
Reasonable 🔐AppSec #43 - The Symbiotic Relationship Between Attack Trees and Threat Modeling, Five Security Articles, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: The Symbiotic Relationship Between Attack Trees and Threat Modeling

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. ChatGPT vs. Gemini: Which Is Better for 10 Common Infosec Tasks? This article kicks off a rap battle of sorts between OpenAI's ChatGPT and Google's Gemini (formerly Bard), pitting them against ten everyday infosec tasks such as generating diagrams, explaining an architecture, interpreting exploit code, and writing security policies, and highlighting the strengths and weaknesses of each tool. You’ll have to read the article to find out who won.

  2. New study on coding behavior raises questions about impact of AI on software development — a study by GitClear analyzed 153 million changed lines of code to assess the impact of AI on software development, finding an increase in "code churn" and "copy/pasted code," raising concerns about AI-induced technical debt and the balance between code quantity and quality. So, is AI code generation just a glorified StackOverflow search and paste?

  3. Humans Are More Important Than Hardware (Modern Adversary). Human expertise is the most crucial element in cybersecurity. The article argues that while automation and AI can assist in detecting threats, experienced security professionals remain essential for understanding and responding to the complex and evolving nature of cyberattacks. Skynet, I think you’re the most important if you're listening.

  4. PSCF - No more insecure software — The Product Security Capability Framework (PSCF) aims to help software delivery organizations build core capabilities for secure software product delivery, with features like clear accountabilities, quantification of security capability effectiveness, and compliance with standards like OWASP SAMM, NIST SSDF, and GDPR.

  5. I Know What Your Password Was Last Summer... — This article analyzes password trends based on cracked Windows NTLM password hashes, highlighting common weaknesses such as password reuse and short, predictable passwords, and offers advice for choosing stronger ones. I love a good article on how bad we continue to be with passwords.

Featured Focus: The Symbiotic Relationship Between Attack Trees and Threat Modeling

I’ve been studying attack trees and realized that there is a symbiotic relationship between attack trees and threat modeling. Although distinct in their approaches, when combined, they offer a comprehensive framework for getting to the bottom of the most critical threats for mitigation.

Attack trees visually represent the various ways an attacker can exploit vulnerabilities to achieve a malicious goal. The root node is the attacker's ultimate goal, and each node beneath it is a specific attack step; a node's children are combined either as alternatives (an OR node, where any one child achieves the parent) or as prerequisites (an AND node, where every child is required). By breaking down attacks into smaller, manageable components, attack trees help security teams understand the complexity of potential threats and identify critical points for defense.

Attack trees flip the usual script we follow for threat modeling. My historical approach to threat modeling has been to never “think like an attacker” but instead “think like a secure-by-design architect.” Attack trees take us to a different place, but I don’t think it’s the wrong place. There is tension between the two approaches, but tension is often good, leading to better outcomes.

The intersection of threat modeling and attack trees lies in their complementary nature. Threat modeling provides a broad landscape overview, identifying potential threats. Attack trees dig deeper into how an attack could unfold, providing a roadmap of additional threats, but from a different viewpoint.

We can comprehensively understand the threats facing applications by integrating attack trees into the threat modeling process.

This holistic approach enables us to:

  • Identify and Visualize Complex Attack Scenarios: Combining the two uncovers and visualizes complex, multi-step attack scenarios that a threat list on its own might overlook.

  • Enhance Threat Assessment: The detailed pathways outlined in attack trees provide insights into the likelihood and impact of different threats, enhancing the overall threat assessment process.

  • Improve Mitigation Strategies: With a clearer understanding of the possible attack paths, teams can develop more targeted and effective mitigations, focusing on the most critical threats first.
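To make the structure described above concrete (root goal, attack steps, OR/AND combination) and to show how the pathways feed likelihood and cost into threat assessment, here is an added worked example. It is not code from this newsletter or from the author; the target application, the tree, and the cost and probability figures are all constructed for illustration, and the "cost" scale is an arbitrary relative effort number. It enumerates every attack path through the tree, scores each one, and ranks them so the cheapest, most likely path surfaces first.

```python
"""Attack-tree walk-through: enumerate attack paths and rank them.

Added example for this newsletter, not code from the post. The target,
the tree and the cost/probability numbers are constructed for illustration.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Tuple


@dataclass
class Node:
    """One node of an attack tree.

    kind is "LEAF" (a concrete attacker step), "OR" (any child achieves the
    goal) or "AND" (every child must be achieved). cost and probability are
    only meaningful on leaves: relative attacker effort and the assumed
    chance that the step succeeds.
    """
    name: str
    kind: str = "LEAF"
    children: List["Node"] = field(default_factory=list)
    cost: int = 0
    probability: float = 0.0


def leaf(name: str, cost: int, probability: float) -> Node:
    return Node(name, "LEAF", [], cost, probability)


def min_cost(node: Node) -> int:
    """Classic bottom-up evaluation: the cheapest way to reach this node.
    OR takes the cheapest child; AND has to pay for all of its children."""
    if node.kind == "LEAF":
        return node.cost
    if node.kind == "OR":
        return min(min_cost(c) for c in node.children)
    if node.kind == "AND":
        return sum(min_cost(c) for c in node.children)
    raise ValueError(f"unknown node kind {node.kind!r}")


def attack_paths(node: Node) -> List[List[str]]:
    """Every minimal set of leaf steps that achieves `node`.
    OR: one path from any child. AND: one path from each child, concatenated."""
    if node.kind == "LEAF":
        return [[node.name]]
    if node.kind == "OR":
        return [p for child in node.children for p in attack_paths(child)]
    if node.kind == "AND":
        return [[step for part in combo for step in part]
                for combo in product(*(attack_paths(c) for c in node.children))]
    raise ValueError(f"unknown node kind {node.kind!r}")


def leaves_by_name(node: Node) -> Dict[str, Node]:
    """Index every leaf by name so a path can be scored from its step names."""
    if node.kind == "LEAF":
        return {node.name: node}
    index: Dict[str, Node] = {}
    for child in node.children:
        index.update(leaves_by_name(child))
    return index


def rank_paths(root: Node) -> List[Tuple[List[str], int, float]]:
    """(path, total cost, joint success probability), cheapest and most
    likely first. Steps on a path are treated as independent, so the joint
    probability is the product of the leaf probabilities (an assumption)."""
    leaves = leaves_by_name(root)
    ranked = []
    for path in attack_paths(root):
        cost = sum(leaves[s].cost for s in path)
        prob = 1.0
        for s in path:
            prob *= leaves[s].probability
        ranked.append((path, cost, prob))
    ranked.sort(key=lambda r: (r[1], -r[2]))
    return ranked


def example_tree() -> Node:
    """Constructed tree for a hypothetical multi-tenant invoicing app."""
    return Node("Read another tenant's invoices", "OR", [
        Node("Steal an admin session", "AND", [
            leaf("Phish an admin", cost=3, probability=0.4),
            leaf("Replay the session token past MFA", cost=5, probability=0.3),
        ]),
        leaf("Tamper with invoice id in /invoices/{id} (IDOR)", cost=1, probability=0.7),
        Node("Abuse the CSV export job", "AND", [
            leaf("Register a free account", cost=1, probability=0.9),
            leaf("Change tenant_id in the export request", cost=2, probability=0.5),
        ]),
    ])


if __name__ == "__main__":
    root = example_tree()
    print(f"cheapest route to '{root.name}': cost {min_cost(root)}")
    for path, cost, prob in rank_paths(root):
        print(f"cost={cost:2d} p={prob:.2f}  " + " -> ".join(path))
```

Run as a script, it lists the three paths through the constructed tree with the single-step IDOR path on top, which is exactly the kind of output that turns a tree into a prioritized mitigation list: the cheapest, most likely path is the one to close first, and an AND node tells you that breaking any one of its children breaks the whole path.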

In conclusion, the intersection of threat modeling and attack trees offers a robust framework. By leveraging these tools in tandem, security engineers can better understand potential threats, prioritize their defenses more effectively, and build more resilient applications. Going forward, I’ll add attack trees to my quiver of secure-by-design arrows.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Bill Sempf -- Development, Security, and Teaching the Next Generation (Audio only; YouTube)

      • Robert discusses Bill's journey in security, the CodeMash conference, the Veilid application framework, educating children about technology, challenges in application security, and the significance of diverse skills in the field.

  • Security Table

    • Debating the Priority and Value of Memory Safety (Audio only; YouTube)

      • Chris, Izar, and Matt analyze the White House report's emphasis on memory safety in software development for critical infrastructure, debating its impact, the role of government recommendations, and the importance of adopting memory-safe programming languages such as Java, Rust, or Go.

  • Threat Modeling Podcast

    • The next episode is coming after I finish creating one conference presentation draft, which is already late. 🤷


Where to find Chris? 🌎

  • Webinar/Livestream: The Present & Future Impact of AI on Threat Modeling with Dr. Kim Wuyts, Brook Schoenfield, and Izar Tarandach, March 27 at 11 EDT; sign up.

  • Livestream: AppSec and DevSecOps track discussion for #RSAC March 29, 2024; sign up.

  • Webinar: Building a Successful Security Champions Program, April 11, 2024, Noon US/Eastern; sign up.

  • BSides SF, May 4-5, 2024

    • I’ll be hanging out at the Devici booth during the event.

  • RSA, San Francisco, May 6 - 9, 2024

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.