Shostack + Friends Blog


Appsec Roundup - Oct 2024

If you say liability three times, it appears!

Secure by Design, threat modeling and appsec

Regulation

  • The European Parliament has passed a directive on liability for defective products. As a non-lawyer, I don’t understand what “liability without fault” means, but quick searches indicate that it’s equivalent to strict liability. Also, I’ll note that this seems to apply even to open source software, if there’s a ‘commercial activity.’ (See para 14 on page 7.) Tom Uren describes it as “By contrast, the EU has chosen to set very stringent standards for product liability, apply them to people rather than companies, and let lawyers sort it all out.”
  • The BSI (Germany’s Cyber Agency) has released BSI TR-03183: Cyber Resilience Requirements for Manufacturers and Products, which “aims to provide manufacturers with advance access to the type of requirements that will be imposed on them by the future Cyber Resilience Act (CRA) of the EU.” I’m not going to do a full review, but I’ll note that it’s unfortunate that section 4.2.1 requires that the TOE contain both threats and threat agents. As I’ve documented in Threat Modeling: Designing for Security, that’s not a good use of time or energy. A similar point can be made about requiring an estimate of the probability of relevant threats.

Games

The games I got in October
  • Semgrep released Tanya Janca’s Cards Against Appsec, a Cards Against Humanity variant.
  • Colin Watson, creator of Cornucopia, sent me Cornucopia Digital Benefits and Disbenefits, a serious game focused on delivering social benefits. It uses many of his Cornucopia enhancements to the EoP design, and is the first “second generation” derivative.
  • Michael Novack released Byte Club: “The learning goal is for anyone to understand the fundamentals of cybersecurity activities so they can understand any cyber event/news.”
  • Learned about Data Breach; it turns out there are two games with the same name!

Shostack + Associates updates

  • We did our first ever trade show booth at ThreatModCon San Francisco! Adam participated in the keynote, and we talked to lots of folks about how we can help them threat model. (If we can help you, please don’t hesitate to reach out.)
  • We’re launching a course, Scaling Threat Modeling, and there’s a survey at the end of that blog announcement.

Image by Midjourney: “a photograph of a robot, sitting in a library, working on a jigsaw puzzle”