Reasonable 🔐AppSec #68 - My favorite boss, Five Security Articles and Podcast Corner
A review of application security happenings and industry news from Chris Romeo.
Hey there,
In this week’s issue, please enjoy the following:
Five security articles 📰 that are worth YOUR time
Featured focus: My favorite “boss”
Application Security Podcast 🎙️Corner
Where to find Chris? 🌎
Five Security Articles 📰 that Are Worth YOUR Time
New Research Reveals Security Budgets Only Increased 2 Points in 2024, While 12% of CISOs Faced Reductions — Security budgets increased by only 2% in 2024, reflecting a modest rise in financial commitment to cybersecurity despite rising threats. Additionally, 12% of CISOs experienced budget reductions, signaling financial constraints and potential challenges in maintaining security investments. [This is consistent with what I’ve seen in the market — budgets are tighter, and even security teams are forced to make hard decisions.]
They'll deny it, but your phone is listening in — Concerns are growing about smartphones secretly listening to conversations and collecting personal data without users' explicit consent. Despite these fears, experts highlight that many apps and services use permissions and data collection practices that are often misunderstood by users, raising questions about privacy and transparency. [We’ve invited the phone to encapsulate every angle of our lives — we are too dependent on these privacy-breaching devices that we carry around in our pockets, every place we go. I’m considering a move back to a flip phone.]
Sustained Attention Fatigue in Vulnerability Analysis — Sustained attention fatigue in vulnerability analysis results in decreased effectiveness and oversight due to prolonged focus on security issues. Improved strategies and tools are necessary to manage attention and maintain vigilance against persistent security challenges. [AI could play a role in summarizing this data in such a way as to remove some of the fatigue.]
Making Sense of the Application Security Product Market — Understanding the application security product market requires recognizing the diversity of tools available, from static and dynamic analysis to software composition analysis and more. Each product addresses different security needs, so evaluating their specific strengths and fit for your organization’s unique challenges is essential. [I enjoyed this view of the market — looking at how others categorize our space is helpful. It makes me think deeper about how I bucketize the different categories of what we do as an industry.]
Lifting the world out of the cybersecurity poverty — Cybersecurity talent shortages and high demand drive up wages, pushing companies to invest more in training and retention strategies. To address these issues, organizations must foster a culture of continuous learning and adapt their hiring practices to cultivate and retain skilled professionals. [Grow your own — that is my strategy for any team I run. I take folks and grow them up in cybersecurity. Yes, this does mean that sometimes I invest in them, and they move on to bigger and better things, but that is a sign of success!]
Featured Focus: My favorite boss
My first boss at Cisco was a guy named Tom Sweeney. Tom was an early Cisco employee and is famous for being Cisco’s first employee in NYC and for wiring Wall Street during Cisco’s land grab in such a strategic part of the world. Tom had a standing pool match with Cisco's CEO at every sales conference.
Tom taught me a lot in my few years working for him, but one thing still sticks with me. He said, “Manage your career not by the number of people you manage but by the number of managers you create.” I can’t say that I understood the gravity of this statement while reporting to Tom, but as I reflect on almost three decades of my professional career, I realize the depth of this statement.
Many people judge themselves based on the size of their team, and they say, “I manage one hundred people on my team,” as if that is a badge of honor. Tom would recommend counting instead the number of people you have led to become managers. This is the approach that I take today in my career.
Focus on growing people up. Tom gave me a functional area within our team’s business, got out of my way, and let me do my thing. Team autonomy was another lesson I learned from Tom. He did have one rule: “Don’t let somebody come after you to me without me knowing in advance.” I only had to brief him once, about a team that I had ticked off and that was coming for my head. Tom had my back that day. Tom was the best manager of my career, and I’m grateful for the time I spent working with him. You never worked FOR Tom; you always worked with him. That was how he introduced you, and if you ever said, “I work for Tom,” he would correct you by saying, “We work together.”
Thank your mentors, folks. Take what you learned from them and pour it into others as they poured into you.
Podcast 🎙️ Corner
I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.
Maril Vernon -- You Get What You Inspect, Not What You Expect (Audio only; YouTube)
Maril Vernon highlights the importance of integrating developers and security teams through purple teaming, emphasizing how framing recommendations in developer-centric language can bridge communication gaps and make security measures more actionable.
She predicts a shift towards automation and AI in purple teaming. Still, she stresses that human red teamers' creative and intuitive input will remain crucial, advocating for a more holistic approach to security that fosters cross-departmental collaboration.
Philosophizing Cloud Security (Audio only; YouTube)
Chris Romeo, Izar Tarandach, and Matt Coles discuss the 'Shared Fate Model' in cloud security, building on the shared responsibility model to explore its impact on cloud service providers and consumers.
They cover the evolution of internet service providers, technical details of cloud infrastructure security, and the philosophical implications of implementing robust default security measures.
Dr. Michael Loadenthal -- Intersectional, Harm Reduction Approach to Threat Modeling (Audio only)
Dr. Michael Loadenthal expands threat modeling beyond technology to include political, legal, ethical, and social dimensions, emphasizing a comprehensive and multidisciplinary approach to addressing complex challenges.
His unique "intersectional threat modeling" approach, influenced by social movements and activism, integrates tools like mind maps and the harm reduction framework to address various threats, benefiting diverse clients, from companies to high-profile individuals.
Threat Model for Free
Welcome to Simple, Collaborative Threat Modeling by Devici.
Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.
Visit devici.com to experience threat modeling for free.
Where to find Chris? 🌎
Webinar: Threat Modeling and Secure Coding with Tanya Janca — Thursday, September 19 @ noon (Eastern) — THIS WEEK! Get signed up now.
InfoSec World — Sept 22-25, 2024
The Modern Application Security Rocket Ship — Monday, Sept 23, 10:15 AM
The Paradox of Secure and Private By Design — Tuesday, Sept 24, 1:30 PM
Workshop: Threat Modeling Championship: Breaker vs. Builder — Sunday, Sept 22, 9 AM - 12 PM
🤔 Have questions, comments, or feedback? I'd love to hear from you!
🔥 Reasonable AppSec is brought to you by Kerr Ventures.
🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.