Reasonable 🔐AppSec #63 - Slip and Fall, Five Security Articles and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Slip and Fall

  • Application Security Podcast 🎙️ Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Smashing Runtime Application Self-Protection (RASP) — This post explores why RASP, or Runtime Application Self-Protection, cannot always protect your Java applications and how it can be bypassed. [RASP has been a hot topic for the past few years, and I think of it as something cutting edge for an AppSec program. This one caught my attention because it posits that RASP may not be as strong as the market believes.]

  2. How a North Korean Fake IT Worker Tried to Infiltrate Us — A North Korean agent attempted to infiltrate KnowBe4 by posing as a legitimate IT worker, using a stolen identity and an AI-enhanced photo. The scheme was detected when malware was found on the employee's device. [This scenario happens more often than anyone thinks — interview well and check those references!]

  3. Bitdefender Vulnerability Let Attackers Trigger SSRF Attacks — A critical vulnerability in Bitdefender's GravityZone Update Server, identified as CVE-2024-6980, could allow attackers to perform server-side request forgery (SSRF) attacks, posing significant risk to affected systems. [SSRF is still up and coming, so I added this article as a case study in what SSRF looks like in the real world.]

  4. Anyone can Access Deleted and Private Repository Data on GitHub — Data from GitHub repositories, including deleted and private ones, can still be accessed through forks, posing a significant security risk by allowing unauthorized access to sensitive information. [Architecture is important, and a flaw like this is architectural: a design decision that allowed this to happen was made somewhere in the past.]

  5. Why are vulnerabilities out of control in 2024? — Vulnerabilities are surging in 2024 due to the collapse of the NVD, an overwhelming number of Linux kernel CVE IDs, and insufficient resources to handle the growing volume of open-source software issues. [Is there anything different about 2024? Vulns have been reported consistently for as long as I can remember.]

Featured Focus: Slip and Fall

Last week, I was out walking my dog. I believe in threat modeling and encourage people to do it for everything they do, whether building software or going on vacation. Threat modeling has a role in every situation.

Here is how the story goes — I’m walking down the sidewalk, not paying attention, enjoying my morning walk with my dog. Tropical Storm Debby had made its way through our area and dumped a lot of rain. I walk the same path every morning. This time, not paying enough attention, I slipped on a thin layer of mud the storm had pushed across the sidewalk and smacked down on the ground.

As I was lying there assessing my injuries, including a nice cut on my leg, elbow, and shoulder and a pulled muscle in my neck, I had a thought. There is a lesson to be learned from my experience, and a good reminder: I should have threat modeled the situation. I should have looked at the sidewalk in front of me and recognized that quarter inch of mud for the hazard it was. So, at the end of the day, you can use threat modeling for everything, even keeping yourself from a slip and fall.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Irfaan Santoe -- The Power of Strategy in AppSec (Audio only; YouTube)

      • We discuss measuring AppSec maturity, ROI, and bridging gaps between CISOs and AppSec knowledge.

      • Irfaan shares his journey from consulting to being an AppSec professional, offering insights for scaling AppSec programs and aligning them with business goals.

  • Security Table

    • The Stages of Grief in Incident Response (Audio only; YouTube)

      • Chris, Izar, and Matt discuss the developer's stages of grief during incidents and analyze a recent large-scale IT incident.

      • They share insights from their extensive security experience, examining system fragility and the role of luck in security failures.

  • Threat Modeling Podcast

    • Gavin Klondike -- Threat modeling for large language model applications (Audio only)

      • Gavin Klondike discusses threat modeling, especially in AI and machine learning contexts.

      • Gavin shares a detailed case study, challenges of large language models (LLMs), and a comprehensive threat model for LLM applications.

Where to find Chris? 🌎

  • Webinar: Secure by Design, August 29 @ 3 PM Eastern; registration link coming soon.

  • Webinar: The Intersection of Security Champions and Threat Modeling, with Dustin Lehr — Tuesday, September 10

  • Webinar: Threat Modeling and Secure Coding with Tanya Janca — Thursday, September 19

  • InfoSec World, Sept 22-25, 2024

    • The Modern Application Security Rocket Ship — Monday, Sept 23, 10:15 AM

    • The Paradox of Secure and Private By Design — Tuesday, Sept 24, 1:30 PM

    • Workshop: Threat Modeling Championship: Breaker vs. Builder — Sunday, Sept 22, 9 AM - 12 PM

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.