Explore all episodes of The Security Table podcast
| Title | Date | Duration | Description |
|---|---|---|---|
| The Department of No | 12 Feb 2025 | 00:45:12 | In today's episode we discuss the complexities of saying 'yes' or 'no' to security decisions and the enduring challenge of integrating security into software development. The conversation swerves into the intriguing idea of a trade-like progression for developers, contrasting it with current knowledge work. The episode culminates in a hit parade of pop culture references, including Star Wars, Star Trek, Firefly, and more. Tune in for a thought-provoking and fun conversation! FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! |
| The Cyber Trust Mark Debate | 22 Jan 2025 | 00:47:12 | The Cyber Trust Mark, a new FCC program aimed at assuring the security of IoT devices, is the topic of discussion today. The hosts discuss various aspects of the Cyber Trust Mark, the history of similar initiatives like UL certification, and the challenges consumers face in determining the security of their devices. They also debate the merits and drawbacks of regulations like the EU's Cyber Resilience Act, the importance of secure-by-default design, and the limitations of relying solely on consumers or independent labs to ensure security. Throughout, they explore whether this new mark can genuinely make a difference or if it's just a rehash of old ideas. |
| Numb to Data Breaches, and How it Impacts Security of the Average Feature | 18 Sep 2024 | 00:32:22 | In this episode of the Security Table with Chris Romeo, Izar Tarandach, and Matt Coles, the team dives into the evolving landscape of modern security approaches. They discuss the shift from strategy to tactics, the impact of data breaches, and why people are becoming numb to such incidents. The episode also touches on the importance of understanding the business side of security and the role of product managers as security champions. |
| Philosophizing Cloud Security | 11 Sep 2024 | 00:28:40 | In this episode of the Security Table, our hosts discuss the concept of the 'Shared Fate Model' in cloud security. The conversation explores how this model builds on the shared responsibility model and the implications for cloud service providers and consumers. From robust default security measures to the historical evolution of ISPs, the discussion covers technical and philosophical aspects of cloud infrastructure security. Join us for an informative and engaging session filled with the past and present of internet connectivity and cloud service security. |
| Innovations in Threat Modeling? | 28 Aug 2024 | 00:31:36 | In this episode of The Security Table, hosts Chris Romeo, Izar Tarandach, and Matt Coles dive into the evolving concept of threat models, stepping beyond traditional boundaries. They explore 'Rethinking Threat Models for the Modern Age,' an article by author Evan Oslick. Focusing on user behavior, alert fatigue, and the role of psychological acceptability, they debate whether broader human factors should integrate into threat modeling. |
| The Illusion of Secure Software | 14 Aug 2024 | 00:40:18 | In this episode of The Security Table Podcast, hosts Chris, Izar and Matt dive into the recent statement by CISA's Jen Easterly on the cybersecurity industry's software quality problem. They discuss the implications of her statement, explore the recurring themes in security guidelines, and debate whether the core issue is with people or technology. Join the conversation as they analyze the roles of developers, QA engineers, and emerging AI tools in shaping a secure future, questioning if the industry is on the right path to real change. |
| The Intersection of Hardware and Software Security | 07 Aug 2024 | 00:30:25 | In this episode of The Security Table, Chris, Izar, and Matt discuss an article on threat modeling in the context of hardware. They explore the intersection of hardware and software security, the importance of understanding attack surfaces, and the challenges posed by vulnerabilities in hardware components, such as speculative execution faults and the impact of supply chain security. Join the conversation as they examine the critical points in the ongoing dialogue around hardware and software security integration. |
| Computing Has Trust Issues | 31 Jul 2024 | 00:46:09 | Join us in this episode of The Security Table as we dive into the world of cybersecurity, starting with a nostalgic discussion about our favorite security-themed movies like 'Sneakers,' 'War Games,' and 'The Matrix.' We then shift gears to explore a critical topic in modern computing: the vulnerabilities and implementation issues of Secure Boot. Discover the intricate details of key management, human errors, and the challenges of maintaining trust in hardware and software systems. The conversation extends to the practicalities of password management, passkeys, and the broader implications of securing digital identities. |
| The Stages of Grief in Incident Response | 24 Jul 2024 | 00:24:05 | Join Chris, Izar, and Matt as they sit around the Security Table to dissect and discuss the different stages of dealing with security incidents. In this episode, they explore the developer's stages of grief during an incident, and discuss a recent large-scale IT incident. They share insights from their multi-decade experience in security, analyze the fragility of current systems, and discuss the role of luck and probability in security failures. |
| To SSH or Not? | 17 Jul 2024 | 00:28:08 | In this episode of 'The Security Table,' we are back from our midsummer break to discuss the OpenSSH regression vulnerability. We dig into the nuances of this race condition leading to remote code execution, explore the chain of security updates, and the role of QA in preventing such regressions. We debate the necessity of SSH in modern cloud-native environments and its alternatives. Plus, we answer the critical question of who should catch these vulnerabilities first — QA teams, pentesters, or automated tools? |
| Rethinking Security Conferences: Engagement and Innovation | 03 Jul 2024 | 00:26:04 | In this episode, Chris, Matt, and Izar discuss the current state of security conferences and gatherings for professionals in the field. They discuss the value and viability of different types of gatherings, the importance of networking and community-building at events, innovative approaches to conference formats, and the need for something more engaging and participatory that caters to both introverts and extroverts. Personal experiences and preferences for conference attendance and speaking engagements are discussed, along with hybrid approaches that combine presentations with facilitated discussions and interactive elements. |
| Privacy vs. Security: Complexity at the Crossroads | 18 Jun 2024 | 00:35:48 | In this episode of the Security Table, Chris, Izar, and Matt delve into the evolving landscape of cybersecurity. After a humorous start involving t-shirts and Frogger as a metaphor for the cybersecurity journey, the conversation shifts to the significant topic of cybersecurity being at a crossroads, as suggested by a CSO Online article. |
| Hovercrafts and the Evolution of AppSec in 2025 | 08 Jan 2025 | 00:35:00 | Hovercrafts and application security in the new year. We revisit last year's predictions on Quantum LLM, SBOMs, and whether DAST tools will make a comeback. With humor and forward-thinking, we explore what the future might hold for application security, the rise of new technologies, and even the outlandish idea of AppSec being dead. Episode mentioned: |
| Security, Stories, Jazz and Stage Presence with Brook Schoenfield | 04 Jun 2024 | 00:52:04 | In this episode of 'The Security Table,' hosts Chris Romeo, Izar Tarandach, and Matt Coles are joined by Brook Schoenfield, a seasoned security professional, to share insights and stories from his extensive career. The conversation covers Brook's experience in writing books on security, lessons learned from his 40-year career, and personal anecdotes about his life as a musician, including playing with legends like Bo Diddley and Chuck Berry. Brook highlights the importance of ensemble work in both security and music. Books written by Brook Schoenfield: Secrets Of A Cyber Security Architect (Auerbach, 2019) https://brookschoenfield.com/?page_id=331; Securing Systems: Applied Security Architecture https://brookschoenfield.com/?page_id=245 |
| Debating the CISA Secure by Design Pledge | 31 May 2024 | 00:39:41 | In this episode of 'The Security Table,' hosts Chris Romeo, Matt Coles, and Izar Tarandach discuss the CISA Secure by Design Pledge, a recent initiative where various companies commit to improving software security practices. The hosts critique the pledge, arguing that many of the signatory companies have long been focused on software security, making the pledge redundant for them. They dissect specific goals of the pledge, such as increasing multi-factor authentication (MFA) and reducing default passwords, and express concerns about their actual impact. |
| Why Developers Will Take Charge of Security, Tests in Prod | 21 May 2024 | 00:48:10 | The script delves into a multifaceted discussion encompassing critiques and praises of book-to-movie adaptations like 'Hitchhiker's Guide to the Galaxy', 'Good Omens', and 'The Chronicles of Narnia'. It then transitions to a serious examination of developers' evolving role in security, advocating for 'shift left' and DevSecOps approaches. The conversation navigates through challenges developers encounter in security practices, stressing the necessity of a DevSecOps framework, secure coding languages, and executive support for fostering a robust security culture within organizations. Chris, Izar and Matt begin the episode with a lighthearted discussion about books turned into movies, including Hitchhiker's Guide to the Galaxy and The Chronicles of Narnia series. The main topic of conversation on today's episode is an article titled "Why Developers Will Take Charge of Security, Tests in Production" by Lorraine Lawson, which interviews Larry Meshrom. The article suggests that developers should take on more responsibility for security, including testing in production environments, as security teams are often perceived as a blocker and don't understand the day-to-day work of developers. The guys question whether developers truly want to take on more security responsibilities, given the constantly evolving nature of security threats and the time it takes to stay up-to-date. They also discuss the role of product managers in driving security and privacy prioritization, and the need for executives to understand the business value of investing in security. The hosts argue that while mature organizations have governance processes in place to enforce security, smaller companies may lack such mechanisms. Ultimately, it is concluded that product managers are best positioned to communicate the business value of security to executives, as they are closest to understanding customer needs and revenue drivers. They propose that the industry should focus on educating and empowering product managers to prioritize security and privacy, and to make the case for investing in these areas to executives. This approach could help bridge the gap between security teams and developers, and drive a culture of security within organizations. Link to article: https://thenewstack.io/why-developers-will-take-charge-of-security-tests-in-prod/ |
| 12 Factors of Threat Modeling | 14 May 2024 | 00:45:39 | Chris, Matt and Izar share their thoughts on an article published by Carnegie Mellon University's Software Engineering Institute. The list from the article covers various threat modeling methodologies such as STRIDE, PASTA, LINDDUN, and the OCTAVE methodology for risk management. They emphasize the importance of critical thinking in the field, provide insights into strengths, applications, and limitations of each method, and highlight the significance of annotated threat models for application security. Mentioned in this Episode: Podcast episode: Nobody's Going to Mess with Our STRIDE https://www.youtube.com/watch?v=TDFRe_icFmY&pp=ygUSdGhlIHNlY3VyaXR5IHRhYmxl |
| XZ and the Trouble with Covert Identities in Open Source | 02 May 2024 | 00:43:54 | Matt, Izar, and Chris delve into the complexities of open source security. They explore the topics of trust, vulnerabilities, and the potential infiltration by malicious actors. They emphasize the importance of proactive security measures, the challenges faced by maintainers, and propose solutions like improved funding models and behavior analysis for enhancing security within the open source ecosystem. |
| Nobody's Going To Mess with Our STRIDE | 09 Apr 2024 | 00:39:31 | Matt, Izar, and Chris take issue with a controversial blog post that criticizes STRIDE as outdated and time-consuming and claims it does not help the right people do threat modeling. The post goes on to recommend that LLMs should handle the task. The trio counters these points by highlighting STRIDE's origin, utility, and adaptability. Like any good instrument, it is important to use the right tools in the right context. |
| SQLi All Over Again? | 02 Apr 2024 | 00:37:55 | Chris, Matt, and Izar discuss a recent Secure by Design Alert from CISA on eliminating SQL injection (SQLi) vulnerabilities. The trio critiques the alert's lack of actionable guidance for software manufacturers, and they discuss various strategies that could effectively mitigate such vulnerabilities, including ORMs, communicating the why, and the importance of threat modeling. They also explore potential ways to improve the dissemination and impact of such alerts through partnerships with organizations like OWASP, the various PSIRTs, and ISACs, and leveraging threat intelligence effectively within AppSec programs. Ultimately, the trio wants to help CISA maximize its effectiveness in the software security industry. |
| How I Learned to Stop Worrying and Love the AI | 26 Mar 2024 | 00:42:19 | Dive into the contentious world of AI in software development, where artificial intelligence reshapes coding and application security. We spotlight the surge of AI-generated code and the incorporation of copy-pasted snippets from popular forums, focusing on their impact on code quality, security, and maintainability. The conversation critically examines the diminishing role of traditional quality assurance measures versus the growing reliance on automated tools and AI, highlighting potential compromises between development speed and security integrity. |
| Secure by Default in the Developer Toolset and DevEx | 19 Mar 2024 | 00:43:46 | Matt, Chris, and Izar talk about ensuring security within the developer toolset and the developer experience (DevEx). Prompted by a recent LinkedIn post by Matt Johansen, they explore the concept of "secure by default" tools. The conversation highlights the importance of not solely relying on tools but also considering the developer experience, suggesting that even with secure tools, the ultimate responsibility for security lies with the developers and the organization. |
| Debating the Priority and Value of Memory Safety | 12 Mar 2024 | 00:34:58 | Chris, Izar, and Matt tackle the first point of the recent White House report, "Back to the Building Blocks: a Path toward Secure and Measurable Software." They discuss the importance of memory safety in software development, particularly in the context of critical infrastructure. They also explore what memory safety means, citing examples like the dangers of using C over safer alternatives such as Java, Rust, or Go. |
| Find Your Conferences and watch Die Hard. And the Princess Bride. | 11 Dec 2024 | 00:29:12 | What makes a conference truly valuable? Is it the unexpected connections and serendipitous meetings of minds, or the chance to break free from the "security echo chamber" by exploring diverse conference experiences? We discuss the considerations that make conferences worth attending and examine whether they are compelling enough to warrant personal investment. Whether large or intimate, each conference provides a distinct journey of learning and interaction. |
| Selling Fear, Uncertainty, and Doubt | 27 Feb 2024 | 00:41:09 | Matt, Izar, and Chris discuss the impact of fear, uncertainty, and doubt (FUD) within cybersecurity. FUD is a double-edged sword: while it may drive awareness among consumers, it also leads to decision paralysis or misguided actions due to information overload. The saturation of breach reports and security threats also desensitizes users and blurs the line between vigilant security practices and unnecessary panic. Fear-based security strategies do not foster a secure environment. |
| Prioritizing AppSec: A Conversation Between a VP of Eng, a Product Manager, and a Security "Pro" | 20 Feb 2024 | 00:37:09 | Prompted by fan mail, Chris, Izar, and Matt engage in a role-playing scenario as a VP of engineering, a security person, and a product manager. They explore some of the challenges and competing perspectives involved in prioritizing application security. They highlight the importance of empathy, understanding business needs and language, and building relationships within an organization while dealing with security threats and solutions. They end with insights into the role of AI in AppSec, its prioritization, and its limitations. |
| Villainy, Open Source, and the Software Supply Chain | 13 Feb 2024 | 00:32:02 | Matt, Izar, and Chris have a lively discussion about how security experts perceive open-source software. Referencing a post that described open source as a 'hive of scum and villainy,' the team dissects the misconceptions about open source software and challenges the narrative around its security. They explore the complexities of the software supply chain, the notion of 'inheritance' when it comes to security vulnerabilities, and the impact of transitive dependencies. They also discuss reputation systems, dependency injection, and the reality of accepting responsibility for incorporated software packages and their security issues. Tune in for these and other thoughtful insights about the interplay between open source solutions and security aspects in software development. |
| Adam Shostack -- Thinking like an Attacker and Risk Management in the Capabilities | 06 Feb 2024 | 00:46:23 | Threat modeling expert Adam Shostack joins Chris, Izar, and Matt in this episode of the Security Table. They look into threat actors and their place in threat modeling. There's a lively discussion on risk management, drawing the line between 'thinking like an attacker' and using current attacker data to inform a threat model. Adam also suggests that we must evaluate if risk assessments serve us well and how they impact organizations on various levels. The recurring theme is the constant need for evolution and adaptation in threat modeling and risk management processes. You can tune in to get a rich perspective on these key cybersecurity topics. |
| Bug Bounty Theater and Responsible Bug Bounty | 30 Jan 2024 | 00:27:13 | Izar, Matt, and Chris discuss the effectiveness of bug bounty programs and delve into topics such as scoping challenges, the ethical considerations of selling exploits, and whether it is all just bug bounty theater. The hosts share their insights and opinions on the subject, providing a thought-provoking discussion on the current state of bug bounties in the security industry. |
| Threat Modeling Capabilities | 23 Jan 2024 | 00:41:57 | This week around the Security Table, Matt, Izar and Chris discuss the recently published Threat Modeling Capabilities document. They explore how capabilities serve as measurable goals that organizations either possess or lack, contrasting the binary nature of capabilities with the continuum of maturity. The team shares insights on the careful definition and measurement of each capability, highlighting the creative debates and diverse perspectives that enriched the document. |
| Open Source Puppies and Beer | 16 Jan 2024 | 00:40:34 | Chris, Izar, and Matt address the complexities of open-source component usage, vulnerability patches, civic responsibility, and licensing issues in this Security Table roundtable. Sparked by a LinkedIn post from Bob Lord, Senior Technical Advisor at CISA, they discuss whether software companies have a civic duty to distribute fixes for vulnerabilities they discover in open-source components. They also examine if there is a need to threat model every third-party component and consider the implications of certain licenses for security patches. This is a discussion that needs to be had by anyone using open-source components in their code. Listen in and engage as we learn and think through this important issue together! Links: Bob Lord's post about Open Source Responsibility: |
| AppSec Resolutions | 09 Jan 2024 | 00:47:44 | Join us for the final episode of The Security Table for 2023. Chris, Izar, and Matt answer fan mail, make fun predictions for the upcoming year, discuss their resolutions for improving cybersecurity, and make a call to action to global listeners. Highlights include the reach of the podcast, explaining Large Language Models (LLMs), Quantum LLMs, Software Bill of Materials (SBOM), and the importance of teaching secure coding from high school level up. Chris, Izar, and Matt share their passion for making cybersecurity more accessible, practical, and effective through critical discussions and innovative ideas. |
| The Impact of Prompt Injection and HackAPrompt_AI in the Age of Security | 19 Dec 2023 | 01:04:38 | Sander Schulhoff of Learn Prompting joins us at The Security Table to discuss prompt injection and AI security. Prompt injection is a technique that manipulates AI models such as ChatGPT into producing undesired or harmful outputs, such as instructions for building a bomb or granting refunds on false claims. Sander provides a helpful introduction to this concept and a basic overview of how AIs are structured and trained. Sander's perspective from AI research and practice balances our security questions as we uncover where the real security threats lie and propose appropriate security responses. |
| Looking Back, Looking Forward | 29 Nov 2023 | 00:46:14 | Join Izar, Matt, and Chris in a broad discussion covering the dynamics of the security community, the evolving role of technology, and the profound impact of social media on our lives. As the trio considers what they are most thankful for in security, they navigate a series of topics that blend professional insights with personal experiences, offering a unique perspective on how these elements intersect in the modern world. |
| Is it Necessary? Not everything requires an LLM | 10 Dec 2024 | 00:42:39 | We debate the necessity and efficiency of LLMs in finding code vulnerabilities in a C library compared to traditional static code analyzers and fuzzing techniques. The conversation explores broader topics in application security testing, including the evolving landscape of Dynamic Application Security Testing (DAST), fuzzing, and the potential of emerging technologies like Application Detection and Response (ADR). |
| CVSS 4.0 Unleashed with Patrick Garrity | 21 Nov 2023 | 00:58:26 | Patrick Garrity joins the Security Table to unpack CVSS 4.0, its impact on your program, and whether or not it will change the game, the rules of how the game is played, or maybe the entire game. |
| An SBOM Lifecycle | 14 Nov 2023 | 00:45:39 | Aditi Sharma joins Matt, Izar, and Chris around the Security Table to discuss Software Bill of Materials (SBOMs). The team discusses potential advantages as well as challenges of SBOMs in different contexts such as SaaS solutions, physical products, and internal procedures. The episode also explores the importance of knowing what software components a company is consuming and the significance of SBOM for vulnerability management and risk posture. The team concludes by stressing that while SBOM has great potential value, the value realization is still a work in progress. |
| An SBOM Fable | 08 Nov 2023 | 00:37:17 | Join Chris, Matt, and Izar for a lively conversation about an article that offers 20 points of "essential details" to look for in a Software Bill of Materials (SBOM). They dissect and debate various points raised in the article, including generating SBOMs, the necessary components, and how to gauge the quality of this digital inventory. Their critique is both insightful and humorously candid, and they will offer you a tour through the often complex world of software documentation. |
| NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations | 24 Oct 2023 | 00:20:09 | Matt, Chris, and Izar discuss the recently published "NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations." They review each point and critically analyze the document's content, pointing out areas where the terminology might be misleading or where the emphasis should be shifted. As they work through the top ten list, several trends and larger conversations appear out of the individual points. |
| The Future Role of Security and Shifting off the Table | 17 Oct 2023 | 00:54:58 | The Security Table gathers to discuss the evolving landscape of application security and its potential integration with development. Chris posits that application or product security will eventually be absorbed by the development sector, eliminating the need for separate teams. One hindrance to this vision is the friction between security and engineering teams in many organizations. |
| A Show About Nothing that Turned into Something | 10 Oct 2023 | 00:33:32 | The Security Table gathers this week to discuss expectations about tooling in the Application Security industry. Matt emphasizes that tools should essentially automate tasks that humans can perform but in a faster and more efficient manner. The conversation then shifts to the overwhelming nature of communication platforms like Slack. Izar highlights the challenges of managing attention spans and context-switching when one is part of numerous Slack channels, likening it to being in a room with a hundred simultaneous conversations. |
| The Hamster Wheel of Scan and Fix | 26 Sep 2023 | 00:56:28 | Matt and Izar join in a debate with Chris Romeo as he challenges the paradigm of "scan and fix" in application security. Chris references a LinkedIn post he made, which sparked significant reactions, emphasizing the repetitive nature of the scan and fix process. His post critiqued the tools used in this process, noting that they often produce extensive lists of potential vulnerabilities, many of which might be false positives or not appropriately prioritized. He underscores the need for innovation in this domain, urging for a departure from the traditional methods. |
| Threat Modeling Conference | 19 Sep 2023 | 00:32:18 | The Security Table gathers to discuss the upcoming ThreatModCon 2023 (https://www.threatmodelingconnect.com), the inaugural and only conference dedicated entirely to threat modeling. ThreatModCon 2023: Sunday, October 29, 2023, Marriott Marquis, Washington, DC. The Threat Modeling Conference will cover various aspects of threat modeling, from AI integration to privacy concerns, from a brief history of threat modeling to hands-on workshops. The sessions will emphasize learning, interaction, and applying knowledge in real-world scenarios. From threatmodelingconnect.com: "Join us for the inaugural Threat Modeling Conference — the first annual meetup of our community — on October 29th to learn, share, and discuss how to make threat modeling approachable to everyone. Come away with the latest trends, tools, and strategies in threat modeling, helping you stay ahead of the curve as you navigate the constantly-changing cybersecurity landscape." Listen in to hear what excites Chris, Matt, and Izar about ThreatModCon, and sign up to attend yourself! Threat Modeling is for Everyone! https://www.threatmodelingconnect.com/ |
| AppSec vs. ProdSec | 12 Sep 2023 | 00:37:06 | Chris Romeo, Matt Coles, and Izar Tarandach attempt to demystify the concepts of Application Security (AppSec) and Product Security (ProdSec). They find that even defining and differentiating both concepts is challenging. Various articles exist about AppSec and ProdSec, but the industry is generally confused about these terms. |
| Imposter Syndrome | 05 Sep 2023 | 00:34:37 | |
Imposter Syndrome is when a person feels inadequate despite their accomplishments. Not unique to the field of cybersecurity or even software development, imposter syndrome can affect any professional as they advance and grow in their area of expertise. Matt and Izar, both seasoned security professionals, openly discuss the dichotomy between their intellectual achievements and the emotional weight of feeling like they don't belong. They touch upon the challenges of presenting at conferences, where the internal dialogue of self-doubt might be at its loudest, yet they've learned to project confidence. The conversation also highlights the importance of understanding one's worth, emphasizing that it doesn't stem from external validation or the opinions of others. The hosts each share personal anecdotes, such as moments when they felt most vulnerable on stage, and how they've learned to navigate these feelings over time. This episode serves as a candid exploration of imposter syndrome, offering insights and encouragement to professionals from any field who might feel the same way.
| The STRIDE Controversy: Evolution vs. Extinction in Security Models | 13 Nov 2024 | 00:41:11 | |
We discuss a controversial LinkedIn post claiming "Threat Modeling is Dead." While the STRIDE methodology may need updating, it remains a valuable "gateway" tool for teaching security concepts to developers without security backgrounds. We discuss how STRIDE serves as a useful categorization system, emphasize that dogmatic approaches to threat modeling are problematic, and argue that what matters most are results rather than strict adherence to any particular methodology. Our conclusion: STRIDE is still alive and relevant, but it could benefit from an update to demonstrate its continued applicability.
| The Return on Investment of Threat Modeling | 29 Aug 2023 | 00:33:49 | |
The Security Table team discusses the importance of data and metrics in understanding and communicating risk. After Matt defines ROI, Izar emphasizes that while data is crucial, it doesn't always come in numerical form. Instead, risk can be expressed in various ways, such as trends, and doesn't necessarily need to be quantified in traditional terms. Chris stresses that executives need tangible metrics and data to make informed decisions, especially when communicating with legal teams and other stakeholders.
| Jim Manico ❤️ Threat Modeling: The Untold Story | 22 Aug 2023 | 00:56:19 | |
Jim Manico joins Chris, Matt, and Izar at the Security Table for a rousing discussion on his Threat Modeling journey. They also learn about each other's thoughts about DAST, SAST, SCA, Security in AI, and several other topics. Jim is an educator at heart, and you learn quickly that he loves application security. Jim is not afraid to drop a few controversial opinions and even a rap!
| Secure by Design | 15 Aug 2023 | 00:39:27 | |
"Secure by Design" has garnered attention with the release of a document by CISA. What does it mean? How does it fit with Threat Modeling? And will Secure by Design answer our need for secure software?
| Security Champions as the Answer to Engineering Hating Security | 01 Aug 2023 | 00:43:54 | |
What happens when engineers transform into security champions? Is this beneficial, and what are the implications of this transformation? Izar reveals his transition from a naysayer to a supporter of security champions, and Chris and Matt seek to understand his current position. They explore the position of Security Champion and discuss the components of a good security champion program.