Appsec Roundup - July 2024
The most important stories around threat modeling, appsec and secure by design for June, 2024.
Threat Modeling
- The ThreatModCon team wrote up a ThreatModCon Lisbon recap.
- This analysis of The Problem With Google docs is fascinating from a threat modeling perspective in part because Steve breaks down the relationship between the work being done and the records being created. That problem isn’t unique to threat modeling, but threat modeling has it in spades. Ignoring it, the enormous amount of work to address it, or the “project hero” solution leads us to mis-understand threat modeling.
- Hendrik presents The Fortunately ⇆ Unfortunately of Fortunately ⇆ Unfortunately #meta.
- Loren Kohnfelder writes about Crowdstrike and the threat of friendly fire
Appsec
The Crowdstrike incident is fascinating and there’s a lot of commentary out there. I have uninformed opinions about the validation performed on content updates by the clients, and the choice to load data directly into a kernel module. But much more informed is The 2024 CrowdStrike Incident - Simply Explained by Patrick McCormack. Mr. McCormack was head of platform engineering at Crowdstrike until last year. I look forward to the full root causes analysis. I expect to judge that on clarity, depth (does it do at least a “Five Whys?”) and scope (does it cover management choices including funding for engineering and QA), and assignment of responsibility (does it throw the intern under the bus?).
Also notable about the incident is that there are widely varying estimates of the impact in terms of cost and other impacts. In cost, Coalition says $0.96B globally, while Parametrix says $5.4B in the Fortune 500 alone. Estimates of impacted systems widely quote an 8.7 million hosts number from Microsoft. I expect that’s from Windows Error Reporting, which is a lower bound because many or most enterprises turn it off. There are claims that it’s the “biggest incident ever,” but there were worms like Blaster and Slammer that infected more systems and also had a very large impact. All of these lead me to say that a Bureau of Cyber Statistics or a Bureau of Cyber Public Health could help us by analyzing and providing context.
AI
Open AI released an “instruction hierarchy” approach, and Wunderwuzzi promptly broke it: Breaking Instruction Hierarchy in OpenAI's gpt-4o-mini.
Regulation
Making Attestation Work for Software Security, by Jim Dempsey, Steven B. Lipner, James Andrew Lewis in Lawfare. I’d extend what they say by adding a requirement that attestation involve showing high level threat models, or saying “we don't have these yet” or “we can't show our threat models because they identify unaddressed issues.” Wouldn’t you prefer to be able to understand where your suppliers stand?
Shostack + Associates updates
Our fall is filling up with training deliveries, so if you’re considering doing something, now is a great time to get on the schedule.
Also, each year big organizations come to us wanting to spend budget by the end of the year. We can help. We can absolutely deliver access codes for self-pace training and we’ve done some creative things to help customers. The delay is often contracting. We’ve had customers for whom that takes 90 days or longer, and so if you think you’ll have unspent budget, why not reach out and get that started?
Image by Midjourney: “a photograph of a robot, sitting in a library, working on a jigsaw puzzle --as 8:3”