Reasonable Application Security
Posts
Reasonable 🔐AppSec #73 - It is my birthday, Five Security Articles and Podcast Corner

Reasonable 🔐AppSec #73 - It is my birthday, Five Security Articles and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Chris Romeo
October 22, 2024

Hey there,

We’re doing a threat modeling game for Cyber Security Month, and it’s fast approaching. The event will occur on October 24, 2024, at Noon Eastern/US. Sign up now, as you are almost out of time. Check out our landing page. It’s a free game where you’ll join a team and perform a threat modeling exercise against other teams, battling to be THE threat modeling champion!

P.S. Custom Lego sets from Devici are the prize for winning.

In this week’s issue, please enjoy the following:

Five security articles 📰 that are worth YOUR time
Featured focus: It is my birthday
Application Security Podcast 🎙️Corner
Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

Eliminating Memory Safety Vulnerabilities at the Source — Google's Android team has successfully reduced memory safety vulnerabilities from 76% in 2019 to 24% in 2024 by transitioning to memory-safe languages, such as Rust. This shift focuses on preventing new vulnerabilities through safe coding practices, which have been shown to lower overall security risks without extensive rewrites of older code. [The proof is in the pudding, and this proof is tasty and expected — memory-safe languages improve security.]
Threat modeling and binary analysis: Supercharge your risk strategy — Threat modeling and binary analysis are essential for improving software risk management strategies, particularly in securing supply chains. By integrating these approaches, organizations can better anticipate vulnerabilities, manage risks proactively, and enhance the security posture of their software assets.[I was featured in this article, sharing thoughts about the intersection of threat modeling and software supply chain.]
Attacking APIs using JSON Injection — JSON injection can exploit APIs by inserting malicious data into JSON streams, leading to vulnerabilities like SQL injection and remote code execution. It highlights the risks posed by inconsistencies in how different JSON parsers handle data, emphasizing the importance of thoroughly vetting API components to prevent such attacks. [I had never looked at JSON injection before, and this one gave me context and perspective.]
New ConfusedPilot Attack Targets AI Systems with Data Poisoning — The ConfusedPilot attack targets AI systems, particularly Retrieval-Augmented Generation (RAG) models like Microsoft 365 Copilot, by introducing malicious content into documents the AI references. This data poisoning can cause the AI to generate misinformation or incorrect responses, posing a significant risk to organizations relying on such systems for decision-making. [Data poisoning fleshed out deeper than what you’ll find in the OWAP Top Ten for LLM.]
How to do Vulnerability Prioritization — Effective Vulnerability Prioritization moves beyond simple CVSS base scores and incorporates factors such as exploit status, environmental context, and patch availability. It emphasizes the importance of using a comprehensive threat intelligence approach and scalable data platforms to manage large numbers of vulnerabilities. [Challenging thing for teams — James provides an easy-to-follow structure that considers the data.]

Featured Focus: It is my birthday

Today is my birthday. I wouldn’t say I like celebrating birthdays, but I should be excited to be experiencing another lap around the solar system. I’m not writing this because it’s my birthday, but instead, because this concept of celebration got me thinking.

We don't celebrate enough in security, and application security specifically. I’m from a generation where the thought of everyone getting a trophy makes us nauseous, so I’m not talking about everybody being recognized. We don’t celebrate our small and big wins with enough fervor.

As a general principle, at Security Journey, we had an all-hands meeting for the 20+ team members each Monday. A segment of that meeting was always small wins, where folks could send in small victories that they experienced or saw others experience, and we could all celebrate those victories together and recognize the success.

We need to do more of this in security. We need to pinpoint the small wins and find ways to celebrate them. Celebration is more than just the security team—look for ways to celebrate with the security and privacy supporting teams, development, operations, and anyone else. Culture was created over time, and Rome wasn’t built in a day. Celebrate.

Podcast Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

Application Security Podcast
- Varun Badhwar -- The Developer Productivity Tax (Audio only; YouTube)
  - Varun Badhwar joins to discuss the "Developer Productivity Tax," highlighting the challenges developers face when overwhelmed by vulnerabilities that often lack actionable context.
  - Varun emphasizes the integration of SBOM plus VEX to improve vulnerability management, advocating for "Scanning with Context" to reduce false positives and ensure that only relevant threats are addressed effectively.
Security Table
- Experts Want to Excel (Audio only; YouTube)
  - We explore the criteria that define an expert in threat modeling, discussing the cultural references and intricacies of threat modeling practices and the roles of facilitators.
  - The conversation humorously addresses the challenges of scaling practices in large organizations while highlighting how expertise can inspire others. It includes tangents on movies, old media technologies, sports analogies, and competitive Excel.
Threat Modeling Podcast
- Product-led threat modeling (Audio only)
  - Explore the connection between threat modeling and product development, emphasizing the importance of understanding user needs while applying lean product management principles.
  - They discuss best practices for conducting threat modeling sessions, including methodologies like rapid risk assessment and STRIDE, and stress the significance of collaboration and communication among product managers, architects, and technical leaders to align threat modeling with product goals.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

Webinar: Supercharge Threat Modeling with Software Supply Chain Security — Tuesday, October 29 @ noon (Eastern)

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.