Reasonable 🔐AppSec #19 - Five Security Articles, 🚨Devici has emerged from stealth 🚨, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue of Reasonable Application Security:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: 🚨Devici has emerged from stealth 🚨

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  • "Emerging Architectures for LLM Applications" caught my eye because it shows the evolving architecture for Large Language Model (LLM) applications and the components teams use to assemble them. It highlights the shift from traditional application structures to innovative designs that leverage LLMs and emphasizes the significance of integrating these models seamlessly into the software development process for enhanced performance and capabilities. (more)

  • "How CISOs can shift from application security to product security" discusses the growing trend of enterprises transitioning from a narrow focus on application security to a broader, more holistic approach called product security, emphasizing the importance of integrating security considerations throughout the entire product lifecycle and fostering a security-conscious culture within organizations. (more)

  • "Legal Liability for Insecure Software Might Work, but It's Dangerous" emphasizes that while holding software companies legally liable for insecure software might seem like a solution, it could lead to unintended negative consequences; instead, the article advocates for mandatory transparency in security practices, allowing the market to drive the demand for secure software without imposing excessive regulations. (more)

  • "The AI Threat Modeling Framework for Policymakers" is designed to provide a structured approach for discussing and understanding AI-related threats. It emphasizes the importance of clear communication and transparency in addressing AI risks and aims to aid in creating effective policies and laws. (more)

  • "AI Is Generating Security Risks Faster Than Companies Can Keep Up" highlights the rapid advancement of generative AI-based software and its challenges for business technology leaders, emphasizing the need for transparency, understanding potential cybersecurity risks, and the importance of tracking software components to ensure robust security measures. (more)

Featured focus: 🚨Devici has emerged from stealth 🚨

Note: I don’t often talk about specific things I’m doing from a company perspective, but I wanted to keep you in the loop on exciting things happening professionally for me. Next week, this space will return to its usual AppSec snark, opinions, and other related things.

I’m excited to announce the emergence of my new company, Devici. Today, I publicly take the reins as CEO and co-founder. Here’s why now is the time for secure and privacy-by-design.

I’ve been a proponent of threat modeling my entire security career (twenty-six years). Initially, I didn’t even realize I was doing threat modeling. I considered the security properties of a system design, made a list of what could go wrong, and then proposed mitigations to fix the problems. I worked on teams with industry giants who conformed to a robust set of security requirements and taught me to appreciate the beauty of a system designed securely from the start.

As my career progressed, I taught and implemented threat modeling at Cisco Systems, refining my unique approach through experience. I scoped models and narrowed feature sets to focus on essential security and privacy conditions of significant technology products – which grew and matured my philosophy. My method of asking questions matured, unlocking hidden security and privacy conditions.

Threat modeling is a subject I’ve been passionate about my entire career. Devici was born because we can and must get better at threat modeling as an industry. I saw a gap as I examined the tools and technologies available for threat modeling. I don’t see one that enables what I call threat modeling. I don’t see an option that embeds threat modeling within a company like Cisco. So, I’ve set out to change that.

Devici is in its infancy, but it will grow and adapt. We’re giving developers and architects a tool to embrace secure by design and default. We exist to make this process of secure design seamless and easy. We do it in a way that lets the developers and architects be experts in their field and augments the security and privacy pieces into their designs.

Devici exists to unlock the threats that exist in all the code that has been deployed for decades. In our first release, you can import the knowledge and structure of all that code, both from the code itself and runtime observability. It’s the best of both worlds in one realistic design that pinpoints the most dangerous threats that require mitigation.

I’m not doing this alone. I’m partnering with my wife, Deb Romeo (Chief Financial Officer), and Laura McAliley (Chief Marketing Officer). Both were instrumental to the success of Security Journey, the company that Deb and I founded in 2016 and that we all exited from in 2022. We’re taking the lessons we learned in building a company from the ground up to exit and applying them to Devici.

We have much more to share as we grow. We’re signing folks up now for a beta beginning in late October / early November. We’re excited to partner with early adopters who will help us shape and grow the product. We’ll also be announcing our technical advisory board of threat modeling experts. Stay tuned – we are about to take this industry segment by storm.

You can follow Devici on LinkedIn or sign up for our Beta on devici.com.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Mark Curphey and John Viega -- Chalk

      • Mark Curphey and John Viega discuss Chalk, Crash Override's new tool, the shift of ZAP from OWASP to the Software Security Project, and the significance of Open Source Software. They emphasize the challenges tech firms face in software engineering and the need for a holistic "outside-in" approach to improve decision-making in software development.

  • Security Table

    • Imposter Syndrome

      • Experienced security professionals delve into the emotional challenges of Imposter Syndrome, sharing personal experiences of self-doubt, especially during public presentations, and emphasize the importance of self-worth beyond external validation, offering support to those facing similar feelings in any profession.

  • Threat Modeling Podcast

    • Dr. Michael Loadenthal -- Intersectional, Harm Reduction Approach to Threat Modeling

      • The podcast episode delves into Dr. Loadenthal's unique approach to threat modeling, which extends beyond just technology. He emphasizes the importance of understanding the multifaceted challenges companies face today, including political, legal, and technical threats, and advocates for a comprehensive model that considers dimensions such as political, legal, ethical, and social aspects.

Where to find Chris? 🌎

🤔 Have questions, comments, or feedback? I’d love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.