Reasonable 🔐AppSec #16 - Five Security Articles, Secure by Accident, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue of Reasonable Application Security:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Secure by Accident

  • Application Security Podcast 🎙️Corner

Five Security Articles 📰 that Are Worth YOUR Time

  • Explore the threats associated with deploying Limited Language Models (LLMs) in an enterprise setting, highlighting the potential for biased responses, data security concerns, and the need for a more comprehensive approach to language understanding. (more)

  • An AI-powered recipe suggestion bot, the Savey Meal-Bot, returned dangerous recipe suggestions when given a list of harmful ingredients, including a recipe for toxic chlorine gas. It’s not Skynet, but could this be the AI that so many people are afraid of? (more)

  • The Consumer Authentication Strength Maturity Model (CASMM) is a visual reference designed to help security-savvy individuals guide less knowledgeable users in improving password hygiene and authentication practices. The model ranks authentication methods from Levels 1 to 8, with higher levels representing stronger authentication. Share this with those in your life that need a security boost. (more)

  • Black Hat 2023 is behind us, and this article highlights the 20 hottest new cybersecurity tools showcased at the conference, featuring products from top security vendors such as Palo Alto Networks, Cisco Systems, Fortinet, and SentinelOne. The tools focus on critical areas like XDR (extended detection and response), zero trust security, SASE (secure access service edge), cloud and application security, vulnerability management, and threat intelligence. Generative AI remains a crucial enabler for many of these tools, with vendors offering capabilities to secure the use of Large Language Models (LLMs) or protect against attacks created with generative AI apps like OpenAI's ChatGPT. (more)

  • Does CISA's Secure by Design/Secure by Default initiative introduce challenges? Four months after its release, the initiative struggles to move beyond being an aspirational exercise. Experts suggest that the diversity of software projects makes a one-size-fits-all approach impractical and that transparency and market incentives are key. The article also highlights federal agencies' challenges in implementing the initiative, including differing protocols among agencies and the enormous cost of replacing and upgrading insecure software. (more)

Featured focus: Secure by Accident

Secure by Design is getting much attention these days. CISA put out an initial set of guidance imploring those that serve federal agencies to step up for secure by design. They also included “by default,” but we’ll get to that later.

As I was thinking about secure by design, it got me thinking about what the opposite of it is. Would you happen to know if this is secure by accident? How would that work? Imagine a product that made the right choices for security without knowing any better. Or accidentally chose the wrong options.

I’m not convinced this could occur organically. Let’s think through an example. Secrets management is top of mind for me. If developers were creating secrets inside a cloud service running within a cloud provider, could they “accidentally” use a key manager? It wouldn’t happen accidentally, but a guardrail/paved road could lead them to the key manager being the easiest thing to do.

So while secure by accident is not a thing, secure by design will continue to grow over the next few years. Threat modeling is the root of secure by design. Having a process to discover threats and build a more secure and private design is the epitome of “secure by design.” CISA lists other things, but for me, threat modeling is the critical item that unlocks all other items on their list.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes they are my podcasts. Other times they are podcasts that have caught my attention.

  • Application Security Podcast

    • Kevin Johnson -- Samurai Swords and Zap's Departure

      • Kevin Johnson, CEO of Secure Ideas and creator of BASE, discusses his journey from developer to security expert, his passion for open-source projects, and the importance of community contributions.

      • He provides insights on getting started with SamuraiWTF, a tool for mastering application security, and shares his concerns about ZAP's departure from OWASP and its impact on the cybersecurity community.

  • Security Table

    • Secure by Design

      • "Secure by Design” is where systems are designed with security principles from the outset, and "Secure by Default" is where systems are pre-configured for security.

      • We explore the idea of "de-hardening" guides for compatibility, which one host opposes due to potential security risks.

      • We also examine the role of Threat Modeling in guiding and verifying Secure by Design systems, emphasizing the importance of continuous threat modeling and staying updated with the evolving security landscape.

  • Threat Modeling Podcast

    • A Comprehensive Threat Modeling Strategy

      • The podcast episode emphasizes the essential role of threat modeling in the AppSec community and the everyday struggles in implementing it effectively.

      • Chris outlines a comprehensive strategy for threat modeling, focusing on understanding the organization's culture, tech debt, and current risk posture, integrating threat modeling into the development process in an agile manner, keeping the threat model up-to-date, and concentrating on domain-specific problems, all aimed at guiding AppSec teams to success in this critical discipline.

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.