Reasonable 🔐AppSec #62 - The AppSec Hype Cycle, Five Security Articles and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: The AppSec Hype Cycle

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Threat modeling requires so much more than a tool. Sure, a tool is the program's foundation, but what if your threat modeling tool could help you run your program? Welcome to Devici. Workflows, custom threats, mitigations, and custom templates create the threat modeling program you need, and Devici helps you execute your strategy.

Devici has a free plan for forever, so you can try us out. You get three comprehensive threat models. Create an account today and start threat modeling for free! You can invite up to nine colleagues to your account to model together in a collaborative environment. Visit devici.com today to sign up.

Five Security Articles 📰 that Are Worth YOUR Time

  1. Will AI Revolutionize Software Engineering and Security? — AI is revolutionizing software engineering and security by advancing threat detection, automating routine tasks, and boosting overall efficiency, leading to more effective and proactive security measures. [Short answer: yes and no. In the short term, no. In the long term, I see a path towards AI-enhancing developers and security people to achieve 100% more productivity.]

  2. New Tactics from a Familiar Threat — Phylum has exposed North Korean threat actors attacking software developers in the open-source supply chain for over a year. This blog post highlights evolving tactics from a North Korean campaign that began in September 2023 with a package published on 4 July 2024 in npm. Like a snake shedding its old skin, this attacker's evasive attempts have introduced some novelties, but many of the same patterns and idioms we have seen throughout this campaign remain. [This is not a topic I usually cover, but when nation-state actors come for the supply chain, it’s time to dive in.]

  3. Hacking Millions of Modems (and Investigating Who Hacked My Modem) — Sam Curry details how millions of modems are vulnerable to hacking due to weak security practices, exposing significant risks of unauthorized access and control over network devices. [Vulns with mass scale always catch my attention. Excellent research by Sam.]

  4. 2024 State of Cloud Security Report Shows That More Risk Prioritization is Needed — The 2024 State of Public Cloud Report from Orca Security highlights key risks and prioritization strategies for securing public cloud environments, emphasizing the need for comprehensive risk management to address evolving threats and vulnerabilities. [Takeaway: Your cloud is not secure enough.]

  5. Securing the Future of Artificial Intelligence and Machine Learning at Microsoft — Microsoft's guide on securing artificial intelligence and machine learning emphasizes the importance of integrating robust security measures to protect AI systems from vulnerabilities and threats throughout their lifecycle. [Check out how a big company is packaging up security for AI.]

Featured Focus: The AppSec Hype Cycle

Plenty of hype cycle-style analyses are floating around, so here is mine.

Trending downward: DevSecOps

I continue to see conference presentations, podcast episodes, and blog posts on DevSecOps five years after DevSecOps took our industry by storm. DevSecOps is tired and needs to drift away. For years, I’ve been saying we should call it DevOps and include security as a natural step in building software. It’s time to stop treating it as a separate thing and let it go.

So far down that it should be six feet under: Shifting Left

I just saw this one again today on LinkedIn. It’s so weathered, worn out, and tired, yet people continue to drag it back out. Let this one go as well — it started as a marketing term, had a good run, and made sense for technical people, but now it’s back to a marketing term. Let it go.

Everyone is gaga for it: Application Detection and Response (ADR)

Can anyone count the detection and response technology types we now have? ADR is the latest, and many vendors are morphing their language from their existing products to align with ADR. Time will tell if this becomes a valid technology type that is a must-have for the AppSec stack. It’s worth a look, but the jury is still unsure about its value/return on investment.

It would be best if you were looking at it: Application Security Posture Management (ASPM)

Alert fatigue is a real thing. Face it: our tools are generating 10x the findings they should, and we need to increase the fidelity of the data feed we send to developers. ASPM is the answer to this challenge and should be added to your stack soon.

Terms vendors are jumping on board with: Guardrails / Paved Roads

I’m not sure who first used these terms, but if you look around, you will see that many vendors now use them to define their product suites. I predict these terms are the next “shift left” for our industry and will cross into the marketing world within six months.

That ends my first AppSec Hype Cycle analysis. I hope you enjoyed it. Reply and let me know if you agree or disagree with these statements.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Andrew Van Der Stock -- The New OWASP Top Ten (Audio only; YouTube)

      • Andrew Van Der Stock joins Chris Romeo and Robert Hurlbut to discuss OWASP Top 10 Project updates, emphasizing data collection and developer engagement.

      • The episode covers the methodology for the OWASP Top 10, framework security, and key insights for shaping the future of web application security.

  • Security Table

    • Why Do Engineers Hate Security? (Audio only; YouTube)

      • Chris, Matt, and Izar discuss why security professionals should develop empathy, soft skills, and integration strategies to avoid being perceived as intrusive by engineers.

      • Building strong relationships requires understanding engineers' perspectives and effectively communicating the value of security measures.

  • Threat Modeling Podcast

    • The Four Question Framework with Adam Shostack (Audio only)

      • Chris and Adam dive into the four-question framework for threat modeling, explaining the meaning and purpose of each question to simplify the process.

      • They discuss the importance of retrospectives, the evolution of the framework, and its application in various situations, highlighting that the questions serve as a practical foundation for threat modeling.

Where to find Chris? 🌎

  • Webinar: Secure by Design, August 29 @ 3 PM Eastern; register link coming soon.

  • InfoSec World, Sept 22-25, 2024

    • The Modern Application Security Rocket Ship — Monday, Sept 23, 10:15 AM

    • The Paradox of Secure and Private By Design — Tuesday, Sept 24, 1:30 PM

    • Workshop: Threat Modeling Championship: Breaker vs. Builder — Sunday, Sept 22, 9 AM - 12 PM

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.