Reasonable 🔐AppSec #56 - Certs or say goodbye, Five Security Articles, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Certs or Say Goodbye

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. ai-secure-code-review/Automated Secure Code Review at Scale Using Static Analysis and Generative AI.md — The automated secure code review system leverages static analysis and generative AI to scale and enhance the identification of security vulnerabilities in code. By integrating these tools, it aims to provide comprehensive reviews, improve security, and reduce the need for manual effort. [Should you trust this intrinsically? Nope. Test the tech, and let’s see where this thing can go.]

  2. The State of Software Supply Chain Security [Research] — BlackBerry's survey reveals that over 75% of software supply chains experienced cyberattacks in the past year, with nearly 74% originating from unmonitored suppliers. Despite improvements in recovery times and confidence in supplier security, challenges like lack of visibility and effective monitoring tools persist. [The occurrence stats don’t surprise me a single bit. I like to analyze reports like this to take the pulse of our industry and measure if we’re making incremental steps forward.]

  3. Death of DevSecOps, Part 1 — Cloud computing and DevOps have reshaped software development, making traditional DevSecOps practices outdated. The article argues for integrating security directly into development processes and empowering developers to handle security within agile frameworks. [I never liked the idea of DevSecOps from the beginning. Why did we create another thing versus integrating security into the existing thing?]

  4. Owning the Workflow in B2B AI Apps — A second-generation “wave” of B2B AI applications, termed "SynthAI," focuses on synthesizing information to streamline workflows. It highlights the importance of integrating AI capabilities directly into applications to enhance efficiency and usability. [Every once in a while, we must leave the depths of security and read something about innovation. Expand your mind with how the NG of AI will work.]

  5. Getting Started with eBPF for Security — This video introduces eBPF (extended Berkeley Packet Filter), highlighting its role in enhancing cloud security and securing containers and Linux runtime environments. It explains how eBPF functions, how it interacts between kernel and user space, and the benefits and challenges of integrating it into various security tools. [I kept hearing eBPF, and I never took the time to understand what it was. Give this video a watch for a great summary.]

Featured Focus: Certs or Say Goodbye

I've been a CISSP and CSSLP for many years, getting my CISSP in 1999. Should I renew them or let them lapse?

I took the question to LinkedIn, the source of all advice worldwide.

Here are a few themes that I saw in the advice:

  1. Let them lapse — they lose their initial value once you’re at a certain place in the industry. [I agree that the letters after my name don’t add anything to my career and that, hopefully, my reputation in the industry speaks for itself based on my accomplishments.]

  2. Keep them — they are required by Government agencies and contracting companies and are included in job posts. [In my situation, I’m blessed in that I’ll probably never get another job. 🙂 Part of the fun of starting companies is that you become unmanageable for the rest of your life.]

  3. Keep them — they force additional learning to earn CPEs, and lifelong learning is good. [This is positive in my mind — I am a lifelong learner and never want to lose this trait. I don’t find that the certifications push my love of learning, as I usually file my conference attendance for CPEs, which gets me to the required amounts.]

I’m leaning toward letting them lapse, but I will continue to mull this issue over for the next few weeks.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Matt Rose -- Software Supply Chain Security Means Many Different Things to Different People (Audio only; YouTube)

      • Matt Rose, an experienced technical AppSec testing leader, discusses his career journey and significant contributions to application security on the Application Security Podcast.

      • The conversation covers software supply chain security, critiques of the 'shift left' concept, and the role of digital twins and AI, emphasizing the need for a comprehensive approach beyond SCA and threat modeling.

  • Security Table

    • Open Source Puppies and Beer (Audio only; YouTube)

      • Chris, Izar, and Matt discuss the complexities of open-source component usage, including vulnerability patches, civic responsibility, and licensing issues, inspired by Bob Lord's LinkedIn post from CISA.

      • They explore whether software companies have a civic duty to distribute fixes for vulnerabilities in open-source components, the necessity of threat modeling every third-party component, and the implications of certain licenses for security patches.

  • Threat Modeling Podcast

    • Software-Centric Threat Modeling (Audio only)

      • Farshad Abasi shares his journey from being a software engineer to leading a global AppSec team at HSBC Bank, emphasizing the importance of asset-based threat modeling and simplicity.

      • He highlights focusing on the user story, incorporating architectural threat modeling early in development, using pull request templates for threat modeling questions, and being part of the DevSecOps process to review user stories regularly.

Where to find Chris? 🌎

  • InfoSec World, Sept 23-25, 2024

    • The Modern Application Security Rocket Ship — Time/date TBD

    • The Paradox of Secure and Private By Design — Time/date TBD

    • Workshop: Threat Modeling Championship: Breaker vs. Builder — Time/date TBD

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.