Reasonable 🔐 AppSec #12 - Five Security Articles, SBOM and Me Aren't Friends, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue of Reasonable Application Security:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: SBOM and Me Aren’t Friends

  • Application Security Podcast 🎙️ Corner

Five Security Articles 📰 that Are Worth YOUR Time

  • I found this on “Return to Security”, but had to share. "How to be a security person that engineers don't hate" offers insights on how security professionals can build effective relationships with engineering teams by understanding their processes, gaining knowledge about the product and business, demonstrating how solving security problems can also achieve engineering objectives, and actively collaborating with the team. (more)

  • "Common design patterns at Stripe" discusses the key design patterns used at Stripe, including the importance of clear language, the use of enums over booleans, nested objects for extensibility, returning the object type in responses, implementing a permission system, and making IDs unguessable, all aimed at creating APIs that are secure and human-friendly. Design patterns improve security. (more)

  • PyLoose is a new Python-based fileless malware that targets cloud workloads, leveraging the Linux memfd feature to load an XMRig miner directly into memory, making it elusive to conventional security measures. (more)

  • 8.5% of the 337,171 Docker Hub images analyzed contain confidential secrets such as private keys and API secrets, thereby exposing software, online platforms, and users to a significant security risk. (more)

  • I learned of Wing during a podcast interview with Steve Giguere.

    Wing is a cloud-oriented programming language that unifies infrastructure and runtime code, compiles to Terraform/IaC and JavaScript, supports local simulation, and is designed for maximum portability and interoperability with existing stacks and tools, aiming to streamline and enhance the development process for cloud applications. (more)
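The PyLoose item above notes that memfd lets a payload run entirely from memory. On Linux the kernel exposes that fact in /proc: a process whose executable lives in an anonymous memfd has an `/proc/<pid>/exe` link that resolves to a path of the form `/memfd:<name> (deleted)`. The script below is an added example, not code from the article or from any of the projects mentioned, that checks for that condition on a host; the sample link targets in `SAMPLE_EXE_LINKS` are constructed for illustration.

```python
"""Flag running processes whose main executable is backed by a memfd.

Added defensive check; not part of the original newsletter or any cited project.
"""
import os
from typing import Iterable, List, Tuple

# The kernel renders a memfd-backed executable's /proc/<pid>/exe target as
# "/memfd:<name> (deleted)". A normal binary resolves to an on-disk path.
MEMFD_PREFIX = "/memfd:"


def is_memfd_target(target: str) -> bool:
    """True if a resolved exe link points at an anonymous memfd rather than a file."""
    return target.startswith(MEMFD_PREFIX)


def find_memfd_processes(exe_links: Iterable[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Filter (pid, exe_target) pairs down to those running from a memfd."""
    return [(pid, target) for pid, target in exe_links if is_memfd_target(target)]


def read_exe_links(proc_root: str = "/proc") -> List[Tuple[int, str]]:
    """Collect (pid, exe_target) for every readable process under proc_root."""
    links = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            # Kernel threads have no exe; other users' processes need root.
            continue
        links.append((int(entry), target))
    return links


# Constructed sample data standing in for a /proc walk (not real host output).
SAMPLE_EXE_LINKS = [
    (1, "/usr/lib/systemd/systemd"),
    (731, "/usr/bin/python3.11"),
    (4242, "/memfd:kdevtmpfs (deleted)"),  # in-memory executable, worth a look
    (4300, "/usr/bin/bash"),
]


if __name__ == "__main__":
    # Live scan of this host; fall back to the constructed sample when /proc is absent.
    links = read_exe_links() if os.path.isdir("/proc") else SAMPLE_EXE_LINKS
    for pid, target in find_memfd_processes(links):
        print(f"pid {pid}: executable backed by memfd -> {target}")
```

A hit is not proof of compromise (some legitimate runtimes use memfd), but a memfd-backed executable on a server that should only run packaged binaries deserves a closer look, and the list makes a cheap periodic check or EDR enrichment.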

Featured focus: SBOM and Me Aren’t Friends

This past week, Jeff Williams, an old friend and colleague, and I were debating SBOM on LinkedIn. I’ve known Jeff since 1997, when he and I started working together at Arca Systems. I’ve learned much from Jeff over the years, and I always enjoy any opportunity we have to discuss and debate all things cybersecurity.

You can read the entire thread if you want all the context. I thought I’d use this space to summarize my three primary objections to the way SBOM is being portrayed.

  1. SBOM by itself doesn't improve anything. SBOM is an informational blob for collecting security-relevant data. I don't have an issue with the information it portrays, and I agree that it is valuable. My point is that SBOM doesn't improve secure development practices, and SBOM doesn't fix vulnerabilities. Those things require the same resources that they did before SBOM existed.

    If the concept of SBOM is groundbreaking, why not create SASTBOMs that will finally solve the challenges with false positives in SAST tools? Because organizing a collection of findings into an XML format doesn't fix anything.

  2. SBOM cannot be acted upon fast enough in a DevOps world to fix issues or measure risk. DevOps in its perfect state may release anywhere from ten to fifty times daily. I now have a pile of SBOMs for the one SaaS solution I rely upon. And tomorrow, I have another pile. I am still looking for a path for how an organization can use this level of data to reduce risk without woefully falling behind. Do I consider the SBOM once per month? Perhaps. But what about any bad stuff introduced since the last SBOM was considered? Imagine what an attacker could do with thirty free days to poison an open-source package and have it built into a production SaaS application.

  3. The US Government pretends that SBOM is the thing that will save the country from our cybersecurity woes. As I've read the various US Government publications over the past 1.5 years that mention SBOM, they are portraying SBOM as the answer to all of our struggles from the past. I don't see how SBOM eliminates all our security and privacy challenges. My objection on this front is how the US Gov't is portraying SBOM. Yes, transparency is a good thing. Yes, visibility is a good thing. I don't hate SBOM. My challenge is that it is being portrayed as something that it is not and five years from now, we'll look back and see that SBOM provided a small, incremental push on our path but was not the thing that saved the world.

I want to be friends with SBOM. I really do. I’m just struggling to jump on the SBOM bandwagon. Maybe someday.
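Objection 2 is about volume: tens of SBOMs a day are useless if a human has to read each one. One way a team makes that pile actionable is to stop reading SBOMs and start diffing them, so that only releases that change the component set get a look. The script below is an added example, not code from the newsletter or from any SBOM tool; it diffs two CycloneDX JSON documents (the real `bomFormat`/`components`/`purl` fields) and the two sample SBOMs embedded in it are constructed for illustration.

```python
"""Diff two CycloneDX SBOMs and report what changed between consecutive releases.

Added example for the SBOM discussion; not the newsletter's or any vendor's code.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample SBOMs (not a real project). Release N and release N+1.
SBOM_RELEASE_1 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.3",
         "purl": "pkg:pypi/urllib3@2.0.3"},
        {"type": "library", "name": "legacy-helper", "version": "3.2.1",
         "purl": "pkg:pypi/legacy-helper@3.2.1"},  # constructed package name
    ],
})

SBOM_RELEASE_2 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7"},
        {"type": "library", "name": "example-util", "version": "0.1.0",
         "purl": "pkg:pypi/example-util@0.1.0"},  # constructed package name
    ],
})


def components(sbom_json: str) -> Dict[str, str]:
    """Map component name -> version from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    # Key by name so a version bump is reported as a change, not remove + add.
    return {c["name"]: c.get("version", "") for c in bom.get("components", [])}


def diff_sboms(old_json: str, new_json: str) -> Dict[str, List[Tuple]]:
    """Return components added, removed, and version-changed from old to new."""
    old, new = components(old_json), components(new_json)
    added = sorted((n, new[n]) for n in new.keys() - old.keys())
    removed = sorted((n, old[n]) for n in old.keys() - new.keys())
    changed = sorted((n, old[n], new[n])
                     for n in old.keys() & new.keys() if old[n] != new[n])
    return {"added": added, "removed": removed, "changed": changed}


def needs_review(diff: Dict[str, List[Tuple]]) -> bool:
    """A release earns human attention only when its dependency set moved."""
    return bool(diff["added"] or diff["removed"] or diff["changed"])


def format_report(diff: Dict[str, List[Tuple]]) -> str:
    """Render the diff as short lines suitable for a pipeline log or ticket."""
    lines = []
    lines += [f"+ {n}@{v}" for n, v in diff["added"]]
    lines += [f"- {n}@{v}" for n, v in diff["removed"]]
    lines += [f"~ {n} {a} -> {b}" for n, a, b in diff["changed"]]
    return "\n".join(lines) if lines else "no component changes"


if __name__ == "__main__":
    d = diff_sboms(SBOM_RELEASE_1, SBOM_RELEASE_2)
    print(format_report(d))
    print("review needed:", needs_review(d))
```

Run against each new release's SBOM and the previous one, the script turns fifty daily SBOMs into a handful of "a new package arrived" or "this version bumped" events, which is the granularity at which a newly poisoned package could actually be noticed within a day rather than a month. It does not fix anything on its own, which is exactly the newsletter's point; it only decides which SBOMs are worth a person's time.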

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes they are my podcasts. Other times they are podcasts that have caught my attention.

  • Application Security Podcast

    • Paul McCarty -- The Burrito Analogy of the Software Supply Chain

      • This episode discusses the importance of understanding the components of the software supply chain for effective security, using the burrito analogy to illustrate the need for knowledge of contents, and covers topics like the nuances of the Software Bill of Materials (SBOM), the role of third-party components, and the significance of threat thinking in the software supply chain.

  • Security Table

    • Security Posture is a Thing

      • Delve into the concept of security posture, discussing its qualitative and quantitative aspects, its measurement, its differentiation between organizational and system levels, the impact of leadership changes, and the role of tools and processes in assessing it.

  • Threat Modeling Podcast

    • Software-Centric Threat Modeling

      • Explore the emphasis on asset-based threat modeling, focusing on user stories, integrating threat modeling into the DevSecOps process, and using pull request templates for standard threat modeling questions, all while advocating for a developer-friendly approach to threat modeling.

      • Working on the next episode now; the working title is “Developing a Comprehensive Strategy for Threat Modeling.”

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔄 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.