Reasonable 🔐AppSec #70 - DevSecOps is dead, Five Security Articles and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: DevSecOps is dead

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Raw SQL Queries are Actually Better for Security Than ORMs? — Raw SQL queries can enhance security by giving developers greater control over query structure and execution, reducing the risk of vulnerabilities associated with Object-Relational Mappers (ORMs). The article argues that while ORMs simplify database interactions, they can introduce complexity that may lead to security issues, making raw SQL a more secure choice in specific scenarios. [This seems like sacrilege — read it closely and decide whether you agree or disagree.]

  2. Microsoft’s largest ever security transformation detailed in new report

    Microsoft's latest security report highlights the growing importance of integrated security measures as organizations face increasingly sophisticated cyber threats. The initiative aims to strengthen collaboration between tech companies and businesses to create a more resilient security ecosystem, emphasizing proactive strategies and continuous improvement. [Going back to 2003 with the memo and the dawn of Trustworthy Computing, MSFT has pushed the envelope. I’ll be following this new movement as it progresses.]

  3. Living the Blueberry Muffin Principle: Baked-In Security for Developers

    The "Blueberry Muffin Principle" emphasizes integrating security measures directly into the development process rather than treating them as an afterthought. Organizations can enhance their security posture and reduce vulnerabilities by fostering a culture where security is fundamental to development. [I’m a sucker for a good software security illustration.]

  4. Intel Warns of 20+ Vulnerabilities, Advises Firmware Updates — Intel has notified customers about more than a dozen vulnerabilities in its processors, which could potentially allow attackers to execute arbitrary code or gain unauthorized access to sensitive information. The company is working on patches to mitigate these risks and urges users to update their systems to enhance security. [I’ve always thought that the most effective exploit possible is a processor vulnerability that allows an exploit.]

  5. Managing Github as code: A DevSecOps approach — A DevSecOps journey focused on securing and standardizing GitHub repositories aims to enhance software development security and streamline collaboration among development, security, and operations teams. The organization seeks to ensure compliance and reduce vulnerabilities by implementing best practices and automated tools. [Very thorough explanation of DevSecOps in real life.]

Featured Focus: DevSecOps is Dead

I feel like DevSecOps has had its moment/time in the sun/fifteen minutes of fame, and it’s time to move on. This idea was sparked by a conversation with Jeff Williams on the AppSec Podcast, mentioned below. In discussing ADR, Jeff shared the reality of the disconnect between the operations team and AppSec.

Our industry has promoted the idea that DevSecOps involves all three groups walking hand in hand toward secure software. Jeff shared that operations were never at the table and are unaware of what is happening in the AppSec world. Development and security have done an okay job of adding tooling to pipelines and focusing more heavily on security, but operations were never in sync.

Perhaps it’s time to move on from the industry's focus on DevSecOps. DevSecOps is how we build software with pipelines, but everybody I know uses Agile or Kanban to source and track work. Let’s let the hype dry up on DevSecOps in the future. It’s not like we don’t have other problems to solve. Find something else to talk about at a conference.

Podcast Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Jeff Williams -- Application Detection & Response (ADR) (Audio only; YouTube)

      • Hosts Chris Romeo and Robert Hurlbut engage with Jeff Williams, a pioneer in application security, to explore the transformative potential of Application Detection and Response (ADR) in production environments.

      • Jeff shares insights from his career, including the founding of OWASP and his views on security assurance, providing valuable perspectives for newcomers and seasoned professionals in the AppSec field.

  • Security Table

    • The Hamster Wheel of Scan and Fix (Audio only; YouTube)

      • Hosts Chris Romeo, Matt, and Izar engage in a lively debate about the limitations of the "scan and fix" approach in application security, with Chris critiquing the prevalent tools that often generate lengthy lists of vulnerabilities filled with false positives.

      • The discussion highlights the necessity for more innovative, context-aware security solutions, emphasizing the importance of actionable insights and the human factor in security practices, ultimately advocating for a shift away from traditional methodologies.

  • Threat Modeling Podcast

    • Nandita Rao Narla -- Privacy Threat Modeling Wins, Losses, and Tools (Audio only)

      • Host Chris Romeo and guest Nandita Rao Narla discuss the common pitfalls of privacy threat modeling programs, including high costs, friction in development processes, and a focus on compliance over risk management.

      • Nandita also shares effective strategies for improvement, such as simplifying methodologies, leveraging existing resources, and fostering a proactive mindset towards potential risks, emphasizing the need for a strong partnership between privacy and security threat modeling.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

  • Nothing on the docket at the moment, but stay tuned for the next webinar!

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.