Reasonable 🔐AppSec #35 - Five Security Articles, Coding is a Super Power, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

Would you do us a favor this week: forward this newsletter to a friend and encourage them to subscribe? We’re trying to grow our subscriber base to enlighten everyone with AppSec news with a side of snark.

In this week’s issue, please enjoy:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Coding is a Super Power

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Prompt Injection Should Not Be A Security Issue — My friend Izar wrote this article after a Security Table episode arguing that prompt injection is not a security problem. Scandalous, yes, but worth a closer look, 100%.

  2. npm in Review: A 2023 Retrospective on Growth, Security, and Quirky Facts — The 2023 npm retrospective covers npm's significant growth and its security challenges over the past year. It highlights the exponential increase in package releases, surpassing 2.5 million live packages with immense download counts, while also dealing with notable security issues, including malware and spam campaigns. The article also delves into quirky facts about npm, like the package with the longest name and the largest package sizes.

  3. SSH protects the world’s most sensitive networks. It just got a lot weaker — I don’t usually cover the latest attack, but once in a while, I want to challenge us to dive into the details of one and understand it; in this case, a cryptographic failure in a prominent protocol, SSH. Put your IR hat on briefly and understand the flaw and the fix.

  4. ISO/IEC 5338: Get to know the global standard on AI systems — Explore the importance and content of the ISO/IEC 5338 standard, a global standard for AI systems. It emphasizes the standard's role in guiding organizations in developing and managing AI solutions, covering aspects such as risk management, quality assurance, and AI-specific lifecycle processes.

  5. Redefining Security in DevSecOps — The article traces the evolution of threat modeling within DevSecOps and argues that it must be integrated into the agile, iterative DevSecOps process, advocating a proactive security culture and continuous adaptation to emerging threats throughout the lifecycle of an application.

Featured Focus: Coding is a Super Power

Coding is a superpower for the security professional. It may seem trite, and you may read this and disagree.

I don't have any data -- only circumstantial evidence (which will not hold up in court). Based on my unscientific analysis of the security industry over the past few decades, I hypothesize that only 5% of security professionals can code proficiently (i.e., create a PR for a production app and receive approval on the quality of the change/code). From there, I hypothesize that another 10% can read code proficiently. I'm not limiting this to AppSec, but thinking about cybersecurity holistically.

Let me build an argument for the benefits of learning how to code for the security professional:

  • Coding and data structure knowledge make you a better threat modeler. Threat modeling is analyzing a design in search of security and privacy challenges. When you understand the components and how they fit together, you see threats that were hidden from you before.

  • It is easier to break something when you understand how it was built. Everyone wants to hack the planet. Ask any college student studying cybersecurity what their life goal is. Here is a simple tip: if you understand how something works, you have, shockingly or not, a much better idea of how to break it.

  • The world is built on software. Coding enables you to understand how and why the world as we know it keeps operating on top of all this running software. Software isn’t going away, so think of coding as a prerequisite to anything new or fantastic that is emerging.

  • Learning to code when you don’t know how expands your mind and continues your journey as a lifelong learner. Keep moving and growing — it is a superpower on its own.

  • You could create an app using your new super-excellent coding skills or invent a product using a new four-letter acronym and create your own Gartner magic quadrant. Okay, I’m being silly, but I get at least one, right?

I took a different approach with an article called “Why cybersecurity pros need to learn how to code,” where I explained the value proposition for specific cybersecurity roles, from AppSec to Pen Test to Auditor to the CISO.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Jay Bobo & Darylynn Ross -- App Sec Is Dead. Product Security Is the Future. (Audio only; YouTube)

      • Jay Bobo and Darylynn Ross from CoverMyMeds join us to explain their assertion that 'AppSec is Dead.' They discuss the differences between product and application security, emphasizing the importance of proper security practices and effective communication with senior leaders, engineers, and other stakeholders.

      • Jay proposes that product security requires a holistic approach and cautions against the current state of penetration testing in web applications.

      • Darylynn encourages AppSec engineers to broaden their scope beyond individual applications to product security.

      • With enlightening insights and practical advice, this episode thoughtfully challenges AppSec professionals with new application and product security ideas.

  • Security Table

    • Open Source Puppies and Beer (Audio only; YouTube)

      • We address the complexities of open-source component usage, vulnerability patches, civic responsibility, and licensing issues sparked by a post from Bob Lord, Senior Technical Advisor at CISA.

      • We discuss whether software companies have a civic duty to distribute fixes for vulnerabilities they discover in open-source components.

      • We also examine if a threat model is needed for every third-party component and consider the implications of specific licenses for security patches.

  • Threat Modeling Podcast

    • A new episode, “Privacy Threat Modeling,” drops next week!

Where to find Chris? 🌎

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.