Reasonable 🔐AppSec #29 - Five Security Articles, Fun with vendor speak, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue of Reasonable Application Security:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Fun with vendor speak

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  • "Understanding OWASP’s Bill of Material Maturity Model: Not all SBOMs are created equal"

    • The article discusses the increasing importance of detailed and mature Bills of Materials (BOMs), especially Software Bills of Materials (SBOMs), in counteracting software supply chain attacks. OWASP's BOM Maturity Model aims to provide a structured approach for evaluating BOMs, including a range of capabilities like formal taxonomy, unique identifiers, and various complexity levels to support different data types​​. Since I often am pessimistic about SBOM, giving the other side of the argument/debate some air time was vital.

  • "The Cybersecurity Revolutions"

    • Explore the concept of 'cybersecurity estates' as major sectors in the cybersecurity industry, each supporting at least one significant market player. The current cybersecurity estates identified are Infrastructure Security, Security Operations, Identity Security, and Application Security, with some companies like Palo Alto Networks and Cloudflare spanning multiple estates​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​.

  • "My mental model for building and using LLM-based applications"

    • This blog post provides a conceptual framework for understanding and utilizing LLMs in application development, likening LLMs to well-informed Harvard graduates with extensive online knowledge but limited real-world experience. It highlights the importance of providing context to LLMs, especially in coding applications. It discusses Sourcegraph's approach of integrating full codebase access and advanced code search engines to enhance LLM effectiveness​​​.

  • "8 CI/CD security best practices: Protect your software pipeline"

    • This article outlines eight best practices for securing CI/CD pipelines, emphasizing the need for solid access controls, security monitoring, and embedding security as code within the development process. Key points include implementing strict access control, incorporating security monitoring and telemetry, using security gates and secure code signing, storing software artifacts effectively, and conducting thorough threat modeling of the pipeline.​​​​​​​

  • "The architecture of today's LLM applications"

    • The article provides insights into building applications using Large Language Models (LLMs), covering five significant steps: focusing on a problem, choosing the right LLM, customizing the LLM, setting up the app’s architecture, and conducting online evaluations. It emphasizes the need to understand LLMs' capabilities and limitations, such as their probabilistic outputs. It discusses the importance of enriching user input, optimizing prompts, and using tools like caches and content classifiers for efficient LLM applications​​​​​​​​​​​​​​​​​​​​.

Featured focus: Fun with vendor speak

As I continued my crusade to poke fun at our industry, I decided to land on a few specific marketing slogans I’ve seen floating around. We have a void in our industry that marketing is creating in that they are not adequately representing the advantages of their solutions in a way that makes sense to customers. They have gone off the deep end. Let’s review some slogans I’ve seen on LinkedIn or company websites and unpack what they mean.

Note that no companies shall be listed by name. Anonymity until you google for yourself.

  1. “$Tool empowers developers, DevOps, and security teams with a suite of technologies to pinpoint application vulnerabilities for quick remediation in every phase of the software development lifecycle.”

    • Excellent, this is a tool for everybody to use.

    • It takes a suite of technologies, translating to “many.” They likely don’t properly talk to each other, so your developers, DevOps, and security teams must consolidate and prioritize results separately.

    • “Pinpoint for quick remediation” — they will find the 10K problems they think exist in your application, but you have to fix them yourself.

    • Summary: We have a group of tools you can buy to generate a pile of findings you’ll be lucky to get 5% of fixed.

  2. “MAKE SHIFT HAPPEN — Shift Everywhere With the Leading Cloud-Native AppSec Platform”

    • Ah, now we are cooking. We are going to “Make Shift Happen”. Let’s use an expression that began life with a cuss word in the middle of it to make shift edgy because we all know that in AppSec, it is edgy that sells.

    • Not only will we shift left, right, up, and down, but we will also shift everywhere. Everywhere includes nowhere, so now we’re shifting to nowhere. Great.

    • To top it off, they are the leading cloud-native AppSec platform. Leading according to whom? JD Power & Associates? Somebody else? I doubt they are leading much of anything besides marketing sessions to generate slogans that don’t make sense.

  3. “Shift left with AI-Powered AppSec”

    1. Everyone knows my penchant for shifting left at this stage, so this one is off to a great start by focusing on the shifting.

    2. They have AI-Powered AppSec. What the heck does that even mean? Do they have specially trained LLMs that will fix all of my vulns? Nope. Because that isn’t a thing yet.

    3. As more companies ride the hype train of AI, we must stop and ask ourselves what this means. If someone is AI-powered, are they better than another technology with low false positives and high fidelity of results? Don’t ride the hype train to AI-ville just yet in AppSec.

This continued journey into where we are as an AppSec industry has caused me to create my phrase; “Don’t shift left; push AppSec forward.” We must continue to assess our industry and push for further innovation that gets us past the status quo. We have spent too much time doing what everyone else does because that feels like what we should do. Stop following the herd and build something new and innovative, AppSec industry.

Remember, with an infinite number of monkeys typing on AppSec typewriters, they’ll all end up with “Shift Left” in their slogan.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Ray Espinoza -- The AppSec CISO, Vendor Relationships, and Mentoring (Audio only; YouTube)

      • Ray Espinoza provides valuable insights for security professionals and business leaders, covering topics from CISO strategies to data-driven security and risk management. The episode is also rich in advice on career development, leadership, and mentorship, making it a crucial listen for those aiming to deepen their understanding of strategic security management and enhance their leadership skills in the rapidly evolving business landscape.

  • Security Table

    • An SBOM Lifecycle (Audio only; YouTube)

      • Aditi Sharma joins around the Security Table to discuss the Software Bill of Materials (SBOMs). The team discusses the potential advantages and challenges of SBOMs in different contexts, such as SaaS solutions, physical products, and internal procedures. The episode also explores the importance of knowing what software components a company consumes and the significance of SBOM for vulnerability management and risk posture. The team concludes by stressing that while SBOM has great potential value, the value realization is still a work in progress.

  • Threat Modeling Podcast

    • A new episode, "Privacy and Threat Modeling in Practice,” is coming soon.

Where to find Chris? 🌎

  • The rest of 2023 — relaxing in Raleigh, NC, building new features supporting the Devici beta, and preparing for a busy 2024.

  • BSides SF, May 4-5, 2024

  • RSA, San Francisco, May 6 - 9, 2024

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.