Security Engineering roundup - May 2024

The most important stories around threat modeling, appsec and secure by design for May, 2024.

a photograph of a robot, sitting in a library, working on a jigsaw puzzle

A memorial service for Ross Anderson will be held June 22 in Cambridge. Bruce Schneier wrote an obituary for Ross at CACM. I’m told there will be a way to view the service remotely, and will add it here.

Threat Modeling

Ron Thompson and co-authors have released "There are rabbit holes I want to go down that I'm not allowed to go down": An Investigation of Security Expert Threat Modeling Practices for Medical Devices, an academic interview study.
Loren Kohnfelder talks about how “We understand software security best through specific threats and mitigations, articulated by threat models shared openly. Without this context we avoid much needed meaningful security discussions” in Better security discussions.
Solar storms are going to get more common, and that means if you have GPS dependencies, you should be thinking about what both accidental and deliberate GPS issues do to your system. You might think of these as tampering or denial of service. (Prompted by Solar Storm Knocks Out Farmers' Tractor GPS Systems.)

Appsec

The OpenSSF released their Compiler Options Hardening Guide for C and C++. It's very good, and I hate that people need to read it. I'd like to see more than good documentation, I’d GCC + Clang options such as -security-openssf-current, -security-openssf-2024a, or even -no-security-openssf that does the right thing. The various forms could clear how the right thing is being defined, as current (most secure) or by date (least likely to break something). This is more than a random opinion, I’ve been talking about the problem, as it turns out, for almost a full twenty years, going back to a 2004 blog, Ranum on the root of the problem.

Regulation

The UK Government has solicited views on the Code of Practice for Software Vendors, which is open through 10 July.
In the US, Steve Lipner has a long article in Lawfare, Incentives for Improving Software Security: Product Liability and Alternatives.
Lastly, CISA has announced a set of vendors who are committing to secure design.

Shostack + Associates updates

We have upcoming open trainings at OWASP Global AppSec Lisbon June 25-26 and >Blackhat, August 3-4 and August 5-6.
Adam will be speaking at ThreatModCon Lisbon, and Shostack + Associates is sponsoring. We have discount codes to give out, contact us!
Also, the magic is back... Magic Security Dust that is. (Our training magic never left.) Visit Agile Stationery to order, the website will be updated soon to reflect the new stock.

Image by Midjourney: “a photograph of a robot, sitting in a library, working on a jigsaw puzzle --ar 8:3”

Originally published by Adam on 30 May 2024
Categories: application security software engineering security