Reasonable 🔐AppSec #72 - Highlighting some good folks, Five Security Articles and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

We’re doing a threat modeling game for Cyber Security Month, and it’s fast approaching. The event will occur on October 24, 2024, at Noon Eastern/US. Sign up now, as you are almost out of time. Check out our landing page. It’s a free game where you’ll join a team and perform a threat modeling exercise against other teams, battling to be THE threat modeling champion!

P.S. Custom Lego sets from Devici are the prize for winning.

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Highlighting some good folks

  • Application Security Podcast 🎙️ Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Answering "Dumb Security Questionnaires" — The Developer Security Questions (DSQs) framework enhances software development security by offering teams a structured approach to identify and address security concerns early. By integrating DSQs into the software development lifecycle, organizations can cultivate a security-focused culture and improve collaboration between development and security teams. [Security questionnaires have been the bane of many folks’ existence for YEARS. Can’t we all agree on a standard way of describing this stuff? (and don’t say SOC2).]

  2. When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying — Exploiting hosted models poses significant security risks, as attackers can manipulate vulnerabilities in the underlying infrastructure to gain unauthorized access or disrupt services. The article highlights the importance of implementing robust security measures and monitoring practices to protect against such threats and ensure the integrity of hosted applications. [AI is scary, and it’s not even Halloween yet!]

  3. MISHAPS: A New Approach to Threat Modeling — Ryan Heffernan reflects on recognizing and learning from mishaps in professional settings, emphasizing that mistakes can lead to valuable insights and growth. By sharing personal experiences, he advocates for fostering a culture that encourages openness and accountability, ultimately enhancing team dynamics and performance. [I applaud the effort, but it lacks the simplicity that makes STRIDE so powerful and makes folks want to build something new and better.]

  4. Is Retro = Threat Modeling a Team? — Retro threat modeling focuses on analyzing and identifying security vulnerabilities in systems after their development, emphasizing the importance of collaboration among team members. The article advocates for a structured approach to retroactive assessments to improve security measures and foster a proactive security culture within organizations. [I like Hendrik’s thought processes on threat modeling, so check out how he wraps retro and TM together.]

  5. The Strategic Use of Attack Trees in Cybersecurity — Attack trees help organizations visualize potential attack vectors and improve risk assessment processes. By systematically identifying vulnerabilities, attack trees enable teams to prioritize security efforts and enhance their defenses against cyber threats. [Attack trees do not replace TM but provide a different perspective.]

I don’t listen to content about application security. GASP, I know; I host three AppSec-focused podcasts. I feel like I get enough AppSec by interviewing and debating with people while recording.

That said, I want to highlight some folks in our industry doing great things to advance content and provide you with learning opportunities.

  1. The Elephant in AppSec (Alexandra Charikova) — I was honored to appear on this show for an episode about why Shift Left is wrong.

  2. Confidence Staveley — I was honored to write the foreword for Confidence’s API security book and find her API Kitchen show, which melds security and cooking.

  3. Chris Hughes — Chris writes the Resilient Cyber newsletter and podcast and has authored a few books. He is a force of nature when it comes to content creation. His newsletter is well-written, researched, and thought out.

If you have a platform, highlight folks others need to know about. Our industry must continue to expand, and we encourage that behavior through new sources of information.

Podcast Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Varun Badhwar -- The Developer Productivity Tax (Audio only; YouTube)

      • Varun Badhwar joins to discuss the "Developer Productivity Tax," highlighting the challenges developers face when overwhelmed by vulnerabilities that often lack actionable context.

      • Varun emphasizes the integration of SBOM plus VEX to improve vulnerability management, advocating for "Scanning with Context" to reduce false positives and ensure that only relevant threats are addressed effectively.

  • Security Table

    • Experts Want to Excel (Audio only; YouTube)

      • We explore the criteria that define an expert in threat modeling, discussing the cultural references and intricacies of threat modeling practices and the roles of facilitators.

      • The conversation humorously addresses the challenges of scaling practices in large organizations while highlighting how expertise can inspire others. It includes tangents on movies, old media technologies, sports analogies, and competitive Excel.

  • Threat Modeling Podcast

    • Product-led threat modeling (Audio only)

      • Explore the connection between threat modeling and product development, emphasizing the importance of understanding user needs while applying lean product management principles.

      • They discuss best practices for conducting threat modeling sessions, including methodologies like rapid risk assessment and STRIDE, and stress the significance of collaboration and communication among product managers, architects, and technical leaders to align threat modeling with product goals.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

  • Nothing on the docket now, but stay tuned for the next webinar!

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.