Reasonable šŸ”AppSec #13 - Five Security Articles, Resilient AppSec, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

Lucky episode #13. I wanted to tell you that I'm having a blast putting this together and carrying the conversations forward to LinkedIn on various topics. Let's keep the conversation going as we try to unpack what "reasonable" application security entails.

In this weekā€™s issue of Reasonable Application Security:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Resilient AppSec

  • Application Security Podcast 🎙️ Corner

Five Security Articles 📰 that Are Worth YOUR Time

  • "A Look at Chrome's security review culture," from the Chrome Security Team, discusses how security reviewers develop confidence and skills, how security review works in Chrome, and why reviewers focus on the design of a proposed feature rather than its implementation details. The post also shares advice for new reviewers: ask questions, keep the people involved at the center of the analysis, and learn from mistakes. (more)

  • Kelly Shortridge contrasts two cybersecurity strategies, advocating for a resilience strategy that respects human behavior and organizational priorities over a control strategy that is often unrealistic and inconvenient for users. (more)

  • "Bugs in the Software Liability Debate" discusses the complexities of software liability, arguing for a nuanced approach that considers the realities of software development and the lack of clear standards for what constitutes secure software rather than focusing solely on known vulnerabilities. (more)

  • "Resilience requires helping each other out" discusses the importance of resource sharing and cooperation in enhancing resilience in complex systems, drawing parallels from biological systems and organizational structures, and emphasizing the role of cooperative culture in fostering resilience. (more)

  • A book review of "Resilience Engineering: Concepts and Precepts" highlights the importance of resilience in complex systems and the strategies to achieve it. (more)

Featured focus: Resilient AppSec

Inadvertently, resiliency has become the topic of this week's newsletter. While reviewing my queue of fantastic AppSec articles, I realized a pattern was forming, so I decided to explore what resilient AppSec means. Let me start by defining what a resilient application means from a security perspective.

Resilience is the ability to recover from or adjust easily to misfortune or change. You could think of a resilient application as one that keeps delivering its core functions regardless of the level of attack it comes under, or of the stress those attacks place on the infrastructure that runs the application.

Resilient application security refers to an application's ability to withstand and recover from threats and vulnerabilities. It involves designing and implementing security measures so that even if one component of the application is compromised, the overall system can continue to operate and recover quickly. This makes me think of zero trust. A Zero Trust architecture plays into resiliency: because every request between components is authenticated and authorized rather than trusted by virtue of network location, a compromised component cannot freely reach the rest of the system, which limits the blast radius of a breach and adds infrastructure-level measures on top of the application security practices already applied.

This includes practices like secure coding, regular patching and updates, encryption, robust authentication and authorization, and continuous threat monitoring. The goal is to limit the impact of any security breach and to keep the application's functionality and services available while it recovers.
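To make the "compromised component, system keeps operating" idea concrete, here is an added example; it is not code from the newsletter, and the names in it are hypothetical. It models a request handler that depends on an authorization service which may be overloaded, unreachable, or compromised. Two controls keep the application serving traffic: a per-client token bucket so one flooding client cannot starve the rest, and a circuit breaker around the authorization call so the handler stops hammering a failing dependency. The security-relevant choice is what happens while the breaker is open: sensitive actions fail closed (denied), while read-only actions keep working in a degraded mode. The clock is injectable so the behaviour can be driven deterministically.

```python
"""Added example, not code from the newsletter: a small in-process model of two
controls that keep an application serving traffic while it is under attack or
while one of its components is failing.

Everything here is hypothetical scaffolding for illustration:
  - handle(client, action) stands in for a request handler
  - authz_backend(client, action) stands in for an authorization service that
    may be overloaded, unreachable, or compromised
  - a per-client token bucket keeps one abusive client from starving others
  - a circuit breaker stops calling a failing authz service; sensitive actions
    fail closed while it is open, read-only actions keep working
"""
import time


class FakeClock:
    """Injectable clock so tests and demos can advance time deterministically."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class TokenBucket:
    """Per-client rate limit: `capacity` tokens, refilled at `rate` tokens per second."""

    def __init__(self, capacity: int, rate: float, now=time.monotonic) -> None:
        self.capacity, self.rate, self.now = capacity, rate, now
        self.tokens = float(capacity)
        self.last = now()

    def allow(self) -> bool:
        t = self.now()
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class CircuitBreaker:
    """Opens after `threshold` consecutive failures; after `reset_after` seconds one
    trial call is let through (half-open), and a success closes the circuit again."""

    def __init__(self, threshold: int, reset_after: float, now=time.monotonic) -> None:
        self.threshold, self.reset_after, self.now = threshold, reset_after, now
        self.failures = 0
        self.opened_at = None

    def call(self, fn, *args):
        if self.opened_at is not None and self.now() - self.opened_at < self.reset_after:
            raise RuntimeError("circuit open")  # shed load instead of queueing on a dead dependency
        try:
            result = fn(*args)
        except Exception:
            self.failures += 1
            if self.failures >= self.threshold:
                self.opened_at = self.now()
            raise
        self.failures, self.opened_at = 0, None
        return result


class App:
    SENSITIVE = {"transfer", "delete"}  # actions that must never run without an authz decision

    def __init__(self, authz_backend, clock=time.monotonic) -> None:
        self.authz, self.clock = authz_backend, clock
        self.breaker = CircuitBreaker(threshold=3, reset_after=30.0, now=clock)
        self.buckets = {}

    def handle(self, client: str, action: str) -> str:
        if client not in self.buckets:
            self.buckets[client] = TokenBucket(capacity=5, rate=1.0, now=self.clock)
        if not self.buckets[client].allow():
            return "throttled"  # a flooding client is contained; other clients are unaffected
        if action not in self.SENSITIVE:
            return "ok"  # degraded but available: read-only paths do not depend on authz health
        try:
            allowed = self.breaker.call(self.authz, client, action)
        except Exception:
            return "denied"  # authz failing or compromised: fail closed, never fail open
        return "ok" if allowed else "denied"


if __name__ == "__main__":
    clock = FakeClock()

    def down_authz(client, action):  # constructed stand-in for an unreachable authz service
        raise ConnectionError("authz unreachable")

    app = App(down_authz, clock=clock)
    for _ in range(4):
        print("transfer ->", app.handle("alice", "transfer"))  # denied, backend called only 3 times
    print("view ->", app.handle("alice", "view"))              # ok: the service keeps running
    print("flood ->", [app.handle("mallory", "view") for _ in range(7)])
```

The fail-closed branch is the part worth copying: a breaker that silently allows sensitive actions when the authorization service is unavailable trades an availability incident for an authorization bypass. Keeping the clock and the backend injectable is what makes these controls testable, which in turn is what lets you prove the degraded behaviour before an attacker does.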

Long live resilient applications and resilient application security. It seems reasonable.

Podcast šŸŽ™ļø Corner

I love making podcasts. In Podcast Corner, you get a single place to see what Iā€™ve put out this week. Sometimes they are my podcasts. Other times they are podcasts that have caught my attention.

  • Application Security Podcast

    • Steve Giguere -- Cloud AppSec

      • Covers the evolution of cloud security, the complexity of secure-by-default settings, the need to broaden AppSec, and the consolidation of application security tools, with insights into cloud-first development, security personas, and the future of cloud application security.

  • Security Table

    • Why Do Engineers Hate Security?

      • Explores the relationship between security professionals and engineers, emphasizing that security professionals need empathy, soft skills, an understanding of the engineering world, and sound resource management to build rapport with engineers and to sell security as a necessary investment.

  • Threat Modeling Podcast

    • Working on the next episode, titled "Developing a Comprehensive Strategy for Threat Modeling."

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔄 Reasonable AppSec is brought to you by Kerr Ventures.

šŸ¤ Want to partner with Reasonable AppSec? Reach out, and letā€™s chat.