Reasonable 🔐AppSec #40 - Simple Security Over Fancy Security, Five Security Articles, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Simple Security Over Fancy Security

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Certifying Software: Why We’re Not There Yet — What are the challenges and limitations of static analysis tools in software assurance? There is a residual risk due to the inability of these tools to thoroughly analyze complex code. We need modernization in software assurance tools. The author advocates for more transparency in sharing tool study results and calls for greater emphasis on secure design reviews and innovation in software assurance technologies.

  2. “Why Are We Having More Incidents?” Causal Loops in Reactions to Unwanted Events — This piece uses causal loop diagrams to explain how unwanted events perpetuate themselves and how interventions affect them. It highlights the focus on individual responsibility, the consequences of disciplinary actions and retraining, and the reactive introduction of new procedures, all of which can feed a cycle of increasing incidents.

  3. The Blind Spots of Automated Web App Assessments — There are limitations to automated web application security assessments. Manual code review is crucial in identifying vulnerabilities that automated tools may miss. Automated scanners often fail to detect common security issues, emphasizing the need for a balanced approach that combines automated tools with expert human analysis for comprehensive application security.

  4. SLEEPER AGENTS: TRAINING DECEPTIVE LLMS THAT PERSIST THROUGH SAFETY TRAINING — The article presents a comprehensive study on the effectiveness of various machine learning algorithms in detecting phishing websites. It evaluates the performance of different classifiers, including Decision Trees, Random Forests, and Support Vector Machines, using a dataset of legitimate and phishing URLs and discusses the implications of the findings for improving online security measures. This seems like an issue that ML could solve for us.

  5. A Recipe for Scaling Security — Google has an approach to enhancing security at scale, focusing on safe coding practices and modernizing old code to meet current security standards. It highlights the importance of rolling out security features like Strict Content Security Policies (CSP) across Google's web applications and using custom tooling and data to manage large-scale security improvements efficiently.

I’m a big hockey fan. I’m typing this as I watch a hockey game on TV. My team is playing a team at the bottom of the NHL. My team should win and is supposed to win this game, but they are tied 1-1 halfway through the game. As I’m sitting here lightly yelling at my team through the TV (for the record, they cannot hear me), I’m telling them to stop playing so fancy and stick to the simple game that has been their success.

This got me thinking that this is a principle we can also apply to application and product security. We often focus our security programs on the fancy. We spend at the top of the budget, melding together twenty-seven different tools, of which five or so we have no idea what they do or their value proposition. We put forth ten priorities and ask developers to contribute to all of them.

What would simple application or product security look like?

  • It starts by simplifying your priorities. If you can get down to a single priority for this next year, it makes it easier for developers to understand and get behind. Three priorities are the maximum that you should carry forward.

  • Focus on a specific technology type (SAST, SCA, or threat modeling), teach/train the teams to gain maximum value, and give them space and time to embrace this new tool/technology.

  • Measure the top priority (or the few you keep) and market the results far and wide.

Simple is the best path forward. Now, if only my hockey team would heed this guidance. I can only hope for a better third period.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Erik Cabetas -- Cracking Codes on Screen and in Contests: An Expert's View on Hacking, Vulnerabilities, and the Evolution of Cybersecurity Language (Audio only; YouTube)

      • Erik Cabetas joins to discuss the current state of software security, emphasizing the role of memory-safe languages in application security and IncludeSec's systematic approach to security assessments.

      • They cover various topics, including Erik's entry into cybersecurity, consulting for TV shows and movies, threat modeling, software engineering architecture, and the challenges of running security programs.

  • Security Table

    • Prioritizing AppSec: A Conversation Between a VP of Eng, a Product Manager, and a Security "Pro" (Audio only; YouTube)

      • Prompted by fan mail, Chris, Izar, and Matt engage in a role-playing scenario as a VP of engineering, a security person, and a product manager.

      • They explore some challenges and competing perspectives in prioritizing application security.

      • They highlight the importance of empathy, understanding business needs and language, and building organizational relationships while dealing with security threats and solutions.

      • They end with insights into the role of AI in AppSec, its prioritization, and its limitations.

  • Threat Modeling Podcast

    • Working on the next one — coming soon!

Pictures are Fun

P.S. Simple hockey and simple security are both better than fancy.

Where to find Chris? 🌎

  • BSides SF, May 4-5, 2024

  • RSA, San Francisco, May 6-9, 2024

    • Speaking: Secure and Privacy by Design Converge with Threat Modeling (May 8, 14:25 Pacific)

    • Learning Lab: Threat Modeling Championship: Breaker vs. Builder (May 8, 08:30 Pacific)

    • I'm hanging out at the Devici booth at the Startup Expo for the rest of the time!

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.