Reasonable 🔐AppSec #11 - Five Security Articles, AppSec Ownership, Photo, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue of Reasonable Application Security:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: AppSec Ownership

  • Photo of the week 📷

  • Application Security Podcast 🎙️Corner

Five Security Articles 📰 that Are Worth YOUR Time

  • I met Eitan at OWASP Dublin. He’s at the forefront of this issue of generative AI fixing code for you. The article argues that generative AI can fix code vulnerabilities, but that the payoff is uneven: it handles simple, repetitive fixes well, while fixes in complex code need careful human review so the model does not introduce more problems than it solves. It is not yet the complete answer for DevSecOps teams, but it can help make incremental progress on vulnerability backlogs. (more)

  • The OWASP Secure Cloud Architecture Cheat Sheet provides comprehensive guidelines for creating and reviewing secure cloud architectures. It covers key aspects such as risk analysis, threat modeling, attack surface assessments, secure object storage, the use of virtual private clouds (VPCs) and subnets, trust boundaries, and the implementation of security tooling like web application firewalls, logging and monitoring, DDoS protection, and maintenance of self-managed tooling. (more)

  • A new Python script has been released to help developers check packages for "manifest confusion" mismatches: cases where the metadata the npm registry serves for a package version (name, version, dependencies, scripts) does not match the package.json inside the published tarball, which an attacker can exploit to hide dependencies or install hooks from tooling that trusts only the registry manifest. The tool, available on GitHub, aims to minimize risk until a formal fix is in place on the registry side. (more)

  • A piece on integrating security early in the software development process, known as "shifting left." It emphasizes the need for a cultural shift within organizations that makes security everyone's responsibility, and explores involving developers in threat-modeling exercises, using security tools built for developers, and establishing best practices at scale. (more)

  • Infographic on Privacy Engineering — the systematic and scientific approach to incorporating privacy requirements into systems and services design, development, and operations across various domains. This includes software development, system design, data science, physical architecture, process design, information technology infrastructure, and human-computer interaction/user experience design, and involves tasks such as analyzing data, evaluating floor and building plans, developing IT infrastructure, conducting user studies, and performing code audits to ensure privacy objectives are met. (more)
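The manifest confusion check described in the third article above comes down to one comparison: read package.json out of the published tarball and diff it against the per-version manifest the registry serves. The example below is added here to show that comparison in working form; it is not the GitHub tool the article links to. It assumes only what npm guarantees about the tarball layout (files live under a top-level package/ directory) and builds a constructed registry manifest and tarball in memory, so it runs offline; the package and dependency names are made up for the example.

```python
import io
import json
import tarfile

# Fields the registry copies into its per-version manifest and that tooling
# (including the npm install lifecycle) commonly trusts without re-reading the
# tarball. A difference in any of these is the manifest confusion condition.
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts")


def read_tarball_package_json(tarball_bytes: bytes) -> dict:
    """Return the package.json stored inside an npm tarball (package/package.json)."""
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            # npm publishes every file under a top-level "package/" directory.
            if member.name in ("package/package.json", "./package/package.json"):
                return json.load(tar.extractfile(member))
    raise ValueError("tarball contains no package/package.json")


def find_manifest_mismatches(registry_manifest: dict, tarball_bytes: bytes) -> dict:
    """Compare the registry's per-version manifest with the tarball's package.json.

    Returns {field: (registry_value, tarball_value)} for each checked field that
    differs. An empty dict means no manifest confusion for this version.
    """
    pkg = read_tarball_package_json(tarball_bytes)
    mismatches = {}
    for field in CHECKED_FIELDS:
        reg_val = registry_manifest.get(field)
        tar_val = pkg.get(field)
        if reg_val != tar_val:
            mismatches[field] = (reg_val, tar_val)
    return mismatches


def build_tarball(package_json: dict) -> bytes:
    """Build a minimal npm-style .tgz in memory (constructed test input, not a real package)."""
    buf = io.BytesIO()
    data = json.dumps(package_json).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed example (hypothetical package and dependency names): the registry
# manifest looks clean, but the tarball's package.json adds a dependency and a
# postinstall hook that a registry-only review would never see.
REGISTRY_MANIFEST = {
    "name": "example-pkg",
    "version": "1.0.0",
    "dependencies": {"lodash": "^4.17.21"},
    "scripts": {"test": "node test.js"},
}
TARBALL = build_tarball({
    "name": "example-pkg",
    "version": "1.0.0",
    "dependencies": {"lodash": "^4.17.21", "evil-helper": "1.2.3"},
    "scripts": {"test": "node test.js", "postinstall": "node setup.js"},
})

if __name__ == "__main__":
    for field, (reg, tar) in find_manifest_mismatches(REGISTRY_MANIFEST, TARBALL).items():
        print(f"{field}: registry={reg!r} tarball={tar!r}")
```

Against a real package you would fetch the version object from the registry's packument and the tarball from its dist.tarball URL, then pass both to find_manifest_mismatches; the comparison logic is the same. Note that the check flags differences, not malice: a benign publish pipeline can also produce a drift in scripts or dependencies, so each hit still needs a human look.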

Featured focus: AppSec Ownership

I saw a great question expressed on LinkedIn last week as a poll. I answered it, but as I thought about it more, I realized I needed more words to explain my thoughts. “Should AppSec be a separate team, or should the responsibilities of AppSec be completely owned by development?”

At first blush, AppSec should be entirely owned by development. Development controls the process of building software and has teams that define the tooling that supports the other developers in being most productive. Security should plug in as another suite of tools that developer experience manages, and the entire set of work should be run by one set of product and program managers.

But then reality sets in. I start to wonder whether security and privacy will get the attention they need if there is no separate team advocating for them and resourcing the tools, processes, training, and governance that ensure the right things are done at the right time. Important things will slip through the cracks, leading to disclosed vulnerabilities and data and system breaches, which will in turn warrant creating a specialized team to ensure those issues don’t happen again.

I’m landing on the fact that we are too early in the security lifecycle to push all of AppSec into development. I think it will happen; maybe ten years in the future, maybe further. But it will happen at some point.

Photo of the week 📷

I was in Vienna, Austria, riding in an Uber towards the town center. As is my standard practice, I started talking with the driver. I asked him for any restaurant recommendations in Vienna. He had heard this question before and quickly navigated to a checklist on his phone. This reminded me of the power of checklists, and we can drag this concept into security. Checklists help us ensure we consider the right things at the right time.

A restaurant checklist in Vienna, Austria

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes they are my podcasts. Other times they are podcasts that have caught my attention.

  • Application Security Podcast

    • Farshad Abasi -- Three Models for Deploying AppSec Resources

      • Farshad Abasi explores three models for deploying resources within application security teams: the Dedicated AppSec Person Model, the Federated Model, and the Champion or Deputy Model, ultimately concluding that the fully deputized Champion or Deputy Model is the most scalable approach.

  • Security Table

    • Should #AppSec be Part of the Development Team?

      • An exploration of integrating all application security functions directly into development: the challenges developers face in ensuring security without adequate tools or training, the idea of "shifting everything left" to integrate security earlier in the development process, and a concern over the imbalance of responsibility and power in AppSec.

  • Threat Modeling Podcast

    • Software-Centric Threat Modeling

      • An emphasis on asset-based threat modeling that focuses on user stories, integrates threat modeling into the DevSecOps process, and uses pull request templates for standard threat modeling questions, all while advocating for a developer-friendly approach to threat modeling.

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.