Reasonable 🔐AppSec #5 - Doing AppSec Wrong, Five Security Articles, Photo, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

Summer and the month of June are upon us. Time for all of us AppSec people to stress out during our summer vacation because of some untimely change that slipped into that PR, and the Product Manager won’t stop calling you about it. I hope this is not the case.

Find a way to enjoy some time away from work this summer. This seems strange to read in an AppSec newsletter, so let’s consider it a Public Service Announcement. Getting away from work and leaving work behind brings you back to a refreshed and rejuvenated state. The key is to leave it all behind and pick it back up when you return. It will all be waiting for you upon your return. It always is.

In this week’s issue of Reasonable Application Security:

  • Doing AppSec Wrong 🤦‍♂️

  • Photo of the week 📸

  • Five security articles 📰 that are worth YOUR time

  • Application Security Podcast 🎙️Corner

Doing AppSec Wrong 🤦‍♂️

I spoke with a chap about AppSec, and he shared a story of a team he worked with as a Product Manager. This company’s security efforts were focused on compliance and risk management, not pure-play AppSec.

He shared that when the Security team would find something, they would reach out to Product Management, declare the issue, and then say nothing. When pressed for assistance in mitigating the issue, they would hear the joyous sound of crickets 🦗 on a summer evening. The Security team had no insight or wisdom to share, leaving the product team to flounder.

I guess that this happens more than I would like to imagine. I think about the better-case scenario when advising development teams from security. I think of AppSec as a glorified coaching service, where our role is to identify the issues and solve the problem.

As I’m finding is often the case, I’m living in a purist world and need more insights from the real world. I need to understand more about what is happening in AppSec. I like to think of my approach as reasonable application security, but I guess that reasonable in my mind is not what is often deployed in the real world.

Embrace security coaching — find a way to add it to your AppSec program offering. The value of coaching pays off tenfold, as coaches teach, and the students take the knowledge and reflect it to others. The students become the teachers, and your security architecture and implementation gain the benefit.

Photo of the week 📸

This was the winning team at our Threat Modeling: Red vs. Blue experience at RSA Conference. I enjoyed the experience because the teams collaborated to solve the challenges, and everyone was learning.

I hope to do this event at other conferences around the world.

Five Security Articles 📰 that Are Worth YOUR Time

  • AppSec and AI: Can this new supply chain risk be contained by tools such as NeMo Guardrails? Nvidia's tool is among the first to promise to manage the risk from generative AI. Here's a look at it — and an analysis of the scope of that risk to the software supply chain. (more)

  • After all the dust I kicked up across our industry about DAST, I found this piece on IAST to be clear and to the point — helping me to understand what IAST has to offer the modern AppSec team. (more)

  • Yes, it’s from a vendor blog, but I find Daniel to be someone worth listening to. His article is a good reminder that, as AppSec, we serve the Engineering function. They are our customers, and we must strive to understand them and their challenges better. (more)

  • Please excuse the word “hacker” in this title — “3 Ways Hackers Use ChatGPT to Cause Security Headaches”. As ChatGPT adoption grows, the industry needs to proceed with caution. Here's why. (more)

  • The question asked is, “Is cybersecurity an unsolvable problem?” My take is no, but read on for much more from the author. (more)

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes they are my podcasts. Other times they are podcasts that have caught my attention.

  • Application Security Podcast

    • Joshua Wells -- Application Security in the Age of Zero Trust

      • We explore the concept of zero trust, a security model in which no user or device is trusted by default and every access requires continual authentication, and its impact on various domains, including architectural security, endpoint detection, and mobile device management. We also highlight the challenges of implementing this framework and the role of attribute-based access control in zero trust.

  • Security Table

    • Capture the Flag or NOT?

      • This episode argues that the cybersecurity industry should shift from an overemphasis on Capture The Flag (CTF) competitions and penetration testing towards a 'builder' perspective that encourages the development of robust, secure-by-design systems.

  • Threat Modeling Podcast — new episode next week on Product Led Threat Modeling.

  • I was featured on ConversingLabs, by my friends at ReversingLabs, during RSAC 2023, talking about my State of Application Security talk and the Red vs. Blue Threat Modeling experience.

  • Various podcasts I’m a part of have been featured in the PodSec Newsletter. The newsletter provides curated summaries & analyses of security podcasts for practitioners.

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.