Reasonable 🔐AppSec #22 - Five Security Articles, Why I’m not too fond of WAF, and Podcast Corner
A review of application security happenings and industry news from Chris Romeo.
Hey there,
In this week’s issue of Reasonable Application Security:
Five security articles 📰 that are worth YOUR time
Featured focus: Why I’m not too fond of WAF
Application Security Podcast 🎙️Corner
Where to find Chris? 🌎
Five Security Articles 📰 that Are Worth YOUR Time
The Cybersecurity and Infrastructure Security Agency (CISA) emphasizes the critical need for memory safety in software products, highlighting the persistent challenges of memory safety vulnerabilities. It urges the adoption of solutions such as memory-safe programming languages like Rust, and calls on software manufacturers to prioritize eliminating memory safety vulnerabilities and to invest in safer software design. (more)
Threat modeling enhances software supply chain security, emphasizing the need for a systematic approach to identify and manage potential risks throughout the software development lifecycle, with insights on the role of software bills of materials (SBOMs) and the challenges of standardizing threat modeling outcomes. Hint: my opinion of SBOM has not changed. (more)
Taylor and Seth from Google Cloud address the pitfalls of "security theater" in cloud security, emphasizing the need for practical measures over superficial ones, and advocate for modern, cloud-first security solutions that are inherently more secure and reduce risks. (more)
What is the evolving definition of "application" in the cloud-first era? This piece highlights the challenges and implications for application security as the boundaries blur between software and infrastructure, emphasizing the need for integrated, proactive security measures throughout the application lifecycle. (more)
Cossack Labs provides a comprehensive guide on the security architecture of digital wallets, emphasizing the importance of robust protection mechanisms to safeguard users' assets and data. We love a good architecture story. (more)
Featured focus: Why I’m not too fond of WAF
After I finished my talk this week at InfoSec World (the State of the Union for Application Security), I spoke with an audience member who wanted to change my mind about Web Application Firewalls (WAF).
He made some compelling arguments about how a WAF had protected his environment against the impact of Log4J, thanks to an old WAF rule that prevented data from leaving the environment because of a content header. He also advocated for WAF as a staple of resilient architecture and a defense-in-depth strategy.
I said in my talk that I put WAF below the line with my friend DAST, meaning I don’t advocate installing WAF or DAST as components of a new architecture. With WAF, as I told the audience, I won’t get mad at you if you use it. I don’t see the value proposition in deploying it when I already have RASP/IAST in my arsenal. I also advocate for a keep-it-simple approach to application architecture, where I have a scaled-down container running the app, running with the least privilege, with RASP on board to catch any attacks.
WAF is a cat-and-mouse tool. Yes, I have discovered a third category in my twisted scheme for bucketing the tools of the AppSec industry. After scanning/fixing and observing/allowing/denying, I now have cat/mouse. WAF is cat and mouse because it is only as good as the last signature update. We’ve had signature-based tooling since the dawn of time, and it has always fallen into the cat/mouse pattern.
The "cat and mouse" pattern refers to a situation where two parties are in constant conflict, with one party (the "cat") trying to catch or outsmart the other party (the "mouse"), and the "mouse" continually trying to evade or outwit the "cat." This pattern often describes scenarios where attackers (mice) devise new methods to breach systems, and defenders (cats) constantly update their security measures to prevent these breaches.
This is WAF. The WAF vendors update their signatures because of patterns attackers demonstrate. Attackers update their attack patterns to bypass the WAF. It’s a vicious cycle that we should move past in our industry.
I won’t get mad at you if you have or use a WAF; I don’t recommend it personally.
Podcast 🎙️ Corner
I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.
Itzik Alvas -- Secrets Security and Management
Itzik Alvas discusses the crucial aspects of secret security and management, emphasizing education and actionable steps.
The Hamster Wheel of Scan and Fix
I (Chris) challenge the "scan and fix" approach in application security, emphasizing the need for innovative tools that provide contextualized, actionable insights. At the same time, Matt and Izar discuss the historical context, human errors, and the potential role of AI in enhancing application security practices.
Akira Brand -- Gaining Experience by Threat Modeling
Akira Brand discusses her journey into threat modeling, emphasizing the significance of collaboration, understanding applications deeply, and using visual aids like the STRIDE model, likened to surgical checklists, to ensure comprehensive security solutions with the collective efforts of various teams.
Where to find Chris? 🌎
Oct 18 — Threat Modeling & Software Supply Chain Security Webinar with Reversing Labs
In this webinar, hosted by ReversingLabs, join RL Field CISO Matt Rose and Chris Romeo, the CEO of Devici, to learn what the new face of cyber risk management looks like and why comprehensive threat modeling, in concert with software supply chain and third-party risk assessment, is vital to fending off the next generation of sophisticated hacks.
Oct 20 — Triangle InfoSecCon, Raleigh, NC
The Application Security State of the Union
Oct 24-26 — ISC2 Security Congress, Nashville, TN
Oct 25, 10:25 AM, Zero Trust Threat Modeling
Oct 25, 3:05 PM, The State of Application Security
Oct 29 — ThreatModCon, Washington, DC
Conference Chairman, opening and closing speaker
Oct 30-31 — Global OWASP, Washington DC
Oct 31, 2:15 PM, Zero Trust Threat Modeling
Nov 8 — ISC2 Secure Software Webinar
🤔 Have questions, comments, or feedback? I'd love to hear from you!
🔥 Reasonable AppSec is brought to you by Kerr Ventures.
🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.