Reasonable 🔐AppSec #58 - Secure and Private by Design Converge with Threat Modeling, Five Security Articles, and Podcast Corner

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Secure and Private by Design Converge with Threat Modeling

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Did you know that Devici, the threat modeling company I founded, has a free forever plan? We provide three comprehensive threat models that are free forever. Create an account today and start threat modeling for free! Invite up to ten colleagues into your account to model together in a collaborative environment. Visit devici.com today to sign up.

Five Security Articles 📰 that Are Worth YOUR Time

1. Study Finds That 52 Percent of ChatGPT Answers to Programming Questions Are Wrong  — A study by Purdue University found that 52% of ChatGPT's answers to programming questions contain misinformation, with many users preferring its polite and comprehensive style despite its inaccuracies. This highlights the challenges and risks of relying on AI-generated code solutions, stressing the need to carefully validate such responses. [And people wonder why I suggest GPT is not a replacement for a threat modeling tool? The challenge I have is that it is not predictable. You can get two different answers right after the other.]

2. The state of AppSec: Are we getting ahead of attackers — or falling behind? — Over the past five years, application security (AppSec) has improved in secure programming languages and container security, but software supply chain security challenges persist. Despite advancements, AppSec must evolve rapidly to keep pace with modern threats, requiring better tools, investment in people, and a comprehensive understanding of security risks throughout the software development lifecycle. [Nice report on the state of AppSec across many different categories.]

3. PCI DSS 4.0 Simplified: What You Need to Know — PCI DSS 4.0 introduces several changes to improve the security of payment card data, emphasizing secure network maintenance, data protection, vulnerability management, access control, and regular monitoring and testing. Organizations must adopt comprehensive security policies, ensure minimal data storage, and continuously update and audit their security practices to comply with these standards. [Many impactful changes for AppSec in 4.0. Worth a closer look.]

4. The CEO Is Next — Government agencies will soon seek to hold CEOs personally liable for insufficient cybersecurity investments, as the actual costs of breaches often impact consumers more than companies. The Biden administration's National Cybersecurity Strategy and recent actions, such as the SEC's case against SolarWinds, reflect a shift towards holding CEOs accountable, highlighting the need for corporate leadership to prioritize and adequately fund cybersecurity measures. [How does this change the game in the CEO’s office and the board room? It seems challenging to prove personal liability unless there is gross negligence.]

5. Why HAST is important to API hackers — Human Application Security Testing (HAST) involves creating manual tests that can be automated to find security vulnerabilities in APIs, providing deeper insights than traditional automated tools like SAST and DAST. HAST allows for context-aware testing, continuous security validation, and detection of complex attack chains, making it crucial for thorough and effective API security. [Nice methodology to think through from Dana about manual API testing.]

Featured focus: Secure and Private by Design Converge with Threat Modeling

My talk from RSAC 2024, “Secure and Private by Design Converge with Threat Modeling,” was recently published on YouTube.

I created this talk because I saw something missing from all the hoopla around secure by design. Plenty of things looked secure by design and were sold as secure by design, but none provided a way to ACHIEVE secure by design.

In this talk, I describe a framework for achieving secure and private by design and default. I broke this process into four components: design decisions, data flow diagrams, security and privacy patterns, and checking the work (threat modeling.)

With design decisions, I provided a list of things to consider before starting a new application. Such as language and framework choice (a security and privacy enforcing stack), mechanisms to protect PII and customer data, and the responsibility to use open source responsibly. Many of these are not new, but I ordered them in such a way as to make them matter for a new design. Just so you know, you can also apply these design decisions to other existing things that you have written.

Data flow diagrams are the heart of the design analysis, using a simple and structured format to draw a picture of the design. I find data flow diagrams the best way to visualize what I need to analyze. With a conversation, it is easy to get lost. A DFD is a reference you can continuously return to and revise.

Security and privacy patterns are the paved roads that security teams can define and then make available to developers via a menu of options. These patterns include authentication/multi-factor, access control/authorization, and validation/sanitization/encoding. They provide the building blocks for a solid security and privacy foundation.

Threat modeling is the final step, where the work is checked. The DFD exists from step two, and adding the details of the patterns provides a final design for proper threat modeling. Proper threat modeling considers threats and focuses on the best ways to mitigate them.

These steps together provide a framework for embracing secure and private by design and default so that you can make this concept a reality! So put down your pledges, hide the reference documents, and focus on deploying a process that creates secure and private by design instead of all the other movements that talk about it.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Steve Wilson -- OWASP Top Ten for LLMs (Audio only; YouTube)

    • The OWASP Top Ten for LLMs project, led by Steve Wilson, aims to create standardized guidelines for building secure AI applications using large language models like ChatGPT, addressing traditional security issues and introducing a new discipline of AI security engineering.

• Security Table

  • Privacy and the creepiness factor of collecting data (Audio only; YouTube)

    • Ally O'Leary, a privacy compliance expert, explains the intersection of privacy and security, emphasizing the importance of understanding personal information and data storage within company systems.

    • She highlights that privacy, often triggered by regulations like GDPR, is distinct from security but closely related. It requires regular data flow reviews, audits, and collaboration between privacy and security professionals during development.

• Threat Modeling Podcast

  • Dr. Michael Loadenthal -- Intersectional, Harm Reduction Approach to Threat Modeling (Audio only)

    • Dr. Michael Loadenthal emphasizes a comprehensive threat modeling approach considering political, legal, ethical, and social dimensions. This approach, developed from his experience in social movements and activism, addresses threats beyond the technical realm.

    • He utilizes multidisciplinary tools like mind maps and the harm reduction framework, collaborating with diverse teams to develop context-specific solutions for companies, non-profits, and high-profile individuals, enhancing the effectiveness of threat modeling.

Where to find Chris? 🌎

• Webinar: Modern Threat Modeling: Business vs. Technical Perspectives, July 25 @ 1 PM Eastern; register here.

• InfoSec World, Sept 23-25, 2024

  • The Modern Application Security Rocket Ship — Time/date TBD

  • The Paradox of Secure and Private By Design — Time/date TBD

  • Workshop: Threat Modeling Championship: Breaker vs. Builder — Time/date TBD

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.