Reasonable 🔐AppSec #51 - All the happenings at #RSAC, Five Security Articles, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: All the happenings at #RSAC

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. OWASP Top 10 OSS Risks: A guide to better open source security — The OWASP Top 10 Risks list advocates for a more mature approach to open-source software (OSS) consumption, pushing for measures beyond traditional CVE catalogs to enhance security practices around the use of OSS components. Amidst increasing vulnerabilities revealed by incidents like the XZ Utils backdoor, the list calls for comprehensive governance and enhanced security measures to address the complexities of OSS in the software supply chain. [Lots of hype at #RSAC about the supply chain. Many new vendors and older vendors claim to have the “answers.” This OSS risk top ten is essential to understand and add to your AppSec arsenal.]

  2. Cybercriminals Beta Test New Attack to Bypass AI Security — Cybercriminals have crafted a new phishing attack named "Conversation Overflow" to evade AI security, utilizing emails that trick machine learning by separating harmful content from harmless text. This sophisticated technique mainly targets executives to steal credentials, highlighting the dynamic and adaptive threats in cybersecurity today. [This article contains one of my most significant security fears about AI in the short term — attackers using AI to craft personalized, letter-perfect phishing emails.]

  3. Finding and Fixing Standard Misconceptions About Program Behavior — This discussion highlights the "Standard Model of Languages" (SMoL), which identifies the shared semantic core of modern programming languages, such as lexical scoping and automatic memory management. It also details efforts to improve teaching methods to deepen students' understanding of these concepts, thereby facilitating the learning of various languages by emphasizing semantic similarities over syntactic differences. [To understand AppSec is to understand programming languages — this one is deep, but it expands your mind about how languages work and the similarities with modern languages.]

  4. Over 170K Users Affected by Attack Using Fake Python Infrastructure — An attack on Python developers affected over 170,000 users by distributing a tampered version of the "Colorama" package through a fake Python package repository. This method, known as typosquatting, deceived users by mimicking legitimate package names and URLs, leading to widespread compromise of user data, including GitHub account takeovers through stolen cookies. [There must be a solution to typosquatting — we continue to have this happen repeatedly. Should we sign the packages somehow so fake packages don’t get signed? We need an OSS registry that signs packages.]

  5. First Step in Securing AI/ML Tools Is Locating Them — The proliferation of AI and machine learning in applications is complicating security for organizations, necessitating enhanced scrutiny and updates to security controls and data governance to manage these emerging risks. Employees' unauthorized and unmonitored adoption of these technologies poses significant challenges, highlighting the need for comprehensive oversight and policy adjustments. [I haven’t worked in a large company for ten+ years. I guess that AI/LLM side projects are cropping up across the organizational landscape, and like API inventory, we need an AI inventory approach. Startup idea, anyone?]

I’m sitting on a plane, flying home after a spectacular RSA Conference experience. This was my ninth simultaneous year of attending and speaking and my tenth overall trip to the event. What a whirlwind of activity.

One of the things that I love most about RSA is seeing old friends and colleagues, bumping into them on the street, or walking the show floor. Our community is about connection, which trumps anything you can get from a conference. I saw folks that I hadn’t seen in years and also saw the first manager of my security career (Stan Wisseman.)

I met some fantastic AppSec community members in person for the first time, including Akira Brand, Alexandra Charikova, and Katharina Koerner. Some stopped by the booth, and others attended the Devici AppSec Unwind happy hour.

Devici hosted a booth at Early-Stage Expo, and we got feedback that said we were on the right track. Folks are looking for a solution that simplifies threat modeling and delivers it so that it’s not a hindrance for developers. That is our goal, and we have achieved it with our first release for sale. (Hint: visit devici.com for an update on what we do.)

I led the conference's threat modeling learning lab and had the best experience yet! I had six teams that were hyper-focused on getting the win. Each team played against everyone else in the room to capture the most points from their threats and mitigations. All six teams went down to the wire on the threats and mitigations phases, using the full 25 minutes allocated. I can’t wait to go back through and study their detailed inputs to learn from them. I’ve been performing threat modeling for twenty-plus years and still learn something new every time I do a workshop. I also had the privilege of delivering a talk on Secure and Private by Design/Default, which will be available as a recording in about thirty days.

I did my yearly walk-the-floor walkabout experience. I have a specific pattern for walking the show floor — in the giant halls (North and South), I stick to the outside and review the smaller and medium-sized vendors. Then, I cut through the middle and pick up the mid-sized vendors in the connecting hall.

Now, onto my AppSec observations from walking the show floors, both the giant Expo halls and the Early-Stage Expo.

  1. The Early-Stage Expo had a bunch of AI, a small amount of Quantum, and a good share of the software supply chain.

    • The AI hype cycle is sizzling, which means soon, it will be fizzling. I don’t see a path forward for all the startups that have jumped on the AI bandwagon; we will see AI/LLM continue to create new opportunities within existing product sets.

    • Quantum. Maybe I just don’t get it. Has anybody proven that we need to move the quantum algorithms now? (I’m WAY out of my depth here on this topic.) I saw vendors selling quantum solutions, and I’m wondering who is buying that solution today. All I could think of was quantum-proofing the future now, which somebody shared with me at the Devici booth. If a company makes decades-long products, they need a quantum solution today.

    • The software supply chain feels like an area that is becoming oversubscribed. I expect to see consolidation and some folks disappearing next year. There cannot be enough market share for all the vendors focusing on the software supply chain. I don’t see enough differences in what they do.

  2. AppSec continues to be under-represented in the grand scheme of RSA. I saw the greatest concentration of AppSec in the Early-Stage Expo. This is fine, as AppSec is sprinkled around the show floor, and RSAC does not focus directly on AppSec. If you want all AppSec, go to an OWASP event.

  3. ASPM is a hot ticket item; plenty of vendors are now in this space and are talking about it. Some more significant vendors, some smaller. I'd like to know if the more prominent vendors that consolidate products will quickly buy something to cover this need or try to develop themselves (CheckMarx, Synopsys, Snyk, for example).

  4. I enjoyed seeing the success of many startups with whom I’ve crossed paths (Plextrac, Mitiga, Reversing Labs, Contrast, and Semgrep). They have all upgraded to the mid-size company booths. I also connected with Seconize, based in India, and Katilyst (Dustin Lehr’s new company), who made their first trip to RSA. Go, Chethan and Sashank, Dustin and Stan!

I’ll see you next year, RSAC. I can’t wait to learn what the buzzword is for next year. Could AI last one more?

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Elie Saad -- OWASP WSTG, Cheat Sheets, and Integration (Audio only; YouTube)

      • Elie Saad is an application security engineer who leads three OWASP projects, focusing on empowering developers to integrate security into their projects through guidance, secure pipeline designs, and external security measures.

      • In his discussion, Elie provides insights into the latest developments in the WSTG, Cheat Sheets, and the Integration Standard, including demonstrations of each project's applications.

  • Security Table

    • XZ and the Trouble with Covert Identities in Open Source (Audio only; YouTube)

      • Matt, Izar, and Chris explore the complexities of open-source security, discussing trust issues, vulnerabilities, and risks of malicious infiltration, highlighting the need for proactive security approaches.

      • They address open source maintainers' challenges and suggest solutions such as improved funding models and behavior analysis to bolster security in the open source ecosystem.

  • Threat Modeling Podcast

    • The new episode posts this week, the day after you receive this email.

Pictures are Fun

It was sort of like this, only different.

Where to find Chris? 🌎

  • InfoSec World, Sept 23-25, 2024

    • The Modern Application Security Rocket Ship — Time/date TBD

    • The Paradox of Secure and Private By Design — Time/date TBD

    • Workshop: Threat Modeling Championship: Breaker vs. Builder — Time/date TBD

  • OWASP Global San Francisco, Sept 26-28, 2024

    • I’ll be hanging around the Devici booth.

🔥 Reasonable AppSec is brought to you by Kerr Ventures.
