Reasonable 🔐AppSec #69 - Should I Stay or Should I Go Now?, Five Security Articles and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Should I Stay or Should I Go Now?

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Redefining CNAPP: A Complete Guide To the Future of Cloud Security — This report provides a holistic view of cloud security's evolution, tracing its significant milestones, a detailed breakdown of the critical vendors today, and evolving market shifts. It presents a new framework for redefining Cloud Native Application Protection Platforms (CNAPP), addressing its limitations and contradictions while offering a comprehensive roadmap to navigate the future of cloud security. [Lately, you’ve seen me comment that “I’m a big fan of…” on stuff. The same goes for this one — I’m a big fan of James Berthoty and the breath of fresh air he’s bringing to analyzing our industry.]

  2. Fake recruiter coding tests target devs with malicious Python packages — Fake recruiters target developers with malicious Python packages disguised as coding tests, posing significant security risks. The blog highlights the importance of vigilance and caution when downloading and running third-party packages to avoid falling victim to these scams. [I’ve been around a long time in this industry, but I’m always most sickened when attackers prey on desperate people.]

  3. Scorecarding Security — Scorecarding is introduced as a method for evaluating the security posture of applications and organizations through quantitative metrics. This approach helps identify strengths and weaknesses in security practices, enabling better decision-making and resource allocation to improve overall security. [Scorecards are crucial to governance, connecting results for security investments with visibility to the entire business.]

  4. 2024 Dependency Management Report — The 2024 Dependency Management Report reveals crucial insights into the challenges organizations face with software dependencies, including security vulnerabilities and management complexities. It emphasizes the need for improved practices and tools to manage dependencies and enhance overall software security. [Software supply chain should be so easy to solve.]

  5. The Road to Simplicity — Focusing on simplicity in organizational processes and tools is essential for improving team efficiency and effectiveness. By streamlining workflows and minimizing complexity, organizations can empower their members to prioritize value creation, reduce frustration, and achieve their goals more effectively. [Simple is always the answer to any problem.]

“Should I stay, or should I go now?
Should I stay, or should I go now?
If I go, there will be trouble
And if I stay, it will be double
So come on and let me know”

— The Clash

The song is famous, and you might be hearing it in your head now. (You’re welcome.) It’s got me thinking about the future of my public speaking career.

I’m at InfoSec World in Orlando, FL. They say this town and the Disney properties are “the happiest place on earth.” Based on the number of children screaming in public places at the hotel, I'm unsure. But I digress.

I’ve begun to think about my future role in our industry. Over the years, I’ve had the luxury and the gift of being invited to speak at many major conferences, from RSA to DefCon AppSec Village to OWASP Global. Speaking has been a large part of my career since 2016 after I started Security Journey. I enjoy attending conferences and sharing my experience and insights into our industry.

The question I’m pondering is when it is time to slow down and let others have a turn. Am I blocking others from having an opportunity on the stage by continuing to submit to conferences? I will ponder this over the coming months and think about my approach for 2025.

My current thought is to step back and do less speaking while continuing to contribute to the podcasts I am a part of. Podcasts have a different reach and a different lifespan than conference talks.

If I decide to proceed with this plan and step back, I’ll miss the opportunities to meet and encourage new people in our industry. I’ll miss seeing friends at various events, some of whom I worked with decades ago. Every industry has this experience where you do something for the last time. Everything we do has a “last time” you’ll do it. This is part of maturing and part of bringing a phase of a career to a close.

I won’t miss the travel and preparation that goes into each talk, but I will miss the opportunity to teach. I’m a teacher at heart. I guess I’ll have to find a new avenue to teach from. Perhaps it’s time to take what I’ve been blessed to learn and know and share it in other avenues, such as the university system. Time will tell.

If you have any thoughts on this topic, please message me. I’d love to get other perspectives on this issue.

Podcast Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Phillip Wylie -- Pen Testing from Somebody Who Knows about Pen Testing (Audio only; YouTube)

      • We welcome Phillip Wylie, who shares his fascinating journey from professional wrestling to becoming a renowned pen tester.

      • He offers entertaining stories and insights from his unique background.

      • The episode includes in-depth discussions on application security and valuable advice for those looking to start a career in cybersecurity, making it a rich resource for listeners interested in pen testing and career development.

  • Security Table

    • Numb to Data Breaches and How it Impacts Security of the Average Feature (Audio only; YouTube)

      • Explore the evolving landscape of modern security approaches, discussing the shift from strategy to tactics and the growing desensitization to data breaches.

      • The conversation emphasizes the importance of understanding security's business side and highlights product managers' role as essential security champions.

  • Threat Modeling Podcast

    • Nandita Rao Narla -- Privacy Threat Modeling (Audio only)

      • Hosts Chris Romeo and Izar Tarandach welcome Nandita Rao Narla, who introduces the basics of privacy in software, discussing privacy threats, threat modeling, and the principles of privacy by design.

      • The episode emphasizes the importance of understanding and mitigating privacy concerns for anyone involved in handling user information, making it an essential primer for incorporating privacy into software design.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

  • Nothing on the docket at the moment, but stay tuned for the next webinar!

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.