Reasonable 🔐AppSec #42 - The Answer to Life, the Universe, and Everything (in AppSec), Five Security Articles, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: The Answer to Life, the Universe, and Everything (in AppSec)

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Cyber workers turning to crime, warns study — Disgruntled cybersecurity workers, including code developers and AI experts, are turning to cybercrime by offering their services on the dark web, according to the Chartered Institute of Information Security (CIISec). The trend is fueled by dissatisfaction with salaries and working conditions. If the issue is not addressed, the industry could lose up to one in ten workers to cybercrime. We need to teach the superhero code in Universities — people need to embrace the “do no evil” mantra.

  2. Nvidia CEO predicts the death of coding — Jensen Huang says AI will do the work, so kids don't need to learn — Nvidia CEO Jensen Huang has declared the end of coding, stating that advancements in AI, particularly in natural language processing, will make coding languages obsolete. Huang suggests that future professionals should focus on other industries like farming and education, as AI will enable everyone to program using their native language. Hmmm. It seems strange coming from somebody with a giant $$$ incentive for this future to come true.

  3. Cybersecurity Needs to Be Part of Your Product’s Design from the Start — The article emphasizes the importance of integrating cybersecurity into the design phase of products, services, and business operations to ensure proactive resilience against cyber attacks. It highlights the need for a shift in mindset, where cybersecurity becomes an intrinsic part of innovation. Design and cybersecurity teams assume complementary responsibilities to secure business objectives in the digital transformation landscape. Yes, it does.

  4. Malicious AI models on Hugging Face backdoor users’ machines — JFrog's security team discovered around 100 instances of malicious AI and machine learning models on the Hugging Face platform, some of which can execute code on the victim's machine, creating a backdoor for attackers. Despite Hugging Face's security measures, these models pose a significant risk of data breaches and espionage attacks. We need a threat model of Hugging Face.

  5. Principles for Package Repository Security — The page outlines principles for package repository security developed by the OpenSSF's Securing Software Repositories Working Group. It presents a taxonomy of package repositories and defines four security maturity levels, detailing specific security capabilities for authentication, authorization, general capabilities, and CLI tooling that repositories should strive to meet. The document aims to provide best practices for ensuring the security of package repositories in the face of digital transformation. This feels like old news / an area that has been overcovered, but we still have the same results.

In the realm of application security, where the complexities of protecting applications are as vast as the cosmos, one might find solace in the simplicity of a seemingly arbitrary number: 42. This number, famously cited in Douglas Adams' The Hitchhiker's Guide to the Galaxy as the "Answer to the Ultimate Question of Life, the Universe, and Everything," holds a whimsical yet profound relevance in the context of cybersecurity.

In Adams' universe, 42 is the output of a supercomputer named Deep Thought, designed to calculate the answer to the ultimate question. While the question remains unknown, 42 has become a symbol of elusive answers in the face of complex problems. What question does 42 answer for us in AppSec?

Who you ask in AppSec will influence the answer that you receive. If you ask the majority of vendors in our space, they will say the elusive question in AppSec is what tools and technologies you need to secure the modern application and its related infrastructure. If you ask consultants (they do still exist, don’t they?), they will say the elusive question is, “How can you grow your program and capabilities with the additional resources of the consultancies?” If you ask trainers, they will say the elusive question is, “What educational packages do you need to prepare your developers to solve your application security issues?”

The most important question is the one formed by the practitioner working inside a company to build a program. The practitioner should ask, “How do I partner with the business to ensure that anything we do from an investment perspective contributes to the bottom line of the business?” Return on investment is not where you thought this article would end, but without the business, we wouldn’t need an application security program team or anything at all. It’s tough to see how the answer to this question is 42, but if we get the relationship right with the business, the answer no longer matters.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Hendrik Ewerlin -- Threat Modeling of Threat Modeling (Audio only; YouTube)

      • Hendrik Ewerlin has applied threat modeling to the threat modeling process to help practitioners manage threats more effectively.

      • We discuss the vital role of threat modeling in software development and stress the importance of an efficient, effective, and satisfying approach to ensure security success.

      • We cover his document: Threat Modeling of Threat Modeling.

  • Security Table

    • Jim Manico ❤️ Threat Modeling: The Untold Story (Audio only; YouTube)

      • This is one from the archive that discusses the transformation of thought from a threat modeling hater to a supporter: Jim Manico.

  • Threat Modeling Podcast

    • The next episode is coming after I finish creating two conference presentation drafts that are already late. 🤷

Where to find Chris? 🌎

  • Webinar: The Present & Future Impact of AI on Threat Modeling with Dr. Kim Wuyts, Brook Schoenfield, and Izar Tarandach, March 27 at 11 EDT; sign up coming soon.

  • Livestream: AppSec and DevSecOps track discussion for #RSAC March 29, 2024; sign up here.

  • Webinar: Building a Successful Security Champions Program, April 11, 2024, Noon US/Eastern, sign up.

  • BSides SF, May 4-5, 2024

    • I’ll be hanging out at the Devici booth during the event.

  • RSA, San Francisco, May 6 - 9, 2024

    • Speaking: The Year of Threat Modeling: Secure and Privacy by Design Converge (May 8, 14:25 Pacific)

    • Learning Lab: Threat Modeling Championship: Breaker vs. Builder (May 8, 08:30 Pacific) (This will fill up FAST)

    • I'm hanging out at the Devici booth at the Startup Expo for the rest of the time!

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.