Reasonable 🔐AppSec #20 - Five Security Articles, Becoming a CFP Ninja 🥷, and Podcast Corner
A review of application security happenings and industry news from Chris Romeo.
Hey there,
In this week’s issue of Reasonable Application Security:
Five security articles 📰 that are worth YOUR time
Featured focus: Becoming a CFP Ninja 🥷
Application Security Podcast 🎙️Corner
Where to find Chris? 🌎
Five Security Articles 📰 that Are Worth YOUR Time
I’m not worried that AI will replace me as a threat modeling person. In comparing AI models for threat modeling, GPT-3.5, Claude 2, and GPT-4 were tested, with GPT-4 emerging as the most robust and adaptable. At the same time, GPT-3.5 and Claude 2 offered valuable insights, especially for teams with limited security expertise. Heck, what AI has my witty charm? (more)
IBM researchers demonstrated the ability to "hypnotize" AI chatbots, including OpenAI’s ChatGPT and Google’s Bard, making them generate malicious responses, leak confidential information, and provide potentially harmful advice to users. I can’t trust this thing to threat model if it can be hypnotized. Wait, can I be hypnotized? (more)
Adyen emphasizes the importance of threat modeling as a collaborative tool for designing secure products, with their approach focusing on understanding key security concerns, making risk-based design decisions, and fostering a mindset where development teams actively consider potential threats to their products. (more)
Mozilla's study reveals that vehicles from 25 manufacturers extensively track users' data, including intimate details like sexual activity, and often sell this data to third parties, with all tested cars failing to meet data protection standards. (more)
LinkedIn's Information Security team details its transition from a centralized to a decentralized approach in implementing Content Security Policy (CSP), aiming to enhance web application security while boosting developer productivity and autonomy. This shift allowed for more flexible and efficient CSP changes, though it introduced challenges in security governance, which they addressed with proactive security validators during code commits. (more)
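The commit-time validator idea is the interesting part of that write-up: once teams can change CSP themselves, something has to refuse the weak policies before they ship. The following is an added example, not LinkedIn's tooling, of the kind of check such a validator could run over a Content-Security-Policy header; the risky-source list, the sample policies and the CDN host names are constructed for illustration.

```python
from typing import Dict, List

# Source expressions a validator should refuse on script-controlling directives.
# Constructed list for this example, not any organisation's actual rule set.
RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:"}
SCRIPT_DIRECTIVES = ("script-src", "default-src")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, values = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(values)
    return policy


def validate_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means the policy passes."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy and "script-src" not in policy:
        findings.append("no default-src or script-src: script loading is unrestricted")
    for directive, sources in policy.items():
        if directive not in SCRIPT_DIRECTIVES:
            continue
        for src in sources:
            if src in RISKY_SOURCES:
                findings.append(f"{directive} allows {src}")
            # A wildcard subdomain trusts every host under that CDN, not one origin.
            if src.startswith("https://*."):
                findings.append(f"{directive} allows wildcard host {src}")
    # object-src falls back to default-src; plugins should be disabled explicitly.
    if "object-src" not in policy and policy.get("default-src") != ["'none'"]:
        findings.append("object-src not set: plugin content falls back to default-src")
    return findings


# Constructed sample policies: the weak one a validator should block, and a fixed one.
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https://*.example-cdn.com"
HARDENED = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://static.example-cdn.com; "
            "object-src 'none'; frame-ancestors 'none'")

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, validate_csp(header) or "OK")
```

Wired into a pre-commit hook or CI step on files that set the header, this turns the governance question into a blocking check rather than a later review.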
Featured focus: Becoming a CFP Ninja 🥷
Many people want to speak at conferences in the security industry. People have excellent things to share, stories to tell, and experiences to enlighten us.
Getting a talk accepted at a conference can be a challenging endeavor. I decided to write down what I’ve learned from submitting to conferences and from reviewing submissions for conferences over the past twenty-plus years.
1. Craft a catchy title — a catchy title is an excellent start toward getting a reviewer to read deeper into your submission. Program Committees are busy. They have hundreds of submissions to review and must choose the best. Catching their attention begins with a catchy title. The title and the short abstract are the window to a deeper consideration. Put effort into crafting a catchy title.
2. Write and submit your original submission — many folks use a PR firm to draft and submit their conference talks. As a reviewer, I don’t look closely at PR-submitted talks. It’s not just because they tend to sway in the direction of the vendor pitch. My primary reason is that you are asking me to invest time reviewing your work, and you didn’t have the courtesy to write it yourself. Write and submit your original submissions. Own the process for your speaking future.
3. Use the available character counts — conference submission forms provide a character count for each field within the submission. I’ve seen SO many submissions that use two sentences. As a reviewer, there is no way I can get an appreciation for your topic in two sentences. Use the allocated space and fill it with the goodness that describes your talk.
4. Proofread, spell check, and read your submission — maybe it’s just me, but I love a well-written, spell-checked submission with solid grammar. Your abstract shows me a window into your attention to detail when you take the stage at my event. Ensure that your abstract and everything you submit is spot on, with no errors.
5. Do NOT focus on what your product or company does — I shouldn’t have to write this, but I will anyway. Do NOT try to submit a product pitch or sneak a product pitch into my conference. As a committee member, I am on the lookout for product pitches. We want authentic talks that speak from experience. Save your product pitch for demo calls and sponsored events. Side note: I’ve been a vendor for ten-plus years and speak at many significant events. I do this by giving away general knowledge about the topics I am passionate about. I once had an audience member get mad at me because I wouldn’t tell them what my product did. I told them I would be happy to chat after the talk. Have integrity and respect for the conference stage.
6. Share your stories and experiences — the best talks I will likely choose tell me a story. They explain a problem and how the person solved it in real life. I love real-life stories. They help me and the audience to learn from our experiences and set us up to apply those lessons in our environments. Tell me a story.
7. Let your marketing department help you tune up the title and abstract — a bit of pizzazz doesn’t hurt in the title and the abstract. My first major conference talk at RSA about the Cisco Security Ninja program was tuned up by Lisa Bobbitt. Lisa was my marketing contact then, and she did an excellent job of tuning up my abstract without turning it into a product pitch. See #5 — don’t let marketing turn your submission into a product pitch.
8. Will this panel end in a fight? I’m not a fan of panels. There is far too much, “I agree, I agree, and I agree with all the things that everyone else on this panel has ever said, said today, or will ever say in the future.” I’m exaggerating, but for me, the only good panel has conflict and disagreeing parties. And you know they will disagree based on who they are or what they do. I once accepted a panel with members of the EFF and NSA together to argue an issue. I knew there would be fireworks with this panel, which would push boundaries amongst people who thought very differently about issues.
I hope this is helpful for folks trying to join the speaking scene. We need you on the scene, so consider these tips for your next submission.
Podcast 🎙️ Corner
I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.
Jeff Williams -- The Tech of Runtime Security
Jeff Williams discusses the advantages of Interactive Application Security Testing (IAST), highlighting its efficiency in the DevOps environment, adaptability, and ability to provide rapid feedback, and changes my mind about the upside of IAST.
The Table delves into the complexities of Application Security (AppSec) and Product Security (ProdSec), discussing the role of hardware, supply chain challenges, and the blurred lines between the two concepts.
A new episode is coming soon with Akira Brand!
Where to find Chris? 🌎
Sept 23-27 — InfoSec World, Orlando, FL
Sept 23, 11:15 AM, Zero Trust Summit, Zero Trust Threat Modeling
Sept 24-26, wandering aimlessly around Epcot and other Disney parks.
Sept 27, 9:30 am, The Application Security State of the Union
Oct 20 — Triangle InfoSecCon, Raleigh, NC
The Application Security State of the Union
Oct 24-26 — ISC2 Security Congress, Nashville, TN
Oct 25, 10:25 AM, Zero Trust Threat Modeling
Oct 25, 3:05 PM, The State of Application Security
Oct 29 — ThreatModCon, Washington, DC
Conference Chairman, opening and closing speaker
Oct 30-31 — Global OWASP, Washington DC
Oct 31, 2:15 PM, Zero Trust Threat Modeling
Nov 8 — ISC2 Secure Software Webinar
🤔 Have questions, comments, or feedback? I'd love to hear from you!
🔥 Reasonable AppSec is brought to you by Kerr Ventures.
🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.