Reasonable 🔐AppSec #6 - Five Security Articles, Guard rails, Paved Roads, Photo, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue of Reasonable Application Security:

  • Five security articles 📰 that are worth YOUR time

  • Featured thought: Guard rails and paved roads 🛣️

  • Photo of the week 📷

  • Application Security Podcast 🎙️Corner

Five Security Articles 📰 that Are Worth YOUR Time

  • “Silly Security Awards” is a campaign to end the practice of biased and pay-to-play security awards run by marketing firms by encouraging companies to pledge non-participation. I’m all in — I’ve never participated in this nonsense with any of my companies. (more)

  • Turns out ChatGPT is not very good at security code review. Huh, who’d have thunk it? It can give misleading results and has other major practical issues. (more)

  • A roundup of handy tools for collecting and analyzing publicly available data from social media platforms like Twitter and Facebook, including Namechk, Sherlock, accountanalysis, Maltego, and the search functionalities within social media sites themselves. (more)

  • The Verizon DBIR is out, and it always has something for us in AppSec to comprehend. This is the cheat sheet version, or as they call it in the biz, the Infographic. (more)

  • Whenever my good friend Brook Schoenfield is the source, I’m all in on reading the article. Brook challenges my thinking often, and I learn something from him whenever we meet. And I quote, “It is impossible to prove software doesn’t have bugs.” (more)

Featured thought: Guard rails and paved roads 🛣️

Guard rails and paved roads -- how do they fit together in application security? Guardrails are security tools in the pipeline that help ensure the software doesn't drift too far from established standards. These guardrails allow developers to maintain their creativity and flexibility while building features that ultimately go to the customer. Guardrails do not dictate exactly how something is done but instead provide a container around the solution and ensure that the finished feature doesn’t stray into the land of insecurity.

Paved roads are platforms that developers can build on top of without having to worry about aspects like identity and access management. Paved roads and guardrails funnel developer activity without breaking their freedom to do what they need to do. Paved roads could include vetted libraries or tools without the need for admin rights inside cloud platforms. Paved roads enable developers to work with the best security features and functionality in a way that is easier for them and saves them time.

Guardrails and paved roads fit together nicely in a modern application security program. Anna Weselius’s talk from RSA 2023, Construction Time Again: A Lesson in Paving Paths for Security, is an excellent reference to see this come together.
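One way the two ideas meet in a pipeline, as an added example that is not from this newsletter or the talk it cites: the paved road is an allowlist of vetted libraries with the lowest reviewed version, and the guardrail is a CI check that flags a dependency manifest that drifts outside it. Every package name, version and the sample manifest below are constructed.

```python
# Added example (not from the newsletter): a hypothetical CI guardrail check.
# The paved road is an allowlist of vetted libraries with the lowest reviewed
# version; the guardrail flags the build when a manifest pin drifts outside it.
import re

# Paved road: vetted libraries and their lowest reviewed version (constructed).
PAVED_ROAD = {
    "requests": (2, 31, 0),
    "cryptography": (41, 0, 0),
    "pyjwt": (2, 8, 0),
}

# Constructed sample requirements.txt a developer might commit.
SAMPLE_MANIFEST = """\
requests==2.31.0
cryptography==3.4.8
PyJWT==2.8.0
leftpad-utils==0.0.1
"""

# Only exact pins are accepted; anything else is reported as drift.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)\s*$")

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def check_manifest(manifest):
    """Return guardrail findings; an empty list means the build passes.
    Off-road dependencies are flagged for review rather than forbidden, so
    developers keep their freedom while silent drift is stopped."""
    findings = []
    for line in manifest.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            findings.append(f"unpinned or unparsable requirement: {line.strip()!r}")
            continue
        # Package names are compared case-insensitively, as pip does.
        name, version = m.group(1).lower(), parse_version(m.group(2))
        if name not in PAVED_ROAD:
            findings.append(f"{name}: not on the paved road, needs review")
        elif version < PAVED_ROAD[name]:
            floor = ".".join(map(str, PAVED_ROAD[name]))
            findings.append(f"{name}: {m.group(2)} is below vetted floor {floor}")
    return findings

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST):
        print("GUARDRAIL:", finding)
```

Run on the sample manifest, the check passes the vetted pins and reports the outdated and off-road entries, which is the point where a pipeline would hold the change for review.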

Photo of the week 📷

This picture highlights both the paved road and the guard rail concept. Well, the road may not be perfectly paved. That is a better metaphor for the paved road, as they are never perfect.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes they are my podcasts. Other times they are podcasts that have caught my attention.

  • Application Security Podcast

    • JB Aviat -- The State of Application Security

      • What is the state of application security? JB Aviat answered that question by creating the state of application security report based on data from Datadog customers using the application security and APM products. It provides insights into threat detection, vulnerability detection, prioritization, and general trends regarding the most significant risks.

  • Security Table

    • Security Guardrails and Paved Roads

      • Guardrails are tools that maintain software standards without stifling developer creativity, while paved roads provide a worry-free platform for developers to build upon. Automation plays a crucial role in maintaining these systems, ensuring the creation of new structures and the functionality of existing ones, all committed to making everything secure by default.

  • Threat Modeling Podcast

    • Product-led Threat Modeling

      • Threat modeling is integral to product development as it involves taking responsibility for security and using team-specific language to influence outcomes. By applying lean product management and focusing on user needs, threat modeling can be conducted using methods like rapid risk assessment and STRIDE, building a threat library, and using cookbooks for different tech approaches, thus fostering collaboration and communication between product managers, architects, and technical leaders.

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.