Reasonable 🔐AppSec #23 🏀 - Five Security Articles, Is AppSec too Expensive? 💰, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue of Reasonable Application Security:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Is AppSec too expensive? 💰

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  • What are the potential benefits of the Exploit Prediction Scoring System (EPSS) over the traditional Common Vulnerability Scoring System (CVSS) in managing software risk? Contemplate EPSS's data-driven approach, which predicts the likelihood of vulnerabilities being exploited based on real-world data, and emphasizes the importance of collaboration and understanding vulnerabilities in depth for adequate application security. (more)

  • Daniel Miessler discusses the shift in corporate culture towards favoring "hardcore" employees, emphasizing the importance of individual value and autonomy over traditional corporate roles, and suggests that the future lies in recognizing the significance of the individual over the corporation. This is helpful to help us consider the future of work, as so much has changed in the past few years. (more)

  • The DFRLab provides an interactive dashboard on software supply chain attacks, offering visualizations of significant trends, incidents by various criteria, and detailed data on software supply chain attacks and disclosures over the years, emphasizing the importance of understanding this understudied aspect of cybersecurity. (more)

  • Phil Venables emphasizes that complexity is not the primary adversary of security; instead, poor design is the real culprit, and he delves into various design principles, from abstraction and visualization to chaos engineering and blame-free post-mortems, to manage and secure complex systems effectively. (more)

  • As I’ve said before, I love a good threat model. OpenSSF brings us a Threat Model of Enterprise Open Source Supply Chains, which identifies and describes threats to proprietary software components integrated into software development processes typically observed within large enterprise software development organizations. The threat model emphasizes the consumption of software dependencies and the infrastructure used for enterprise solutions to identify control gaps and map them to security controls provided by OpenSSF projects and initiatives. (more)

Featured focus: Is AppSec too expensive? 💰

My good friend Brook Schoenfield offered a challenge to my post from last week on why I’m not fond of WAF.

Brook says, “The choices in open-source RASP (or IAST) are slim. If it's JS/nodeJS, the only option was SAP node-RASP, which has been deprecated. Commercial solutions are expensive, for many, prohibitively so. This is a problem I have spoken about regularly: the focus in #AppSec on sufficiently wealthy organizations, to the exclusion of the majority (SMB, startups, mom & pops, 1-person shops, etc.) who can't afford commercial products. Tens of millions of programmers without the resources to run commercial RASP.

… But if all you've got is GCP, then Cloud Armour makes sense. Basic WAF is free with your Azure tenancy (but costs with AWS!).”

I agree that there is no open-source RASP offering. I would love to see one, but one hasn’t been built yet. It’s a challenging technology to build from scratch, and most people willing to put in the effort to build one want to do it within a company they found. Still, I’m not convinced this is a valid excuse for not using RASP.

This got me thinking about whether AppSec is too expensive. I understand that some have limited resources to protect their environments, and a free WAF from AWS may be all they can afford.

As an investor and practitioner, I will be leery of a company that cannot afford basic AppSec tooling at the small scale of a startup. If you can pay developers’ salaries, you can buy inexpensive tech to secure their apps to the best of your ability. I am okay with folks using cloud provider technology to practice defense in depth. It adds another hoop for an attacker to jump through and catches some noise.

Between the available open-source solutions for SAST and SCA and a commercial offering for RASP, AppSec is not too expensive. Yes, deploying an ‘as secure as possible’ app costs some money. If you’re building an app that represents a product for a company, you have some money to invest in your security success. The alternative is to do nothing and become a statistic.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • OWASP Board of Directors Debate

      • Check out the OWASP Board of Directors Debate for the 2023 elections, where six candidates discuss their visions, priorities, and strategies for OWASP's future, addressing topics like vendor neutrality, community growth, and the allocation of profits from global events; listeners are urged to actively participate in the upcoming elections to shape the organization's direction.

      • YouTube link.

  • Security Table

    • Imposter Syndrome

      • Matt and Izar discuss their experiences with imposter syndrome in cybersecurity, sharing anecdotes about challenges and vulnerabilities, emphasizing the importance of self-worth, and offering encouragement to others who may feel similarly.

  • Threat Modeling Podcast

    • Akira Brand -- Gaining Experience by Threat Modeling

      • Akira Brand discusses her journey into threat modeling, highlighting the significance of collaboration, understanding applications deeply, and drawing parallels between the STRIDE model and surgical checklists, emphasizing the importance of hands-on approaches and teamwork in achieving comprehensive security solutions.

Where to find Chris? 🌎

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.