Reasonable 🔐AppSec #30 - Five Security Articles, Being Thankful in AppSec, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue of Reasonable Application Security:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Being Thankful in AppSec

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Thanksgiving Threat Model

    • Happy Thanksgiving, all! To help you ensure your celebration goes without a hitch, here's a threat model that Gunnar Peterson originally developed and Sounil Yu fixed up.

  2. 27 Malicious PyPI Packages with Thousands of Downloads Found Targeting IT Experts

    • An unknown threat actor published 27 malicious packages on the Python Package Index (PyPI), mimicking popular Python libraries downloaded thousands of times. These packages, including pyefflorer and pywool, were designed to steal sensitive data and access cryptocurrency wallets, using steganography to hide malware within image files. Why is this still a problem? Why can’t we find a solution that solves this issue? For all the software supply chain startups I see floating around, I would think somebody would try to solve this problem with package signing and a trusted repository that could provide a lookup based on package name.

  3. Two years later: a baseline that drives up security for the industry

    • Google discusses improvements to the Minimum Viable Secure Product (MVSP) controls, highlighting how its adoption has enhanced security processes. Despite nearly half of third parties failing to meet multiple MVSP controls, Google's implementation has resulted in faster procurement processes and better data-driven decision-making, reinforcing its importance in product security across the industry.

  4. Exploited Vulnerabilities Can Take Months to Make KEV List

    • The Known Exploited Vulnerabilities (KEV) catalog, a crucial resource for information on software flaws, often experiences delays in updates. Instances like a vulnerability in Adobe's Acrobat and Reader applications demonstrate that while the KEV list is valuable, companies must rely on other threat intelligence sources due to these delays.

  5. Zero trust and threat modeling: Is it time for AppSec to get on board?

    • The article discusses the growing importance of zero-trust architecture in application security (AppSec). It highlights how traditional trust boundaries are becoming obsolete, necessitating a new approach to threat modeling. The adoption of zero trust in AppSec is critical, but it introduces new challenges, such as the need for a deeper understanding of protected systems and the complexity of implementing granular access controls and continuous monitoring.
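A small illustration of the "lookup based on package name" idea raised under article 2, added here as an example and not code from the newsletter or from any of the linked articles: it audits a requirements file against a constructed allowlist of trusted package names and flags names that are near-misses of a trusted name (the typosquat pattern). The allowlist, the `pilow` misspelling and the 0.8 similarity cutoff are assumptions for the example; `pywool` and `pyefflorer` are the names reported in the article.

```python
import difflib

# Constructed allowlist standing in for the trusted repository the
# newsletter proposes (not a real registry; example only).
TRUSTED_PACKAGES = {"requests", "urllib3", "colorama", "pillow", "numpy"}


def classify_requirement(name, trusted=TRUSTED_PACKAGES, cutoff=0.8):
    """Return (status, closest_trusted_name) for one requested package.

    status is one of:
      "trusted"   - exact match in the allowlist
      "lookalike" - not trusted, but close to a trusted name (typosquat risk)
      "unknown"   - not trusted and not close to anything trusted
    Names are normalised in a simplified PEP 503 style: lowercase,
    with '_' and '.' folded to '-'.
    """
    norm = name.strip().lower().replace("_", "-").replace(".", "-")
    if norm in trusted:
        return "trusted", norm
    near = difflib.get_close_matches(norm, sorted(trusted), n=1, cutoff=cutoff)
    if near:
        return "lookalike", near[0]
    return "unknown", None


def audit_requirements(text, trusted=TRUSTED_PACKAGES):
    """Audit a requirements.txt body; returns {package: (status, closest)}."""
    report = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # keep only the project name: strip version specifiers and extras
        name = line.split("==")[0].split(">=")[0].split("[")[0].strip()
        report[name] = classify_requirement(name, trusted)
    return report


# Constructed sample input: "pywool" and "pyefflorer" are the names from the
# article; "pilow" is a constructed misspelling of "pillow" for illustration.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
pywool
pyefflorer
pilow>=9.0  # constructed typo
"""

if __name__ == "__main__":
    for pkg, (status, closest) in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg:12} {status:10} {closest or ''}")
```

A "lookalike" hit is the case worth a human review before install; an "unknown" name is simply absent from the allowlist and says nothing about whether the package is benign.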

Featured focus: Being Thankful in AppSec

On this week’s recording of the Security Table, we posed the question of what we were thankful for in the world of AppSec. It’s a great question, and it challenges me to focus on the positive versus poking fun at the broken pieces.

I am thankful, first and foremost, for the community within which I’ve had the opportunity to be accepted. It started with the Threat Modeling Manifesto and blossomed into close relationships amongst a group of passionate threat modeling people. Being a part of this community means that conferences are different now. Conferences are a chance to catch up with friends, challenge each other, and celebrate application security. These relationships also open up other doors, as I spoke at a friend’s Ethics in Computing class this past week. I’m thankful for the community.

I’m also thankful for the people who challenge me in our industry. I love to verbally spar via discussion on many topics. I do this to challenge myself to think differently about topics. I do this to get input from other people that can influence my thinking. This feels like a connection to the first idea of community. I’m thankful for folks who challenge my thinking and help me get better.

What are you thankful for? Ponder this when you have some downtime. Our industry trends negatively as we focus on all the broken things. Spend some moments focusing on the positive, and consider what you are thankful for in our industry. And let me know. I’d love to hear the positive from your perspective.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Katharina Koerner -- Security as Responsible AI (Audio only; YouTube)

      • Dr. Katharina Koerner discusses the complexities of responsible AI, including its ethical implications, intersection with security, and the importance of AI risk management. The conversation covers the roles of AI security engineers, AI in education, and international AI governance, providing valuable insights for tech professionals, policymakers, and individuals.

  • Security Table

    • CVSS 4.0 Unleashed with Patrick Garrity (Audio only; YouTube)

      • Patrick Garrity joins to unpack CVSS 4.0, its impact on your program, and whether or not it will change the game, the rules of how the game is played, or maybe the entire game.

  • Threat Modeling Podcast

    • A new episode, “Privacy and Threat Modeling in Practice,” is coming soon.

Where to find Chris? 🌎

  • The rest of 2023 — relaxing in Raleigh, NC, building new features supporting the Devici beta, and preparing for a busy 2024.

  • BSides SF, May 4-5, 2024

  • RSA, San Francisco, May 6-9, 2024

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.