Reasonable 🔐AppSec #2 - Hidden Gems, Photo, Five Security Articles, And Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

Happy Friday! I’m thinking about AI like many of you are. The week's flavor is AI and the challenges that AI brings about for us as security professionals. This isn’t an AI security newsletter, but sometimes I let the wind carry me.

In this week’s issue:

  • Hidden gems 💎

  • Photo of the week 📸

  • Five security articles 📰 that are worth YOUR time

  • Application Security Podcast 🎙️ Corner

Hidden gems

In my travels, I talk to smart and well-educated application security professionals and constantly scour the InterWebs. I am a constant learner and try to learn from everyone who crosses my path. Here are a few hidden gem resources I’ve learned about over the past few weeks.

  1. Cyber-Informed Engineering (CIE) — the homepage describes CIE as “a framework to guide the application of cybersecurity principles across the engineering design lifecycle.” Long story short, CIE principles apply to everything that we build. Look in more depth, and think about (and then let me know) how you see applying CIE to the things you build.

  2. Secure by Design, Secure by Default — “It's time to build cybersecurity into the design and manufacture of technology products.

    Find out here what it means to be secure by design and secure by default.” CISA is leading from the front, pushing to take the industry forward. I’m not against anything they say, but I would order it differently to make more logical sense.

  3. Mitre Atlas — “MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a knowledge base of adversary tactics, techniques, and case studies for machine learning (ML) systems based on real-world observations, demonstrations from ML red teams and security groups, and the state of the possible from academic research.”

  4. OWASP AI Security and Privacy Guide — This guide aims to provide clear and actionable insights on designing, creating, testing, and procuring secure and privacy-preserving AI systems.

Photo of the week

Two of my threat modeling besties, Kim Wuyts and Brook Schoenfield. The picture was taken at a threat modeling meetup we did at RSAC.

Five Security Articles that are Worth YOUR Time

  • The debate over whether ChatGPT and other generative AI tools will benefit defenders or further embolden attackers may continue, but companies are going forward with new tools. (more)

  • The untold story of the boldest supply-chain hack ever — the attackers were in thousands of corporate and government networks. They might still be there now. Behind the scenes of the SolarWinds investigation. (more)

  • Security researcher Carlos Fernández recently found open-source registries. Bad actors favor simplicity, effectiveness, and user-centered thinking. To take their malicious code to the next level, they’re adding new features assisted by ChatGPT. (more)

  • Kelly Shortridge’s take on how Sun Tzu would react to today's cybersecurity industry. (more)

  • Four principles for creating a new blueprint for secure software development; improving the security of the software development process is key to thwarting bad actors. (more)

Podcast Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes they are my podcasts. Other times they are podcasts that have caught my attention.

  • Application Security Podcast

    • Tony Turner -- Threat Modeling and SBOM

      • Tony Turner joins the discussion on SBOMs and their role in identifying vulnerabilities and informing threat modeling. He emphasizes the importance of Consequence-Driven Cyber-Informed Engineering for understanding the impact of cyberattacks on critical infrastructure, and advocates for transparency from suppliers and trust in third-party attestations.

  • Security Table

    • Reasonable Software Security: Do We Need DAST?

      • We discuss the value of software security tools like DAST, emphasizing that reasonable security depends on an organization's context, needs, and risk appetite and is a dynamic concept rather than a constant.

  • Threat Modeling Podcast

    • The Four Question Framework with Adam Shostack

      • Adam Shostack, the creator of the four-question framework for threat modeling, discusses its significance, evolution, and practicality. He emphasizes its role as a foundation for threat modeling rather than a methodology, and encourages retrospectives for continuous improvement.

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔄 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.