Reasonable 🔐AppSec #49 - RSA Season, Five Security Articles, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: RSA Season

  • Application Security Podcast 🎙️ Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. prompt-security/ps-fuzz: Make your GenAI Apps Safe & Secure Test & harden your system prompt — The Prompt Fuzzer is an interactive tool designed to evaluate the security of system prompts in GenAI applications against dynamic LLM-based attacks. It tailors its tests to your application's unique configuration and domain, providing a security assessment based on simulated attack outcomes to help you fortify your system prompts against various generative AI attacks. [Fuzzing is always fun, but now we can fuzz a prompt interface to an LLM. Get this into the hands of those building prompt-based applications. Perhaps customers won’t be able to trick a chatbot into selling them a Chevy for $1.]

  2. MEPs approve world's first comprehensive AI law — The European Parliament has passed the world's first comprehensive AI framework to address risks associated with the technology, aiming for a "human-centric" approach and placing the EU at the forefront globally. The AI Act classifies AI products by risk level, with stricter rules for higher-risk applications to ensure transparency and compliance, while businesses are gearing up to comply with the legislation. [AI is the first technology I’ve seen where legislation is running side by side with innovation. Hopefully, the legislation doesn’t crush the innovation.]

  3. Top 20 MITRE ATT&CK Tactics Threat Actors Use Now — BlackBerry's Threat Research and Intelligence Team unveiled the top MITRE ATT&CK tactics used by threat actors, based on analysis of over five million cyberattacks stopped by BlackBerry® technology in the last 120 days. Privilege escalation, discovery, and collection were the most prevalent tactics, emphasizing the need to understand these techniques for robust cybersecurity planning. [We don’t spend enough time in AppSec pondering MITRE’s ATT&CK and including it within our education and operational programs. Embrace ATT&CK and consider how you can put it into action.]

  4. OWASP's LLM AI Security & Governance Checklist: 13 action items for your team — OWASP introduced a new cybersecurity checklist for security professionals to protect organizations against risks from insecure AI implementations. Covering areas like threat modeling and governance, the checklist aids in identifying and mitigating vulnerabilities, emphasizing the importance of proactive security measures amidst the rapid evolution of artificial intelligence. [More AI. This time, you’ll see how to build your controls to protect your organization’s data and against the AI causing other damage.]

  5. Securing generative AI: Applying relevant security controls — The article provides security guidelines for generative AI applications categorized into five scopes, from consumer usage to self-trained models. It offers insights into various controls, including network-based and host-based measures, access management, and content filtering, and it aligns these with MITRE ATLAS mitigations. Additionally, it advises on responsible AI development and points to additional resources for in-depth understanding. [AI needs security controls applied. A whole crop of new startups is trying to solve this problem by wrapping security controls around LLMs.]

RSA season is upon us! Many thanks to the RSA Conference, which was the backbone of my public speaking career. The conference committee took a chance on me in 2015 and invited me to share the “Cisco Security Dojo,” where I explained the application security education program I built at Cisco. Walking towards that gigantic stage with hundreds of people in the room, I wondered what I had gotten myself into! I barely got through my first slide and began to tell the story; from there, I was off and running.

This will be my ninth year speaking at RSA, with this year’s topic “Secure and Privacy by Design Converge with Threat Modeling.” I dig into what I think of as the fallacy of secure and private by design/default. It’s a fallacy because everyone talks about its importance, but nobody explains how to achieve it. I’m trying to change that with my talk this year.

I start by explaining my take on it and looking at sources to see what people think. From there, I describe a series of design decisions that each thing you build must consider. Then, we show you how to make a data flow diagram that captures the results of the design decisions and your idea for whatever you are building. Next, we review security and privacy patterns that can be applied to the design.

We finish the process by applying threat modeling to the design, considering anything we missed with the decisions and patterns. I hope this gives you a foundation for secure and private by design/default. That was my goal.

If you’re in SF for BSides or RSA, stop by the Devici booths to say hi, and we can continue this conversation in person. We’re also hosting a party on Wednesday night, so if you’d like an invite, reply to this message, and I’ll make the connection.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Mukund Sarma -- Developer Tools that Solve Security Problems (Audio only; YouTube)

      • Mukund Sarma, the Senior Director for Product Security at Chime, discusses his transition from software engineer to a leader in application security and emphasizes the integration of user-friendly security tools, collaborative strategies, and proactive risk management.

      • He highlights treating security as an enabling function for developers, fostering shared responsibility, and Chime's innovative approaches to securing its services with minimal developer friction.

  • Security Table

    • Nobody's Going To Mess with Our STRIDE (Audio only; YouTube)

      • Matt, Izar, and Chris challenge a contentious blog post criticizing STRIDE as outdated and ineffective for threat modeling, proposing LLMs as an alternative. They emphasize STRIDE's origin, versatility, and importance in threat modeling, advocating for its continued use alongside diverse perspectives and collective practices.

      • Additionally, they address misconceptions about threat modeling, caution against reliance solely on tools like the Microsoft Threat Modeling Tool, and advocate for a holistic approach focusing on broader threat analysis principles.

  • Threat Modeling Podcast

    • The episode is scripted and undergoing editing now. It’s a second part from Nandita, where we discuss things that work and don’t work and how tooling impacts privacy threat modeling.

Pictures are Fun

In my first year at RSA, facing the audience for the first time. Nobody told me how many people would be in the room.

Where to find Chris? 🌎

  • BSides SF, May 4-5, 2024

    • Change of plans — I’ll get to SF on Monday or Tuesday. You can still visit Devici at BSides SF and meet Laura and Brian!

  • RSA, San Francisco, May 6-9, 2024

    • Speaking: Secure and Privacy by Design Converge with Threat Modeling (May 8, 14:25 Pacific)

    • Learning Lab: Threat Modeling Championship: Breaker vs. Builder (May 8, 08:30 Pacific) (This will fill up FAST)

    • I'm hanging out at the Devici booth at the Startup Expo for the rest of the time!

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.