Reasonable 🔐AppSec #3 - Does anyone need DAST?, Five Security Articles, Photo, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

Happy Friday! I’ve traveled through England and Scotland this past week, enjoying beautiful sights across these excellent countries.

In this week’s issue of Reasonable Application Security:

  • Does anyone need DAST? 🙋‍♂️

  • Photo of the week 📸

  • Five security articles 📰 that are worth YOUR time

  • Application Security Podcast 🎙️ Corner

Does anyone need DAST? 🙋‍♂️

We did an episode of the Security Table a few weeks ago addressing DAST. The premise was exploring reasonable application security. (Note, this is how I got to the name of this newsletter.) I brought this to the table because I don’t believe DAST is reasonable. I did not raise my hand to signal I think anyone needs DAST.

In case you don’t know, DAST is Dynamic Application Security Testing. A DAST tool scans a running instance of your application and attempts to detect vulnerabilities, from the OWASP Top Ten to problems specific to the deployed service, whether it is an API or a web server.

I’ve come to believe that DAST is not necessary for three reasons. First, DAST does not operate at the speed of DevOps. If DAST could scan the changes of a single Pull Request, I would be ready to believe in it. But the lack of a single change means that DAST does not run well in a pipeline. DAST requires tens of minutes to hours to thoroughly scan an application. It doesn’t run fast enough. Second, the results I’ve seen come out of it are limited in value. DAST is excellent at identifying missing headers or an open port, but the results I’ve seen pop out are limited. Third, and setting my context, when you deploy an application in a container with a limited container definition, a solid, mature web-based JavaScript framework running in a Kubernetes cluster within a cloud provider, there are not many findings that are even possible. By limiting the scope of the running application, I’ve already removed many of the possible things that a DAST could find.

Perhaps I’m using the wrong tool — perhaps I don’t know how to configure DAST properly. Perhaps, perhaps. I don’t see the value proposition.

My practitioner recommendation is SAST and SCA in the pipeline and RASP in the runtime engine. I’ve used this AppSec cocktail multiple times and have had excellent results with the combo. I add DAST only when the procurement/security teams twist my arm and say they won’t buy unless we have DAST.

Feel free to respond if I’m missing something, and let’s take the conversation to the public square and hash it out.

Photo of the week 📸

During a quick trip through London last week, I snapped a picture of the MIND THE GAP message embedded all around the tube and train stations. The message resonates with me as I think about what we are called to do as application security professionals. We mind the gap — we look for the openings within the products and applications our companies build, manage them, mitigate as many as we can, and track the rest. We mind the gap every day.

Another image in an extensive collection of “MIND THE GAP” artwork in my collection. NFTs are coming someday.

Five Security Articles 📰 that Are Worth YOUR Time

  • Are immutable laws of security immutable if you release a v2? Microsoft’s take on countering the myths of our industry. Here’s one of the laws: Not keeping up is falling behind. (more)

  • Jeff Williams continues the debate about shift left vs. shift smart. Is shift smart the same thing as shift everywhere, or shift left/right? (more)

  • Decoding the U.N. Cybercrime Treaty — not your standard AppSec fare, but this treaty has ramifications because it drifts away from cybercrime. (more)

  • Dana Epp covers the Security Researcher’s Guide to Reporting Vulnerabilities to Vendors, offering plenty of wisdom for interacting with vendors to avoid a beg bounty situation. (more)

  • The AI Attack Surface Map v1.0 is a resource for thinking about the various attack surfaces related to AI. Threat modeling people, this is a guide that will stretch your knowledge as we begin to think about threat modeling in an AI world. (more)

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes they are my podcasts. Other times they are podcasts that have caught my attention.

  • Application Security Podcast

    • Jeevan Singh -- The Future of Application Security Engineers

      • Jeevan emphasizes the evolving role of application security engineers, requiring skills in software development, application security, teaching, and vital soft skills like empathy and influence. He urges security engineers to broaden their skills, discusses the impact of AI tools, and advocates for a team-based approach to meet the growing security demands.

  • Security Table

    • Simple Product Security Requirements (YouTube)

      • We discuss the United Kingdom's new minimum security standards for all Internet-connected consumer products: banning universal default and easily guessable passwords, transparency about security updates, and vulnerability reporting.

  • Threat Modeling Podcast

    • The Four Question Framework with Adam Shostack

      • I love this episode so much that I left it here for one more week. 🚨

      • Adam Shostack, the creator of the four-question framework for threat modeling, discusses its significance, evolution, and practicality, emphasizing its role as a foundation for threat modeling rather than a methodology, and encourages retrospectives for continuous improvement.

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔄 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.