• Reasonable Application Security
  • Posts
  • Reasonable 🔐AppSec #53 - Security Rockstars and Collaboration: The NF Concert Story, Five Security Articles, and Podcast Corner

Reasonable 🔐AppSec #53 - Security Rockstars and Collaboration: The NF Concert Story, Five Security Articles, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Author

Chris Romeo
May 28, 2024

Hey there,

It is a bit late for this week, but Monday was a holiday in the US. Happy securing and privateering!

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Security Rockstars and Collaboration: The NF Concert Story

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Some Thoughts on AI & Security within the SDLC — Integrating AI into the Software Development Life Cycle (SDLC) can significantly enhance various stages such as development, testing, and maintenance by improving efficiency, code quality, and security. Key concerns include intellectual property protection, data security, and ethical considerations, necessitating robust supervision and secure data handling practices to ensure a harmonious collaboration between AI and human expertise.​ [This piece will get you thinking about how AI security fits the SDLC cycles.]

  2. Finding Attack Vectors using API Linting — API linting tools, such as Spectral, help identify security vulnerabilities by analyzing API documentation for inconsistencies and errors. This proactive approach enables developers and security professionals to detect and mitigate potential attack vectors in APIs before they can be exploited. [Using linting tools to sniff out API vulns is pretty cool. It's worth reviewing and adding this tool and approach to your arsenal.]

  3. The quantum apocalypse: What is post-quantum cryptography, and why do we need it? — Post-quantum cryptography is essential to counter the threat of quantum computers, which could potentially break current encryption methods. The article highlights the urgency for developing new encryption algorithms and adopting a flexible cybersecurity approach to protect sensitive data from future quantum-based attacks. [Quantum this and quantum that; I get the problem that quantum crypto is solving, but I don’t get what I could buy today. Why all the noise about quantum? Is there anything there?]

  4. To securely build AI on Google Cloud, follow these best practices — Google Cloud's guide on securely building AI emphasizes defining business problems, protecting models, validating inputs and outputs, enforcing content safety, and maintaining strong identity and access management. An infographic outlines best practices across model development, application security, infrastructure management, and data governance to address AI-specific and general cloud security risks. [Solid mitigations that will work with far more than just GCloud.]

  5. Introducing SignSaboteur: forge signed web tokens with ease  — SignSaboteur is a Burp Suite extension that simplifies the process of forging signed web tokens by automating the detection, signing, verifying, and attacking of tokens, including JWT, Django, Flask, and Express. It supports brute force attacks with prebuilt word lists for known secret keys and salts, allowing security professionals to identify and exploit vulnerabilities in token-based authentication systems efficiently. [A dive into the technical deep end highlights a tool for messing with all shapes and sizes of tokens.]

I don’t go to many concerts. I like music, but I don’t have many artists that I value enough to spend the time and money to see them play live. I’ve only seen two separate artists in concert. One of those artists goes by the handle of NF, and I attended my third straight concert with him. (Fun fact: the only other group I’ve seen in concert was Tim McGraw and Faith Hill about fifty years ago.)

Being at this event got me thinking about the connection between an event like a concert and our security industry. Watching NF rock the stage with a heck of a performance driven through various screens and videos made me think about the “rock star” persona we portray in security. We think the industry consists of rock stars who get to speak at all the largest stages and get all the attention at events. I’d rather hear the stories of folks working in the trenches than rock stars traveling around and speaking for a living. Practitioners trump mouthpieces all day.

The other thing I witnessed at this event was after the concert. NF said goodbye, leaving the stage, and the audience left the arena. I hung around in my seat for about thirty minutes and watched the crew disassemble the stage and all the equipment like lightning. They worked consistently and speedily, and everybody knew their job. It was fun to watch, and it got me thinking about collaboration within a security team and how we all must work together toward shared goals and successes.

Maybe I didn’t need to attend a concert to take away these conclusions, but it was a way to enjoy it! Forget the rock stars and find ways to collaborate towards a shared goal — those are the secrets to success in security.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Mark Curphey and Simon Bennetts -- Riding the Coat Tails of ZAP, without Open Source Funding (Audio only; YouTube)

      • Mark Curphey and Simon Bennetts discuss the need for better funding and support for open-source security projects like ZAP, highlighting the industry's reliance on such tools without adequate financial contribution.

      • They advocate for ethical investment and responsible marketing to sustain critical infrastructure, with Curphey's company leading by example to ensure ZAP's ongoing development and maintenance as a non-profit.

  • Security Table

    • Why Developers Will Take Charge of Security, Tests in Prod (Audio only; YouTube)

      • Chris, Izar, and Matt discuss the evolving role of developers in security, emphasizing the 'shift left' approach and DevSecOps to integrate security earlier in the development process. They also highlight the need for secure coding languages and executive support.

      • They explore an article by Lorraine Lawson, which suggests developers should take more responsibility for security, with product managers advocating for security investments to executives, bridging the gap between security teams and developers, particularly in smaller companies without robust governance mechanisms.

  • Threat Modeling Podcast

    • The Four Question Framework with Adam Shostack (Audio only)

      • Adam Shostack explains how his four-question framework for threat modeling simplifies the process, emphasizing practicality and adaptability for various scenarios, and discusses the importance of retrospectives in evolving the framework.

      • The episode highlights the benefits of making threat modeling simple, actionable, and scalable with tools like Devici, which offers a free plan for building and collaborating on threat models.

Pictures are Fun

When a group of people work together on a task with efficiency, it’s a thing of beauty.

Where to find Chris? 🌎

  • InfoSec World, Sept 23-25, 2024

    • The Modern Application Security Rocket Ship — Time/date TBD

    • The Paradox of Secure and Private By Design — Time/date TBD

    • Workshop: Threat Modeling Championship: Breaker vs. Builder — Time/date TBD

  • OWASP Global San Francisco, Sept 26-28, 2024

    • I’ll be hanging around the Devici booth.

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.