Reasonable 🔐AppSec #64 - Trusting AI to Fix Vulns, Five Security Articles and Podcast Corner

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Trusting AI to Fix Vulns

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Threat Modeling ‘threat’ modeling — Applying threat modeling to the process can uncover hidden risks, improve transparency, and strengthen security practices. [This one caught my eye because of my lack of threat modeling a sidewalk from last week’s featured focus. BTW, Loren is one of the folks that invented STRIDE.]

2. NIST releases new tool to check AI models’ security — NIST has released a new tool to help organizations evaluate the security and trustworthiness of their AI models, addressing growing concerns about AI vulnerabilities and biases. [Can we create a tool to check how something we don’t understand works?]

3. The Gili Ra’anan model: Questions emerging from Cyberstarts' remarkable success — Cyberstarts' remarkable success is partly attributed to a unique model that offers CISOs equity in the fund, creating potential conflicts of interest as these cybersecurity leaders may favor Cyberstarts' portfolio companies, boosting their growth and valuations. [This confirms my hypothesis that the CISO is not the best buyer of AppSec solutions. They are buried in noise from too many sources.]

4. Six Things DevOps Wants from InfoSec — DevOps teams want InfoSec to empower them with tools, clear guidance, trust, and autonomy to build secure code without hindrance. [This is a stark reminder of how to serve developers, which SHOULD be the primary focus of AppSec.]

5. HTTPS: How secure is it, and do we really need it? (Part 1 of 2) — HTTPS is essential for securing online communication, as it encrypts data, ensures privacy, and protects against cyber threats, making it a must-have for any website handling sensitive information. [Great history lesson on HTTPS and its impact over the last two decades.]

Featured Focus: Trusting AI to Fix Vulns

I keep seeing solutions claiming they can create pull requests to fix vulnerabilities using AI. GitHub is the latest that I’ve seen hit the streets. My humble opinion is that the technology behind AI is not yet ready to be trusted in such a manner.

The primary challenge to trusting an AI-related fix is predictability. When I use an LLM today and ask it a question, I often get different answers on multiple runs. With this lack of predictability in an answer, how can I guarantee that a fix eliminates the vulnerability?

The secondary challenge is the future of laziness. This is connected to my primary challenge: as I see a world where we become more dependent on AI, we will become lazy about checking its results. We could easily reach a false sense of security about automated PRs and see them automatically approved.

What is the answer then? Are you donning the hat of a Luddite and swearing off AI for security? No, that isn’t the answer. The answer is being more patient as we wait for this technology to develop. We’ll reach the point where AI can competently fix vulnerabilities, but I don’t think we’re there today. Patience isn’t something people write about or think of as a pillar of a security program, but that doesn’t mean it isn’t the best strategy for now.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Dan Küykendall -- Why All Application Security Products Suck (Audio only; YouTube)

    • Dan Küykendall discusses his series "Why All AppSec Products Suck" and emphasizes the importance of understanding the limitations and appropriate uses of security tools.

    • The hosts remember Kevin Mitnick, explore the challenges of DAST scanners with modern apps, and highlight the need for comprehensive security training for engineers.

• Security Table

  • Computing Has Trust Issues (Audio only; YouTube)

    • Chris, Izar, and Matt discuss classic security-themed movies like 'Sneakers' and 'War Games' before delving into Secure Boot vulnerabilities and the complexities of key management.

    • They also cover password management, passkeys, and the challenges of securing digital identities in today's landscape.

• Threat Modeling Podcast

  • Product-led threat modeling (Audio only)

    • Product-led threat modeling integrates security into product management by aligning threat assessments with user needs, using methodologies like STRIDE and rapid risk assessment.

    • Michal and Chris emphasize collaboration across teams, with product managers taking ownership of security, applying lean principles, and utilizing threat libraries and cookbooks to address security challenges.

Where to find Chris? 🌎

• Webinar: Designing Secure and Private Software by Default — August 29 @ 3 PM (Eastern)

• Webinar: The Synergy Between Threat Modeling & Security Champions, with Dustin Lehr — Tuesday, September 10 @ 2 PM (Eastern)

• Webinar: Threat Modeling and Secure Coding with Tanya Janca — Thursday, September 19; registration link coming soon!

• InfoSec World — Sept 22-25, 2024

  • The Modern Application Security Rocket Ship — Monday, Sept 23, 10:15 AM

  • The Paradox of Secure and Private By Design — Tuesday, Sept 24, 1:30 PM

  • Workshop: Threat Modeling Championship: Breaker vs. Builder — Sunday, Sept 22, 9 AM - 12 PM

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.