Reasonable 🔐AppSec #36 - Five Security Articles, Why Don’t They UPDATE the components, and Podcast Corner

Hey there,

Week two of our subscription drive! Please forward this newsletter to a friend and encourage them to subscribe. We’re trying to grow our subscriber base to enlighten everyone with AppSec news with a side of snark.

In this week’s issue, please enjoy:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Coding is a Super Power

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Attack Trees for Robust and Secure Design - I need more time learning and gaining experience with attack trees. Perhaps you do, too? Explore using attack trees in threat modeling to proactively mitigate potential cybersecurity threats through a graphical representation that breaks down primary malicious activities into sub-goals and strategies used by adversaries. It differentiates attack trees from broader threat modeling practices by focusing on specific attack scenarios and their hierarchical components, offering insights into vulnerabilities and aiding in developing targeted defenses.

2. A trail of flipping bits - What about vulnerabilities of trusted execution environments (TEEs), such as secure enclaves, when facing the Forbidden attack on AES-GCM, particularly in manipulating encrypted private key shards to recover private keys iteratively? Yes, it’s hardware, but we must understand hardware security protections as software people. It highlights the complexities and challenges in safeguarding cryptographic operations within TEEs against sophisticated attack methods, underscoring the importance of correct cryptographic deployment and vigilant security practices.

3. Cybersecurity Isn’t Special - Kelly Shortridge's blog post argues that cybersecurity is often mistakenly viewed as a uniquely complex and special field. This perspective leads to overly constrictive practices and misunderstandings about the challenges it shares with other software development and infrastructure areas. She advocates for a more integrated and cooperative approach to cybersecurity, suggesting it should not be siloed but rather treated as part of a broader effort towards improving software resilience and system reliability, fostering a more effective and empathetic response to security challenges. Face it; we aren’t unique. Even though our moms told us we were.

4. The AI trust crisis — Simon Willison's blog post discusses the AI trust crisis, mainly focusing on the public's skepticism towards Dropbox's new AI features and the broader mistrust in companies like OpenAI regarding data privacy and usage. It compares the current disbelief about AI data handling to past conspiracy theories about Facebook, emphasizing the challenge of rebuilding trust in a context where AI models operate as opaque black boxes. It also suggests that transparency in AI training processes could help alleviate these concerns.

5. A Career in AppSec — AppSec is an essential and viable career field for the next generation. There should be an appeal of Application Security (AppSec) within the cybersecurity field, emphasizing that while many newcomers aspire to roles in penetration testing, threat intelligence, or red teaming, AppSec is a critical yet often overlooked area offering job security, competitive salaries, and the chance to work with cutting-edge technologies. It addresses the growing demand for AppSec professionals due to increasing awareness of software security among clients and new regulations, noting the role's varied responsibilities, potential for hacking activities without extensive reporting, and the value of passion over prior coding experience for success in this vital and dynamic field.

Featured focus: Why Don’t They UPDATE the components?

I saw a LinkedIn post where this statement was made: “…some software companies don’t update their components to pick up security fixes before they ship their products.” The author made this sound like a DUHH moment; the vendor should upgrade.

It sounds so simple: update the components automatically before shipping the new version of the product. It seems it should only take a few seconds to run ‘npm update’ and then commit the code as a Pull Request(PR). Or you could have a bot automatically update the software. The problem is that it’s never this simple.

Years ago, I had a moment where I, as a security engineer, agreed with this previous statement. I expected the Engineering team to break the build on a vulnerable dependency and fix the issue immediately. Then, we had a dose of reality. We had an issue hit, and there was no fix available. Following the policy and moving the build forward was not possible. We had to add an exclude list that timed out to force us to re-check the availability of the dependency after a set period. If I had stuck with my security engineer's conclusion, the team would have shaken their heads and said, “We have no solution.”

Software is complex, and it includes many different open-source components. Updating software components at real-time speeds requires in-depth unit and integration tests. Upgrading dependencies at speed is too dangerous if you are sub-80% of code coverage. There is a higher chance of an availability issue without that coverage.

The perfect world is when you have the test coverage and the ability to auto-generate a PR, run the tests, and merge on the green. Even better if you have a canary build to launch the first container, let it breathe for some time, and then replace the rest of the field with the newest version.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Chris Hughes -- Software Transparency. (Audio only; YouTube)

    • Chris Hughes, co-founder of Aquia, discusses software supply chain security and the importance of software transparency, SBOM, and open-source growth, highlighting the role of the U.S. government and the benefits of transparency.

    • The conversation also explores the challenges of balancing compliance and real security, the significance of SOC 2 and threat modeling, and advocates for a holistic security approach prioritizing relationships over technology.

• Security Table

  • Threat Modeling Capabilities (Audio only; YouTube)

    • Matt, Izar, and Chris delve into the newly released Threat Modeling Capabilities document, discussing its creation as a measure of organizational goals in cybersecurity and contrasting capabilities with maturity levels.

    • They reflect on the collaborative journey of the document's development, drawing parallels to the Threat Modeling Manifesto, and invite community feedback for further refinement.

• Threat Modeling Podcast

  • Nandita Rao Narla -- Privacy Threat Modeling (Audio only)

    • Nandita Rao Narla introduces the basics of privacy in software. She discusses privacy threats, privacy threat modeling, and privacy by design.

    • Suppose you write or handle software that touches user information. In that case, you need to understand privacy, how to assess and mitigate privacy concerns, and know when to implement privacy concerns into a design.

    • This episode of the Threat Modeling Podcast is the perfect primer to raise awareness of the critical role privacy concerns should play in your next project.

Where to find Chris? 🌎

• North Carolina Cybersecurity Symposium, February 22-23, 2024

• BSides SF, May 4-5, 2024

• RSA, San Francisco, May 6 - 9, 2024

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.