Appsec Roundup - Nov 2024
A virtual feast of appsec!

The PDF version of Ross Anderson's Security Engineering is now freely available.
Secure by Design and threat modeling
- Android ‘Find My Device’ Has Gotten a Major Upgrade. Wired reports that “Android devices that are powered off or that have dead batteries can be located for “several hours” after they go dark. ... the phone needs specialized hardware that enables a low-power Bluetooth signal to be broadcast, even if the handset itself isn't turned on.” This is a fascinating threat to location privacy, and a change to what it means for a device to be powered off.
- "I'm Getting Information that I Can Act on Now": Exploring the Level of Actionable Information in Tool-generated Threat Reports by Alvi Jawad and colleagues is an academic usability study of MS Threat Modeling Tool and Threat Dragon.
- Interesting analysis of the role of anti-requirements in an essay, Reframing Security: Unveiling the Power of Anti-Requirements by Martin Mavaddat and a response, Insight of the year, by Loren Kohnfelder.
Appsec
- Yosh has an interesting Mastodon thread about how and why you can use RLBox, which compiles C++ to WASM for isolation, and is thoughtful about how it does so.
AI
- Dave Aitel wrote LLMs, Vulnerabilities, and the Quest for Understanding, in which he summarized a talk, LLMs FOR VULNERABILITY DISCOVERY: FINDING 0DAYS AT SCALE WITH A CLICK OF A BUTTON. It's a great summary of interesting work, and talks about how to get interesting results by having an LLM pretend to be a static analysis tool. It makes the interesting claim that one should avoid over-reliance on fine-tuning and RAG.
- Your AI Product Needs Evals, by Hamel Husain. I’ve been saying that structured evaluation will be the key to unlocking business value in AI.
Regulation
- Ron Müller-Knoche led the creation of Feedback to BSI on BSI TR-03185 Sicherer Software-Lebenszyklus for software development from a few of us at OWASP (link requires free access to the OWASP Slack).
Shostack + Associates updates
- We released Understanding The Four-Question Framework for Threat Modeling, a whitepaper on the Four-Question Framework.
- Adam spoke at JPL on Threat Modeling: Engineering and Science.
Image by Midjourney: “a photograph of a robot, sitting in a library, working on a jigsaw puzzle”