threat, we adjust externally perceptible controls to make people feel better about the security services we provide.

I get now why Bruce Schneier calls this “security theater.” It’s theater because we take actions to impact people’s perceptions but do not focus on the root of the issues we face. Security, focus on the real issue — focus on the root. Mitigate the issue, and the resulting impact is that security is indeed improved.

Photo of the week 📷

I collect photos of MS Windows in the wild. It took a lot of work to review the menu for the restaurant since they were re-installing Windows.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes they are my podcasts. Other times they are podcasts that have caught my attention.

• Application Security Podcast

  • Kim Wuyts -- The Future of Privacy Threat Modeling

    • Kim Wuyts discusses the LINDDUN framework for privacy threat modeling, which analyzes threats across multiple categories and has been updated to incorporate new developments in privacy. She emphasizes the importance of combining privacy and security, protecting individual rights and data, and the role of the Threat Modeling Manifesto in promoting privacy threat modeling.

• Security Table

  • Lack of Reasonable, or Everything That Is Wrong with Security Requirements

    • What is "reasonable security" in vendor evaluation? It emphasizes the need for a mutually agreed standard between the vendor and buyer. A reasonable standard could include a threat model, documentation of that model, and an invitation for the buyer to ask questions about the process, covering how the software is built and deployed into production.

• Threat Modeling Podcast

  • A new episode is coming soon — Engineering-led threat modeling.

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.