Reasonable 🔐AppSec #8 - Five Security Articles, OWASP Top Ten from the Eye of AI, Photo, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue of Reasonable Application Security:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: OWASP Top Ten from the Eye 👁️ of MidJourney (by Sagiv Peer)

  • Photo of the week 📷

  • Application Security Podcast 🎙️ Corner

Five Security Articles 📰 that Are Worth YOUR Time

  • Explore the role of chaos in ensuring cloud-native cyber resilience, including the need for clear frameworks and standards for implementing and operating effective controls and processes in cloud landscapes, and how Security Chaos Engineering can provide a complete development and operations lifecycle guidebook for cloud-native cyber resilience. (more)

  • OWASP is developing a Top Ten list of vulnerabilities for large language model (LLM) projects, such as OpenAI's ChatGPT and Microsoft's GitHub Copilot, to provide much-needed guidance for software teams in the rapidly evolving field of AI-based software development. (more)

  • Instead of developers "shifting left" and incorporating more responsibilities, they should "shift down" by fully leveraging the available technology and platforms, optimizing resources, and focusing on innovation. (more)

  • Attackers can exploit the "hallucination" tendency of AI models like ChatGPT to recommend non-existent coding packages, thereby creating opportunities to spread malicious packages into developers' environments. (more)

  • Large Language Models (LLMs) have potential in application security: they can automate and scale security tasks such as codebase understanding, threat modeling, bug response, vulnerability reporting, and more, reducing reliance on limited/expensive human expertise and significantly improving the efficiency and effectiveness of security programs. (more)

Featured focus: OWASP Top Ten from the Eye 👁️ of MidJourney (by Sagiv Peer)

(I’m reposting this with Sagiv’s permission. It caught my attention in my LI feed.)

What happens when vulnerabilities wake up to life?

I used #chatgpt4 and #midjourney to bring the #owasptop10 to life.

Each animal represents a known vulnerability.

A01:2021 - Broken Access Control: Monkey - Like a monkey can navigate through trees, broken access control allows unauthorized users to climb through access control mechanisms.

A02:2021 - Cryptographic Failures: Owl - Similar to an owl's sharp vision, cryptographic failures can lead to sensitive data exposure or system compromise.

A03:2021 - Injection: Snake - Like a snake injecting venom, injection attacks inject malicious code into a vulnerable system to exploit it.

A04:2021 - Insecure Design: Beaver - Beavers are known for their architectural skills, representing the need for specific design patterns and principles to prevent design flaws.

A05:2021 - Security Misconfiguration: Sloth - Security misconfigurations often occur due to negligence or slow response, much like a sloth's slow and relaxed nature.

A06:2021 - Vulnerable and Outdated Components: Hyena - Similar to hyenas scavenging for vulnerable prey, attackers exploit systems that use outdated or vulnerable components.

A07:2021 - Identification and Authentication Failures: Chameleon - Just like a chameleon changes its appearance, identification and authentication failures allow attackers to impersonate legitimate users and change their identity.

A08:2021 - Software and Data Integrity Failures: Elephant - Elephants are known for their strong memory, representing the need to verify software updates and critical data and maintain CI/CD pipeline integrity.

A09:2021 - Security Logging and Monitoring Failures: Eagle - Eagles are known for their keen eyesight and ability to spot prey from great distances—failures in logging and monitoring directly impact visibility, incident alerting, and forensics.

A10:2021 - Server-Side Request Forgery: Octopus - Octopuses are known for their flexibility and ability to reach out and manipulate their environment. Server-side request forgery involves using the server to perform unauthorized actions on behalf of an attacker.

Photo of the week 📷

We had plenty of photos above to cover our “Photo of the Week” segment.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes they are my podcasts. Other times they are podcasts that have caught my attention.

  • Application Security Podcast

    • François Proulx -- Actionable Software Supply Chain Security

      • François delves into the complexities of the software supply chain, emphasizing the importance of branch protection, tag protection, and understanding your dependency tree for secure operations. He also introduces the concept of keyless signatures via the Sigstore project, discusses potential security vulnerabilities in Terraform modules, and recommends resources like the OpenSSF and deps.dev for enhancing security postures and scanning open-source repositories.

  • Security Table

    • We Don't Know What We Don't Know

      • Certificate pinning, a client-side operation that enhances the security of the Transport Layer Security (TLS) protocol, is explained as a method for the client application to verify the server's certificate against a known copy. The conversation underscores the extensive knowledge required in #AppSec, highlighting the necessity for continuous learning and the courage to acknowledge and address gaps in understanding.

  • Threat Modeling Podcast

    • A new episode is coming soon — Engineering-led threat modeling.

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.