Reasonable 🔐AppSec #24 - Five Security Articles, It’s Time ⏰ to Stop 🛑 Shifting Left, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue of Reasonable Application Security:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: It’s Time ⏰ to Stop 🛑 Shifting Left

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  • How do you design effective product teams within the DevOps framework? This article emphasizes cross-functional teams that combine diverse skill sets, from development to operations. For DevOps to be successful, there needs to be a shared understanding of goals, clear communication, and a commitment to continuous improvement. Teams face challenges in achieving this synergy, but there are best practices that can help overcome these hurdles. (more)

  • Dear Younger Me — Gary Hayslip, a seasoned CISO, pens a letter to his younger self in this reflective piece. He shares his wisdom from years in cybersecurity, discussing the challenges, successes, and lessons learned. Hayslip advises on navigating the complex cybersecurity landscape, emphasizing the importance of continuous learning, building strong professional relationships, and staying updated with the ever-evolving threat landscape. He also touches upon the personal sacrifices and the resilience required to thrive in this demanding role. (more)

  • We have another generated top ten list, and most people don’t seem to care that much. These are common security mistakes that organizations frequently overlook. Drawing attention to these vulnerabilities, federal agencies urge businesses and individuals to take proactive measures to bolster their cybersecurity defenses. You’ll find a detailed analysis of each security gaffe, explaining its implications and offering solutions to mitigate the associated risks. The overarching message is clear: addressing these routine mistakes can prevent many cybersecurity breaches. (more)

  • Matt Johansen delves deep into the concept of Security Obstructionism, where stringent security measures often become counterproductive, hindering progress rather than enhancing security. He discusses the delicate balance organizations must strike between ensuring security and fostering innovation. Johansen emphasizes the importance of introspection within the security community, advocating for a collaborative approach where security teams work with developers and other stakeholders. Discover practical solutions to overcome obstructionism and create a more harmonious and productive work environment. (more)

  • Anthropic research deconstructs neural networks to make them more interpretable. The article reveals that specific groups of neurons within these networks can be decomposed into features that are understandable to humans. This decomposition offers a potential pathway to better understand AI models' inner workings, making them more transparent and accountable. The research also touches upon the broader implications of this discovery, suggesting that it could pave the way for more responsible and ethical AI development in the future. (more)

Featured focus: It’s Time ⏰ to Stop 🛑 Shifting Left

I believed in shifting left from the beginning; I did. I promise. In the old days, we called shifting left “Building Security In.” Joe Jarzombek at the Department of Homeland Security is the first person I remember making this argument for our industry. He focused on building security from the start instead of bolting it on. We all believed in it and tried to make it a reality.

The concept/term “shift left” was invented by Larry Smith in 2001. Larry used it in the context of shifting left in the project cycle. As a concept, it still makes sense to this day, but companies misuse it as a platform for marketing. Thanks, Larry, thanks for nothing.

“Shift left” took on a life of its own as a marketing term in application security. Not only do we have shift left, where we consider security from ideation, but we also have shift right, where we push security out into production. Let’s not forget the idea of shifting everywhere, where we deploy security into every nook and cranny of our software development lifecycle. Not to be forgotten is shifting up and down, which breaks the illustration entirely and should never have been added to the mix.

But where do we go from here? Do we need a pledge to stop saying “shift left”? Am I blowing this out of proportion? Perhaps I should get a hobby instead of ranting about application security industry topics? I wish. But I'm not fond of golf, and fishing doesn’t have enough action. So, I sit here and write.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Varun Badhwar -- The Developer Productivity Tax

      • Audio only; YouTube

        • Varun Badhwar joins to discuss the "Developer Productivity Tax" challenge, the integration of SBOM with VEX for efficient vulnerability management, and the significance of contextual scanning in reducing false positives.

  • Security Table

    • A Show About Nothing That Turned into Something

      • Audio only; YouTube

        • The Security Table discusses the efficiency and integration of AppSec tools and the challenges of communication platforms like Slack and contemplates a future where development might absorb the security team.

  • Threat Modeling Podcast

    • Akira Brand -- Gaining Experience by Threat Modeling

      • Audio only

        • Akira Brand discusses her journey into threat modeling. She highlights the significance of collaboration and of understanding applications deeply, draws parallels between the STRIDE model and surgical checklists, and emphasizes the importance of hands-on approaches and teamwork in achieving comprehensive security solutions.

Where to find Chris? 🌎

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.