Reasonable 🔐AppSec #65 - Secure and Privacy by Design and Default: The Convergence with Threat Modeling, Five Security Articles and Podcast Corner

Hey there,

In this week’s issue, please enjoy the following:

• Five security articles 📰 that are worth YOUR time

• Featured focus: Secure and Privacy by Design and Default: The Convergence with Threat Modeling

• Application Security Podcast 🎙️Corner

• Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

1. Threat Modeling with ATT&CK v1.0.0 — Threat modeling with the MITRE ATT&CK framework offers a structured method for identifying and addressing potential security threats by mapping adversary tactics and techniques to strengthen defenses and improve overall security posture. [It’s about time that somebody melded these two concepts together!]

2. Cybersecurity tool sprawl is out of control – and it’s only going to get worse — As organizations increasingly adopt various disparate cybersecurity tools, the problem of tool sprawl is expected to intensify, highlighting the urgent need for improved integration and management to ensure cohesive and effective security. [It will be fun to watch and see if ASPM pays off as much as possible, offering a single place for AppSec results to gather and triage. We have too much noise and a lack of fidelity of results with the modern AppSec stack.]

3. What You ACTUALLY Need To Know For A Cybersecurity Job — To excel in cybersecurity, you need a solid understanding of core security concepts, hands-on experience with security tools and practices, and the ability to stay updated with evolving threats and technologies. [I get asked this question constantly, and this article tracks with much of what I tell people.]

4. Threat model with controls - GenAI as-is — The OWASP AI Security Overview provides a comprehensive guide to AI security. It includes a periodic table that categorizes various AI security threats and mitigations to help organizations effectively manage and protect their AI systems. [Many folks are writing about AI and security; the periodic table is a good resource to attempt to bucketize all the various threats.]

5. CVE-2022-21587(Oracle E-Business Suite RCE): Could RASP or ADR Have Prevented It? And How? — CVE-2022-21587 exposes a critical unauthenticated, remote code execution vulnerability in Oracle E-Business Suite, with the discussion focusing on how Runtime Application Self-Protection (RASP) and Automated Dynamic Analysis (ADR) can help mitigate the risk. [Thorough technical analysis of whether RASP/ADR would have prevented this issue.]

Featured Focus: Secure and Privacy by Design and Default: The Convergence with Threat Modeling

[Note: this is a post based on my primary conference talk for this year.]

In today's ever-evolving digital landscape, ensuring security and privacy isn't just a technical requirement—it's a fundamental philosophy that must permeate every aspect of software design and development. This philosophy, known as Secure and Privacy by Design and Default (SPbDD), is more than a set of guidelines; it’s a mindset shift toward prioritizing protection over new features from the very inception of a project.

Understanding Secure and Privacy by Design and Default

SPbDD is the art and science of embedding security and privacy into the DNA of your applications. It’s not just about compliance or ticking off boxes in a regulatory checklist. Instead, it’s about building solutions that inherently protect devices, data, and applications against the ever-present and inevitable security threats. Think of it as a journey, not a destination—a continuous process of refining and enhancing security and privacy measures as threats evolve.

The Customer’s Perspective

Customers have clear wants and needs regarding security and privacy. They expect that any product or service they purchase will protect their personally identifiable information (PII) or company data immediately—no extra steps are required. They want solutions that are self-updating, automated, and capable of defending themselves without user intervention. In essence, customers demand a secure and private experience by default.

Core Tenets of SPbDD

At the heart of SPbDD are four core principles:

• Holistic Security and Privacy Approach: Security and privacy must be considered whole, not isolated.

• Mindset Shift: Developers need to prioritize protection over adding new features.

• Business Priorities: Security and privacy should be business imperatives, not merely technical challenges.

• Default State: Features should be secure and private by default, requiring no extra configuration from the user.

The Challenges

While the principles of SPbDD are clear, implementing them is anything but straightforward. Traditional security practices and regulatory guidelines often fail to address the complexities of modern software ecosystems. There’s a significant gap between theory and practice, where security and privacy must be woven seamlessly into every aspect of the development process.

Designing for Security and Privacy: A Strategic Approach

Implementing SPbDD requires a strategic approach to design decisions:

• Security and Privacy-Enforcing Stack: The strength of your software stack dictates the security ceiling. Choose a stack that inherently supports secure and private operations, from memory-safe languages to privacy-protecting storage solutions.

• User Experience: Balance security and usability by creating non-disruptive user flows. Ensure that users have control over their data, with clear and transparent communication about how their information is used and stored.

• Protecting PII and Customer Data: Adopt privacy policies and data minimization, encryption, and de-identification strategies. You can only protect what you fully understand.

• Locking Down the System: Securely configure solutions to reduce the attack surface. Remove unnecessary interfaces and features to make it harder for attackers to find vulnerabilities.

• Responsible Open Source Usage: Develop a strategy for using open source software that includes data processing and security review criteria. If not managed correctly, the software supply chain can be vulnerable.

• Code Integrity: Implement standards and tools for secure coding, code review, and automated checks to ensure that the design decisions are reflected in the final product.

• Vulnerability Management: Establish clear processes for handling vulnerabilities when they arise. Transparency is key to maintaining customer trust and managing risk effectively.

What Are Security and Privacy Patterns?

Security and privacy patterns are blueprints that guide the implementation of specific controls within an application. They encapsulate best practices and provide a repeatable framework for developers to address common security and privacy concerns. By applying these patterns consistently, organizations can ensure that their applications are secure and private by default and resilient against evolving threats. Patterns + property planned for design decisions form the basis of a secure and private application.

Key Patterns

1. Authentication and Multi-Factor Authentication (MFA)

   • Description: Strong authentication mechanisms ensure only authorized users can access the system. MFA adds a layer of security by requiring more than one verification method.

   • Application: This pattern is critical for protecting against spoofing attacks and is a foundational element in any secure application.

   • Example Implementation: Integrating MFA with an Identity Provider (IdP) to support various authentication factors, such as mobile codes or hardware tokens.

2. Access Control and Authorization

   • Description: This pattern regulates what authenticated users can do within the system by enforcing strict access controls. It often employs Attribute-Based Access Control (ABAC) to provide fine-grained permissions.

   • Application: Protects against elevation of privilege attacks by ensuring users access only the necessary resources.

   • Example Implementation: Paved road authorization strategies incorporating ABAC, ensuring consistent access control enforcement across services.

3. Validation, Sanitization, and Encoding

   • Description: Helps prevent injection attacks by ensuring all input data is properly validated, sanitized, and encoded before processing.

   • Application: This pattern is essential for protecting against tampering and injection vulnerabilities, such as SQL injection or Cross-Site Scripting (XSS).

   • Example Implementation: Standard validation, sanitization, and encoding libraries are integrated into the development pipeline to ensure consistency and security.

4. Secure Logging

   • Description: Implements logging mechanisms that ensure all security-relevant events are recorded and can be audited while protecting the confidentiality and integrity of the log data.

   • Application: Helps detect and respond to incidents by providing a clear and accurate audit trail.

   • Example Implementation: Logs are securely transmitted to a Security Information and Event Management (SIEM) system, monitored, and analyzed in real time.

5. Proper Password Storage and Initiation

   • Description: Ensures that passwords are stored securely using modern hashing algorithms and that password policies enforce strong, unique passwords.

   • Application: This protects against credential stuffing and brute-force attacks by ensuring that passwords cannot be easily exploited even if compromised.

   • Example Implementation: Use bcrypt or Argon2 for hashing passwords, with strict password policies and regular rotation of credentials.

6. Data Protection

   • Description: Safeguards sensitive data through encryption, both at rest and in transit, and ensures that encryption keys are managed securely.

   • Application: Protects against information disclosure by ensuring that even if data is intercepted, it cannot be read without the proper decryption keys.

   • Example Implementation: End-to-end encryption for all data flows, with robust key management practices to prevent unauthorized access.

7. Scalability

   • Description: Designs the system to handle increased loads without compromising security or privacy. This includes ensuring high availability and redundancy.

   • Application: Protects against denial-of-service (DoS) attacks by ensuring the system can scale to meet demand and continue operating securely under load.

   • Example Implementation: Load balancing, auto-scaling, and orchestration technologies that ensure the system remains available and secure even during peak usage.

Checking the Work: The Role of Threat Modeling

Threat modeling is critical in ensuring that SPbDD principles are correctly applied. Organizations can identify potential threats and develop appropriate mitigations by assembling a diverse team and leveraging frameworks like STRIDE and OWASP. This proactive approach ensures that security and privacy are not just theoretical concepts but embedded in the application's fabric.

Measuring What Matters

To truly embrace SPbDD, organizations need to measure the effectiveness of their design decisions. Customized dashboards can track the implementation of security and privacy patterns across different product versions, providing valuable insights into the correlation between these patterns and mitigating specific threats.

Conclusion: Start the Journey Today

SPbDD is not just a trend—it’s the future of secure and private software development. By embracing this philosophy, organizations can build applications that meet today’s security and privacy standards and are resilient against tomorrow's challenges. The journey begins now, with every design decision contributing to a more secure and private digital world.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

• Application Security Podcast

  • Maril Vernon -- You Get What You Inspect, Not What You Expect (Audio only; YouTube)

    • Maril Vernon highlights the importance of purple teaming by fostering collaboration between developers and security teams, emphasizing the need to communicate remediation recommendations in developer-centric language to bridge gaps and make them actionable.

    • Looking ahead, Maril envisions automation and AI enhancing purple teaming efficiency while valuing human red teamers' irreplaceable creativity and suggesting a future where a more integrated approach or "white teams" could replace traditional purple teams.

• Security Table

  • The Intersection of Hardware and Software Security (Audio only; YouTube)

    • Chris, Izar, and Matt delve into threat modeling for hardware, focusing on the intersection of hardware and software security and highlighting challenges like speculative execution faults and supply chain vulnerabilities.

    • They emphasize the importance of understanding attack surfaces and discuss the ongoing hardware and software security integration to address these critical issues effectively.

• Threat Modeling Podcast

  • Software-Centric Threat Modeling (Audio only)

    • Farshad Abasi emphasizes the importance of asset-based and user story-focused threat modeling, recommending early architectural threat modeling and periodic reviews while integrating threat modeling into the DevSecOps process and using pull request templates for consistency.

    • He highlights the need for a simplified and developer-friendly approach to threat modeling, ensuring that it is actionable and scalable by adopting practices that align with development workflows and improve threat management.

Where to find Chris? 🌎

• Webinar: Designing Secure and Private Software by Default — August 29 @ 3 PM (Eastern)

• Webinar: The Synergy Between Threat Modeling & Security Champions, with Dustin Lehr — Tuesday, September 10 @ 2 PM (Eastern)

• Webinar: Threat Modeling and Secure Coding with Tanya Janca — Thursday, September 19; registration link coming soon!

• InfoSec World — Sept 22-25, 2024

  • The Modern Application Security Rocket Ship — Monday, Sept 23, 10:15 AM

  • The Paradox of Secure and Private By Design — Tuesday, Sept 24, 1:30 PM

  • Workshop: Threat Modeling Championship: Breaker vs. Builder — Sunday, Sept 22, 9 AM - 12 PM

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.