Reasonable 🔐AppSec #44 - Memory Safety, Five Security Articles, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Memory Safety

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. The AI Standoff: Attackers vs. Defenders — We have an AI standoff in cybersecurity between attackers and defenders, highlighted by the rapid adoption of AI by threat actors to create unique malware and the challenges defenders face in identifying and mitigating these threats. The article emphasizes the importance of AI-powered tools and layered defenses for defenders to gain an advantage in this evolving landscape. [I can’t wait for the day when the AI tries to break into your application to extract data, and another AI is trying to prevent the action. It reminds me of the Spy vs. Spy series in Mad Magazine.]

  2. Memory-safe languages and security by design: Key insights, lessons learned — We have challenges with memory safety in software development. Adopting memory-safe languages and secure coding practices to mitigate vulnerabilities is crucial. Google is focusing on promoting security by design and the need for industry-wide adoption of languages with solid memory safety guarantees to enhance software security. [Memory safety may seem to impact a small percentage of the code written today, but we need to move towards memory-safe languages for the future to eliminate ANY memory bugs ten years from now.]

  3. The Economics of Developer Tooling — There is an economic play with developer tooling. Better Developer Experience (DX) significantly impacts software quality, capabilities, and cost reduction. It highlights the challenges in improving the toolkit developers use, the long process involved in prototyping solutions, and the need for investment to bridge the gap between academic prototypes and usable tools. [We explored DX and secure by default tools for developers on this week’s Security Table.]

  4. Market incentives in the pursuit of resilient software and hardware — The paper "Back To The Building Blocks: A Path Toward Secure and Measurable Software" by the Office of the National Cyber Director (ONCD) emphasizes the need for market incentives to foster secure software and hardware, and highlights the importance of addressing information asymmetry and promoting investment in cyber resilience. [Dangerous territory when the Government (any Government) starts talking about driving security through incentives.]

  5. Buying Spying: How the commercial surveillance industry works and what can be done about it — The Google Threat Analysis Group's report highlights the rise of commercial surveillance vendors (CSVs) that pose a threat to free speech, the press, and internet safety, detailing the industry's operation, impact, and the need for collective international action to address it. [This is not your typical AppSec article, but as well-rounded security professionals, we should understand the depth of commercial spyware. It will help you answer your family’s questions over significant holidays.]

Featured Focus: Memory Safety

Memory safety is a strange topic. It is being laser-focused upon as one of the critical pillars for saving the future when, in fact, memory safety bugs account for a small percentage of the total CVEs generated in modern times. For me, the play towards memory safety is eliminating a class of bugs. The other realization is that it will take ten-plus years to reach the goal of eliminating languages that do not correctly enforce security controls on memory.

This problem is primarily attributed to our reliance on non-memory-safe languages, such as C. While C can be made memory-safe with external libraries or through developer education, achieving consistent use or ensuring comprehensive developer training has been elusive. As a result, memory bugs continue to plague applications written in lower-level languages, leading to potential security breaches.

The choice of programming language is a critical design decision when building new applications. Opting for a memory-safe language can eliminate an entire class of vulnerabilities, making it a sensible starting point for any development project. Memory-safe languages prevent common memory management errors, such as buffer overflows and use-after-free errors.
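To make the two bug classes just named concrete, here is an added C example (not code from this newsletter or from the Google article it summarizes) showing the unsafe idiom in a comment beside a bounds-checked copy and a free-and-null discipline; `bounded_copy`, `Record`, `record_new`, `record_free` and `record_is_live` are names invented for this illustration.

```c
/* Added example, not from the newsletter: the two memory-safety bug classes
 * named above (buffer overflow, use-after-free) shown as the unsafe C idiom
 * beside a checked form. All names here are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16

/* Unsafe idiom: strcpy copies until the NUL with no knowledge of dst's size,
 * so any input longer than NAME_MAX-1 bytes overflows the buffer. Kept as a
 * comment for contrast only; it is not executed. */
/* char name[NAME_MAX]; strcpy(name, untrusted_input); */

/* Bounds-checked copy: refuses input that does not fit and always leaves dst
 * NUL-terminated. Returns 0 on success, -1 if src would overflow dst. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    size_t len = 0;
    while (len < dst_size && src[len] != '\0') len++;  /* never read past dst_size */
    if (len >= dst_size) {   /* no room for the terminator: reject, leave dst empty */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Use-after-free: a heap object freed while a pointer still refers to it.
 * The disciplined form frees through a pointer-to-pointer and nulls the
 * caller's pointer, so a later use is a detectable NULL rather than silent
 * reuse of freed memory. */
typedef struct { char name[NAME_MAX]; } Record;

Record *record_new(const char *name) {
    Record *r = calloc(1, sizeof *r);
    if (r == NULL) return NULL;
    if (bounded_copy(r->name, sizeof r->name, name) != 0) {
        free(r);             /* release on the error path too; no leak */
        return NULL;
    }
    return r;
}

void record_free(Record **rp) {
    if (rp == NULL || *rp == NULL) return;
    free(*rp);
    *rp = NULL;              /* the dangling pointer cannot be dereferenced by accident */
}

/* 1 if the record pointer is still live (non-NULL), 0 otherwise. */
int record_is_live(const Record *r) { return r != NULL; }

int main(void) {
    char buf[NAME_MAX];
    printf("fits: %d\n", bounded_copy(buf, sizeof buf, "alice"));                 /* 0 */
    printf("too long: %d\n",
           bounded_copy(buf, sizeof buf, "this-name-is-far-too-long-for-the-buffer")); /* -1 */

    Record *r = record_new("bob");
    record_free(&r);
    printf("live after free: %d\n", record_is_live(r));                            /* 0 */
    return 0;
}
```

The point of the contrast is that every check here is the programmer's responsibility and is easy to forget under deadline; a memory-safe language makes the compiler or runtime enforce the equivalent of these checks on every buffer and every freed object, which is why choosing such a language removes the whole class rather than one instance.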

In recent years, languages like Go and Rust have evolved, offering memory safety without sacrificing performance. These languages are gradually reducing our dependence on C++, which has struggled to overcome its memory safety challenges despite over two decades of development.

Adopting a "secure by default" approach is another critical aspect of enhancing application security. We can create more secure products and applications by disallowing unsafe constructs in programming languages. While this may initially cause some discomfort among developers who feel their creativity is restricted, the long-term benefits of reduced vulnerabilities are undeniable.

Transitioning to memory-safe languages is not an overnight process. It may take decades to fully realize the benefits of this shift, but this should not deter us from making the change today. We can gradually build a more secure digital future by promoting and adopting memory-safe languages.

Our industry struggles with overemphasizing the allure of "breaking stuff," with many aspiring cybersecurity professionals primarily interested in bug hunting and exploiting vulnerabilities. While these activities are essential, they should not overshadow the critical task of building better, more secure applications. Focus on proactive security measures, such as adopting memory-safe languages and secure coding practices to build better stuff. This reduces the need and opportunity to break things.

In conclusion, embracing memory safety in application development is vital for a more secure future. By choosing memory-safe languages, adopting a secure-by-default mindset, and refocusing our efforts on building rather than breaking, we can significantly reduce the prevalence of memory-related vulnerabilities and enhance the overall security of our digital infrastructure.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Meghan Jacquot -- Assumed Breach Red Team Engagements for AppSec (Audio only; YouTube)

      • Meghan Jacquot joins us for a compelling conversation about community, career paths, and productive red team exercises.

  • Security Table

    • Secure by Default in the Developer Toolset and DevEx (Audio only; YouTube)

      • Matt, Chris, and Izar discuss ensuring security within the developer toolset and the developer experience (DevEx). The conversation highlights the importance of not solely relying on tools but also considering the developer experience, suggesting that even with secure tools, the ultimate responsibility for security lies with the developers and the organization.

  • Threat Modeling Podcast

    • The next episode is coming after I finish creating one conference presentation draft, which is STILL late. 🤷

Pictures are Fun

[Image] Spy vs. Spy: Attacker vs. Defender

Where to find Chris? 🌎

  • Webinar/Livestream: The Present & Future Impact of AI on Threat Modeling with Dr. Kim Wuyts, Brook Schoenfield, and Izar Tarandach, March 27 at 11 US/Eastern; sign up.

  • Livestream: AppSec and DevSecOps track discussion for #RSAC March 29, 2024; sign up.

  • Webinar: Building a Successful Security Champions Program, April 11, 2024, Noon US/Eastern; sign up.

  • BSides SF, May 4-5, 2024

    • I’ll be hanging out at the Devici booth during the event.

  • RSA, San Francisco, May 6 - 9, 2024

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.