Reasonable 🔐AppSec #17 - Five Security Articles, Four things that are wrong in AppSec, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue of Reasonable Application Security:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: 🚨 Four things that are wrong in AppSec 🚨

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  • Jeremy Long, founder and lead of the OWASP dependency-check project, proposes a way to strengthen software supply chain security through a process he calls binary source validation. It goes deeper than examining a project's source code, and he argues that software bills of materials (SBOMs) on their own are insufficient for comprehensive security. (more)

  • At the DEF CON cybersecurity conference, the U.S. Air Force and Space Force sanctioned hackers to attempt breaking into a live, orbiting satellite named Moonlighter, aiming to identify potential security vulnerabilities and enhance the security of space systems against potential threats from adversaries like China. (more)

  • Phil Venables makes the case for building balanced security teams: a blend of technical specialists, risk advisors, and operational experts, so that risks get identified and resolved and the overall security architecture holds together. He stresses that the interplay of these roles, not any one of them, is what produces good security outcomes. (more)

  • CISA argues that artificial intelligence (AI) systems, like all software, must be "Secure by Design": security is a core consideration throughout the product lifecycle, so that AI systems are safe to use from the outset, and the standard security engineering practices we already know apply to AI engineering as well. (more)

  • At a recent Black Hat event, security researchers demonstrated indirect prompt injection against ChatGPT, feeding the model instructions hidden in content it was asked to process. The work highlights how large language models can be manipulated and what that means for their millions of users. (more)

Featured focus: Four things that are wrong in AppSec 🚨

What a title, eh? How dare I point out the potential flaws in our beloved industry, application security? I do dare because that is what makes me me.

  1. Everyone equates tools = AppSec.

Look at the job postings for Application Security Engineer. Go ahead and search for one and read it now if you like. You’ll find that the AppSec Engineer is focused on running and interpreting tool results.

Alas, there is so much more to AppSec than tools—people, processes, tools, and governance. You need the people educated about the topic to design and build secure and private things; you need the process to ensure that when we make lots of things, they all have some semblance of security and privacy built-in; you need the tools to automate the hard things that are too time-consuming for people to perform manually; and you need governance to ensure that there are checks and balances for people doing the right thing.

So much more than just “tools”.

  2. Developers enter their field with little training/knowledge of AppSec.

I still believe that education is power, and that knowledge and experience give an engineer a solid security and privacy backbone. Universities worldwide continue to leave security out of undergraduate curricula and treat it as a graduate-school topic.

We need an environment where developers learn Secure Coding with Java, not just Java. Why ever teach a developer to take input from the command line without validating it, and teaching why, at that very moment? It's a shame that this is the current state of our world. I don't see academia moving quickly in the right direction to fix this. I get that it's hard to keep courseware current with the latest threats, but that is what we all do in the real world. We can't ignore new threats because it's too hard. Find a way to improve academia.
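Here is what "teach input validation at the moment you teach input" looks like in practice. This is an added example, not code from the newsletter: a tiny Java program that reads a username and a port from the command line, first the way an introductory course typically shows it, then with validation done at the point of input. The profile directory, the username rule, and the port range are assumptions chosen for the illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Added example (not from the original article). Reads <username> <port> from
// the command line. The unsafe* methods are the "just Java" version; the
// validated* methods are the "Secure Coding with Java" version.
public class ArgsDemo {

    // Assumed allowlist for a username: 1-32 chars of letters, digits, '.', '_', '-'.
    // No anchors needed: Matcher.matches() requires the whole input to match,
    // which also sidesteps '$' matching before a trailing newline.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9._-]{1,32}");

    // Assumed location where per-user profiles live.
    private static final Path PROFILE_DIR = Paths.get("/var/app/profiles");

    // How input is usually taught: trust args as-is.
    //   "../../etc/passwd" resolves to a path outside PROFILE_DIR,
    //   "80000" parses to a port that cannot exist,
    //   a missing argument throws ArrayIndexOutOfBoundsException.
    static Path unsafeProfilePath(String[] args) {
        return PROFILE_DIR.resolve(args[0]);
    }

    static int unsafePort(String[] args) {
        return Integer.parseInt(args[1]);
    }

    // Validated: check presence, then shape (allowlist), and fail closed with a
    // message the caller can act on.
    static String validatedUsername(String[] args) {
        if (args.length < 1) {
            throw new IllegalArgumentException("username is required");
        }
        String user = args[0];
        if (!USERNAME.matcher(user).matches()) {
            throw new IllegalArgumentException("username must match " + USERNAME.pattern());
        }
        return user;
    }

    // The allowlist already forbids path separators; the containment check is a
    // second, independent control so a future regex change cannot silently
    // reopen the traversal.
    static Path validatedProfilePath(String user) {
        Path p = PROFILE_DIR.resolve(user).normalize();
        if (!p.startsWith(PROFILE_DIR)) {
            throw new IllegalArgumentException("path escapes profile directory");
        }
        return p;
    }

    // Validated: parse defensively, then enforce a range (assumed: non-privileged
    // ports only).
    static int validatedPort(String[] args) {
        if (args.length < 2) {
            throw new IllegalArgumentException("port is required");
        }
        int port;
        try {
            port = Integer.parseInt(args[1].trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("port must be an integer", e);
        }
        if (port < 1024 || port > 65535) {
            throw new IllegalArgumentException("port must be in 1024..65535");
        }
        return port;
    }

    public static void main(String[] args) {
        try {
            String user = validatedUsername(args);
            Path profile = validatedProfilePath(user);
            int port = validatedPort(args);
            System.out.println("profile=" + profile + " port=" + port);
        } catch (IllegalArgumentException e) {
            System.err.println("usage: java ArgsDemo <username> <port> (" + e.getMessage() + ")");
            System.exit(2);
        }
    }
}
```

Run `java ArgsDemo alice 8080` and the program prints the resolved profile path and port; run `java ArgsDemo ../../etc/passwd 80000` and the validated path rejects the first argument before anything touches the filesystem. The point for a classroom is that the validated methods are only a few lines longer than the unsafe ones, so there is no reason to teach the unsafe form first and "add security later."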

  3. A lack of focus on secure by design.

Secure by design via threat modeling is how you set your engineers up for security and privacy success. Threat modeling takes a design, considers the bad things that could happen to it, and produces a prioritized list of changes that mitigate those bad things before the code is written.

Embrace secure by design for your engineering teams. Secure by design is another arrow in the quiver of application security, along with your favorite tools. Take your shot with threat modeling.

  4. Focusing on the wrong things.

I've already written in depth about my views on DAST and SBOM. Both are distractions, at different levels. DAST is irrelevant to the modern AppSec world, so it's a distraction because it wastes time, money, and resources. SBOM is a distracting focus, leaving everyone thinking that SBOM is the answer to all their security woes when it is just one step on a many-mile journey toward security and privacy.

Conclusion

In most ways, I’m an optimist. I believe we can get better and will get better in the future. I want to see us evolve as an industry and want secure software that protects my privacy.

I point out flaws because that is how I've been trained as a threat modeling person for the past twenty-six years. But I focus on mitigations as well. We must evolve to move forward as an industry. Join me on this path to making our industry a more refined and productive place.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

Where to find Chris? 🌎

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.