Reasonable 🔐AppSec #66 - Threat Modeling as Culture, Five Security Articles and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Threat Modeling as Culture

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Software's Iron Triangle: Cheap, Fast, and Good - Pick Two — Navigating the "Iron Triangle" in software development—cost, speed, and quality—requires careful balance, as focusing too heavily on one aspect often impacts the others, ultimately influencing the project's overall success and efficiency. [We’ve been saying that security is part of quality since at least the early 2000s. The challenge is nobody did anything about it. Great article by Hughes expanding on the issue — everything he writes is thorough and thought-provoking!]

  2. CORS is Stupid — CORS (Cross-Origin Resource Sharing) is critical for managing how web applications interact with resources across different domains, and the article provides insights into its functionality, issues, and best practices for implementation. [CORS is stupid. I agree. Let’s make something more straightforward, such as a paved road, that works and provides the same level of protection. Anybody raising their hand?]

  3. Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments — A large-scale cloud extortion operation is detailed, revealing how attackers exploit cloud environments to demand ransoms, emphasizing the need for enhanced security measures to combat such threats. [This caught my attention because of the environment variable leakage. I’ve wrestled with whether it’s time to stop recommending env variables as a step toward secret vaults. It’s time to move to secret vaults as the only answer.]

  4. Unraveling Privacy Threat Modeling Complexity: Conceptual Privacy Analysis Layers — Kim Wuyts explores the complexities of privacy threat modeling, highlighting the conceptual challenges and the need for robust frameworks to address privacy risks in various scenarios effectively. [Dr. Wuyts is brilliant — read anything she puts out.]

  5. Unraveling the State of Kubernetes Security in 2024 — Kubernetes security in 2024 is assessed, focusing on the latest threats, such as vulnerabilities and misconfigurations, best practices for mitigating these risks, and evolving strategies to enhance the protection of containerized environments amidst growing complexity and adoption. [K8s feels like the forgotten component hidden deep in the infrastructure. I don’t hear much about it anymore in my circles.]

Featured Focus: Threat Modeling as Culture

I did a webinar with GitGuardian on August 29 on the topic of secure and private by design/default. During the event, we asked, “Is threat modeling currently part of your or your organization’s security strategy?”

89% of people polled are not doing threat modeling as a discipline within their SDLC. You could argue that the sample size isn’t representative of our industry. Still, based on my anecdotal evidence of talking to different organizations over the past year, I think it’s pretty darn close to correct.

Threat modeling is due for a renaissance, and all the noise we’ve made about it over the past years with the Threat Modeling Manifesto and Capabilities is just the tip of the iceberg. We have more work to do.

As I see it, the value proposition and return on investment for threat modeling are not front and center with Executives yet. There is a collection of unique companies out there that are early adopters and get the value prop, and they are building programs that are pushing threat modeling down to the developer layer. Too often, threat modeling for security and privacy is considered a security team's responsibility. This is great if you want to scale to five threat models for the entire company. I dream big, and I want developers to threat model every story. We only get there by moving the modeling down to the developer layer.

We must work toward moving threat modeling forward at the organizational level. Threat modeling must escape the security team and become seen as a crucial step in designing software.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Mark Curphey and John Viega -- Chalk (Audio only; YouTube)

      • Mark Curphey and John Viega introduce Chalk, a new tool by Crash Override, while discussing the reasons behind ZAP's departure from OWASP to join the Software Security Project and the importance of corporate contributions to open-source projects.

      • The conversation highlights the challenges large tech firms face in managing software engineering processes. Chalk offers a solution for clarity and efficiency and emphasizes the need for an "outside-in" perspective to enhance decision-making in software development.

  • Security Table

    • The Illusion of Secure Software (Audio only; YouTube)

      • Hosts Chris, Izar, and Matt examine Jen Easterly’s statement on the cybersecurity industry's software quality problem, discussing its implications, recurring themes in security guidelines, and whether the core issues lie with people or technology.

      • The discussion explores the roles of developers, QA engineers, and emerging AI tools in improving security and questions whether current industry practices are leading to meaningful change.

  • Threat Modeling Podcast

    • A Comprehensive Threat Modeling Strategy (Audio only)

      • Chris outlines a comprehensive strategy for effective threat modeling, emphasizing the importance of aligning it with organizational culture, tech debt, and risk posture, and integrating it incrementally into the development process.

      • Successful threat modeling requires defining clear success metrics, keeping the model updated, and focusing on domain-specific problems while leveraging automation for domain-agnostic issues.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.