Reasonable 🔐AppSec #57 - Secure by Design at Scale, Five Security Articles, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Secure by Design at Scale

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Trusted relationship attacks: trust, but verify — Trusted relationship attacks exploit connections between organizations and their service providers, allowing attackers to infiltrate less-protected networks of small or medium-sized service providers and use legitimate credentials to access the target organization’s infrastructure. This approach lets attackers carry out large-scale, often undetected cyberattacks, leveraging vulnerabilities, compromised credentials, and sophisticated phishing methods. [Side channel attacks will become more prevalent as we continue to invest in building up our defenses attached to the front door.]

  2. OWASP SAMM Benchmark Data — The OWASP SAMM Benchmark Data provides insights into the average scores of various business functions within the Software Assurance Maturity Model (SAMM) across different organizations. The report highlights key findings, such as the highest and lowest-scoring security activities, emphasizing the importance of real-world data for guiding improvements in software security practices. [SAMM benchmark is the open source answer to what has previously been a high-priced, follow-the-herd pay-to-play space. SAMM needs more data to achieve this goal — the data can be anonymous.]

  3. Introducing Design Static Application Security Testing (DSAST) with Devici Code Genius — Devici Code Genius introduces Design Static Application Security Testing (DSAST), a novel approach to security testing that generates threat models from existing code, enhancing security and reducing development time. This method scans code to extract design information, automating threat model creation and allowing developers to address security issues efficiently. [I’m fond of this one. 😂]

  4. Microsoft Chose Profit Over Security and Left U.S. Government Vulnerable to Russian Hack, Whistleblower Says — Microsoft allegedly ignored warnings about a critical security flaw in their software to avoid jeopardizing government contracts. Russian hackers later exploited this flaw in the SolarWinds attack, allowing access to sensitive data from multiple U.S. federal agencies. [I’m struggling with this one, as big companies have thousands of bugs they are attempting to triage at any given time. Expecting perfection seems like a setup for failure. It stinks that this flaw was used for SolarWinds access, but it seems like a stretch to say they chose profit over security. They are a for-profit company, though, by the way.]

  5. Guide to Kubernetes Security Posture Management (KSPM) — Kubernetes Security Posture Management (KSPM) emphasizes the importance of assessing and managing the security posture of Kubernetes clusters to protect against common attack vectors. It provides a comprehensive guide on hardening clusters, incident response, and maintaining a defense-in-depth strategy for robust security. [Ahhh, yes, another PM category of tooling. When will it end?]

Featured Focus: Secure by Design at Scale

Secure by design is a hot topic—so hot, in fact, that CISA wrote a whole pledge and held a signing ceremony 🤮 at RSA. I wish I could say that a pledge would move the industry forward, but perhaps it would be a tiny step.

When we think about scaling anything, we must consider how to make the concept work for five developers and five thousand. Scaling secure by design is in the same category.

Secure-by-design principles are challenging to implement at scale because they require that the security team build a collection of shared security services that can be incorporated into all applications. These shared security services include multi-factor authentication, SAML/OIDC/SSO, session management, attribute-based access control (ABAC), and input validation/output encoding.

These services are complex to implement but even more complex to create in a way developers can use. Shared security services aim to simplify the implementation and make it less time-consuming than a developer building something from scratch. This is the essence of paved roads that everyone talks about—provide paved roads that are easier for developers to drive on than if they had to build their own roads. Implementing secure-by-design at scale means building paved roads as shared security services developers can easily consume.
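As an added illustration of what a shared security service looks like when packaged as a paved road (example code written for this issue, not code from the newsletter or from any product mentioned above), here is a small Python module that bundles three of the services listed earlier: deny-by-default attribute-based access control, output encoding that escapes every value unless a developer explicitly marks it safe, and HMAC-signed, expiring session tokens. The policy rules, the `USERS` directory, `SAMPLE_REPORT`, and the `serve_report` entry point are constructed assumptions for illustration; the point is that a developer calls one function and gets authentication, authorization, and encoding without building any of it from scratch.

```python
# Added example for this issue, not code from Reasonable AppSec or any product
# named above. The policy rules, USERS directory, SAMPLE_REPORT and the
# serve_report entry point are constructed assumptions for illustration.
from dataclasses import dataclass
from html import escape
import hashlib
import hmac
import secrets
import time

# --- Attribute-based access control: deny by default, rules are pure functions ---
@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset = frozenset()
    department: str = ""

@dataclass(frozen=True)
class Resource:
    kind: str
    owner_id: str
    department: str = ""
    classification: str = "internal"

class AbacPolicy:
    """Developers register (action, condition) pairs; anything unmatched is denied."""

    def __init__(self):
        self._rules = []

    def allow(self, action, condition):
        self._rules.append((action, condition))
        return self

    def is_allowed(self, subject, action, resource):
        return any(act == action and cond(subject, resource) for act, cond in self._rules)

def default_policy():
    # Constructed sample rules, not any real organisation's policy.
    return (AbacPolicy()
            .allow("read", lambda s, r: r.owner_id == s.user_id)
            .allow("read", lambda s, r: r.department == s.department
                   and r.classification != "restricted")
            .allow("read", lambda s, r: "auditor" in s.roles)
            .allow("delete", lambda s, r: r.owner_id == s.user_id and "admin" in s.roles))

# --- Output encoding: every value is HTML-escaped unless wrapped in SafeHtml ---
class SafeHtml(str):
    """Marker for markup a developer has deliberately chosen to emit unescaped."""

def render_html(template, **values):
    encoded = {k: (v if isinstance(v, SafeHtml) else escape(str(v), quote=True))
               for k, v in values.items()}
    return template.format(**encoded)

# --- Session tokens: HMAC-signed, expiring, verified in constant time ---
def issue_session(secret, user_id, ttl_seconds=900, now=None):
    now = int(time.time()) if now is None else now
    payload = f"{user_id}:{now + ttl_seconds}:{secrets.token_hex(8)}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"

def verify_session(secret, token, now=None):
    """Return the user_id for a valid, unexpired token, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        user_id, expiry, nonce, mac = token.rsplit(":", 3)
    except ValueError:
        return None  # malformed token
    payload = f"{user_id}:{expiry}:{nonce}".encode()
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # forged or tampered
    if not expiry.isdigit() or int(expiry) <= now:
        return None  # expired
    return user_id

# --- The paved road: one entry point that authenticates, authorises, then renders ---
USERS = {  # constructed sample directory
    "alice": Subject("alice", frozenset(), "finance"),
    "bob": Subject("bob", frozenset({"auditor"}), "eng"),
    "carol": Subject("carol", frozenset(), "finance"),
}
SAMPLE_REPORT = Resource("report", owner_id="alice", department="finance",
                         classification="restricted")

def serve_report(secret, policy, token, report, body, now=None):
    """Returns (http_status, html); developers call this instead of hand-rolling checks."""
    user_id = verify_session(secret, token, now)
    subject = USERS.get(user_id) if user_id else None
    if subject is None:
        return 401, render_html("<p>Please sign in again.</p>")
    if not policy.is_allowed(subject, "read", report):
        return 403, render_html("<p>{who} may not view this {kind}.</p>",
                                who=subject.user_id, kind=report.kind)
    page = render_html("<h1>{kind} owned by {owner}</h1><pre>{body}</pre>",
                       kind=report.kind, owner=report.owner_id, body=body)
    return 200, page
```

The design choices are the ones that make a paved road easier to drive on than a home-built road: the policy denies unless a rule matches, so forgetting to write a rule fails closed; `render_html` escapes by default, so forgetting to encode cannot produce injection, and emitting raw markup requires the visible `SafeHtml` wrapper that a reviewer can grep for; and `verify_session` is the only place that touches the signing secret, so session handling is fixed in one spot rather than copied into every handler.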

Platform engineering should work toward automating as much of the application and product security tool suites as possible. Even more importantly, the platform should invest heavily in improving the fidelity of tool results to ensure that developers are not slowed down by the noise the tool suites generate. Hyperfocus on the five most critical items developers must deal with to deploy a feature that respects security and privacy.

Secure by design is scalable, but unlocking scalability requires an investment in building the pieces that make it easy for developers. That is the key — ease of use; make security easier than not doing security.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • David Quisenberry -- Building Security People and Programs (Audio only; YouTube)

      • With guest David Quisenberry, we discuss his security journey, building AppSec programs in small to mid-sized companies, and the importance of data-driven decision-making.

      • The conversation also covers the value of mentoring, trust with engineering teams, mental health, and community in the industry while sharing personal stories highlighting the importance of relationships and life balance.

  • Security Table

    • AppSec Resolutions (Audio only; YouTube)

      • Chris, Izar, and Matt answer fan mail, make fun predictions for 2024, discuss their cybersecurity resolutions, and call global listeners to action. They highlight the podcast's reach and explain topics like large language models (LLMs), Quantum LLMs, and Software Bill of Materials (SBOM).

      • They emphasize the importance of teaching secure coding from the high school level and share their passion for making cybersecurity more accessible, practical, and effective through critical discussions and innovative ideas.

  • Threat Modeling Podcast

    • A Comprehensive Threat Modeling Strategy (Audio only)

      • Make threat modeling holistic and straightforward, starting after the high-level design phase and continuously revisiting the model throughout a product's lifecycle. Concentrate on domain-specific problems and use automated approaches for domain-agnostic issues.

      • Special thanks to Iswarya Subramanian Balachandar, Kuldeep Kumar, Abdoulkader (Abdo) Dirieh, Rob van der Veer, and Tony Turner for their feedback on this episode.

Where to find Chris? 🌎

  • Webinar: Modern Threat Modeling: Business vs. Technical Perspectives, with Sarah-Jane Madden and Izar Tarandach, hosted by yours truly. Stay tuned for a registration link.

  • InfoSec World, Sept 23-25, 2024

    • The Modern Application Security Rocket Ship — Time/date TBD

    • The Paradox of Secure and Private By Design — Time/date TBD

    • Workshop: Threat Modeling Championship: Breaker vs. Builder — Time/date TBD

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.