Reasonable 🔐AppSec #46 - Are we getting better or worse at AppSec?, Five Security Articles, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Are we getting better or worse at AppSec?

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Modern DAST: The Evolution of Dynamic API Security Testing

    A supposed evolution is happening where DAST is now Dynamic API Security Testing (DAST). There are downfalls with traditional DAST, such as slow scans, lack of API-specific capabilities, and testing only in production. The benefits of modern DAST are then outlined, including fast testing times, API-centric expertise, logic testing, testing before production, automation, closer proximity to the code, and developer-friendliness. [Did I miss a meeting? I thought DAST stood for Dynamic Application Security Testing. Can we redefine our coveted four-letter AppSec acronyms whenever we want?]

  2. Everything I know about the XZ backdoor — Plenty of people have written about the XZ backdoor — Evan’s writeup caught my attention with an in-depth write-up of a series of suspicious activities involving the XZ compression tool, starting with the creation of a GitHub account by JiaT75 (Jia Tan) in 2021 and leading up to the discovery of a backdoor in the XZ/liblzma library in 2024. The timeline outlines a series of events, including the introduction of questionable patches, pressure to add new maintainers, and changes to testing infrastructure, culminating in the exposure of the backdoor and its potential implications for security in open-source software. [All of our most significant software supply chain nightmares have come true — the threats in the threat model about inside actors now have proof points.]

  3. NSA Releases Top Ten Cloud Security Mitigation Strategies — The National Security Agency (NSA) has released a report titled "Top Ten Cloud Security Mitigation Strategies" to guide cloud customers on essential security practices for protecting their data in cloud environments. The report, which includes ten Cybersecurity Information Sheets (CSIs) on different strategies, emphasizes the importance of implementing these measures to prevent becoming a victim of cyber threats. [I don’t see much novelty in the list, but seeing all these things documented together in one place is beneficial.]

  4. Ten open questions about the future of privacy — The article explores the philosophical and practical challenges of the future of privacy in the context of technological advancements like predictive analytics, profiling, and quantum computing. It delves into questions about the essence of privacy, its associated rights, the impact of collective consciousness, and the need for privacy in a world of increasing interconnectedness and technological capabilities. [Foundational privacy is now table stakes, but new challenges impact the future of privacy. AppSec/ProdSec must embrace security and privacy as a single discipline.]

  5. GoFetch: It’s Performance versus Security all over again! — There is a vulnerability in Apple's chips, specifically in the data memory-dependent prefetcher (DMP) feature, which can lead to the leakage of cryptographic keys. The issue, GoFetch, is not exclusive to Apple but potentially affects any processor with similar performance-boosting systems. The researchers demonstrate how this feature can be exploited to infer secret keys, highlighting the trade-off between enhancing performance and ensuring security in modern processors. [As AppSec/ProdSec people, it’s good to understand the hardware underneath everything we build.]

I did a talk last year entitled “The State of the Union of Application Security.” In this talk, I set the stage for where we are in AppSec, using statistics pulled from various reports. Here are some examples of stats that I shared:

  • Top languages (as of Aug 2023): Python, 13.33%; C, 11.41%; C++, 10.63%. (Source, Tiobe Index) The TIOBE index shows us the depth of languages in use and the depth of languages for which we must provide secure and private guidance.

  • 5% of organizations have 5001 or more containers deployed — who could keep track of what all those containers are doing?

  • 87% of container images have high or critical vulnerabilities — this speaks to the depth of container issues.

  • 15% of high and critical vulnerabilities are in use at runtime — many issues are available running in production.

  • 20.44% of companies have an increased AppSec issue ramp-up of 5X or more — what we are detecting is on the rise — could be seen as a positive or negative.

  • Over the past three years, there has been an astonishing 742% average annual increase in Software Supply Chain attacks — some of this is based on the amount of attention given to the supply chain. Still, there is also a significant move in this area.

Do any of these statistics allow us to conclude that things are better or worse? We need to declare what we are comparing the current state of APpSec to as a first step. Let’s think about the state of AppSec from five years ago.

Five years ago, we had the same distribution of languages and frameworks. Maybe not everything that exists today existed then, but if anything, we’ve improved the field by including go and rust in the modern language field.

Containers have become more prevalent in five years, but I would argue that they haven’t become more insecure. We haven’t moved the needle as much as we’d like to claim, but we haven’t gotten worse.

If we take a glass-half-full stance, the AppSec issue ramp-up is a condition of better tools finding more issues. We are no less secure and better at finding the existing issues.

The supply chain is an area that has seen much change in five years, but that is more due to the tooling and attention that has been placed on this segment of our industry. Yes, we are using open source more, but we still relied upon open source five years ago.

All of this to say, let’s keep the glass half-full approach. Let’s be cybersecurity professionals who are optimistic about the movement we’re causing across our industry. Let’s continue to focus on the people, process, tools, and governance stance of AppSec/ProdSec. When we invest in the people and provide them the guardrails and paved roads they need for success, we allow them to help us move AppSec and ProdSec forward to the point where we can claim a significant movement in five years.

Hit me up with a comment on one of my LinkedIn posts to let me know your thoughts about whether things are better or worse.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Mukund Sarma -- Developer Tools that Solve Security Problems (Audio only; YouTube)

      • Mukund Sarma, Senior Director for Product Security at Chime, shares his journey from software engineer to application security leader, emphasizing the importance of building developer-friendly security tools and viewing application security as a subset of product security.

      • He discusses the value of collaboration, security scorecards, embedded security functions in development teams, and treating security as an enabling function to foster a culture of shared responsibility and innovation in securing services.

  • Security Table

    • SQLi All Over Again? (Audio only; YouTube)

      • The gang analyzes a recent CISA alert on eliminating SQL injection vulnerabilities, highlighting the lack of actionable guidance for software manufacturers and discussing strategies like ORMs, threat modeling, and communication of the reasons behind security measures.

      • They suggest improving the impact of such alerts through partnerships with organizations like OWASP, PSIRTs, and ISACs and by effectively integrating threat intelligence into AppSec programs to enhance CISA's effectiveness in the software security industry.

  • Threat Modeling Podcast

    • The episode is scripted and undergoing editing now. It’s a second part from Nandita, where we discuss things that work and don’t work and how tooling impacts privacy threat modeling.

Pictures are Fun

Is the AppSec glass half-empty or half-full? Or if AI generates the image, perhaps they are both the same.

Where to find Chris? 🌎

  • Webinar: Building a Successful Security Champions Program, April 11, 2024, Noon US/Eastern; sign up.

  • Webinar: AppSec Unbounded, “Embrace 'Secure and Privacy by Design,” April 18, 2024, sign up.

  • BSides SF, May 4-5, 2024

    • I’ll be hanging out at the Devici booth during the event.

  • RSA, San Francisco, May 6-9, 2024

    • Speaking: Secure and Privacy by Design Converge with Threat Modeling (May 8, 14:25 Pacific)

    • Learning Lab: Threat Modeling Championship: Breaker vs. Builder (May 8, 08:30 Pacific) (This will fill up FAST)

    • I'm hanging out at the Devici booth at the Startup Expo for the rest of the time!

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.