Reasonable 🔐AppSec #74 - The absence of vulnerability, Five Security Articles and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: The absence of vulnerability

  • Application Security Podcast 🎙️ Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Cloud Guardrails — A comprehensive catalog of tools designed to enhance security and compliance in cloud environments by automating governance policies and best practices. Organizations can manage risk proactively by implementing these guardrails, keeping their cloud operations aligned with industry standards and regulations. [I am a huge fan of guardrails, and this resource is a catalog of guardrails that you can mix and match.]

  2. The struggle for software liability: Inside a ‘very, very, very hard problem’ — The White House faces challenges in establishing cybersecurity software liability standards as stakeholders raise concerns about the potential implications for innovation and security practices. The effort aims to create a framework that holds software developers accountable for vulnerabilities, but balancing regulatory measures with industry needs remains contentious. [Can anyone say “NIGHTMARE”? The good news is the first case will get tied up on appeal for a decade.]

  3. The Global Surveillance Free-for-All in Mobile Ad Data — Mobile advertising data has become a new battleground for global surveillance, with companies increasingly collecting and monetizing personal information from users without clear consent or oversight. The article highlights the implications of this pervasive data collection for user privacy and security, and the challenges regulators face in establishing meaningful protections in an industry driven by profit. [I didn’t realize the depth of mobile ad data and how it is misused.]

  4. DEF CON 32 Main Stage Talks — This playlist offers a wealth of insight into the latest trends and challenges in cybersecurity, with talks covering topics such as ransomware defenses, AI implications, and novel vulnerabilities. Viewers can expect to learn from industry leaders and gain valuable perspectives on improving security practices in today’s rapidly evolving digital landscape. [Missed Vegas? Don’t fret; the DC talks are on YouTube.]

  5. The Ultimate Guide to Reachability Analysis: Which reachability is good for you: Enhancing Code, Library, and Container Security with ASPM — ASPM (Application Security Posture Management) reachability analysis provides a method to assess the accessibility of an application’s components, identifying potential vulnerabilities based on how those components interact with each other and with the external environment. By understanding reachability, organizations can improve their security posture, ensuring that only necessary access points are exposed and reducing the risk of exploitation. [I’m bullish on ASPM, so I’m sharing a resource to help you unpack its capabilities.]

Featured Focus: The Absence of Vulnerability

On a soon-to-be-released AppSec Podcast episode, Matin, our guest, offered a definition of security that I’ve never heard before, and it’s got me thinking. He defines security as “the absence of vulnerabilities.” Stop and think about that for a second: the absence of vulnerabilities?

I’ve always considered security an active issue. As a programmatic thinker, I approach problems by considering how we can systemize a solution that allows resources to scale to address the problem at every level.

Security is people, processes, tools, and governance. The people secure the things, while the processes guide the people and attempt to make the work uniform. The tools make things easier for the people (in theory), and governance ensures that the right things are done at the right times to protect the right things.

Matin’s definition is a measurable state of a thing rather than a program to create that thing. This definition makes me wonder whether this is the Matrix.

Tune in to this episode next week to hear Matin’s explanation of this definition and his exploration of anti-requirements. It will cause you to stop and think. If you have an epiphany about this definition, hit reply and share it with me. I’d love to hear other opinions.

Podcast Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages (Audio only; YouTube)

      • Host Chris Romeo and guest François Proulx discuss the discovery of security vulnerabilities in build pipelines, emphasizing how attackers can exploit this often-overlooked part of the software supply chain.

      • To combat this issue, François’s team developed an open-source scanner called Poutine, designed to identify vulnerable build pipelines at scale and provide remediation guidance. François draws on his extensive experience in application security and his role as founder of the NorthSec conference in Montreal.

  • Security Table

    • Everything is Boring (Audio only; YouTube)

      • Hosts Chris, Izar, and Matt delve into the perception that recent cybersecurity topics, such as vulnerabilities and ransomware, have become less exciting, prompting a discussion about the waning interest in these issues.

      • They explore the roles of Governance, Risk, and Compliance (GRC), the complexities of cyber insurance, and the fading novelty of AI, emphasizing that while essential security tasks may seem mundane, they remain crucial to maintaining effective security practices.

  • Threat Modeling Podcast

    • The Four Question Framework with Adam Shostack (Audio only)

      • Chris and Adam dive into the four-question framework for threat modeling, explaining the meaning and purpose of each question to simplify the process.

      • They discuss the importance of retrospectives, the evolution of the framework, and its application in various situations, highlighting that the questions serve as a practical foundation for threat modeling.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that’s user-friendly, customizable, and easy on the eyes. Individuals and teams work together, no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

🤔 Have questions, comments, or feedback? I’d love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.