
Reasonable 🔐AppSec #33 - Signing Off '23 with a Bang: Five Security Articles, AppSec New Year's Resolutions, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue of Reasonable Application Security:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: AppSec New Year’s Resolutions

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Note this is the last Reasonable AppSec for 2023. We’ll take a two-week break for the holidays in the US.

Five Security Articles 📰 that Are Worth YOUR Time

  1. Five Eyes Agencies Publish Guidance on Eliminating Memory Safety Bugs — New guidance published by government agencies from the Five Eyes countries (US, UK, Canada, Australia, and New Zealand) for software makers on eliminating memory safety vulnerabilities. The guidance emphasizes adopting memory-safe programming languages to reduce common coding errors exploited in malicious attacks. It also covers creating memory-safe roadmaps, training for developers, and various mitigation methods to enhance software security and reliability.

  2. Your Untested GraphQL API is a Ticking Time Bomb — Do you grasp the security risks of untested GraphQL APIs? Learn about GraphQL's rapid adoption, which has outpaced security measures and led to vulnerabilities. Use penetration testing and secure development training to address these risks and protect against authorization bypasses, business logic flaws, and other unique security challenges inherent in GraphQL APIs.

  3. OpenSSF Releases Top 10 Secure Software Development Guiding Principles — The OpenSSF has released version 1.0 of the Secure Software Development Guiding Principles. These ten principles provide foundational practices for enhancing software security and transparency in the supply chain. They include employing industry-accepted secure development methods, learning secure design principles, addressing vulnerabilities, and prioritizing secure supply chains. The principles aim to ensure that the software developed is secure by default and encourage collaborative industry and regulatory initiatives to secure software supply chains.

  4. CISA, NCSC Offer a Road Map, Not Rules, in New Secure AI Guidelines — New guidelines for Secure AI System Development have been released by the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre. These guidelines, endorsed by various cybersecurity organizations, focus on embedding security into AI systems from the outset. Unlike the EU's AI Act, these are non-regulatory recommendations. The guidelines cover secure design, development, deployment, and post-deployment operations of AI technologies. While only advisory, they aim to encourage software suppliers and vendors to incorporate secure-by-design principles, balancing the need for security with innovation and agility in AI development.

  5. LLM AI Security & Governance Checklist — The "LLM AI Security & Governance Checklist" PDF is a comprehensive guide that outlines the challenges and best practices for securing and governing Large Language Models (LLMs). It provides a structured approach for organizations to identify and mitigate risks associated with LLMs, including adversarial risks, legal and regulatory compliance, and practical strategies for deployment and governance. The checklist is designed to assist technology and business leaders in developing and integrating robust LLM strategies with existing cybersecurity and governance frameworks.

Featured Focus: AppSec New Year’s Resolutions

A New Year's resolution is a tradition in which a person resolves to change an undesired trait or behavior, accomplish a personal goal, or otherwise improve their life at the start of the new year. An AppSec New Year’s resolution is also a tradition but captures change, goals, or improvements for an entire industry. I know I was just as surprised 🤷‍♂️ as you are that I get to set the industry New Year’s resolutions, but we must play the cards we are dealt.

Resolution #1: Stop showing so much love to the SBOM. SBOMs are not the answer to every problem in security. I’m glad that the year of SBOM, 2023, is coming to a close.

Resolution #2: Teach secure coding at the University level! Secure coding education at the corporate level is an excellent programmatic approach and levels everyone’s security knowledge. However, it’s time for the University system to answer the bell and teach secure coding for the languages they teach in Computer Science. Provide the students with an application security foundation when they graduate.

Resolution #3: Cancel your DAST subscriptions. I’ve talked about this one all year. DAST doesn’t provide the ROI it once did in an Enterprise Java Bean world with Servlets. Cancel it.

Resolution #4: Think outside the AppSec box. Stop doing things because this is what we’ve always done. Stop adding tools to your program because “these are the tools a serious AppSec program has.” Think for yourself; understand the risk and threat a given tool and technology provides, factor against the ROI vs. cost, and then build a program that makes sense for your organization.

What are your AppSec Resolutions for 2024? Find my post on LinkedIn and add your resolutions to the list. Remember, these are resolutions, not predictions.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Björn Kimminich -- OWASP Juice Shop (Audio only; YouTube)

      • Björn Kimminich explores the OWASP Juice Shop project, focusing on its latest features, including coding challenges and integrating Web3 and smart contracts. The project has continuously evolved, such as adding a cheating detection mechanism and 'shenanigan' challenges, emphasizing the Juice Shop's role in advancing cybersecurity skills.

  • Security Table (we took a break this past week, but here is an oldie but goodie)

    • The Future Role of Security and Shifting off the Table (Audio only; YouTube)

      • We delve into the future of application security, debating Chris's theory that security will be absorbed into development, thus eliminating separate teams. We discuss the friction between security and engineering teams, the impact of security incidents on brand reputation, and the potential effects of upcoming U.S. privacy legislation. The conversation then shifts to the "shift left" movement in application security, questioning its ambiguity and misuse.

  • Threat Modeling Podcast

    • A new episode, “Privacy and Threat Modeling in Practice,” is coming soon. I promise it is. I’m planning to get back to the Threat Modeling Podcast in December.

Where to find Chris? 🌎

  • The rest of 2023 — relaxing in Raleigh, NC, building new features supporting the Devici beta, and preparing for a busy 2024.

  • North Carolina Cybersecurity Symposium, February 22-23, 2024

  • BSides SF, May 4-5, 2024

  • RSA, San Francisco, May 6-9, 2024

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.