Reasonable 🔐AppSec #60 - Five Security Articles and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Simple, intelligent, scalable: these words describe the Devici threat modeling platform.

Devici has a free forever plan. We provide three comprehensive threat models for free forever. Create an account today and start threat modeling for free! You can invite up to nine colleagues to your account to model together in a collaborative environment. Visit devici.com today to sign up.

Five Security Articles 📰 that Are Worth YOUR Time

  1. CISOs plan to start downsizing security teams because of AI – but experts warn it’s a “shortsighted and dangerous” path to take — CISOs are planning to reduce security team sizes due to AI adoption. Still, experts warn that this is a shortsighted and dangerous approach, as AI should complement rather than replace human expertise in cybersecurity. [What is a word larger than shortsighted and dangerous? We’ve been short on security team sizes for as long as I can remember, and now AI will result in shedding headcount. I don’t think so. Bad plan.]

  2. A simple firmware update completely hides a device's Bluetooth fingerprint — Researchers at the University of California San Diego have developed a firmware update that completely hides a device's Bluetooth fingerprint, preventing it from being used to track the device by randomizing the device's unique signal characteristics. [Shouldn’t this be included within the core operating system?]

  3. The Race to Make a Business of Secure Defaults — Modern security teams, with support from government and tech companies, are using secure defaults—tools and processes that inherently integrate security—to help developers build secure applications quickly while reducing the need for explicit security decisions. [There is tension between secure defaults, paved roads, guard rails, and innovation. With too many lockdowns, we start to build cookie-cutter things that are all the same.]

  4. 3 ways to improve appsec code auditing with graudit — Improve application security code auditing with graudit by customizing its dangerous-function signature databases, reducing false positives with the flatline.db and fruit.db databases, and reviewing findings with non-destructive tools such as vi (with aliases for highlight) and less. [Code auditing is a skill, and new tools are always worth a look.]

  5. What happened to RASP? — RASP's initial promise of in-app security monitoring and protection has faced challenges due to technical issues and non-technical critiques, leading to interest in the newer Application Detection and Response (ADR) approach as a potential solution. [This is a counterpoint to what I thought of as the industry's current state. ADR? Really? Do we need another DR solution?]

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Tanya Janca -- Secure Guardrails (Audio only; YouTube)

      • Join Tanya Janca, aka SheHacksPurple, as she discusses secure guardrails, the distinction between them and paved roads, and their implementation in application security.

      • Tanya, an award-winning speaker and SEMGREP's head of education, also shares insights on creating secure software, teaching developers, and her passion for her hobby farm and gardening.

  • Security Table

    • Rethinking Security Conferences: Engagement and Innovation (Audio only; YouTube)

      • Chris, Matt, and Izar discuss the current state of security conferences, evaluating the value of various types of gatherings, the importance of networking, and the need for engaging, participatory formats that cater to both introverts and extroverts.

      • They share personal experiences and preferences for attending and speaking at conferences and explore hybrid approaches that combine presentations with facilitated discussions and interactive elements.

  • Threat Modeling Podcast

    • Nandita Rao Narla -- Privacy Threat Modeling (Audio only)

      • Nandita Rao Narla introduces the basics of privacy in software, covering privacy threats, threat modeling, and privacy by design, which is essential for anyone handling user information.

      • This episode of the Threat Modeling Podcast is a primer on assessing and mitigating privacy concerns and implementing privacy-focused design in projects.

Where to find Chris? 🌎

  • Webinar: Modern Threat Modeling: Business vs. Technical Perspectives, July 29 @ 1 PM Eastern; register here.

  • Webinar: Secure by Design, August 29 @ 3 PM Eastern; register link coming soon.

  • InfoSec World, Sept 23-25, 2024

    • The Modern Application Security Rocket Ship — Time/date TBD

    • The Paradox of Secure and Private By Design — Time/date TBD

    • Workshop: Threat Modeling Championship: Breaker vs. Builder — Time/date TBD

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.