Reasonable 🔐AppSec #71 - Threat modeling a vacation, or the lack thereof, Five Security Articles and Podcast Corner
A review of application security happenings and industry news from Chris Romeo.
Hey there,
Before you dive in — we’re doing a threat modeling game for Cyber Security Month, so if you’d like to learn more and sign up, visit our landing page. It’s a free game where you’ll join a team and perform a threat modeling exercise against other teams, battling to be THE threat modeling champion! P.S. Custom Lego sets from Devici are the prize for winning.
In this week’s issue, please enjoy the following:
Five security articles 📰 that are worth YOUR time
Featured focus: Threat modeling a vacation, or the lack thereof
Application Security Podcast 🎙️Corner
Where to find Chris? 🌎
Five Security Articles 📰 that Are Worth YOUR Time
Moving DevOps Security Out of 'the Stone Age' — Managing the security posture of DevOps practices is essential for organizations to avoid falling behind in an increasingly complex threat landscape. By adopting proactive security measures and integrating them into the development lifecycle, companies can strengthen their defenses and ensure a more resilient application security framework. [Nice summary of the current state of DevOps and where things need to move forward for better success. I still think DevSecOps is dead.]
Mental Toughness in Cybersecurity: Preparing Teams for High-Pressure Situations — Developing mental toughness is crucial for cybersecurity professionals to navigate the challenges and stresses inherent in the field. By fostering resilience, adaptability, and a positive mindset, individuals can enhance their performance and cope with the demands of a rapidly evolving cybersecurity landscape. [The career field we have chosen is challenging — no matter your job description. This article caught my attention, given the nature of building mental toughness. I love the concept.]
Things You Need to Know About Your Tech Salary — Understanding key factors influencing tech salaries, such as skills, experience, and industry demand, is essential for professionals navigating their careers. By staying informed about market trends and salary benchmarks, individuals can better advocate for themselves and make informed decisions regarding their compensation. [You must advocate for yourself, your salary, and your career. Know before you go into that salary discussion with your boss.]
The 20-year application security blindspot: Can ADR finally fix it? — A longstanding blindspot in application security has hindered organizations' ability to detect and respond to threats effectively, often leaving vulnerabilities unaddressed for years. Application detection and response (ADR) offers a potential solution by enhancing visibility and enabling proactive security measures throughout the software lifecycle to bridge this critical gap. [I’m fascinated by ADR and reading everything I can about it. It could genuinely bridge the gap and bring AppSec truly into the fold.]
Rogue WHOIS server gives researcher superpowers no one should ever have — A rogue WHOIS server has emerged that grants unauthorized access to sensitive information, allowing researchers to exploit domain name registration data in ways that could pose significant security risks. This development raises concerns about privacy and potential abuse, highlighting the need for improved oversight and security measures in domain registration practices. [This is a reminder about the legacy stuff that exists on the Internet and how it can be used to create modern-day nightmares.]
Featured Focus: Threat modeling a vacation, or the lack thereof
This past week, I decided to take a short vacation. A friend was available to join me, and one of his bucket list items was seeing and experiencing the Grand Canyon. At this point, I’ve never seen the Grand Canyon in person, only from the window of a plane on the way to the West Coast. I thought, “I need to see the Grand Canyon at some point in this life, so let’s do it.”
We have a family friend who is a vacation planner/travel agent, so I called her and empowered her to plan the trip. She asked for a word to describe the trip, and I went with “adventure.” She generated an itinerary for us with activities around the Grand Canyon, and last Monday morning, we went off to the airport.
We arrived in Flagstaff, found our hotel, and prepared for our first adventure the following day. We had a hike planned with a guide at the Grand Canyon. I did not do any due diligence on what those two words, “a hike,” actually meant. My mental model was a pleasant stroll down a controlled, paved path with guard rails. What I found was initially extraordinarily shocking.
Hiking the Grand Canyon means walking down a trail four to six feet wide, with one side being the cliff face and the other sometimes a drop of thousands of feet. I forgot to mention earlier that my fear of heights has been exacerbated as I've gotten older. So, there I was, beginning the descent down the trail, and I caught a glimpse over the side of the trail. (My hands are sweating again now as I replay the experience.)
At that point, I had a choice: I could turn around and give up, as many people had done at the same spot, or I could push through and face my fear. I was more driven in my decision because my friend’s bucket list item was to hike the Grand Canyon, and if I turned around, it would ruin his experience.
So we pressed on. Our guide, Kevin, was excellent. He told me that if I wanted to continue, he would walk next to me, on the drop side, and allow me to walk nearest the cliff wall. We began our descent, with me staring at the ground, Kevin at my side, and my friend taking in all the sights.
We crossed through the “Oh Ah” point, which, as Kevin explained, is where most people turn around and go back up. Kevin asked if we wanted to continue, and I said we’d go for it.
We continued our descent and reached Cedar Ridge, a vast plain 1.5 miles down the trail into the Canyon. It was a nice break to be in such a flat space. I could eat dinner, recharge, and enjoy the views of the sunset.
I did look on as two young folks creating influencer videos stood on a dead tree at the edge of the Canyon to capture a video of themselves. The threat modeling person within was about to scream. Dead tree, side of Canyon with thousand-foot drops—you get the picture.
Then we began our 1.5-mile ascent, which was a chore, but cresting the final hill and walking back across the parking lot gave me the opportunity for a victory dance. I had reached Cedar Ridge, a place within the Grand Canyon that only 1% of visitors will ever see.
I’m proud that I pushed through and faced my fear, and I also learned some things to apply to application security from this experience.
Security, too, is about the people: Kevin, the hiking guide, taught me techniques for walking down and up the trail and coached me through. He also kept the conversation going nonstop to take my mind off the danger I felt. Security people must strive to coach and walk alongside developers, showing empathy toward their situations.
Spend time on the ground, not just looking from the plane's window: When you roll up your sleeves and connect with the people on the ground, you learn more about your organization. Build your security strategy based on the details you can see from the ground.
Find people who love what they do: People who love what they do are infectious. Kevin is a perfect example of somebody who loves their job so much they would do it for free. Find security champions passionate about security and help them unlock their security knowledge and experience.
Threat model your vacation destinations: I’m glad I didn’t threat model this experience because I would never have begun descending the Canyon. In general, though, threat model your experiences to ensure you know the risk.
Podcast Corner
I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.
Steve Wilson -- The Developer's Playbook for Large Language Model Security: Building Secure AI Applications (Audio only; YouTube)
We welcome Steve Wilson to discuss his book “The Developer’s Playbook for Large Language Model Security,” which covers AI hallucinations, trust, and future AI challenges.
Steve offers insights on security boundaries and LLM-specific testing tools and addresses vital concerns in the evolving AI landscape.
A Show About Nothing That Turned into Something (Audio only; YouTube)
Chris Romeo, Izar Tarandach, and Matt Coles discuss how Application Security tools should automate tasks that humans can perform but with incredible speed and efficiency.
Izar highlights the difficulty of managing attention spans and context-switching across multiple Slack channels, while Chris teases the possibility of AppSec becoming obsolete.
What is the Essence of Threat Modeling? (Audio only)
Chris Romeo discusses different definitions of threat modeling, exploring whether it overlaps with risk assessment and emphasizing early threat identification and mitigation through structured brainstorming.
He highlights the Threat Modeling Manifesto's definition, noting that threat modeling blends art, science, and collaboration to address security and privacy concerns in systems.
Threat Model for Free
Welcome to Simple, Collaborative Threat Modeling by Devici.
Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.
Visit devici.com to experience threat modeling for free.
Where to find Chris? 🌎
Nothing on the docket now, but stay tuned for the next webinar!
🤔 Have questions, comments, or feedback? I'd love to hear from you!
🔥 Reasonable AppSec is brought to you by Kerr Ventures.
🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.