Reasonable 🔐AppSec #67 - Priorities, Five Security Articles and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Priorities

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. TL;DR: Every AI Talk from BSidesLV, Black Hat, and DEF CON 2024 — Key insights from AI-focused talks at BSidesLV, Black Hat, and DEF CON 2024 are summarized, covering emerging trends, critical discussions, and advancements in AI security. [Kudos to Clint Gibler for summarizing the action from Vegas for those who don’t like desert climates or couldn’t make the trip.]

  2. Bypassing airport security via SQL injection — A security researcher discovered a vulnerability in the TSA's Known Crewmember (KCM) system: an SQL injection flaw in FlyCASS that would have let unauthorized individuals bypass security checks. After the researcher disclosed the issue to the Department of Homeland Security, the TSA downplayed the risk, although the flaw was later fixed after the system was disabled. [SQLi continues to pay off in 2024 — oh, when will we ever get this thing to disappear? 2042?]

  3. When your puzzle has a few broken pieces — Software development relies heavily on open-source software (OSS), and this piece weighs its benefits against its security risks. While OSS accelerates innovation, it also introduces vulnerabilities, highlighting the need for organizations to adopt secure practices such as software composition analysis (SCA) and rigorous code reviews to mitigate the risks of malicious or vulnerable packages. [Another well-thought-out and researched analysis by Derek Fisher.]

  4. Rethinking Threat Models for the Modern Age — Traditional threat models need to be expanded to account for modern communication habits and external human factors, such as the decline in answering phone calls and alert fatigue. Organizations should incorporate behavioral insights and external risks into their threat modeling to enhance security, ensuring their applications remain effective and resilient in a rapidly evolving technological landscape. [We discussed this on the Security Table and debated it to some degree.]

  5. Server-Side Template Injection: Transforming Web Applications From Assets to Liabilities — Server-Side Template Injection (SSTI) is a vulnerability that allows attackers to inject and execute malicious code on a server via template engines. This can result in server compromise, data theft, and remote code execution, highlighting the need for secure coding practices, regular vulnerability assessments, and prompt patching to protect web applications from such exploits. [This feels like it’s been around for a while, but it could be moving up the ranks as we mature past things like CSRF.]
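The root cause behind article 2 is worth seeing in code. The example below is added here and is not from the article or from FlyCASS; the crew table, column names and sample rows are all constructed. It shows an authorization lookup built by string concatenation beside the same lookup using bound parameters, which is the fix that makes the bypass impossible regardless of what the user types.

```python
import sqlite3

# Constructed sample roster (not real KCM or FlyCASS data).
CREW = [
    ("alice", "AIRLINE-1", 1),  # authorized crewmember
    ("bob", "AIRLINE-2", 0),    # on file but not currently authorized
]


def build_db():
    """Create an in-memory SQLite table with the constructed roster."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE crew (username TEXT, employer TEXT, authorized INTEGER)"
    )
    conn.executemany("INSERT INTO crew VALUES (?, ?, ?)", CREW)
    return conn


def is_authorized_vulnerable(conn, username, employer):
    """BAD: untrusted input is pasted into the SQL text, so a quote in the
    input rewrites the WHERE clause and the authorized = 1 check can be
    skipped entirely. This is the pattern behind the bug in article 2."""
    sql = (
        "SELECT COUNT(*) FROM crew WHERE username = '%s' "
        "AND employer = '%s' AND authorized = 1" % (username, employer)
    )
    return conn.execute(sql).fetchone()[0] > 0


def is_authorized_fixed(conn, username, employer):
    """GOOD: bound parameters. The driver sends the input as data, never as
    SQL syntax, so the query shape is fixed at compile time."""
    sql = (
        "SELECT COUNT(*) FROM crew WHERE username = ? "
        "AND employer = ? AND authorized = 1"
    )
    return conn.execute(sql, (username, employer)).fetchone()[0] > 0


def compare(conn, username, employer):
    """Run both versions on the same input and return (vulnerable, fixed)."""
    return (
        is_authorized_vulnerable(conn, username, employer),
        is_authorized_fixed(conn, username, employer),
    )


if __name__ == "__main__":
    db = build_db()
    print("legit user :", compare(db, "alice", "AIRLINE-1"))
    print("malformed  :", compare(db, "' OR 1=1 --", "nobody"))
```

The malformed username is the textbook tautology string: the concatenated version answers True for it, the parameterized version answers False, and a legitimate crewmember is accepted by both.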

Featured Focus: Priorities

A few months ago, I experienced a momentous life achievement: I became a grandfather for the first time. Yes, to all you parents out there, what they say is true: raising grandchildren differs from raising your kids.

A few additional decades of age have caused me to appreciate a baby more than I did before with my kids. We were a crazy house with four children separated by a total of four and a half years, so we were always on the move, and we lived an orderly, chaotic life, if it is even possible to put those two things together.

Now, I stare into this kid's eyes and think about how I need to teach him to code securely to prevent XSS and SQLi and how to threat model. I kid, I kid. I’ll be happy if he has nothing to do with cybersecurity, but I won’t object if he wants to follow in his Granddad’s footsteps.

You’re wondering what this story is doing in an application security-focused newsletter. I want to use it as an opportunity to remind you about priorities in life. Cybersecurity can consume us day and night, and our families can be the ones who suffer. Remember that you cannot get back those days, months, and years with your children. Put down the laptop, throw the phone out the window, and enjoy prioritizing the people who matter most. The work will be waiting for you in the morning.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Steve Springett -- Software and System Transparency (Audio only; YouTube)

      • Steve Springett discusses CycloneDX and the BOM landscape, highlighting new projects that aim to unify the security industry and enhance secure software development.

      • The episode also offers a personal glimpse into Steve’s life outside of technology, sharing insights into his hobbies and interests.

  • Security Table

    • Innovations in Threat Modeling? (Audio only; YouTube)

      • Hosts Chris Romeo, Izar Tarandach, and Matt Coles explore the evolving concept of threat models, examining the impact of user behavior, alert fatigue, and psychological acceptability on modern threat modeling.

      • They discuss the article "Rethinking Threat Models for the Modern Age" by Evan Oslick, debating integrating broader human factors into threat modeling practices.

  • Threat Modeling Podcast

    • Akira Brand -- Gaining Experience by Threat Modeling (Audio only)

      • Akira Brand discusses her journey into threat modeling, highlighting the critical role of collaboration, understanding the application, and using visual tools like data flow diagrams to ensure comprehensive security solutions.

      • Drawing parallels between surgical checklists and the STRIDE model, Akira emphasizes that successful threat modeling involves practical, hands-on approaches and teamwork across engineering, data analytics, and security to address potential risks.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.