Reasonable 🔐AppSec #38 - My Final Word on #ShiftLeft and #ShiftEverywhere, Five Security Articles, and Podcast Corner

Hey there,

This is the end of the subscription drive. (Until we start another subscription drive. I feel like a PBS Executive.)

Please forward this newsletter to a friend and encourage them to subscribe. We’re trying to grow our subscriber base to enlighten everyone with AppSec news with a side of snark. If you get three colleagues to sign up, you’ll feel good about helping educate our industry! (You thought there was a prize, but the prize is the betterment of the security universe.)

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: My Final Word on #ShiftLeft and #ShiftEverywhere

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Building A Security Platform Engineering Team — The article discusses building security platform engineering teams to integrate security seamlessly into organizational processes and tools, emphasizing the importance of creating "secure paved roads" where security is built by default. It explores the rationale behind forming such teams and the types of problems they solve, including unique security challenges not addressed by off-the-shelf solutions. It guides when and how to develop this specialized function within an organization​.

2. LeftoverLocals: Listening to LLM responses through leaked GPU local memory — "LeftoverLocals" enters the scene, a vulnerability allowing data recovery from GPU local memory across different processes on several GPU platforms, impacting the security of applications, especially those involving large language models (LLMs) and machine learning models. The vulnerability, demonstrated through a proof of concept, showcases the potential for attackers to intercept LLM responses by exploiting leaked GPU local memory, emphasizing the urgent need for security reviews and patches in machine learning development stacks.

3. Post-Quantum Cryptography in January 2024 — I include post-quantum articles to make people think I’m smarter than I am. The article provides an overview of the progress in quantum computing, highlighting significant advancements in qubit development and the potential implications for cryptography. It discusses the concept of "Q-Day," the point at which quantum computing could break current cryptographic protocols. It outlines the industry's efforts towards developing post-quantum cryptography standards to secure data against future quantum attacks.

4. Standards for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor — The document proposes a new framework for software liability, advocating for a blend of rules-based standards and process-based safe harbors to navigate the complex landscape of software development and cybersecurity. It emphasizes the necessity for legal reforms to establish more precise standards of care and liability for software developers, suggesting federal legislation to enforce these standards while encouraging innovation and security best practices. Software liability is a potential NIGHTMARE for all of us. Buyer beware.

5. The PANOPTIC™ Privacy Threat Model — This paper introduces the PANOPTIC™ model, aimed at addressing the absence of a standardized threat language in privacy management by offering a comprehensive framework that includes various types of intents and recognizes both internal and external system threats, thereby expanding the scope beyond traditional cybersecurity models.

Featured focus: My Final Word on #ShiftLeft and #ShiftEverywhere

Let me set the stage here. At its core, I don't disagree with the idea of shifting left or right. We do want to consider security and design as early in the process of creating something as possible. It doesn't matter what you're building. You have a process you're going to follow. Nobody imagines work to be done and starts coding. You're pulling a user story, a ticket, or requirements that feed into your actions. You have the opportunity to apply security and privacy from the beginning. You also have the (wrong) choice to wait until the end.

The shift left idea is to “consider security and privacy as early in the process as possible.” With the core concept of shift left, I don't have a problem. Joe Jarzombek was at DHS in the late 90s and launched a program called Build Security In. Build Security In was calling for starting early in the development lifecycle, adding security controls, and thinking about security before you start building something. Shift left is not a novel concept.

Shift Left did not originate as a security concept. Look it up. The creator of the Shift Left concept was a project manager. Shift-left testing is an approach to software and system testing in which testing is performed earlier in the lifecycle (i.e., moved left on the project timeline). It is the first half of the maxim, "test early and often." It was coined by Larry Smith in 2001.

The ultimate bone I have to pick is that vendors have taken this idea of shifting left and used it as a marketing franchise. They have created some of the most crazy statements that I’ve written about before. This draws out so many other questions about why we as an industry need a high-level marketing slogan to which vendors try to affix themselves. Make it about the actual business value your product provides. Stop attaching yourself to a slogan from 2001.

And with that, I’ll stop talking about shift left and move forward. (Until the next time I see it make its way into the zeitgeist of #AppSec.)

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Justin Collins -- Enabling the Business to Move Faster, Securely (Audio only; YouTube)

    • Justin Collins from Gusto discusses the nuances of managing security teams within an engineering-centric organization and emphasizes the need for aligning security practices with business objectives.

    • He touches on the challenges of integrating product security with new technologies like GenAI, the role of security partners, the impact of GRC and privacy, and the future of AI in cybersecurity, highlighting that security strategies should be customized to a business's unique context and resources.

• Security Table

  • Adam Shostack -- Thinking like an Attacker and Risk Management in the Capabilities (Audio only; YouTube)

    • Adam Shostack, a threat modeling expert, delves into the role of threat actors in threat modeling and discusses the balance between 'thinking like an attacker' and leveraging current attacker data.

    • The conversation also covers the effectiveness of risk assessments and emphasizes the importance of evolving threat modeling and risk management practices.

• I interviewed with the crew of the Hedge that inspired my #ShiftLeft exploration above.

  • Hedge 212: Shift Left? w/Chris Romeo (Audio only)

    • How often have you heard you should “shift left” in the last few years? What does “shift left” even mean? Even if it had meaning once, does it still have any meaning today? Should we abandon the concept or just the term?

    • Listen in as Chris Romeo joins Tom Ammon and Russ White to talk about the term's origin, meaning, and modern uselessness “shift left.”

• Threat Modeling Podcast

  • Nandita Rao Narla -- Part Two is dropping in the next few weeks.

Pictures are Fun

Where to find Chris? 🌎

• North Carolina Cybersecurity Symposium, February 22-23, 2024

• BSides SF, May 4-5, 2024

• RSA, San Francisco, May 6 - 9, 2024

  • Speaking: The Year of Threat Modeling: Secure and Privacy by Design Converge (May 8, 14:25 Pacific)

  • Learning Lab: Threat Modeling Championship: Breaker vs. Builder (May 8, 08:30 Pacific)

  • I'm hanging out at the Devici booth at the Startup Expo for the rest of the time!

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.