Reasonable 🔐AppSec #25 - Five Security Articles, Threat Modeling the SW Supply Chain, and Podcast Corner

Hey there,

In this week’s issue of Reasonable Application Security:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Threat Modeling the Software Supply Chain

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

• Five Questionable Things About Top Ten Security Lists: Mark Curphey's article on LinkedIn critically examines the various "Top Ten Security Lists" prevalent in the cybersecurity industry. He raises concerns about these lists' biases, motivations, and effectiveness, suggesting that commercial interests might influence many or lack empirical data to back their claims. (more)

• IT Admins and Weak Password Use: Outpost24's blog post reveals that many IT administrators are guilty of using weak passwords, risking organizational security. The article stresses the importance of strong password policies and the need for IT professionals to lead by example in cybersecurity practices. (more)

• Announcing the 2023 State of DevOps Report: Google Cloud's blog post announces the release of the 2023 State of DevOps Report. The report provides insights into DevOps's latest trends, challenges, and best practices, helping organizations optimize their DevOps strategies. (more)

• Top 10 Cybersecurity Misconfigurations: Chris Hughes writes via Resilient Cyber. This article lists the top 10 most common cybersecurity misconfigurations organizations often overlook. These misconfigurations can lead to significant vulnerabilities, and the article underscores the importance of regular audits and reviews to ensure a robust cybersecurity posture. Chris does an excellent job of defining and breaking down each item on this list. (more)

• The Evolution of App Sec - How to Get Off the Hamster Wheel of Scan and Fix: This article from ReversingLabs discusses the evolution of application security and emphasizes the need to move beyond the repetitive cycle of scanning and fixing. It highlights the importance of understanding the entire software supply chain and adopting a proactive approach to security. (more)

Featured focus: Threat Modeling the Software Supply Chain

Threat modeling analyzes system representations, searching for security and privacy challenges to mitigate. The software supply chain exudes security-specific challenges that require mitigation.

When considering the software supply chain and threats, I divide things into two groups. The first group is all the threats against the CI/CD pipeline and any other infrastructure required to build your software. The second group is all the possible attacks and challenges that could result in a malicious package being integrated into your application.

Each group of threats is essential and should be considered in your threat modeling process. Gather a group including developers, product people, security, and infrastructure to review the pipeline outside the scope of building features. Consider this threat model as a separate artifact. If you’re looking for inspiration about threats, remember you can extract threat data from any OWASP Top Ten list. And there happens to be an OWASP Top Ten for CI/CD. Take item number one on the list: CICD-SEC-1: Insufficient Flow Control Mechanisms. It means that a lack of safeguards in CI/CD allows attackers with permission to push malicious code without review. The threat that we can extract is “An attacker with access to the pipeline could push malicious code without review.” Mitigations could include checking code commits and code review approvals that govern whether a commit can enter the pipeline process.

The second group, or integrating a malicious package into an application, requires a taxonomy of threats based on the various software supply chain attacks. Here are a few examples that developers can consider when threat modeling a specific feature:

• Dependency Confusion Attacks: An attacker publishes malicious packages with names similar to legitimate ones in public repositories, hoping organizations mistakenly use them.

  • Mitigation: Use an organization-wide proxy for third-party packages and control which packages are contained within the proxy.

• Compromised Software Updates: An attacker compromises the update mechanism of legitimate software to distribute malicious versions.

  • Mitigation: Ensure that your update mechanism correctly signs and validates all software in the installation process.

• Malicious Libraries or SDKs: An attacker introduces malicious code into libraries or SDKs, which developers then use in their applications.

  • Mitigation: Have a vetted set of components that developers can use, served up by the proxy. Have a standard defining the components' characteristics that developers can download (if you don’t have a proxy).

• Third-party Vendor Compromises: An attacker targets third-party vendors or service providers to gain access to the primary organization's software supply chain.

  • Mitigation: Have a robust third-party vendor security process, policy, and team; partner with your vendors to increase their security posture.

Threat model your software supply chain. Integrate this guidance into your secure development lifecycle. Have developers threat model their connection to the software supply chain as they threat model the features they build.

[This feature is based on a Webinar I did with my friends at Reversing Labs this past week on threat modeling and supply chain. Check it out via the Reversing Labs site to listen.]

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Hasan Yasar -- Actionable SBOM via DevSecOps

    • Audio only; Youtube

      • Hasan Yasar discusses the concept of "actionable SBOM" (Software Bill of Materials), emphasizing the importance of integrating it into infrastructure as code, real-time monitoring, and its role in ensuring software security, especially in fast-paced development environments.

• Security Table

  • The Future Role of Security and Shifting Off the Table

    • Audio only; Youtube

      • We explore the future of application security, discussing the possibility of integrating security directly into development, thereby eliminating the need for separate security teams. We critically examine the "shift left" movement in application security, emphasizing the importance of starting security considerations from the project's inception.

• Threat Modeling Podcast

  • A new episode, "Privacy and Threat Modeling in Practice”, is coming soon.

Where to find Chris? 🌎

• Oct 20 — Triangle InfoSecCon, Raleigh, NC

  • The Application Security State of the Union

• Oct 24-26 — ISC2 Security Congress, Nashville, TN

  • Oct 25, 10:25 AM, Zero Trust Threat Modeling

  • Oct 25, 3:05 PM, The State of Application Security

• Oct 29 — ThreatModCon, Washington, DC

  • Conference Chairman, opening and closing speaker

• Oct 30-31 — Global OWASP, Washington DC

  • Oct 30-31, Devici booth on the expo floor

  • Oct 31, 2:15 PM, Zero Trust Threat Modeling

• Nov 8 — ISC2 Secure Software Webinar

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.