Reasonable 🔐AppSec #15 - Five Security Articles, Developers are craftspeople and artisans 🛠️, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue of Reasonable Application Security:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Developers are craftspeople and artisans 🛠️

  • Application Security Podcast 🎙️Corner

Five Security Articles 📰 that Are Worth YOUR Time

  • Gary Hayslip shares his frustrations with vendors in the cybersecurity community. This flows nicely with the AppSec Podcast episode below about AppSec Salespeople. Gary provides recommendations for a better approach, focusing on issues such as professionalism, honesty, integration, understanding the problem the technology solves, and pricing to enhance collaboration and innovation between Chief Information Security Officers (CISOs) and technology partners. (more)

  • Have you ever wondered how to do encryption at scale? Square describes its approach to encrypting sensitive data for Cash App services running in the cloud: AWS KMS plus envelope encryption, combined into a self-service encryption system that is safe, fast, and easy to use. The authors also share lessons from implementing this design, including key rotation and region-specific challenges. (more)

  • Simon Bennetts announces that ZAP, the world's most popular web scanner, is joining the new Software Security Project (SSP) as a founding project under the Linux Foundation, enabling full-time work on ZAP and increased funding while also marking its departure from OWASP, where it had been since its launch in 2010. (more)

  • "Forrester Research: The State of Application Security 2023" summarizes a report highlighting the growing importance of application security, the rise of the Shift-Everywhere movement, the emergence of Software Composition Analysis (SCA), increasing budgets for application security, shifts in developers' purchasing power, and the need for a collaborative approach to protect against next-generation attacks and industry-specific threats. (more)

  • This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumerations (CWEs). (more)
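As an added illustration of the envelope-encryption pattern the Cash App article describes (example code written for this issue, not Square's or AWS's code): each record is encrypted locally under a fresh data-encryption key (DEK), only that DEK is sent to a key-management service to be wrapped under a key-encryption key (KEK), and rotating the KEK means rewrapping the small DEK rather than re-encrypting the data. The `KMS` type is a constructed in-memory stand-in for AWS KMS, and the names `Rotate`, `Wrap`, `Unwrap`, `Encrypt`, `Decrypt` and `Rewrap` are assumptions for the example, not Square's or AWS's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMS stands in for a key-management service such as AWS KMS (constructed for
// this example, not the AWS API): it keeps key-encryption keys (KEKs) by
// version and exposes only Wrap/Unwrap, never the key material itself.
type KMS struct {
	keks [][]byte // keks[i] is KEK version i+1; call Rotate before Wrap
}

// WrappedKey is a DEK sealed under one KEK version; Envelope is the stored
// record: the wrapped DEK beside the data it protects.
type WrappedKey struct {
	KEKVersion        int
	Nonce, Ciphertext []byte
}
type Envelope struct {
	WrappedDEK        WrappedKey
	Nonce, Ciphertext []byte
}

// Rotate installs a fresh AES-256 KEK as the current version. Older versions
// stay available so DEKs wrapped under them can still be unwrapped or rewrapped.
func (k *KMS) Rotate() int {
	k.keks = append(k.keks, randomBytes(32))
	return len(k.keks)
}

// Wrap seals a DEK under the current KEK so it can be stored beside the data.
func (k *KMS) Wrap(dek []byte) WrappedKey {
	nonce, ct := seal(k.keks[len(k.keks)-1], dek)
	return WrappedKey{KEKVersion: len(k.keks), Nonce: nonce, Ciphertext: ct}
}

func (k *KMS) Unwrap(w WrappedKey) ([]byte, error) {
	if w.KEKVersion < 1 || w.KEKVersion > len(k.keks) {
		return nil, fmt.Errorf("unknown KEK version %d", w.KEKVersion)
	}
	return newGCM(k.keks[w.KEKVersion-1]).Open(nil, w.Nonce, w.Ciphertext, nil)
}

// Encrypt is the envelope pattern: a fresh DEK per record encrypts the data
// locally, and only the 32-byte DEK makes the round trip to the KMS.
func Encrypt(kms *KMS, plaintext []byte) *Envelope {
	dek := randomBytes(32)
	nonce, ct := seal(dek, plaintext)
	return &Envelope{WrappedDEK: kms.Wrap(dek), Nonce: nonce, Ciphertext: ct}
}

func Decrypt(kms *KMS, env *Envelope) ([]byte, error) {
	dek, err := kms.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return newGCM(dek).Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Rewrap moves an envelope onto the current KEK; the data ciphertext is untouched.
func Rewrap(kms *KMS, env *Envelope) error {
	dek, err := kms.Unwrap(env.WrappedDEK)
	if err != nil {
		return err
	}
	env.WrappedDEK = kms.Wrap(dek)
	return nil
}

// seal is AES-256-GCM with a fresh random 96-bit nonce per message.
func seal(key, plaintext []byte) (nonce, ct []byte) {
	aead := newGCM(key)
	nonce = randomBytes(aead.NonceSize())
	return nonce, aead.Seal(nil, nonce, plaintext, nil)
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // unreachable: every key in this file is 32 bytes
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // the OS CSPRNG failing is not recoverable
	}
	return b
}
```

The point to notice is in `Rewrap`: after `Rotate`, the stored data ciphertext never changes, only the few dozen bytes of wrapped DEK do, which is why this design keeps key rotation cheap at scale. The region-specific challenges the article mentions are outside this example.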

Featured focus: Developers are craftspeople and artisans 🛠️

This past week, I got to watch a craftsperson work. I was sitting in a flower shop, meeting two guys about buying property from them. One of the guys is a lifelong florist and was building a floral arrangement. He continued making this flower display as we sat around the table and discussed the potential purchase.

As I was sitting there, it gave me a new appreciation for the art and science of creating a flower bouquet. My skills are lacking, but I appreciate watching an artist work. His skill and effort with each addition to the bouquet were spectacular.

This made me conclude that our software developers of today are artists and scientists. Software development is a science in that there are rigorous rules for how code must be written, and if those rules are not followed, the software will not work. It is also artistic work in that developers can create new approaches to designing and implementing their software, limited only by their creativity and the constraints of the language itself.

In the Threat Modeling Manifesto, we described threat modeling with these exact words: art and science. Threat modeling taps into the creativity and scientific thinking of the developer and channels them toward considering the things that could go wrong from a security and privacy perspective.

Threat modeling is gaining more attention as the secure-by-design flag waves across our industry. The success of threat modeling will be determined by how deeply developers accept it. There are not enough security people around to threat model all the things. That, my friend, is a fact. Teach the developers to threat model, and stand out of the way as a security gold rush occurs across your organization. Capture the benefit of watching your products, applications, and services become their secure alternatives. It’s a powerful thing to watch, transformation.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes they are my podcasts. Other times they are podcasts that have caught my attention.

  • Application Security Podcast

    • Tony Quadros -- The Life of an AppSec Vendor

      • Tony Quadros, the AppSec Lumberjack, shares the unique career journey that led him to Application Security. He explains his role as an AppSec vendor, emphasizing the importance of understanding customer needs and providing value. The discussion also covers the challenges salespeople face in the cybersecurity industry, the significance of setting realistic expectations, and the role of sales leadership in fostering a positive company culture, along with Tony's involvement with OWASP Maine and his encouragement for community participation.

  • Threat Modeling Podcast

    • A Comprehensive Threat Modeling Strategy

      • The podcast episode emphasizes the essential role of threat modeling in the AppSec community and the everyday struggles in implementing it effectively. Chris outlines a comprehensive strategy for threat modeling, focusing on understanding the organization's culture, tech debt, and current risk posture, integrating threat modeling into the development process in an agile manner, keeping the threat model up-to-date, and concentrating on domain-specific problems, all aimed at guiding AppSec teams to success in this critical discipline.

  • Security Table

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.