Application and AI roundup - Feb 2024
A busy month in appsec, AI, and regulation. Noted cryptographer Ari Juels has a new novel, The Oracle. (Update: Wendy Grossman has a review.)
Application Security
- Qualys found a set of local privilege escalation bugs in glibc that had gone unnoticed for 30 years.
- Zach Hanley of Horizon3 analyzed the Known Exploited Vulns list, found that 48% exploit “insecure exposed functions,” and concluded that Rust Won’t Save Us.
- Speaking of Rust, Speykious released CVE-rs, “Blazingly 🔥 fast 🚀 memory vulnerabilities, written in 100% safe Rust.”
AI
- A widely reported story, but: Air Canada's chatbot gave a B.C. man the wrong information. Now, the airline has to pay for the mistake.
Threat Modeling
- Corey Quinn has a good article, Are AWS account IDs sensitive information? He says: “I don’t particularly care whether or not the account IDs are sensitive, personally. If they are, great! If not, super! Just answer the question authoritatively so I can avoid the mental overhead of wondering.” It’s a great point, and while he doesn’t mention threat modeling, this is the sort of question that high-functioning threat modeling can identify and prioritize for resolution.
- The 2nd Threat Modeling Connect Hackathon is still open. I’ll give an opening keynote, and one of the prizes for the winning team is an Elevation of Privilege game with me.
Regulation
- NIST released CSF 2.0. Randy Sabett of law firm Cooley has a good summary. I’ll note that more than a decade after Marc Andreessen said “All companies are software companies,” CSF 2 treats software as a “supply chain” issue, not a core competency.
- The White House has released a paper, Future Software Should Be Memory Safe. Michal Zalewski (aka lcamtuf) has A reactionary take in which he questions the cost. Regardless, your management will increasingly care, and you need a plan.
Shostack + Associates updates
Open trainings: We have a one-day Essentials class at Archimedes in New Orleans (April 30), and two in-person Intensives at Black Hat (both two days), on Aug 3-4 or Aug 5-6.
And last but not least, my book Threats is available in Italian!
- A practical guide to writing secure applications, with the help of your favorite Jedi masters, Sith, and droids.
- The main cyber threats every engineer should know.
- Simple software security frameworks to integrate into your own systems.
- Strategies for building secure systems for large teams.
- Strategies hackers use to break into systems.
Image by Midjourney: “A robot that looks shocked and outraged by what it's reading. The background is a library lined with books. The image is cinematic, dramatic, professional photography, studio lighting, studio background, advertising photography, intricate details, hyper-detailed, 8K UHD --ar 8:3 --v 6.0”