Appsec Roundup - Oct 2024
If you say liability three times, it appears!
Secure by Design, threat modeling and appsec
- Loren Kohnfelder wrote a longish, excellent post Flaunt your threat models. We’ve been talking about this, and I think flaunting models at the level of the one released by Curl makes so much sense it’s hard to see why it’s not standard.
- Google has released information on their Secure by Design commitment, including a blog and white paper.
- The producers of Transmit have said that it’s the End of the Road for Google Drive in Transmit, because of the costs of Cloud Application Security Assessments.
Regulation
- The European Parliament has passed a directive on liability for defective products. As a non-lawyer, I don’t understand what “liability without fault” means, but quick searches indicate that it’s equivalent to strict liability. Also, I’ll note that this seems to apply even to open source software, if there’s a ‘commercial activity.’ (See para 14 on page 7.) Tom Uren describes it as “By contrast, the EU has chosen to set very stringent standards for product liability, apply them to people rather than companies, and let lawyers sort it all out.”
- The BSI (Germany’s Cyber Agency) has released BSI TR-03183: Cyber Resilience Requirements for Manufacturers and Products, which “aims to provide manufacturers with advance access to the type of requirements that will be imposed on them by the future Cyber Resilience Act (CRA) of the EU.” I’m not going to do a full review, but I’ll note that it’s unfortunate that section 4.2.1 requires that the TOE contain both threats and threat agents. As I’ve documented in Threat Modeling: Designing for Security, that’s not a good use of time or energy. A similar point can be made about requiring an estimate of the probability of relevant threats.
Games
- SemGrep released Tanya Janca’s Cards Against Appsec, a Cards Against Humanity variant.
- Colin Watson, creator of Cornucopia, sent me Cornucopia Digital Benefits and Disbenefits, a serious game focused on delivering social benefits. It uses many of his Cornucopia enhancements to the EoP design, and is the first “second generation” derivative.
- Michael Novack released Byte Club: “The learning goal is for anyone to understand the fundamentals of cybersecurity activities so they can understand any cyber event/news.”
- Learned about Data Breach; it turns out there are two games with the same name!
Shostack + Associates updates
- We did our first ever trade show booth at ThreatModCon San Francisco! Adam participated in the keynote, and we talked to lots of folks about how we can help them threat model. (If we can help you, please don’t hesitate to reach out.)
- We’re launching a course, Scaling Threat Modeling, and there’s a survey at the end of that blog announcement.
Image by Midjourney: “a photograph of a robot, sitting in a library, working on a jigsaw puzzle”