Reasonable 🔐AppSec #14 - Five Security Articles, Dev Tools over Sec Tools, and Podcast Corner
A review of application security happenings and industry news from Chris Romeo.
Hey there,
Episode #14 — welcome to all our new subscribers! I’ve set a goal to raise the number of subscribers to 1000. We’re at 340 right now. Would you help us by sharing this newsletter with people who could use it?
In this week’s issue of Reasonable Application Security:
Five security articles 📰 that are worth YOUR time
Featured focus: 👩💻Dev tools over Sec tools? 🛠️
Application Security Podcast 🎙️Corner
Five Security Articles 📰 that Are Worth YOUR Time
The OWASP Top 10 for Large Language Model Applications version 1.0 has been officially released. It is the first comprehensive industry-standard reference for security vulnerabilities in applications that use Large Language Models (LLMs), and it marks a significant milestone in enabling the safe use of LLMs by giving developers, data scientists, and security teams practical guidance for identifying and addressing LLM-specific vulnerabilities. (more)
The Rust Foundation has outlined numerous enhancements to the language's security structure, including developing tools, features, and recommendations based on security research, focusing on software supply chain security, crate security information, and threat modeling. (more)
The Cybersecurity and Infrastructure Security Agency's (CISA) Secure Software Development Attestation Form, released in response to the White House's Cybersecurity Executive Order, is a self-reporting tool that suppliers to the federal government use to confirm their compliance with security practices, including software composition analysis and software bills of materials. Initial confusion had suggested that these components were being de-emphasized; they are not. (more)
While many organizations are implementing a zero trust framework to enhance their security posture, only half include authorization in their program, which can leave their infrastructure exposed to threat actors. The challenges cited include a lack of visibility and control over authorization policies and insufficient technical resources. (more)
Tyler Jewell’s newsletter focuses on the Developer-Led Landscape, where tooling is aimed at developers and not labeled as a security tool. This latest paper discusses the importance of securing the software supply chain. He has previous writings on other topics. (more)
Featured focus: 👩💻Dev tools over Sec tools? 🛠️
I’ve been around cybersecurity for a long time: twenty-six years at last count. I’ve seen many tools come and go; I’ve seen whole classes of tools appear, dominate the market, and then disappear into the sunset. IDS/IPS, I’m looking directly at you.
When I think about the success of tooling within the world of AppSec, I’m struck by how many security tools are not made for developers. They are made for the security team. The challenge here is that for a tool to be successful (providing a return on investment), it must be accepted and used by the body of people building the things. A tool aimed at a security team in AppSec is a tool that has limited traction and will struggle to move the needle in a big way.
The stickiest of tools connect with the developers and provide them with value. So much value that they lobby their management chains to purchase licenses for said tools to allow all developers to take advantage of the improvements and streamlined capabilities of the technology. Snyk is an excellent example of a company that has been successful in connecting with developers and then turning that into sales.
If you’re considering purchasing a new tool or examining all the AppSec tools in your quiver, ask yourself: does this tool fit within the flow of my developers, or is it a “security” tool? If the tools you buy are not developer friendly, examine other options in the market. The most robust AppSec programs choose the technology that improves the development team's capabilities, not the security team's.
Podcast 🎙️ Corner
I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes they are my podcasts. Other times they are podcasts that have caught my attention.
Security Champions as the Answer to Engineering Hating Security
The transformation of engineers into security champions is a decisive step. There are benefits and implications of this change. We explore the components of a good security champion program, including advanced training for developers with influence to bridge the gap between security and engineering while addressing potential challenges such as overloading team members and maintaining salary expectations.
Working on the next episode, “Developing a Comprehensive Strategy for Threat Modeling.”
🤔 Have questions, comments, or feedback? I'd love to hear from you!
🔥 Reasonable AppSec is brought to you by Kerr Ventures.
🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.