Reasonable 🔐AppSec #39 - The Power of Fear, Five Security Articles, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: The Power of Fear

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Trust no one: why we can't trust most stats about the cybersecurity industry, and why we must stop creating numbers out of thin air — We have challenges finding reliable cybersecurity industry statistics. Too often, people create data out of thin air. The article highlights the discrepancies in numbers reported by different sources, the incentives driving various parties to produce specific data, and the impact of these practices on the credibility of cybersecurity statistics. So, how many jobs/seats are open in the cybersecurity industry? Does anyone care to provide a number they would testify to in court?

  2. An example of LLM prompting for programming — Martin Fowler describes Xu Hao's approach to using ChatGPT for programming, focusing on self-testing code. He employs a chain of thought and general knowledge prompting to guide ChatGPT in generating applicable code, emphasizing the importance of constructing prompts effectively to achieve desired results.

  3. Tall Toothbrush Tales: How to avoid “X million Y attacked Z” hype — We are an industry of chicken littles: the sky is falling, the sky is falling. The article discusses the tendency in cybersecurity reporting to exaggerate threats, using the hypothetical example of "3 million smart toothbrushes" being used in a cyberattack. It advises cybersecurity researchers and companies to avoid unnecessarily hyping up reports and focus on transparent and rational advice for combating cybercrime.

  4. Why Bloat Is Still Software’s Biggest Vulnerability — How bad is the state of software security? Is the problem that commercial operators are incentivized to prioritize speed over security, leading to software with a high density of security issues and a vast amount of code that increases the attack surface? The author argues for the need to improve software quality through better code and reduced dependencies, citing European Union legislation to address these issues.

  5. Google Contributes $1 Million to Rust, Says It Prevented Hundreds of Android Vulnerabilities — Memory-safe languages are the future, and we should work towards making them the present. Google has announced a $1 million grant to the Rust Foundation to improve the interoperability between Rust and C++ code, particularly in the Android ecosystem. This investment aims to expand Rust's adoption across various platform components, as Rust has historically prevented hundreds of vulnerabilities in Android due to its memory safety features.

Featured Focus: The Power of Fear

Fear is a strong motivator, and it’s been used too long in cybersecurity to attempt to gain a particular response. This came to the forefront for me this past week, reading the article about the attacking toothbrushes, which turned out to be bunk.

As I reflected on my twenty-six-year career in cybersecurity, I thought of various examples in the past where I’ve seen fear used as an attempted motivator. There was a time when a group of executives who were not prioritizing software security were brought into a room and shown how their products could be compromised in minutes. Fear of losing their jobs because of insecure products was the motivating lever from that conversation.

The data breach crisis of the 2000s is another era where fear was the primary driver of action. In those days, data breaches were a big deal. If you were breached, they played the story on the nightly news, and you felt shame, and your customers went someplace else to buy their stuff. Fear motivated those companies, the fear of being breached and crashing their reputational index.

Fear is a terrible motivator for anything. Fear may cause people to do the right things in the short term but for the wrong reasons. I’ve never heard of an AppSec or Software Security program built on the foundation of fear. Fear may work for some time, but it cannot drive real organizational change. If you were under such a regime, wouldn’t you be looking for another job as fast as possible? Move past fear as a leg in your security stool. Trend positive, and leave the negative in the dust.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Erik Cabetas -- Cracking Codes on Screen and in Contests: An Expert's View on Hacking, Vulnerabilities, and the Evolution of Cybersecurity Language (Audio only; YouTube)

      • Erik Cabetas joins us for a discussion about modern software security. We talk about the current state of vulnerabilities, the role of memory-safe languages in AppSec, and why IncludeSec takes a highly systematic approach to security assessments and bans OWASP language.

      • Erik shares his experience consulting about hacking for TV shows and movies. The conversation doesn't end before we peek into threat modeling, software engineering architecture, and the nuances of running security programs.

  • Security Table

    • Villainy, Open Source, and the Software Supply Chain (Audio only; YouTube)

      • Matt, Izar, and Chris engage in a vibrant discussion about the misconceptions surrounding open-source software security, inspired by a post that labeled the opinions in Chris’s interview with Kyle Kelly a 'hive of scum and villainy.'

      • They delve into the complexities of the software supply chain, the concept of 'inheritance' in security vulnerabilities, transitive dependencies, reputation systems, and dependency injection, highlighting the importance of taking responsibility for the security of incorporated software packages.

  • Threat Modeling Podcast

    • What is the Essence of Threat Modeling? (Audio only)

      • Explore various definitions of threat modeling gathered from industry experts. The podcast discusses whether risk assessment and threat modeling are the same, the essence of threat modeling, collaboration and documentation, identifying and mitigating threats early, the Five W's and an H approach, structured brainstorming, and proactive security.

Pictures are Fun

P.S. AI is terrible at splleing. The sky is falling, says Cybersecurity Chicken Little.

Where to find Chris? 🌎

  • North Carolina Cybersecurity Symposium, February 22-23, 2024

  • BSides SF, May 4-5, 2024

  • RSA, San Francisco, May 6-9, 2024

    • Speaking: The Year of Threat Modeling: Secure and Privacy by Design Converge (May 8, 14:25 Pacific)

    • Learning Lab: Threat Modeling Championship: Breaker vs. Builder (May 8, 08:30 Pacific)

    • I'm hanging out at the Devici booth at the Startup Expo for the rest of the time!

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.