Reasonable 🔐AppSec #55 - What is a threat model?, Five Security Articles, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: What is a threat model?

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. HackerOne's List of Top 10 AI EMB(arrassments) — Common AI pitfalls include unauthorized discounts, promoting non-existent products, offensive language, and recommending competitor products, which can harm an organization's reputation. The article emphasizes the importance of careful AI development and thorough security testing to prevent these issues and maintain a positive organizational image. [It’s nice to have this list of embarrassments in one place for future reference. If you haven’t followed along with all the screw-ups AI has made in the early years, it’s time to catch up!]

  2. The MITRE EMB3D™ Threat Model — The MITRE EMB3D™ Threat Model is a knowledge base of cyber threats to embedded devices, aiming to improve security by mapping device properties to potential threats and suggesting mitigation strategies. It is a resource for device vendors, asset owners, operators, and security researchers to identify, assess, and mitigate threats specific to embedded devices across various industries. [I cannot pass up reviewing a threat model! This one explores embedded devices, a green field for threat modeling.]

  3. SAST is Dead, long live SAST — SAST (Static Application Security Testing) has evolved from a revolutionary tool in the early 2000s for detecting vulnerabilities in code to facing challenges with false positives and slow scan times. Despite its drawbacks, SAST remains valuable in modern SDLCs, especially with advancements like reachability analysis prioritizing exploitable vulnerabilities. It is a critical part of the strategy for early security integration. [SAST provides operational value to a program. You’d need a dozen more security pros to fill the gap without it. You should maximize its value and push the value envelope, but I don’t see it going away soon.]

  4. There Is No Cyber Labor Shortage — The cybersecurity labor shortage is largely a result of organizations and recruiters overemphasizing certifications, degrees, and formal training, which creates unnecessary barriers for potentially qualified candidates. Organizations can effectively address the perceived labor shortage and find capable individuals from diverse backgrounds by broadening the candidate pool and focusing on skills and traits rather than arbitrary qualifications. [Some say we are two million people short. Others say there is no shortage. I tend to fall into the camp of saying the shortage is greatly exaggerated.]

  5. When it comes to threat modeling, not all threats are created equal — Addressing inherent threats in threat modeling is challenging because these threats are intrinsic to a system and difficult to eliminate. Early detection, continuous threat modeling, and custom threat libraries are crucial for effectively prioritizing and managing these organizational risks. [I’m excited to be quoted in this article, talking about the value of custom threat libraries to improve threat modeling results.]

My friend Sarah-Jane Madden inspired this writing. She shared on LinkedIn how a salesperson decided to explain the definition of a threat model to her. This is hilarious because I watched Sarah-Jane rock the stage at OWASP Dublin last year with a talk (link to the YouTube here) on, guess what? THREAT MODELING! Salespeople should learn to read the room and look into the people on the call before it starts.

But with that, this is a good question. What is a threat model? It seems like such a simple question, but all simple questions are made complex when we add context.

The Threat Modeling Manifesto tees up a definition of threat modeling. “Threat modeling is analyzing system representations to highlight concerns about security and privacy characteristics.”

Using that Manifesto as our base, we could define a threat model as “a representation of a system that highlights concerns about security and privacy characteristics.” A representation is any way of describing the system or feature. It could be a data flow diagram, which is the modality that I favor. Still, a representation could also be a picture scribbled on a napkin or a conversation amongst a development team.

Once we have the representation, we need a collection of security and privacy characteristics. Personally, I believe the best way to do this is to use attributes that describe the thing you are building and tie them back to threats and mitigations that represent the security and privacy characteristics.
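To make that concrete, here is an added example (mine, not from the newsletter or Devici) of the definition as code: a tiny data flow diagram is the representation, each flow carries attributes describing what is being built, and a hypothetical custom threat library ties those attributes back to threats and mitigations. The flows, attribute names, and library entries are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Flow:
    """One data flow in the representation (a minimal DFD edge)."""
    src: str
    dst: str
    attrs: set = field(default_factory=set)  # attributes describing the flow

# Hypothetical custom threat library: attribute -> (threat, mitigation).
# In practice this is the organization's own library, not a fixed list.
THREAT_LIBRARY = {
    "crosses_trust_boundary": ("Spoofing of the caller",
                               "Authenticate the source (mTLS or signed tokens)"),
    "carries_credentials": ("Information disclosure of secrets in transit",
                            "Encrypt the channel (TLS 1.2+)"),
    "carries_pii": ("Privacy: exposure of personal data",
                    "Minimize fields; encrypt at rest and in transit"),
    "unauthenticated": ("Elevation of privilege via unauthenticated access",
                        "Require authentication and authorization checks"),
}

def threat_model(flows):
    """Return one concern per (flow, attribute) pair the library recognizes."""
    concerns = []
    for f in flows:
        for attr in sorted(f.attrs):  # sorted for stable, reviewable output
            if attr in THREAT_LIBRARY:
                threat, mitigation = THREAT_LIBRARY[attr]
                concerns.append({"flow": f"{f.src} -> {f.dst}", "attribute": attr,
                                 "threat": threat, "mitigation": mitigation})
    return concerns

def uncovered_attributes(flows):
    """Attributes used in the representation that the library says nothing about:
    these are gaps in the custom threat library, worth reviewing by hand."""
    used = set().union(*(f.attrs for f in flows)) if flows else set()
    return sorted(used - THREAT_LIBRARY.keys())

# Constructed sample representation: browser -> API -> database, plus a metrics sink.
SAMPLE_FLOWS = [
    Flow("browser", "api", {"crosses_trust_boundary", "carries_credentials"}),
    Flow("api", "database", {"carries_pii"}),
    Flow("api", "metrics", {"internal_only"}),  # not in the library -> reported as a gap
]

if __name__ == "__main__":
    for c in threat_model(SAMPLE_FLOWS):
        print(f"{c['flow']:18} {c['attribute']:24} {c['threat']} -> {c['mitigation']}")
    print("library gaps:", uncovered_attributes(SAMPLE_FLOWS))
```

Swapping in a different threat library changes the concerns without touching the representation, which is the separation the definition above describes.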

A threat model can be defined, and the Manifesto-inspired definition feels correct. Defining threat modeling has never been the hard part—the hard part is ingraining it within a development lifecycle.

P.S. Check out Devici to see how we meet the definition of both threat model and threat modeling.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • James Berthoty -- Is DAST Dead? And the future of API security (Audio only; YouTube)

      • James Berthoty shares his career path from IT operations to cloud security and his experiences with security tools and DAST.

      • Chris and James debate whether DAST is dead and explore the future of API security. They also tackle a series of AppSec Koolaid items that James speaks about.

      • The episode highlights James's insights on CVEs, reachability analysis, WAF misconceptions, and his initiative, Latio Tech, to improve the evaluation of application security products.

  • Security Table

    • Security, Stories, Jazz, and Stage Presence with Brook Schoenfield (Audio only; YouTube)

      • The gang interviews Brook Schoenfield in a very special episode.

      • Brook shares insights from his 40-year security career and experiences as an author, emphasizing ensemble work's value in security and music.

      • Personal anecdotes include Brook's experiences playing music with legends like Bo Diddley and Chuck Berry, illustrating the interplay between his professional and musical journeys.

  • Threat Modeling Podcast

    • Product-led threat modeling (Audio only)

      • The episode explores how integrating threat modeling into product management can enhance understanding of user needs and design effective security mitigations using methodologies like rapid risk assessment and STRIDE.

      • Chris and Michal emphasize collaboration and communication between product managers, architects, and technical leaders, providing insights and best practices for aligning threat modeling with product goals and user needs.

Pictures are Fun

I let the AI create its picture of being embarrassed by mistakes.

Where to find Chris? 🌎

  • InfoSec World, Sept 23-25, 2024

    • The Modern Application Security Rocket Ship — Time/date TBD

    • The Paradox of Secure and Private By Design — Time/date TBD

    • Workshop: Threat Modeling Championship: Breaker vs. Builder — Time/date TBD

  • OWASP Global San Francisco, Sept 26-28, 2024

    • I’ll be hanging around the Devici booth.

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.