Application Security Roundup - January
So many interesting articles this month, from AI to an organization of socio-technical harms, fascinating incident reports about Uber and CircleCI, and some history of attack trees. Let me kick off with an entertaining and thoughtful adaptation of Maslow's Hierarchy of Needs, by Irfaan Santoe, The Hierarchy of Needs for Threat Modeling (IriusRisk blog), and I am not a supplier, in which Thomas Depierre objects to that label and its implications.
There are several very interesting retrospectives:
- CircleCI incident report for January 4, 2023 security incident (Rob Zuber, CircleCI)
- A blameless post-mortem of USA v. Joseph Sullivan (Ryan McGeehan) are both interesting incident analyses. McGeehan is admirably up-front about his relationship to Uber and Joe Sullivan.
From there, we come to three interesting academic articles:
- Do Users Write More Insecure Code with AI Assistants? (Neil Perry and colleagues on Arxiv) and a shorter summary from the Register. Even shorter: Yes — in flagrant violation of Betteridge's Law!
- Sociotechnical Harms: Scoping a Taxonomy for Harm Reduction (Renee Shelby and colleagues on Arxiv). An in-depth literature review and analysis of harms from algorithmic systems.
- Shooting the Messenger: Remediation of Disclosed Vulnerabilities as CFAA "Loss" (Riana Pfefferkorn). A law review article explaining that remediation costs should not count as CFAA costs.
Lastly, some history of attack trees. My understanding of their first formal writeup had been Ed Amoroso's 1994 book, but Alex Gantman shared a link to D. Weiss, "A System Security Engineering Process," Proceedings of the 14th National Computer Security Conference, 1991 (page 572), and Stuart Schecter pointed out that there's history back to at least 1961; that history is in his PhD thesis (Section 2.3.1).