Reasonable 🔐AppSec #61 - Sticking with anything, Five Security Articles and Podcast Corner
A review of application security happenings and industry news from Chris Romeo.
Hey there,
In this week’s issue, please enjoy the following:
Five security articles 📰 that are worth YOUR time
Featured focus: Sticking with anything
Application Security Podcast 🎙️Corner
Where to find Chris? 🌎
Five Security Articles 📰 that Are Worth YOUR Time
Let's blame the dev who pressed "Deploy" — Blaming software engineers for bugs and outages overlooks the broader issues caused by CEO decisions, customer demands, IT department pressures, and unrealistic regulations, contributing to systemic failures in the tech industry. [Blame culture has existed for as long as software has had bugs. Over the last few weeks, root cause analyses have ended with some people exiting the building. We should be past blame culture, but we’re not.]
Palo Alto isn’t going to buy everyone: the anatomy of cybersecurity startup exits — Speculating that Palo Alto Networks will acquire any cybersecurity startup is misguided, as most acquisitions are strategic, focusing on early leaders in specific markets, and many don't result in significant financial gains for founders or employees. [Insight into the cybersecurity startup space, fueled by recent Wiz news about walking away from the Google deal. If you’re an early-stage founder, don’t look at this as discouragement but intelligence.]
Responsibility Over Freedom: How Netflix’s Culture Has Changed — Netflix's internal culture, characterized by transparency, freedom, and responsibility, has been central to its success, though it continually evolves, emphasizing "People Over Process" and refining its principles to balance openness with practical constraints. [Netflix is always a good case study, as they’ve been cutting-edge for so long.]
QR code SQL injection and other vulnerabilities in a popular biometric terminal — ZKTeco biometric terminals have vulnerabilities, such as SQL injection via QR codes, that can allow unauthorized access and compromise authentication processes and biometric data security. [I don’t usually share the vuln of the week, but this one caught my attention because of the novel attack vector.]
Docker's 2024 State of Application Development Report Highlights Key Trends for Developers — Docker's 2024 State of Application Development Report highlights trends such as a shift to cloud-based development, rising microservices adoption, ongoing security challenges, and increased integration of AI tools like ChatGPT and GitHub Copilot in development processes. [If you want to improve at #AppSec, study the details about developers and their worlds. Please get to know them better.]
Featured Focus: Sticking with anything
If you’ve been on this planet for over five seconds, you know that things sometimes get challenging. Whether we’re talking about work or personal-related things, challenges are a fact of life. This is for the person struggling with something, feeling like there is no solution or a positive path forward.
I want to encourage you. When things get tough, it can seem like there is no possible positive outcome. I've had many ups and downs in my almost three-decade career. I’ve been blessed to have more ups than downs when they all add up, but I have also had some tough times.
I have found value in sticking with whatever challenge lies before me and having the attitude of not giving up. There is immense value in resiliency, in finding a path forward through the challenge.
One time in my career, the path forward was switching teams after I was forced out of my first management role. In their defense, I wasn’t a great manager in those days. (I learned an immense amount from that experience.) While those days appeared dark, a sun rose on the horizon. The new team that I switched to was Cisco’s Secure Development Lifecycle team, and that was the change that put me on the AppSec path way back in 2009. Was it tough in the moment? Heck yeah. I wanted to run away, but sticking with it, I changed the focus of my career.
So, could you stick with anything? Things will sometimes be tough in the short term, but resiliency means pushing forward and finding a better outcome.
Podcast 🎙️ Corner
I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.
Derek Fisher -- Hiring in Cyber/AppSec (Audio only; YouTube)
Chris and Robert discuss cybersecurity hiring and entry-level role challenges with Derek Fisher.
They cover the value of certifications, the necessity of lifelong learning, and the importance of networking.
To SSH or Not? (Audio only; YouTube)
Chris, Matt, and Izar discuss the OpenSSH regression vulnerability, detailing a race condition leading to remote code execution and debating SSH's necessity in modern cloud-native environments.
They explore the chain of security updates, the role of QA in preventing regressions, and who should catch vulnerabilities first—QA teams, pentesters, or automated tools.
What is the Essence of Threat Modeling? (Audio only)
Chris Romeo explores various definitions of threat modeling from industry experts, discussing whether risk assessment and threat modeling are the same, the essence of threat modeling, collaboration and documentation, and proactive security.
The podcast favors the Threat Modeling Manifesto's definition, emphasizing threat modeling as analyzing system representations to highlight security and privacy concerns involving art, science, collaboration, and brainstorming.
Where to find Chris? 🌎
Webinar: Modern Threat Modeling: Business vs. Technical Perspectives, July 29 @ 1 PM Eastern; register here.
Webinar: Secure by Design, August 29 @ 3 PM Eastern; register link coming soon.
InfoSec World, Sept 22-25, 2024
The Modern Application Security Rocket Ship — Monday, Sept 23, 10:15 AM
The Paradox of Secure and Private By Design — Tuesday, Sept 24, 1:30 PM
Workshop: Threat Modeling Championship: Breaker vs. Builder — Sunday, Sept 22, 9 AM - 12 PM
🤔 Have questions, comments, or feedback? I'd love to hear from you!
🔥 Reasonable AppSec is brought to you by Kerr Ventures.
🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.