Appsec Roundup - May 2025

Lots of fascinating threat model-related advances, new risk management tools, games, and more!

Patrick Opet, Chief Information Security Officer of JP Morgan Chase wrote an An open letter to third-party suppliers. Gunnar Peterson has some thoughts, as does Mike Schwartz. I like Mike’s suggestion of leveraging Capabilities (in the sense of unforgable access tokens), but not his new terminology.
Paco Hope has some insightful thoughts in on ways people get threat modeling wrong linkedin post, including assumptions that input is complete and correct, treating threat models as a deliverable, and the need for context.
He also has an article, Amazon S3 Shows How LLMs Get Things Wrong, because of the quantities of training data that have outdated information. That’s highly relevant to how a lot of people hope to use LLMs to threat model, but cuts much more broadly.
Archival video from Michael Howard presenting on threat modeling to Microsoft’s Trustworthy Computing Academic Advisory Board in 2003.

Jason Chan has a long article in TL;DRSec, Security for High Velocity Engineering, which is worth reading. One of the key points he makes is to focus on high-leverage work, which he defines as impact produced divided by time invested. There are two ways to do this, but the easier way is to drive down time investments through tooling and then ruthless process optimization. Many organizations have developed threat modeling programs that are paperwork-heavy and tedious, and it’s hard to get value from them. But if you drive down the time investment in ways that maintain value, then your leverage improves.

AIRiskButt is now launched, and I’m really impressed by the hard work that’s gone into it.

The UK has released a voluntary Software Security Code of Practice. It’s somewhat redundant. For example, it starts with “1.1 Follow an established secure development framework.” Then it continues with 1.2, do SCA and 1.3, follow secure by design principles. Is there a secure development framework that misses those things? If not, why are they there? Are they extra important? Are they more important than say, threat modeling? I don’t believe they are. Similarly, 3.3, detect and manage vulns in components seems like it overlaps with 1.2 “assess risks linked to the ingestion and maintenance of third-party components throughout the development lifecycle.” I encourage them to rebuild it to clearly state what’s addititive to established frameworks. That’s undifferentiated work, and the creators ought to do it once and authoritatively.

The Cyber
Attack Chain game

I got a copy of Cyber Attack Chain, and it came with a nice handwritten note.

Adam and Erik will be training at OWASP Global Appsec Barcelona (May 27-28). A few seats remain.
Adam will be giving the opening talk at ThreatModCon Barcelona, right after OWASP Global Appsec.
We’re delivering free training for displaced Federal workers. It’s a distributed, live instruction version of the course.
Adam will be training at Blackhat USA, Aug 2-3 or 4-5.

Image by Midjourney: “a photograph of a robot, sitting in a library, working on a jigsaw puzzle”

Originally published by Adam on 21 May 2025
Categories: application security software engineering security