Secure by Design roundup - April 2024
A less busy month in appsec, AI, and regulation, but still interesting storiesI’m going to kick off with two interesting engineering stories. First, the Washington Post reports on how Officials studied Baltimore bridge risks but didn’t prepare for ship strike that discusses the challenges of securing bridges against modern cargo ships. It turns out that additional barriers were a known tradeoff. “‘That’s a pretty tight channel,’ the former senior transportation official said. ‘You might actually create a hazard rather than mitigate one.’ From a cybersecurity perspective, we often struggle to reach the point where we’re evaluating tradeoffs. Second, Voyager 1 is talking again after JPL rewrote chunks of code to jump around, almost ROP style, to work around bad memory.
Regulation
Getting into the core roundup, the White House keeps leading with important news. This time, it’s Office of the National Cyber Director Convenes Professors & Think Tank Experts at a Legal Symposium on Software Liability. They wouldn’t bother with symposia like these if they weren’t serious about the liability options in the National Cyber Strategy.
AI
Kantega has released Elevation of MLSec, a card deck based on the Berryville Institute’s LLM ARA.
Application Security
- The Open Source Community is Building Cybersecurity Processes for CRA Compliance.
- John Viega has a long essay (15,000 words) on the technical benefits and tradeoffs of memory safe language adoption.
- Microsoft has doubled down on security, with an all-staff memo from CEO Satya Nadella saying “do security.” MSN story, a blog post from VP Charlie Bell, and an analysis by skeptic Kevin Beaumont. My own comment: the work at the secure by design end of the Secure Future Picture that Charlie presents is focused on “protect identity and secrets,” “protect tenants and isolate production,” and that’s a thin subset of how CISA thinks about secure by design, with their focus on memory safe language transitions, or how I think about threat modeling as informing design and redesign decisions.
Threat Modeling
Jamie Dicken presented Teaching Software Engineers to Threat Model: We Did It, and So Can You at RSA, and her talk made Security Boulevard’s 8 hot talks list.
Shostack + Associates updates
We released Magic Security Dust as an April Fool’s Day thing. We made a few and they sold out almost instantly. More are on the way, and I encourage you to get your orders in soon!
Image by Midjourney: “a cow is riding on the back of a horse. The cow is dressed as a cowboy with a hat and a lasso, and she is rounding up robots. there are lots of robots scuttling around”