Reasonable 🔐AppSec #9 - Five Security Articles, Nobody Knows Everything, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

I’m in Eastern Europe running a summer camp this week, but I still had time to ponder and produce Reasonable AppSec.

In this week’s issue of Reasonable Application Security:

  • Five security articles 📰 that are worth YOUR time

  • Featured Story: Nobody Knows Everything 🤔

  • Application Security Podcast 🎙️Corner

Five Security Articles 📰 that Are Worth YOUR Time

  • ChatGPT can threat model, or can it? A worked example using the STRIDE method walks the reader through describing a system and its elements, applying STRIDE to identify potential threats, drilling into specific threat categories, and brainstorming mitigations, all with ChatGPT's help. (more)

  • A popular smart pet feeder has serious security issues, including hard-coded credentials and an insecure firmware update process. What will our pets do? These vulnerabilities could allow an attacker to gain unauthorized access to the device, steal sensitive data such as video footage, tamper with feeding schedules, and even use the feeder as a foothold for attacks against other devices on the same network. (more)

  • CVSS scores technical severity in isolation, which limits its usefulness for managing and prioritizing software vulnerabilities. Shaffer proposes a shift toward the Stakeholder-Specific Vulnerability Categorization (SSVC) model, which walks a decision tree to arrive at an action for each vulnerability, taking into account factors such as exploit intelligence (is it being exploited?) and systems intelligence (what does the affected system do for you?), giving a more context-aware and practical approach to vulnerability management. (more)

  • There is a significant issue in the npm ecosystem: a package's manifest (the metadata the registry serves) is published independently of its tarball, and the contents of the two are never fully validated against each other. Tooling that trusts the manifest can miss what is actually in the tarball, which lets bad actors hide install scripts and dependencies from review, leading to risks such as cache poisoning, installation of unknown dependencies, execution of unknown scripts, and potential downgrade attacks. (more)

  • "Elegant Objects" is a philosophy of object-oriented programming that advocates eliminating traditional techniques such as null references, getters-and-setters, static methods, and implementation inheritance. It promotes a more streamlined and efficient approach to programming, but is it better for security? (more)
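To make the SSVC item above concrete, here is a small decision tree in Python. This is an added example, not code from the article or from CISA; the decision points (exploit intelligence, automatable, technical impact, mission and well-being) are loosely modeled on SSVC's deployer tree, but the branch logic below is a simplification written for illustration and is not the published SSVC lookup table. The vulnerability names are constructed placeholders.

```python
"""Illustrative SSVC-style decision tree (added example; simplified, not CISA's published tables)."""
from dataclasses import dataclass
from enum import Enum


class Exploitation(Enum):      # exploit intelligence: what is known about attacks in the wild
    NONE = "none"
    POC = "poc"
    ACTIVE = "active"


class TechnicalImpact(Enum):   # what an attacker controls if the exploit succeeds
    PARTIAL = "partial"
    TOTAL = "total"


class MissionWellbeing(Enum):  # systems intelligence: how much the affected system matters to you
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


class Action(Enum):            # ordered from least to most urgent
    TRACK = 0
    TRACK_STAR = 1             # "Track*": keep watching and re-evaluate sooner
    ATTEND = 2
    ACT = 3


@dataclass(frozen=True)
class Vuln:
    name: str                  # placeholder label, not a real identifier
    exploitation: Exploitation
    automatable: bool          # can an attacker reliably run the attack end to end without a human?
    technical_impact: TechnicalImpact
    mission_wellbeing: MissionWellbeing


def decide(v: Vuln) -> Action:
    """Walk the tree. Branch order encodes priority: exploit intel first, then deployment context.
    These thresholds are this example's assumptions, not SSVC's official outcomes."""
    if v.exploitation is Exploitation.ACTIVE:
        if v.mission_wellbeing is MissionWellbeing.HIGH or (
            v.automatable and v.technical_impact is TechnicalImpact.TOTAL
        ):
            return Action.ACT
        return Action.ATTEND
    if v.exploitation is Exploitation.POC:
        if (v.automatable and v.technical_impact is TechnicalImpact.TOTAL
                and v.mission_wellbeing is not MissionWellbeing.LOW):
            return Action.ATTEND
        if (v.automatable or v.technical_impact is TechnicalImpact.TOTAL
                or v.mission_wellbeing is MissionWellbeing.HIGH):
            return Action.TRACK_STAR
        return Action.TRACK
    # No known exploit: only the worst combination of context earns extra attention.
    if (v.automatable and v.technical_impact is TechnicalImpact.TOTAL
            and v.mission_wellbeing is MissionWellbeing.HIGH):
        return Action.TRACK_STAR
    return Action.TRACK


def prioritize(vulns):
    """Return (action, vuln) pairs, most urgent first; ties keep input order."""
    return sorted(((decide(v), v) for v in vulns), key=lambda pair: -pair[0].value)


# Constructed sample: all three have the same technical impact ("total"), which is roughly
# what a CVSS-only view would see, yet the context-aware tree sends them to different actions.
SAMPLE = [
    Vuln("web-gateway-rce", Exploitation.ACTIVE, True, TechnicalImpact.TOTAL, MissionWellbeing.HIGH),
    Vuln("lab-printer-bug", Exploitation.NONE, False, TechnicalImpact.TOTAL, MissionWellbeing.LOW),
    Vuln("build-server-deser", Exploitation.POC, True, TechnicalImpact.TOTAL, MissionWellbeing.MEDIUM),
]

if __name__ == "__main__":
    for action, v in prioritize(SAMPLE):
        print(f"{action.name:<10} {v.name}")
```

The point of the structure is that the tree is explainable: for any vulnerability you can read off exactly which fact (active exploitation, a critical system, an automatable chain) drove the outcome, which is what a patch-or-defer conversation with an asset owner needs.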
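The npm item above describes a gap rather than a technique, so here is the check a practitioner would actually run: read the package.json inside the tarball and diff it against the manifest the registry serves. This is an added example in Python, not code from the article or from the npm project; it builds a throwaway npm-style tarball in memory with constructed package names so it runs offline. In real use you would fetch the manifest from the registry's version endpoint and the tarball from the manifest's `dist.tarball` URL.

```python
"""Detect a mismatch between an npm registry manifest and the package.json inside the tarball.
Added example, not from the original post or from npm; sample data is constructed inline."""
import io
import json
import tarfile

# Fields whose divergence matters to an installer: dependency resolution uses the registry
# manifest, but lifecycle scripts run from the package.json that ships in the tarball.
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts", "bin")
INSTALL_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")


def build_tarball(package_json: dict) -> bytes:
    """Build a minimal npm-style .tgz (files live under 'package/') in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = json.dumps(package_json).encode()
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_tarball_manifest(tgz: bytes) -> dict:
    """Return the parsed package/package.json from an npm tarball."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        member = tar.getmember("package/package.json")
        return json.load(tar.extractfile(member))


def compare(registry_manifest: dict, tgz: bytes) -> list:
    """Return human-readable findings; an empty list means both sources agree on CHECKED_FIELDS."""
    inner = read_tarball_manifest(tgz)
    findings = []
    for field in CHECKED_FIELDS:
        reg, tar = registry_manifest.get(field), inner.get(field)
        if reg != tar:
            findings.append(f"{field}: registry={reg!r} tarball={tar!r}")
    # Call out the most dangerous case explicitly: an install-time hook nobody saw in the registry.
    for script in INSTALL_SCRIPTS:
        if script in inner.get("scripts", {}) and script not in registry_manifest.get("scripts", {}):
            findings.append(f"install script {script!r} present only in tarball")
    return findings


# Constructed sample: what the registry says about the version...
REGISTRY_MANIFEST = {
    "name": "example-widget",
    "version": "1.2.3",
    "dependencies": {"example-util": "^2.0.0"},
    "scripts": {"test": "node test.js"},
}
# ...and what the tarball actually carries (published separately, never cross-checked).
TARBALL_PACKAGE_JSON = {
    "name": "example-widget",
    "version": "1.2.3",
    "dependencies": {"example-util": "^2.0.0", "example-hidden-dep": "1.0.0"},
    "scripts": {"test": "node test.js", "postinstall": "node ./collect.js"},
}
HONEST_TGZ = build_tarball(REGISTRY_MANIFEST)
MISMATCHED_TGZ = build_tarball(TARBALL_PACKAGE_JSON)

if __name__ == "__main__":
    print("honest:", compare(REGISTRY_MANIFEST, HONEST_TGZ) or "no findings")
    for line in compare(REGISTRY_MANIFEST, MISMATCHED_TGZ):
        print("mismatch:", line)
```

A check like this belongs in the same place you already verify `dist.integrity`: the integrity hash proves you got the tarball the registry intended, but says nothing about whether that tarball agrees with the manifest your resolver and reviewers looked at.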

Featured Story: Nobody Knows Everything 🤔

In a past Security Table episode, we started talking about certificate pinning. I know, one of your favorite topics. You probably discussed it with your family over dinner this past week.

At the beginning of the discussion, I let on that I had no idea what certificate pinning was doing or how it worked. As my career has gotten longer and I’ve spent more time studying different things, I’ve realized that I don’t know everything about AppSec. And I’m okay with that.

When I was early in my career, I felt the pressure always to have the answer to any question thrown my way. I felt an expectation from my leadership and peers to be the subject matter expert that they needed me to be. If I didn’t know the answer, I felt like I was failing in my job. Perhaps this pressure was self-applied. Either way, I felt the pressure to know all the answers.

The longer I’ve worked in this field (26 years), the more I’ve realized that I don’t know everything. And I’m perfectly okay with that fact. I strive to learn new things every day — I strive to make new connections between things that I didn’t know connected. I surround myself with people that I can learn from.

But I’m also okay saying, “I don’t know.” I’m not afraid that peers or even people listening to my shows will think less of me. If someone else has the answer, I’m happy to listen.

Embrace this idea that you don’t always have the answer. It opens your mind to learn from others or research the question more deeply.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes they are my podcasts. Other times they are podcasts that have caught my attention. Sometimes I share recordings of conference talks I’ve done that you should check out.

  • My 2023 RSA Conference talk on “The State of Application Security.”

  • Application Security Podcast

    • Kim Wuyts -- The Future of Privacy Threat Modeling

      • Kim Wuyts discusses the LINDDUN framework, a privacy threat modeling approach that analyzes threats across multiple categories and has become a recognized approach in the field. She emphasizes the importance of integrating privacy and security and emerging privacy trends, particularly concerning AI, while advocating for increased awareness and collaboration between security and privacy teams.

  • Security Table

    • Lack of Reasonable or Everything Wrong with Security Requirements

      • We discuss the concept of "reasonable security" in vendor evaluation, emphasizing the need for a standard that both vendor and buyer can agree upon. We propose that reasonable security should encompass a comprehensive threat model covering what is built, how it is built, and how it is deployed, along with documentation and an open conversation about the threat model between the buyer and the builder.

  • Threat Modeling Podcast

    • A new episode is coming soon — Engineering-led threat modeling.

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.