Appsec Roundup - August 2024
The most important stories around threat modeling, appsec and secure by design for August, 2024.
Threat Modeling
- Brett Crawley released Threat Modeling Gameplay with EoP: A reference manual for spotting threats in software architecture, published by Packt, a full book on the game. Awesome! (I was honored to write the Foreword.)
- In a blog post at Forbes, Zak Doffman discusses a New Warning As ‘Spike’ In GPS Spoofing Attacks Hit Passenger Planes, citing a rise from 200 daily incidents to 900 in Q2, 2024. It’s really nice to see quantified rates, and this echoes a theme: the threat to GPS location is growing.
- Chris Martorella of Miro has released a template, Threat Modeling - STRIDE on their platform.
- The Australian government led a coalition that released Best Practices for Event Logging and Threat Detection. It’s probably useful for reviewing operational logging practice, despite a focus on APTs (to the exclusion of ransomware or other attackers) and a confusion about the relationship of “baseline” to “best.”
Appsec
- Crowdstrike released what they call an RCA. Before they did, I said I’d judge it based on clarity, depth and scope, and it fails on all three. There’s no “five whys,” and there’s no discussion of management choices or funding. Rushing root cause work gets you shallow analyses, and shallow analyses get you shallow improvement.
- Narrowing the Software Supply Chain Attack Vectors: The SSDF Is Wonderful but not Enough by Laurie Williams (from March, but I’d missed it).
- Simon Tatham lists Code review antipatterns, none of which specifically mention security, but code reviews are often associated with security, and the “Late breaking design review” pattern certainly ties into threat modeling either done or communicated badly.
AI
- Mike Privette released an AI Security Shared Responsibility Model. I’m sad that it excludes “AI-enabled products,” but happy the exclusion is explicit.
- Google Deepmind released a paper and post, Mapping the misuse of generative AI. It’s an interesting taxonomy. I’m skeptical that ‘analyzing media reports’ is the right path to a frequency count, but it’s tempting to say that, lacking AI incident reporting and a Bureau of Cyber Public Health, it’s all we can reasonably get. I have a list of incident databases in my lessons learned resource page.
Shostack + Associates updates
- Adam will be keynoting ThreatModCon San Francisco (Sept 28-29), immediately after OWASP Global Appsec... and we’ll have our first ever trade show booth! We hope to see you there.
- Also, our fall is filling up with training deliveries, so if you’re considering doing something, now is a great time to get on the schedule.
- Lastly, each year large companies come to us wanting to spend budget by the end of the year. We usually make it work, but contracting often leads to delays. We’ve had customers for whom that phase takes 90 days or longer, and so if you think you’d like to invest in threat modeling training, why not reach out and get started?
Image by Midjourney: “a photograph of a robot, sitting in a library, working on a jigsaw puzzle”