Appsec Roundup - Jan 2025
An exciting month, with new threat modeling tools, cool thoughts on STAMP, bounds checking, ADRs and more!

![a photograph of a robot, sitting in a library, working on a jigsaw puzzle](/images/blog/img/2024/appsec-roundup-oct-2024-1000w.png)
What a month! Even the appsec world was eventful, with new threat modeling tools, a self-servingly dramatic fork of semgrep, and oh, let's not talk about “regulation.” Oh, fine, let's, but only towards the end.
Secure by Design and threat modeling
- Hendrik Ewerlin shared ThreatPad, a lightweight editor with some nice prompts. (It could use more emojis, somehow. 😉)
- Guardio is another lightweight tool for recording threats.
- Generating 1000 Threat Models Using Gemini 2.0 and AI Security Analyzer by xvnpw. Fascinating.
- The Evolution of SRE at Google: Using STAMP to improve resilience in Google production systems is fascinating. I think one of the advantages of rebuilding tech stacks the way Google does is that it gives you a chance to think about interfaces and the optionality they give a caller. The models that evolved for successful interactive computing have very flexible interfaces, where adding controls and ensuring they do what you want is hard.
Appsec
- Story-time: C++, bounds checking, performance, and compilers by Chandler Carruth.
- How to create Architectural Decision Records (ADRs) — and how not to and How to review Architectural Decision Records, both by Doc SoC from April 2023, which I'd missed at the time.
- What’s going on with (Sem|open)grep? by Josh Grossman and relatedly Opengrep - The Security Industry Deserves Better by Mark Curphey.
Regulation
- HHS proposes major overhaul of HIPAA security rule by Jim Dempsey gives an overview of a proposed update to the regulation for hospitals and other HIPAA-covered entities.
- Secure by Demand: Priority considerations for operational technology owners and operators when selecting digital products (I like the Australian version, in HTML.)
- The final Biden executive order on cyber is out, and this Reuters article (As China hacking threat builds, Biden to order tougher cybersecurity standards) gives some good context: “Biden's proposal calls for tougher standards for secure software development, the ability to verify that those standards have been met, and a process for the Cybersecurity and Infrastructure Security Agency (CISA) to evaluate the process, according to the draft.” And while that's a lot of process, it reflects a growing perception that the “impose costs” team has failed to score a goal, and the “norms” people have been hoist with their own peTAOrd.
As of this writing on Feb 3, neither the HIPAA proposal nor the executive order seems to have been cancelled, and Joe Menn reports that the cybersecurity one may not be.
Books
I’m enjoying Medical Device Cybersecurity for Engineers and Manufacturers, Second Edition by Axel Wirth, Christopher Gates and Jason Smith. I expect to write up a fuller review, but it’s an excellent broad overview. Wish I’d had it when I started collaborating with the FDA.
Shostack + Associates updates
- We delivered a new mini-course overlay, “Facilitating Effective Threat Modeling” for a longtime customer. The course helps experienced threat modelers add nuance to their practice as they support their teams.
- My paper, Who are we: Power Centers in Threat Modeling was accepted for Rossfest.
- Our Quad paper, Lessons for Cybersecurity from the American Public Health System was released by the Computing Research Association.
- The final version of Handling Pandemic-Scale Cyber Threats: Lessons from COVID-19 was added to the ACM library.
- At RSA, Adam and Tanya Janca will be presenting “Red Teaming AI: 50 Years of Failure, But This Time, For Sure!” (May 1, 10:50 AM).
Image by Midjourney: “a photograph of a robot, sitting in a library, working on a jigsaw puzzle”