Reasonable 🔐AppSec #28 - Five Security Articles, Zero trust threat modeling, and Podcast Corner

Hey there,

In this week’s issue of Reasonable Application Security:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Zero trust threat modeling

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Increasing transparency in AI security: Google has introduced two new methods to enhance AI supply chain security and ensure the responsible creation and use of AI through its Secure AI Framework.

2. Datadog's 2023 Container Report shows organizations leveraging container technology for next-generation applications, developer productivity, and cost optimization, with findings based on over 2.4 billion containers. Insights include “Adoption of serverless containers continues to increase” and “Usage of GPU-based compute on containerized workloads has increased.” Stay in touch with the current state of containerization. They also drop a hint that Containerd is replacing Docker. Could this be the death of Docker?

3. OWASP Top 10 for LLM update bridges the gap between app sec and AI: The first update to the OWASP Top 10 for LLM Applications includes minor changes and a new data flow visualization to help identify potential risk areas in LLM applications. I shared a direct quote for the article: “The data flow provides a reference architecture to help readers understand how LLM systems are assembled. Without that context, it is more challenging to understand how the LLM Top 10 risks fit together." I’m a big fan of data flows!

4. Towards Modern Development of Cloud Applications: Sanjay Ghemawat's paper describes the concept of writing applications as logical monoliths, offloading the decisions of distributing and running applications to an automated runtime and deploying applications atomically. Could this be the next application architecture? AppSec, let’s get ahead of this one.

5. Announcing Microsoft Secure Future Initiative to advance security engineering: The part of this initiative that caught my attention is the transformation of software development through automation and AI, evolving the Security Development Lifecycle to a dynamic model that integrates continuous security measures throughout the coding, testing, deployment, and operation stages, using memory-safe languages and automated threat modeling.​ If Microsoft can deliver on 50% of these promises, they’ll reestablish dominance at the top of the security food chain.

Featured focus: Zero trust threat modeling

[This is the first few paragraphs of my latest research on the fusion of Zero Trust and Threat Modeling, based on a conference talk I’ve delivered a few times over the past year.]

Zero trust is all the rage. Zero trust has undoubtedly gathered the attention of companies of all sizes and National Governments. CISA and NIST have written extensively, including NIST's 800-207 Zero Trust Architecture and CISA's Zero Trust Maturity Model.

While these are excellent resources that set the stage for all you think you need to know about Zero Trust, neither covers an approach for discovering the depth of security and privacy challenges that Zero Trust unleashes. The maturity model categorizes the things to be done without expressing the more significant security and privacy issues requiring consideration. Neither of those documents set out to answer the question posed. So, where do we explore the depth of Zero Trust Threats?

Nevertheless, zero trust has vast implications for application security and threat modeling. Zero trust threat modeling means the death of the trust boundary. Zero trust security models assume attackers are in the environment, and data sources and flows can no longer be hidden. This uncovers threats never dreamed of in classic threat modeling.

In this rant, we'll consider how to lay a foundation of zero trust against the lens of application security. We'll explore what Zero Trust architecture means as it reaches the top of the technology stack.

To read the rest, you’ll find the full post on the Devici blog.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Chris John Riley -- MVSP: Minimum Viable Secure Product (Audio only; YouTube)

    • Chris John Riley discusses the Minimum Viable Secure Product (MVSP), a streamlined security checklist for B2B software developed with inputs from tech giants, aimed at helping startups meet large enterprise security standards and evolve with the cybersecurity landscape.

• Security Table

  • An SBOM Fable (Audio only; YouTube)

    • Chris, Matt, and Izar engage in an animated discussion on the critical elements of SBOMs and VEX documents, offering a blend of sharp analysis and humor as they navigate the intricacies of a famed technology council’s thoughts on the essentials of SBOM.

• Threat Modeling Podcast

  • A new episode, "Privacy and Threat Modeling in Practice,” is coming soon.

Where to find Chris? 🌎

• The rest of 2023 — relaxing in Raleigh, NC, building new features supporting the Devici beta, and preparing for a busy 2024.

• BSides SF, May 4-5, 2024

• RSA, San Francisco, May 6 - 9, 2024

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.