- Reasonable Application Security
- Posts
- Reasonable 🔐AppSec #50 -Understand first and then try to secure, Five Security Articles, and Podcast Corner
Reasonable 🔐AppSec #50 -Understand first and then try to secure, Five Security Articles, and Podcast Corner
A review of application security happenings and industry news from Chris Romeo.
Hey there,
In this week’s issue, please enjoy the following:
Five security articles 📰 that are worth YOUR time
Featured focus: Understand first and then try to secure
Application Security Podcast 🎙️Corner
Where to find Chris? 🌎
Five Security Articles 📰 that Are Worth YOUR Time
(The) Postman Carries Lots of Secrets — Postman, renowned for its vast collection of public APIs, has inadvertently become a primary source of leaked credentials, with over 4,000 live credentials currently exposed, primarily due to unclear UI, ambiguous taxonomy, and features like public forks and misleading secret variable types. Users can use TruffleHog's new Postman secret scanner with a specified workspace ID and API token to scan for leaked secrets on Postman. [Databases of secrets that cross organizations and touch so many different companies are a hidden threat that has not been deeply explored or considered — until something terrible happens.]
OpenAI's GPT-4 can exploit real vulnerabilities by reading security advisories — Researchers discuss the potential for GPT-4, a hypothetical successor to GPT-3, to exploit real-world vulnerabilities by generating convincing phishing emails and malware code. They highlight concerns about the ethical implications and the need for responsible deployment of advanced AI language models. [I don’t buy this yet. The ability will come, but modern LLMs are not yet this savvy. They may be able to create a better phishing email without spelling errors, but building real vulnerabilities is more complex than they make it sound.]
SQL Injection Isn't Dead Yet — Emphasizing the persistence of SQL injection vulnerabilities despite security advancements, the text underscores the need for ongoing vigilance and mitigation efforts. It provides practical guidance and real-world examples to help developers safeguard against SQL injection attacks effectively. [OWASP Top One anybody? What if we made a list of one thing, and then we all worked on fixing that one thing? Then we choose a second thing. Wishful thinking, I know. But yet, we still have injections twenty-plus years later.]
How does ChatGPT work? As explained by the ChatGPT team. — This blog explores the workings of ChatGPT, diving into its architecture and training process to provide insights into how the language model generates responses. It offers an accessible explanation of the underlying mechanisms behind ChatGPT's natural language understanding and generation capabilities. [LLMs are challenging to understand. This is a detailed lesson on how an LLM gets me to its chosen answer. To secure something, you must understand first how it works.]
Muddled Libra’s Evolution to the Cloud — An examination of the evolution of the Libra malware, focusing on its transition to cloud-based infrastructure and its increased complexity and resilience against detection. Get insight into the techniques employed by Libra to evade security measures and view highlights on the challenges posed by cloud-based malware for cybersecurity professionals. [I find it fascinating that malware now moves amongst cloud infrastructure. It was only a matter of time.]
Featured focus: Understand first and then try to secure
I made this comment above: “LLMs are challenging to understand. This is a detailed lesson on how an LLM gets me to its chosen answer. To secure something, you must understand first how it works.”
I know it’s tacky to quote yourself in your newsletter. Push that aside for a second. This thought resulted from my early education in security from Marv Schaefer, Gary Grossman, Victoria Thompson, and Bill Wilson. These folks were giants before most people had entered the field.
They taught me an important lesson about understanding first. We can fall into the trap of trying to secure something based on our knowledge and experience instead of gaining knowledge and experience with how things work. It seems simple, but it is often ignored.
One of the early projects in my security career was performing a Common Criteria evaluation on IBM’s AIX. NSA still required technical review boards to review the results of trusted product evaluations. I was assigned hardware and memory management as my sections. We went into our first review board with representatives from Aerospace, and it was like lambs to the slaughter. They hit us with questions we could not answer about how all the parts of the OS worked.
We went away and studied, discussed, and debated as a team to prepare for our following review. The next one went better, and I learned a lifelong lesson in security: understand first and then try to secure.
Podcast 🎙️ Corner
I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.
Jeevan Singh – The Future of Application Security Engineers (Audio only; YouTube)
Singh underscores the evolving role of application security engineers, emphasizing the need for a diverse skill set encompassing AppSec, software development, teaching, and the significance of soft skills like empathy and influence.
He highlights the growing demand for application security professionals and the importance of scaling security efforts through team-based approaches, automation, and executive involvement. He also discusses the supportive role of AI, particularly OpenAI's GPT, in providing valuable insights for security engineers.
LastPass and the Security of Security Products (Audio only; YouTube)
The gang explores the LastPass breach and the importance of ensuring the security of utility-style security providers, questioning how password managers impact security advice and whether security professionals take these services seriously enough.
They cover the responsibility of "hard security" providers like LastPass and discuss if security practitioners adequately address the implications of breaches, prompting reflections on the level of seriousness and accommodation within the security community.
The episode is scripted and undergoing editing now. It’s a second part from Nandita, where we discuss things that work and don’t work and how tooling impacts privacy threat modeling.
Pictures are Fun
At the Review Board, everybody was scowling.
Where to find Chris? 🌎
RSA, San Francisco, May 6-9, 2024
Speaking: Secure and Privacy by Design Converge with Threat Modeling (May 8, 14:25 Pacific)
Learning Lab: Threat Modeling Championship: Breaker vs. Builder (May 8, 08:30 Pacific) (This will fill up FAST)
I'm hanging out at the Devici booth at the Startup Expo for the rest of the time!
🤔 Have questions, comments, or feedback? I'd love to hear from you!
🔥 Reasonable AppSec is brought to you by Kerr Ventures.
🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.