Reasonable 🔐AppSec #18 - Five Security Articles, Security Champion Anti-Patterns, and Podcast Corner

Hey there,

In this week’s issue of Reasonable Application Security:

• Five security articles 📰 that are worth YOUR time

• Featured focus: 🚨Security Champion Anti-Patterns 🚨

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

• The rapid growth of generative AI-based software presents challenges for business technology leaders as they grapple with potential cybersecurity risks, with concerns arising from the swift development of the technology and the complexities of auditing large language models. (more)

• Truffle Security emphasizes the mathematical impossibility of identifying every vulnerability in software, referencing Alan Turing's halting problem, and advocates for a focus on eliminating false positives in security analysis rather than attempting to find every potential vulnerability. (more)

• I love a good case study, and I’m fascinated with microservices. I’ve heard many horror stories about the lack of security unification with microservices. Let’s read PayPal’s story. PayPal transitioned from a monolithic application in the early 2000s to a microservices architecture, addressing challenges such as deployment issues, service communication, and large class structures; they introduced frameworks like Kraken and Altus and standardized API communications using REST, resulting in over 700 APIs and 2500 microservices by 2019. (more)

• The "OWASP Top 10 for LLM" outlines the most critical application vulnerabilities using Large Language Models (LLMs). They got their site, so I wanted you to have the link to it to share with your development teams. The list highlights issues such as prompt injection, insecure output handling, training data poisoning, model denial of service, supply chain vulnerabilities, sensitive information disclosure, insecure plugin design, excessive agency, overreliance, and model theft. This document aims to provide developers, data scientists, and security experts with actionable guidance on LLM security. (more)

• Matt Johansen draws parallels between cybersecurity's threat modeling and understanding depression. He conceptualizes depression as a system akin to a digital infrastructure susceptible to threats. By identifying the threats surrounding depression, the aim is to shed light on the complexities of the condition and advocate for a more comprehensive understanding of mental health. The article delves into the emotional, cognitive, physical, and social impacts of depression and offers mitigation strategies and resilience-building measures, emphasizing the importance of early intervention and support systems. (more)

Featured focus: 🚨Security Champion Anti-Patterns 🚨

I started this thread on LinkedIn and served up a game called Security Champion Anti-patterns. I provided my list of anti-patterns and asked my friends to add theirs to the list. The final list is forty-two items long! There is gold in these here hills! The list is ordered by how LinkedIn served them up to me, so no prioritization has been done by me on the list.

An anti-pattern is a typical response to a recurring problem that is usually ineffective and risks being highly counterproductive. The term is often used in software design to describe a solution that appears beneficial in the short term but leads to long-term negative consequences. It can also be a behavior or pattern that emerges in organizations and other contexts.

Note: I’ve added the person’s LinkedIn identifier for attribution and performed a light edit on all the items.

1. Hero security champion – takes all security tasks on their shoulders, versus delegating and collaborating with other team members. (Chris Romeo)

2. Enforcer security champion – tries to strong-arm other team members into improving security. (Chris Romeo)

3. Tool-reliant Champion – depends on security tool output versus applying learned knowledge and experience. (Chris Romeo)

4. Lazy Champion – fails to keep up with the latest attacks, vulns, and best practices and neglects training. (Chris Romeo)

5. Isolated Champion – avoids interaction with the security team and builds walls between dev and security. (Chris Romeo)

6. Cheerleader champion - a person with many ideas but needs a blended approach of tech skills and relationships to help manage change. (Scott Goette)

7. Unsupported Champion - attempts to lead security initiatives without sufficient backing, resources, or engagement from senior management and team members. (Erwin Kievith)

8. The victim champion - the enthusiastic security team member who joined the security champion by choice and suddenly became responsible for fixing all security issues in their team. (Saber Ferjani)

9. Knowledge-hoarding Champion - more focused on their training than seeing that the engineering teams have the needed knowledge. (Larry Maccherone)

10. "All happy families are alike, all unhappy ones unique." (Adam Shostack)

11. Volun-told Champion - The developer who does not want to be a security champion but is assigned by the organization. This individual is unmotivated to perform the tasks in the role and often ignores everything that is not mandatory. (Michael Burch)

12. Documentation champion - keeps creating tons of best practice documents for the organization, most of which are copy-pasted from NIST or ChatGPT. (Abhishek Purnam)

13. The Reluctant Champion- similar to Michael Burch’s voluntold description. (Mark Merkow)

14. The "All or nothing" champion - doesn't read the room to see where the needle is and tells the teams that they need to undertake several changes that they neither understand nor are equipped to complete. (Nigel Hanson)

15. Moralist Champion - strives for unreachable perfection and constantly teaches others how to do things right with only one version of right. Sometimes, they use shaming techniques. Doesn’t accept the imperfection of real life and the necessity of compromises. (Vira Tkachenko)

16. Signature security champion - signs up to be a champion, adds it to their email signature and performance review and doesn’t do much outside their regular job. (KC Udoh)

17. ‘I could tell you, but I’d have to kill you Champion’ - shrouds what they do in mystery, and we all know it is because they have no idea what they are doing. Closely related to the lazy champion. (Sarah-Jane Madden)

18. The non-champion - super critical of all things security-related. (Tony Quardos)

19. The Unknown Champion: one who has the interest, drive, and curiosity but is never allowed to be that champion. (Ryan H.)

20. The snitch champion - they behave exactly like a spy and do absolutely nothing active to improve security EXCEPT report exactly how the team is doing it badly and when they take shortcuts. (Mehmet Yilmaz)

21. "Stealth Champion" - starts spending a lot of time to help with security initiatives (perhaps because they want to make a career change) without letting their manager know, and then when their manager eventually finds out (due to performance issues or public recognition, etc.), their effort is shut down, and there may even be additional "performance review"-like consequences. (Dustin Lehr)

22. Rigid Champion - only satisfied by the One True Way to address an issue, a cross between Enforcer and Lazy. (Tom Conner)

23. Activity-over-outcomes Champion - fails in their duty to maximize the risk-reduction value for a given cost by merely "doing good things" (Larry Maccherone)

24. Rubber-necking Champion - wants to talk about the latest security news but does nothing to help prevent the occurrence within the organization. (Larry Maccherone)

25. The turn-dark champion - was a white hat until, tired of no action, joined the dark side "to show them" (Jean-Philippe Martin)

26. Scope Creep Champion – expands the scope of security requirements beyond what is reasonable for the project, resulting in unnecessary work and potential delays. (Blake Dorsett)

27. “Nothing is fixed until everything is fixed” - knows a lot about security debt and other technical debt; uses the security initiative to implement all the changes they ever wanted, hijacking the whole sprint. Or two. Or three. Until the management decides security is too expensive and kills off the whole initiative. (Irene Michlin)

28. Inquisitively Indifferent Champion - someone who does not want to accept loopholes or is not ready to do cyber security process/task rework. Once posted with questions, will ask the opponent 5-10 questions ( which does not make sense 99.99% of the time) and ask them to find answers to those and then is ready to answer what was asked (which will not make sense either once answered). Also asks, "Why should we do it when no one else is doing it?" (Shyam Sundar Ramaswami)

29. Analysis Paralysis champion - too focused on perfection vs. results. (James Rabe)

30. Know It All Champion - especially dangerous when they think they know something but don’t. (Sean Wright)

31. Checklist security champion - does the paperwork only, ideally on the project’s due date. (Michal Svoboda)

32. Training-solves-all-problems Champion - focuses on time-intensive broad-based security training rather than just-in-time highly contextual training. (Lary Maccherone)

33. The Creationist Champion - creates work for others. Often seen at the beginning of a program. May even create the program. Disappears when work appears by delegating work to others. Wants credit but none of the blame (or gritty work). A solitary creature that can be captured at award ceremonies or other high visibility recognition methods. Usually wanted dead or alive by teammates and/or other teams. (Robert M.)

34. Disappearing Champion - talks enthusiastically and in detail about the importance of security but grows quiet when it's time to commit to new roles or tools. (Ann M. G.)

35. Shiny Object Champion - ignores tech debt and basic security hygiene in favor of adding flashy tools that don't fit well with the rest of the tech stack. (Ann M. G.)

36. Influencer Champion - is more interested in discussing security on podcasts and social media than in wrestling internally to move things ahead. (Ann M. G.)

37. “errrr dunno” Champion. Their line manager assigned them, but they have no idea why they’re doing it other than they were probably off on leave, and the rest of the team said NO when asked. (Keith B.)

38. Deny champion - believes their application will never face this threat without fully understanding the threat factors. (Mohan Ravindran)

39. Juggernaut security champion - believes they are an SME in every security domain until they meet an SME. (Usman Khan)

40. ‘well, it depends’ Champion - can never decide. (Usman Khan)

41. "Dunning-Kruger Champion" - they overestimate their abilities and have limited competence in a particular domain. (Michael Fabian)

42. Blamer champion - every error, mistake, or screw-up was the other people's fault, not theirs. (Paul Adams Cox)

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Maril Vernon -- You Get What You Inspect, Not What You Expect

    • Maril discusses the importance of purple teaming in cybersecurity, emphasizing collaboration between developers and security teams, the potential future role of automation and AI, and the irreplaceable value of human intuition while advocating for proactive inspection in security and the necessity of inter-team cooperation.

• Security Table

  • The Return on Investment of Threat Modeling

    • The Security Table team discusses the significance of data and metrics in risk communication, the concept of the attack surface, and the real-world implications of threat modeling, emphasizing the balance between technical details and business-oriented communication for practical Executive understanding.

• Threat Modeling Podcast

  • Dr. Michael Loadenthal -- Intersectional, Harm Reduction Approach to Threat Modeling

    • The podcast episode delves into Dr. Loadenthal's unique approach to threat modeling that extends beyond just technology, emphasizing the importance of understanding multifaceted challenges faced by companies today, including political, legal, and technical threats and advocating for a comprehensive model that considers various dimensions such as political, legal, ethical, and social aspects.

Where to find Chris? 🌎

• Sept 6 — GRITS Conference, Raleigh, NC

  • The State of the Union of Application Security

• Sept 23-27 — InfoSec World, Orlando, FL

  • Sept 23, 11:15 AM, Zero Trust Summit, Zero Trust Threat Modeling

  • Sept 27, 9:30 am, The Application Security State of the Union

• Oct 20 — Triangle InfoSecCon, Raleigh, NC

  • The Application Security State of the Union

• Oct 24-26 — ISC2 Security Congress, Nashville, TN

  • Oct 25, 10:25 AM, Zero Trust Threat Modeling

  • Oct 25, 3:05 PM, The State of Application Security

• Oct 29 — ThreatModCon, Washington, DC

  • Conference Chairman, opening and closing speaker

• Oct 30-31 — Global OWASP, Washington DC

  • Oct 31, 2:15 PM, Zero Trust Threat Modeling

• Nov 8 — ISC2 Secure Software Webinar

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.