Reasonable 🔐AppSec #54 - Proactive Controls, Five Security Articles, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: OWASP Proactive Controls

  • Application Security Podcast 🎙️ Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Employee Personal GitHub Repos Expose Internal Azure and Red Hat Secrets — Personal GitHub repositories of employees from companies like Microsoft and Red Hat have been found to contain sensitive corporate secrets, exposing them to potential security breaches. These "Shadow IT" instances highlight the risks of using personal repositories for work-related projects, underscoring the need for organizations to enforce stricter security measures to prevent such vulnerabilities. [Secrets in repos have been a challenge for the last decade, but this wrinkle was new to me — corp secrets finding their way into personal and public repos.]

  2. Don't Expect Cybersecurity 'Magic' From GPT-4o, Experts Warn — Experts caution that despite the advanced capabilities of GPT-4o, it should not be expected to revolutionize cybersecurity significantly. While it can assist with specific tasks, issues like hallucinating vulnerabilities and limited visibility into technology and processes mean it won't fundamentally change how AI tools assist in cyber defense or attacks. [Things stay the same still. The AI hype cycle continues, but enjoy a cup of reality and realize that AI is not solving your cybersecurity shortcomings soon.]

  3. How Apple Wi-Fi Positioning System can be abused to track people around the globe — Researchers found that Apple's Wi-Fi Positioning System (WPS) can be exploited to track individuals globally, even those without Apple devices, by using Wi-Fi access point data. This vulnerability allows for detailed surveillance, highlighting significant privacy concerns despite potential mitigations like SSID randomization. [Attention to privacy is growing. Focus on understanding it and what we need to do as an industry to design for both security and privacy from the start.]

  4. Safeguards of the Largest Language Models Can Be Easily Bypassed with Simple Attacks, Research Finds — Research by the AI Safety Institute found that safeguards in large language models can be easily bypassed with simple attacks, allowing them to produce potentially harmful responses despite being trained to avoid such outputs. These vulnerabilities highlight the challenges in ensuring AI models' safety and the ease with which users can manipulate them to provide inappropriate information. [AI security controls are in their infancy. Like a toddler driving your car, AI security controls operate with just as much knowledge and ability.]

  5. New Disposable APIs in Javascript — JavaScript’s new "Explicit Resource Management" proposal includes a using statement for automatic resource disposal. The post explains how the Disposable and AsyncDisposable interfaces work, discusses the DisposableStack for managing multiple resources, and provides patterns and examples for effective resource management in JavaScript applications. [The App in AppSec stands for coding languages. Don’t sleep on understanding the languages and their evolution for the applications you help protect.]

Featured Focus: OWASP Proactive Controls

The OWASP Proactive Controls is one of the best-kept secrets of the OWASP universe. Everyone knows the OWASP Top Ten as the list of the top application security risks, updated every few years. The OWASP Proactive Controls is the answer to the OWASP Top Ten. It is a catalog of available security controls that counter one or more of the top ten.

For example, Injection is a famous Top Ten item, having lived within the OWASP Top Ten since its inception. One still-prevalent category of Injection is SQL Injection. The counter to SQL Injection from the Proactive Controls is “C3: Secure Database Access” and other controls. C3 prescribes secure queries, configuration, authentication, and communication for database transactions. These techniques work together to prevent data loss due to SQL Injection.
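The "secure queries" part of C3, shown as an added example that is not from this newsletter or from OWASP: a string-built lookup beside its parameterized form, using Python's built-in sqlite3 module. The table, function names, and sample rows are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_concatenated(conn, name):
    """Weak form: the input is spliced into the SQL text and parsed as SQL."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    """Secure query: the driver binds the input as a value, never as SQL."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


# Constructed input: a name that contains a quote and a tautology.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    # The concatenated query's WHERE clause is rewritten by the input,
    # so every row matches.
    print("concatenated :", lookup_concatenated(conn, CRAFTED))
    # The bound parameter is compared as one literal string; no user has
    # that name, so nothing is returned.
    print("parameterized:", lookup_parameterized(conn, CRAFTED))
```

Both functions behave the same on ordinary names; they differ only when the input contains SQL syntax, which is why this defect tends to survive functional testing.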

While the current OWASP Proactive Controls do not perfectly match the OWASP Top Ten for 2021, they do a fair job of advising on controls to add to your applications to mitigate the dangers the Top Ten describes.

Ironically, the only Proactive Control that does not align with one of the OWASP Top Ten 2021 items is C1: Define Security Requirements. C1 describes security requirements, points to the OWASP Application Security Verification Standard (ASVS) as a source, and describes a path for implementing security requirements. Proper security requirements can assist in limiting the blast radius of the OWASP Top Ten. Considering requirements early in building something new lessens the impact of the OWASP Top Ten.

If you haven’t looked closely at the Proactive Controls, take a look. You’ll find a pile of value for yourself and for the developers you support.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Rob van der Veer -- OWASP AI Security & Privacy Guide (Audio only; YouTube)

      • We discuss observations on how AI engineering differs from regular software engineering and typical pitfalls for AI engineers.

      • We also explore the scope of the new OWASP AI Security and Privacy Guide, threats introduced by AI, and mitigations that organizations and teams can use to build secure AI systems.

  • Security Table

    • Jim Manico ❤️ Threat Modeling: The Untold Story (Audio only; YouTube)

      • Jim Manico joins Chris, Matt, and Izar to discuss his Threat Modeling journey, and they explore their views on DAST, SAST, SCA, Security in AI, and other topics, emphasizing the importance and future potential of SAST and AI in software security.

      • They also delve into the significance of threat modeling in identifying early security issues, the ROI of threat modeling, and the "shift left" movement's benefits and challenges in software security.

  • Threat Modeling Podcast

    • Dr. Michael Loadenthal -- Intersectional, Harm Reduction Approach to Threat Modeling (Audio only)

      • Dr. Michael Loadenthal emphasizes a multidisciplinary approach to threat modeling, considering political, legal, ethical, and social dimensions alongside technical threats, using tools like mind maps and the harm reduction framework to develop context-specific solutions for diverse clients.

      • His "intersectional threat modeling" approach stems from his activism background. He recognizes the importance of addressing non-technical threats and collaborating with a diverse team to tackle complex challenges.

Pictures are Fun

AI security has all the sophistication of a toddler driving a car.

Where to find Chris? 🌎

  • InfoSec World, Sept 23-25, 2024

    • The Modern Application Security Rocket Ship — Time/date TBD

    • The Paradox of Secure and Private By Design — Time/date TBD

    • Workshop: Threat Modeling Championship: Breaker vs. Builder — Time/date TBD

  • OWASP Global San Francisco, Sept 26-28, 2024

    • I’ll be hanging around the Devici booth.

🔥 Reasonable AppSec is brought to you by Kerr Ventures.