Reasonable AppSec #26 - Five Security Articles, Loosening Guides Are A BAD Idea, and Podcast Corner
A review of application security happenings and industry news from Chris Romeo.
Hey there,
In this week's issue of Reasonable Application Security:
Five security articles that are worth YOUR time
Featured focus: Loosening Guides Are A BAD Idea
Application Security Podcast Corner
Where to find Chris?
Five Security Articles that Are Worth YOUR Time
Who's Afraid of Product's Liability in Cybersecurity and the Defect Model:
Explore the application of product liability law to cybersecurity, discussing how it can hold manufacturers accountable for product security defects. It delves into this approach's challenges and potential benefits, comprehensively analyzing the legal landscape and its implications for cybersecurity.
Scaling BeyondCorp with AI-Assisted Security:
Google Security discusses integrating AI-assisted security in scaling BeyondCorp's enterprise security model. It highlights how machine learning helps make access decisions, improve security, and ensure a seamless user experience.
Open Source Security: How Digital Infrastructure is Built on a House of Cards:
We have concerns about the security of open-source software. The digital infrastructure is a precarious house of cards. We need more accountability and investment in open-source projects to strengthen cybersecurity.
Why the Open Core / GPL Dual Licensing Model Works:
Mark Curphey discusses the advantages of the Open Core/GPL Dual Licensing model in software development. He explains how this model works and why it benefits developers and businesses. This sheds light on the open-source business model.
Designing for Security: A Conversation with Lenovo's Nima Baiati:
Nima Baiati from Lenovo discusses the importance of incorporating security into the design phase of product development. Baiati shares insights on Lenovo's approach to security and the challenges of maintaining security in an ever-evolving technological landscape.
Featured focus: Loosening Guides Are A BAD Idea
CISA has drawn attention to this idea of a loosening guide via their Secure by Design / Secure by Default guide, signed by many other nations worldwide.
Here is a direct quote from the guide:
"Rather than developing hardening guides that list methods for securing products, the authoring organizations recommend software manufacturers shift to a secure by default approach and provide 'loosening guides.' These guides explain the business risk of decisions in plain, understandable language, and can raise organizational awareness of risks to malicious cyber intrusions. Security tradeoffs should be determined by the customers' senior executives, balancing security with other business requirements."
The challenge with this concept is that teams will provide loosening guides that allow customers to back out of the secure decisions made and implemented for a product by default. A loosening guide becomes a vehicle for taking a product from a secure state and placing it into an insecure state. I get that the Customer is always right and all that jazz, but as a lifelong security practitioner, I cannot get on board with loosening the security stance of a product. We have finally reached the point where we are giving attention to a secure by default stance. Why does a Customer need a backup plan? Let's build secure by design/default and leave it at that.
You may argue that according to the quote from CISA, the Loosening Guide is an educational document that explains the design decisions to lock the product down by default. If that is genuinely what the document is for, let's change the name of it to the "Security Architecture Guide." But that is not what they called it, so I doubt that is the true intention of the Loosening Guide.
Please don't write a loosening guide for your product or application. A loosening guide is not in the Customer's or your product's best interest. Instead of moving us backward, let's all continue to move forward in securing by design/default.
Podcast Corner
I love making podcasts. In Podcast Corner, you get a single place to see what I've put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.
Tanya Janca -- What Secure Coding Really Means (Audio only; YouTube)
Tanya Janca, also known as SheHacksPurple, shares her wealth of knowledge on secure coding, threat modeling, and the importance of a secure SDLC, emphasizing proactive security measures and a mindset of distrust and verification in coding while sharing personal threat modeling experiences.
NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations (Audio only; YouTube)
The Table Team critically analyzes the "NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations" document, discussing the nuances of system configurations, the risks of default settings, network segmentation challenges, and the importance of distinguishing between configuration problems and design flaws, all while emphasizing the need for continuous learning in the ever-evolving field of cybersecurity.
A new episode, "Privacy and Threat Modeling in Practice," is coming soon.
Where to find Chris?
Oct 29 - ThreatModCon, Washington, DC
Conference Chairman, opening and closing speaker
Oct 30-31 - Global OWASP, Washington DC
Oct 30-31, Devici booth on the expo floor
Oct 31, 2:15 PM, Zero Trust Threat Modeling
Nov 8 - ISC2 Secure Software Webinar
Have questions, comments, or feedback? I'd love to hear from you!
Reasonable AppSec is brought to you by Kerr Ventures.
Want to partner with Reasonable AppSec? Reach out, and let's chat.