Reasonable 🔐AppSec #34 - Five Security Articles, Threat Modeling Capabilities Project, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

Welcome to the first Reasonable Application Security newsletter of this new year.

In this week’s issue, please enjoy:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Threat Modeling Capabilities Project

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Gen AI can supercharge your AppSec program — Explores the potential of generative AI (Gen AI) to enhance Application Security (AppSec) programs. The article focuses on automating natural-language tasks such as threat modeling and writing security standards, and discusses using Gen AI to streamline vendor risk management and cyber risk assessments, while emphasizing the need for accuracy and human oversight in any AI implementation.

  2. Secure by Design Alert from CISA - How Manufacturers Can Protect Customers by Eliminating Default Passwords — a short two-pager from CISA on attacking this issue.

  3. Building Zero Trust Today, Not In Five Years — Kane Narraway emphasizes the need for a pragmatic, incremental approach to implementing zero trust architectures in organizations. He critiques the tendency for excessive planning and advocates for starting with manageable projects, highlighting the benefits of rapid deployment and adaptability to changes in the industry. These are best practices for project management, but sometimes, we need to state the obvious.

  4. How to Find More Vulnerabilities — Source Code Auditing Explained — Explores a methodology for breaking down complex web applications into manageable components for white box penetration testing. It describes different approaches, including bottom-up (starting from dangerous sinks and working back toward input) and top-down (starting from entry points and following the data forward), for analyzing web applications to identify vulnerabilities, illustrating the process with examples of sources and sinks in code. This method, used in identifying CVE-2023-43154, demonstrates a systematic way to approach code review in large applications for security analysis.

  5. 5 Types of Reachability Analysis (and Which is Right for You) — Five types of reachability analysis in the context of application security and software development: which is the right one? I don’t usually choose vendor articles, but I found this one helpful and independent enough. I did not realize reachability analysis was this complicated. It differentiates between the types, including Function-Level Reachability, Package Baselining, and Internet Reachability, emphasizing their roles in identifying and prioritizing security risks in various scenarios.
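To make the bottom-up (sink-to-source) approach from article 4 concrete, here is a small flow-insensitive taint pass written for this issue; it is an added example, not code from that article, from CVE-2023-43154, or from any project. The sink list, source list, and the Flask-style snippet it scans are all constructed for the demo. It first finds every function whose parameter reaches a sink, then walks up to the callers to see whether a request-controlled value is what gets passed in.

```python
"""Added example: bottom-up source/sink tracing over a constructed Python
snippet with the standard-library ast module. Not from the cited article."""
import ast

# Constructed sample (not real project code): two routes feed attacker-
# controlled input into a shell sink, one route passes a constant.
SAMPLE = '''
import subprocess
from flask import request

def ping(host):
    subprocess.run("ping -c 1 " + host, shell=True)   # sink

def wrapper(x):
    cmd_host = x
    ping(cmd_host)

def handler():
    target = request.args.get("host")                 # source
    ping(target)

def admin():
    h = request.form.get("h")                         # source
    wrapper(h)

def safe_handler():
    name = "localhost"
    ping(name)
'''

# Assumed sink/source names chosen for this demo; a real audit builds these
# lists from the framework and libraries the target actually uses.
SINKS = {"os.system", "subprocess.run", "eval"}
SOURCES = {"request.args.get", "request.form.get", "input"}


def qualname(node):
    """Dotted name of a call target, e.g. 'subprocess.run', or None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def names_in(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def calls_in(node):
    return [c for c in ast.walk(node) if isinstance(c, ast.Call)]


def is_source(node):
    return isinstance(node, ast.Call) and qualname(node.func) in SOURCES


def params_of(func):
    return [a.arg for a in func.args.args]


def tainted_names(func, seed):
    """Names in func that carry taint, starting from `seed` (a parameter set)
    plus any variable assigned from a source call. Flow-insensitive: every
    assignment is considered regardless of branch or order, to a fixpoint."""
    tainted = set(seed)
    changed = True
    while changed:
        changed = False
        for stmt in ast.walk(func):
            if not isinstance(stmt, ast.Assign):
                continue
            if any(is_source(n) for n in ast.walk(stmt.value)) or names_in(stmt.value) & tainted:
                new = set().union(*(names_in(t) for t in stmt.targets))
                if not new <= tainted:
                    tainted |= new
                    changed = True
    return tainted


def sinks_hit(func, tainted):
    """Sink calls in func whose arguments mention a tainted name."""
    return [qualname(c.func) for c in calls_in(func)
            if qualname(c.func) in SINKS and any(names_in(a) & tainted for a in c.args)]


def trace_callers(funcs, name, param, chain, findings, seen):
    """Bottom-up step: for each call of `name`, is the argument bound to `param`
    tainted in the caller? If by a source, record a path; if by one of the
    caller's own parameters, keep walking up."""
    idx = params_of(funcs[name]).index(param)
    for caller_name, caller in funcs.items():
        for c in calls_in(caller):
            if qualname(c.func) != name or idx >= len(c.args):
                continue
            arg_names = names_in(c.args[idx])
            if arg_names & tainted_names(caller, set()):
                findings.append(" -> ".join([caller_name] + chain))
            for p in params_of(caller):
                if (caller_name, p) not in seen and arg_names & tainted_names(caller, {p}):
                    trace_callers(funcs, caller_name, p, [caller_name] + chain,
                                  findings, seen | {(caller_name, p)})


def find_source_to_sink(code):
    """Return sorted 'caller -> ... -> sink' paths from a source to a sink."""
    funcs = {f.name: f for f in ast.parse(code).body if isinstance(f, ast.FunctionDef)}
    findings = []
    for name, func in funcs.items():
        for sink in sinks_hit(func, tainted_names(func, set())):   # same-function flow
            findings.append(f"{name} -> {sink}")
        for p in params_of(func):                                  # parameter reaches a sink
            for sink in sinks_hit(func, tainted_names(func, {p})):
                trace_callers(funcs, name, p, [name, sink], findings, {(name, p)})
    return sorted(set(findings))


if __name__ == "__main__":
    for path in find_source_to_sink(SAMPLE):
        print(path)
```

On the sample this reports the two request-to-shell paths (`handler -> ping -> subprocess.run` and `admin -> wrapper -> ping -> subprocess.run`) and stays silent on `safe_handler`, which passes a constant. The point of the bottom-up order is that `ping` is examined once, and only its callers are then worth a look; the trade-off is that a flow-insensitive pass like this ignores sanitizers and branches, so every path it prints still needs a human to confirm it.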

I am proud to announce that a group of my #ThreatModeling besties and I have released Threat Modeling Capabilities, the next chapter after the Threat Modeling Manifesto. Capabilities are measurable and practical, each with provable actions or objectives for your threat modeling program. The document provides a catalog of capabilities to help you cultivate value from your threat modeling practice.

You can assess your threat modeling program against these capabilities and use them as a roadmap for where you take threat modeling in the future. As threat modeling matures, you’ll need to consider your program against this state-of-the-art representation. You can take our word for what is state of the art: the team of fifteen people brought together hundreds of years of threat modeling experience, from academia, authors, teachers, trainers, and those who love threat modeling perhaps a bit too much.

You’ll find the document on the same site as the Threat Modeling Manifesto at https://www.threatmodelingmanifesto.org/capabilities/

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Eitan Worcel -- Is AI a Security Champion? (Audio only; YouTube)

      • Eitan Worcel joins to discuss the role of AI in application security, particularly in automated code fixes and addressing vulnerabilities like Cross-Site Scripting (XSS). We delve into the balance of AI's efficiency in automating tasks and the need for human oversight and validation. We compare AI's role in coding to household robots while highlighting potential pitfalls and the future of AI in AppSec.

  • Security Table

    • The Impact of Prompt Injection and HackAPrompt_AI in the Age of Security (Audio only; YouTube)

      • Sander Schulhoff from Learn Prompting dives into prompt injection, a technique that manipulates AI models like ChatGPT for undesired outcomes. He shares insights from the HackAPrompt competition, discusses AI's structural complexities, and emphasizes integrating traditional security practices with AI development to prevent misuse and ensure responsible usage, especially in critical decision-making scenarios.

  • Threat Modeling Podcast

    • A new episode, “Privacy and Threat Modeling in Practice,” is coming soon. I promise it is. I’m editing the script now. It will be out before the end of January.

Where to find Chris? 🌎

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.