• Reasonable Application Security
  • Posts
  • Reasonable 🔐AppSec #75 - Why the 'Secure by Design' pledge won't save us from AppSec failures, Five Security Articles and Podcast Corner

Reasonable 🔐AppSec #75 - Why the 'Secure by Design' pledge won't save us from AppSec failures, Five Security Articles and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Why the 'Secure by Design' pledge won't save us from AppSec failures

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. Chaos Engineering in IT Systems: Embracing Failure and Security Testing for a More Resilient Future — Chaos Engineering and Security Chaos Engineering allows organizations to proactively identify vulnerabilities and improve resilience by intentionally introducing failures and simulating security incidents. By employing strategies like continuous monitoring, safety mechanisms, and fostering a blameless culture, these methodologies help ensure systems can withstand and recover from unexpected disruptions and cyber threats. [I’ve been a fan of chaos since its early days — never had a chance to implement it, but it makes sense to change things up and break the status quo.]

  2. Software developers are spending more time every week fixing security issues – and it’s costing companies a fortune — Software developers are increasingly spending more time each week addressing security issues, which is costing companies significant amounts of money. This trend highlights the growing complexity of software security and the need for improved tools and processes to help developers manage vulnerabilities effectively and reduce the financial impact on organizations. [If software developers had implemented secure and private by design and default, they’d spend much less time fixing issues.]

  3. Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction — Large language models (LLMs) can be manipulated through tactics such as camouflage and distraction, which exploit their vulnerabilities and influence their outputs. These techniques raise significant concerns about the security and reliability of AI systems, particularly in critical applications where accuracy and trustworthiness are paramount. [This just in — LLMs have security problems.]

  4. Technologist Bruce Schneier on security, society and why we need 'public AI' models — Bruce Schneier emphasizes the critical need for public AI models to enhance security and societal benefits, advocating for transparency and collaboration in the development of AI technologies. He argues that public models can improve accountability and foster a more equitable digital landscape, mitigating risks associated with proprietary systems. [Schneier says one or two things worth paying attention to per year — you decide if this is one of them.]

  5. 'Shift Left' Gets Pushback, Triggers Security Soul Searching — The pushback against the "shift left" approach in application security has prompted a period of introspection among security professionals, highlighting challenges in balancing speed and security in the development process. This reflection reveals a need for improved collaboration between development and security teams to address the complexities of integrating security measures early in the software lifecycle. [Shift left is a joke.]

[I’m giving a talk on this topic later this week, so I decided to use my column to gather my thoughts into a semi-cohesive pile.]

CISA’s ‘Secure by Design Pledge’ brought much hope for a kinder, gentler, more secure world. The only problem is that it has no teeth. It is a toothless pledge with no ramifications for lack of meeting or exceeding the goal.

The content is acceptable—the requirements are precise and point us in the right direction as an industry: multi-factor authentication, reducing default passwords, reducing entire classes of vulnerabilities, increasing the installation of secure patches, publishing a vulnerability disclosure policy, transparency in reporting CVEs, and increasing the ability to gather evidence after an incident.

Here is my first rub — ‘this is a voluntary pledge … a good-faith effort to work towards the goals.’ This means nothing — voluntary in that nobody has to participate, and good faith is the most wishy-washy terminology that could be used. Good faith means I’ll try my best, and no matter where I land, I’ll get a trophy for participation.

Ladies and gentlemen, I've produced the ‘Secure by Design Pledge Trophy’ for participation. I’ll mail one to each of the pledge signers.

My second rub is that you can divide the companies that have signed on to the pledge into two categories—those that already meet all the requirements and those that want to kiss a** to CISA and think they’ll gain some marketing advantage by signing. Nobody is doing this for the good of the Internet or the world; everybody has the motivation to try to get something for nothing.

Do you want to make a pledge that has some teeth? Write the requirements in any way you want — for the sake of argument, we’ll keep what they have today. The thing we’ll change is the consequences. If you don’t demonstrate 10% improvement in all categories identified, you must donate 10% of your gross profit to a technology-focused charity that brings new folks into our industry. Now, we’d have a pledge with teeth, and nobody would sign up to play.

Podcast Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Kayra Otaner -- DevSecOps (Audio only; YouTube)

      • Hosts Chris and Robert welcome Kayra Otaner, the Director of DevSecOps at Roche, who asserts that traditional DevSecOps is "dead" and emphasizes the need for organizations to tailor their approaches based on size and specific needs.

      • Kayra introduces "security as code" and "policy as code" as more effective strategies and highlights the emergence of Application Security Posture Management (ASPM) tools as the "SIEM for AppSec," suggesting that AI-enhanced tools can help manage the influx of security alerts faced by development teams.

  • Security Table

    • We'll Be Here Until We Become Obsolete (Audio only; YouTube)

      • We explore the multifaceted concept of obsolescence in technology, discussing its planned, unplanned, and forced forms while highlighting the security implications of outdated devices and software.

      • The conversation focuses on vulnerabilities in cloud-connected vehicles, examines architectural decisions and regulatory requirements, and reflects on real-world incidents like the OnStar hack, underscoring the necessity for robust security protocols.

  • Threat Modeling Podcast

    • Akira Brand -- Gaining Experience by Threat Modeling (Audio only)

      • Hosts Chris and Akira Brand discuss her journey into threat modeling, emphasizing the importance of collaboration, understanding applications, and utilizing tools and diagrams to enhance the process.

      • Akira draws parallels between surgical checklists and the STRIDE model, highlighting how her hands-on approach and teamwork across engineering, data analytics, and security led to successful threat modeling outcomes.

Threat Model for Free

Welcome to Simple, Collaborative Threat Modeling by Devici.

Introducing the modern drawing tool that's user-friendly, customizable, and easy on the eyes. Individuals and teams work together – no matter their location. Devici helps build a scalable threat modeling process for multi-disciplinary and geographically dispersed teams, ensuring everyone can contribute.

Visit devici.com to experience threat modeling for free.

Where to find Chris? 🌎

  • Speaking at the Elephant in AppSec Conference on Thursday, November 7, 14:25 Eastern time, on “Why the ‘Secure by Design’ pledge won’t save us from AppSec failures.”

  • I’m at Triangle Infosecon in Raleigh this Friday, November 8, and I'll give a talk at 15:30 on “The Paradox of Secure and Private by Design and Default.”

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.