Reasonable AppSec #59 - FOMO or something else?, Five Security Articles, and Podcast Corner
A review of application security happenings and industry news from Chris Romeo.
Hey there,
In this week's issue, please enjoy the following:
Five security articles that are worth YOUR time
Featured focus: FOMO or something else?
Application Security Podcast Corner
Where to find Chris?
Five Security Articles that Are Worth YOUR Time
How platform engineering helps you get a good start on Secure by Design – Platform engineering facilitates the adoption of "secure by design" principles by embedding security measures early in development. This integration enhances system resilience and reduces vulnerabilities through core engineering practices. [I provided some thoughts on the intersection of platform and SbD.]
Stop Recommending JWTs (with symmetric keys) – Using JSON Web Tokens (JWTs) poses security risks like key exposure and token forgery. Switching to asymmetric keys or alternative token formats is recommended to enhance security. [The more you know.]
Introducing RedFlag: Using AI to Scale Addepar's Offensive Security Team – Addepar introduces RedFlag, an AI-powered tool to enhance their offensive security team by automating the scoping of manual security tests. Leveraging Anthropic's Claude v3 model, RedFlag analyzes pull requests, enriches them with related information, and generates focused security test plans, significantly reducing the time and effort needed for comprehensive security assessments. [This fits within my vision for AI in the next five years – AI doing a labor-intensive task, allowing the humans to focus on the part that needs "brainstorming."]
If _____, you might not be Secure By Design Part 1 – "Secure By Design" emphasizes the importance of reducing and managing complexity to enhance security. Increased complexity heightens vulnerabilities, complicates situational awareness, and undermines the system's robustness, making simplicity a fundamental principle in effective security design. [Simplicity is essential for security and privacy, but it is hard to maintain within a functioning system.]
Don't Security Engineer Asymmetric Workloads – Matt Schellhas' "Asymmetric Workloads" concept highlights leadership failures, particularly the unfair distribution of workload burdens. This issue is relevant to security engineers, where the imbalance can lead to inefficiencies and resentment, ultimately undermining collaboration and organizational security. [This isn't workloads as you think with orchestration, but instead is focused on a human capital problem.]
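An added illustration of the JWT item above (my own example, not code from the linked article): a minimal HS256 sign/verify pair that makes the symmetric-key problem concrete, since the key that verifies a token is the same key that mints one, every service or backup that holds it is effectively an issuer. A small inventory check that flags HS-family algorithms is included; the key and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def hs256_sign(payload: dict, key: bytes) -> str:
    """Mint an HS256 JWT: header.payload.HMAC-SHA256(key, header.payload)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def hs256_verify(token: str, key: bytes):
    """Return the payload if the MAC checks out, else None. The verify key IS the signing key."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None  # pin the algorithm; never let the token header pick it
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(body_b64))

def uses_symmetric_alg(token: str) -> bool:
    """Inventory check: flag tokens whose header names an HMAC (shared-key) algorithm."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    return str(header.get("alg", "")).upper().startswith("HS")

# Constructed demo key, shared by an issuer and one downstream verifier (not a real secret).
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
issued = hs256_sign({"sub": "alice", "role": "user"}, SHARED_KEY)
# With HS256 every holder of the verification key is also an issuer: a token minted by the
# downstream service (or by whoever obtains its copy of the key) verifies exactly like the real one.
minted_downstream = hs256_sign({"sub": "alice", "role": "admin"}, SHARED_KEY)

if __name__ == "__main__":
    print(hs256_verify(issued, SHARED_KEY))
    print(hs256_verify(minted_downstream, SHARED_KEY))
    print(uses_symmetric_alg(issued))
```

With an asymmetric algorithm the downstream service would hold only the public key, so the second token could not be produced from what the verifier has.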
Featured focus: FOMO or something else?
OWASP Global Lisbon and ThreatModCon took place a few weeks ago. I didn't attend either event. I'm an avid conference attendee and speaker (when I get the chance), but this time, I didn't get the FOMO I expected.
Each summer for the past fourteen years (except for COVID), I've run a summer camp in Eastern Europe, in Moldova. This camp is focused on serving young people from this country. It is a 180-degree turn from what I do in my "day job." Instead of spending time on calls, answering emails, and dreaming up new features, I act as a camp director for this summer camp. It's a busy week, starting at 6 AM and often cruising towards a 10 PM wrap-up for the day.
This experience always reminds me that there is more to life than work and more to life than professional things. I share this experience to encourage everyone to find things away from work that add value to the world. Don't live to work; work to live.
I hope you'll be able to find your summer camp-style experience for the future.
Hey, what did you expect? We needed a sponsor, and now we have one.
Did you know that Devici, the threat modeling company I founded, has a free forever plan? We provide three comprehensive threat models that are free forever. Create an account today and start threat modeling for free! Invite up to ten colleagues into your account to model together in a collaborative environment. Visit devici.com today to sign up.
Podcast Corner
I love making podcasts. In Podcast Corner, you get a single place to see what I've put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.
Jahanzeb Farooq -- Launching and executing an AppSec program (Audio only; YouTube)
Jahanzeb Farooq discusses his journey in cybersecurity, emphasizing the importance of understanding developer needs and implementing appropriate tools based on his experiences at Siemens, Novo Nordisk, and Danske Bank.
The conversation also explores the complexities of cybersecurity in pharmaceutical and financial sectors, focusing on regulatory requirements, software's role in critical industries, security education, threat modeling, and digital transformation.
Privacy vs. Security: Complexity at the Crossroads (Audio only; YouTube)
Chris, Izar, and Matt discuss the shift in cybersecurity from a product-centric to an architectural-centric approach, focusing on integrating inherent capabilities rather than relying on add-on products.
They examine the intersections of security and privacy, the challenges of privacy threat modeling, and the evolving nature of regulations, emphasizing the importance of understanding the broader data ecosystem and continuous threat modeling.
Akira Brand -- Gaining Experience by Threat Modeling (Audio only)
Akira Brand joins Chris to discuss her journey into threat modeling, highlighting the importance of collaboration, understanding the application, and using tools and diagrams to aid the process, drawing parallels between surgical checklists and the STRIDE model for a comprehensive approach.
Her initial threat modeling identified significant security risks due to excessive permissions. She emphasized the power of collaboration across engineering, data analytics, and security teams to create holistic security solutions, showcasing true success in threat modeling.
Where to find Chris?
Webinar: Modern Threat Modeling: Business vs. Technical Perspectives, July 25 @ 1 PM Eastern; register here.
Webinar: Secure by Design, August 29 @ 3 PM Eastern; register link coming soon.
InfoSec World, Sept 23-25, 2024
The Modern Application Security Rocket Ship – Time/date TBD
The Paradox of Secure and Private By Design – Time/date TBD
Workshop: Threat Modeling Championship: Breaker vs. Builder – Time/date TBD
Have questions, comments, or feedback? I'd love to hear from you!
Reasonable AppSec is brought to you by Kerr Ventures.
Want to partner with Reasonable AppSec? Reach out, and let's chat.