The Security Table

Matt, Izar, and Chris delve into the complexities of open source security. They explore the topics of trust, vulnerabilities, and the potential infiltration by malicious actors. They emphasize the importance of proactive security measures, the challenges faced by maintainers, and propose solutions like improved funding models and behavior analysis for enhancing security within the open source ecosystem.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Matt, Izar, and Chris take issue with a controversial blog post that criticizes STRIDE as being outdated, time-consuming, and does not help the right people do threat modeling. The post goes on to recommend that LLMs should handle the task. The trio counters these points by highlighting STRIDE's origin, utility, and adaptability. Like any good instrument, it is important to use the right tools in the right context. They also touch upon the common misconceptions about threat modeling, the misuse of tools like the Microsoft Threat Modeling Tool, and the benefits of collective threat modeling practices. Throughout, they defend the foundational role of STRIDE in threat modeling, promote the value of including diverse perspectives in the threat modeling process, and encourage looking beyond narrow toolsets to the broader principles of threat analysis.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Chris, Matt, and Izar discuss a recent Secure by Design Alert from CISA on eliminating SQL injection (SQLi) vulnerabilities. The trio critiques the alert's lack of actionable guidance for software manufacturers, and they discuss various strategies that could effectively mitigate such vulnerabilities, including ORMs, communicating the why, and the importance of threat modeling. They also explore potential ways to improve the dissemination and impact of such alerts through partnerships with organizations like OWASP, the various PSIRTs, and ISACs, and leveraging threat intelligence effectively within AppSec programs. Ultimately, the trio wants to help CISA maximize its effectiveness in the software security industry.Link to CISA SQLi Alert:Secure by Design Alert: Eliminating SQL Injection Vulnerabilities in Software -- https://www.cisa.gov/sites/default/files/2024-03/SbD%20Alert%20-%20Eliminating%20SQL%20Injection%20Vulnerabilities%20in%20Software_508c.pdfFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Dive into the contentious world of AI in software development, where artificial intelligence reshapes coding and application security. We spotlight the surge of AI-generated code and the incorporation of copy-pasted snippets from popular forums, focusing on their impact on code quality, security, and maintainability. The conversation critically examines the diminishing role of traditional quality assurance measures versus the growing reliance on automated tools and AI, highlighting potential compromises between development speed and security integrity.The discussion broadens to consider the future of software security tools in an AI-dominated era, questioning whether AI-generated code could make static application security testing (SAST) tools obsolete or introduce new challenges requiring more human oversight. The debate intensifies around the trustworthiness of AI in handling complex business logic and security policies without introducing vulnerabilities.The dialogue concludes by reflecting on the balance between innovation and caution in software development. As AI advances, the conversation centers on ensuring it enhances rather than compromises application security, offering insights, anecdotes, and a dose of humor along the way. Stay tuned for more thought-provoking discussions on the intersection of AI and software security.Helpful Links:Article: "New study on coding behavior raises questions about impact of AI on software development" at GeekWire -- https://www.geekwire.com/2024/new-study-on-coding-behavior-raises-questions-about-impact-of-ai-on-software-development/FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Matt, Chris, and Izar talk about ensuring security within the developer toolset and the developer experience (DevEx). Prompted by a recent LinkedIn post by Matt Johansen, they explore the concept of "secure by default" tools. The conversation highlights the importance of not solely relying on tools but also considering the developer experience, suggesting that even with secure tools, the ultimate responsibility for security lies with the developers and the organization.The trio also discusses the role of DevEx champions in advocating for security within development processes, emphasizing the need for a balance between security and usability to prevent developers from seeking workarounds. They touch upon integrating security into the developer workflow, known as "shifting left," and the potential downsides of overburdening developers with security responsibilities.There's a recurring theme of the complexity and challenges in achieving a "secure by default" stance, acknowledging the difficulty in defining and implementing this concept. The conversation concludes with an acknowledgment that while progress is being made in understanding and implementing security within DevEx, there's still a long way to go, and the need for further clarification and discussion on these topics is evident.Matt Johansen's Original Post:https://www.linkedin.com/posts/matthewjohansen_i-really-feel-like-a-lot-of-security-problems-activity-7170811256856141825-lKyxFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Chris, Izar, and Matt tackle the first point of the recent White House report, "Back to the Building Blocks: a Path toward Secure and Measurable Software." They discuss the importance of memory safety in software development, particularly in the context of critical infrastructure. They also explore what memory safety means, citing examples like the dangers of using C over safer alternatives such as Java, Rust, or Go.The debate covers the effectiveness of government recommendations on software development practices, the role of memory safety in preventing security vulnerabilities, and the potential impact on industry sectors reliant on low-level programming languages like C and C++. The dialogue highlights different perspectives on the intersection of government policy, software development, and cybersecurity, providing valuable insights into the challenges and importance of adopting memory-safe programming practices.Helpful Links:BACK TO THE BUILDING BLOCKS: A PATH TOWARD SECURE AND MEASURABLE SOFTWARE - https://www.whitehouse.gov/wp-content/uploads/2024/02/Final-ONCD-Technical-Report.pdfDance Your PhD 2024 winner, WELI, Kangaroo Time: https://youtu.be/RoSYO3fApEcFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Matt, Izar, and Chris discuss the impact of fear, uncertainty, and doubt (FUD) within cybersecurity. FUD is a double-edged sword - while it may drive awareness among consumers, it also leads to decision paralysis or misguided actions due to information overload. The saturation of breach reports and security threats also desensitizes users and blurs the line between vigilant security practices and unnecessary panic. Fear-based security strategies do not foster a secure environment.The proliferation of smart devices and the internet of things (IoT) make many everyday objects potential targets for cyber-attacks. However, media sensationalism surrounds these vulnerabilities, and there is a lack of follow-through in educating consumers about realistic risks and protective measures. This gap underscores the need for reliable sources of cybersecurity info that can cut through the FUD, offering actionable insights rather than contributing to fear.They also explore the practice of weaponizing security in competitive markets. Some companies leverage security breaches, or the lack thereof, to differentiate themselves in the marketplace. These marketing strategies highlight "superior" security features while pointing out competitors' breaches. While such tactics might draw attention to security considerations, they also risk confusing what constitutes meaningful cybersecurity practices. The industry needs to balance competitive advantage with ethical responsibility and consumer education. Who will fill the gap?FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Prompted by fan mail, Chris, Izar, and Matt engage in a role-playing scenario as a VP of engineering, a security person, and a product manager. They explore some of the challenges and competing perspectives involved in prioritizing application security. They highlight the importance of empathy, understanding business needs and language, and building relationships within an organization while dealing with security threats and solutions. They end with insights into the role of AI in AppSec, its prioritization, and its limitations.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Matt, Izar, and Chris have a lively discussion about how security experts perceive open-source software. Referencing a post that described open source as a 'hive of scum and villainy,' the team dissects the misconceptions about open source software and challenges the narrative around its security. They explore the complexities of the software supply chain, the notion of 'inheritance' when it comes to security vulnerabilities, and the impact of transitive dependencies. They also discuss reputation systems, dependency injection, and the reality of accepting responsibility for incorporated software packages and their security issues. Tune in for these and other thoughtful insights about the interplay between open source solutions and security aspects in software development.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Threat modeling expert Adam Shostack joins Chris, Izar, and Matt in this episode of the Security Table. They look into threat actors and their place in threat modeling. There's a lively discussion on risk management, drawing the line between 'thinking like an attacker' and using current attacker data to inform a threat model. Adam also suggests that we must evaluate if risk assessments serve us well and how they impact organizations on various levels. The recurring theme is the constant need for evolution and adaptation in threat modeling and risk management processes. You can tune in to get a rich perspective on these key cybersecurity topics.LinkThreat Modeling Manifesto: https://www.threatmodelingmanifesto.org/Threat Modeling Capabilities: https://www.threatmodelingmanifesto.org/capabilities/Threats: What Every Engineer Should Learn From Star Wars by Adam Shostack - https://threatsbook.com/FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Izar, Matt, and Chris discuss the effectiveness of bug bounty programs and delve into topics such as scoping challenges, the ethical considerations of selling exploits, and whether it is all just bug bounty theater. The hosts share their insights and opinions on the subject, providing a thought-provoking discussion on the current state of bug bounties in the security industry.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

This week around the Security Table Matt, Izar and Chris discuss the recently-published Threat Modeling Capabilities document. They explore how capabilities serve as measurable goals that organizations either possess or lack, contrasting the binary nature of capabilities with the continuum of maturity. The team shares insights on the careful definition and measurement of each capability, highlighting the creative debates and diverse perspectives that enriched the document.They also emphasize the collaborative effort behind the document's creation. The process mirrors the successful teamwork from the Threat Modeling Manifesto, showcasing the enjoyment and effectiveness of their work together.Finally, the team reflects on their journey from the project's start to the release of the Threat Modeling Capabilities document. They share personal stories and the collaborative spirit that led to the project's success, inviting feedback from the community to refine and improve the document further.LinksThreat Modeling Manifesto: https://www.threatmodelingmanifesto.org/Threat Modeling Capabilities: https://www.threatmodelingmanifesto.org/capabilities/FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Chris, Izar, and Matt address the complexities of open-source component usage, vulnerability patches, civic responsibility, and licensing issues in this Security Table roundtable. Sparked by a LinkedIn post from Bob Lord, Senior Technical Advisor at CISA, they discuss whether software companies have a civic duty to distribute fixes for vulnerabilities they discover in open-source components. They also examine if there is a need to threat model every third-party component and consider the implications of certain licenses for security patches. This is a discussion that needs to be had by anyone using open-source components in their code. Listen in and engage as we learn and think through this important issue together!Links:Bob Lord’s post about Open Source Responsibility:https://www.linkedin.com/posts/lordbob_just-a-quick-thought-on-open-source-if-you-activity-7146137722095558657-z_RIFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Join us for the final episode of The Security Table for 2023. Chris, Izar, and Matt answer fan mail, make fun predictions for the upcoming year, discuss their resolutions for improving cybersecurity, and make a call to action to global listeners. Highlights include the reach of the podcast, explaining Large Language Models (LLMs), Quantum LLMs, Software Bill of Materials (SBOM), and the importance of teaching secure coding from high school level up. Chris, Izar, and Matt share their passion for making cybersecurity more accessible, practical, and effective through critical discussions and innovative ideas.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Sander Schulhoff of Learn Prompting joins us at The Security Table to discuss prompt injection and AI security. Prompt injection is a technique that manipulates AI models such as ChatGPT to produce undesired or harmful outputs, such as instructions for building a bomb or rewarding refunds on false claims. Sander provides a helpful introduction to this concept and a basic overview of how AIs are structured and trained. Sander's perspective from AI research and practice balances our security questions as we uncover where the real security threats lie and propose appropriate security responses.Sander explains the HackAPrompt competition that challenged participants to trick AI models into saying "I have been pwned." This task proved surprisingly difficult due to AI models' resistance to specific phrases and provided an excellent framework for understanding the complexities of AI manipulation. Participants employed various creative techniques, including crafting massive input prompts to exploit the physical limitations of AI models. These insights shed light on the need to apply basic security principles to AI, ensuring that these systems are robust against manipulation and misuse.Our discussion then shifts to more practical aspects, with Sander sharing valuable resources for those interested in becoming adept at prompt injection. We explore the ethical and security implications of AI in decision-making scenarios, such as military applications and self-driving cars, underscoring the importance of human oversight in AI operations. The episode culminates with a call to integrate lessons learned from traditional security practices into the development and deployment of AI systems, a crucial step towards ensuring the responsible use of this transformative technology.Links:Learn Prompting: https://learnprompting.org/HackAPrompt: https://www.hackaprompt.com/Ignore This Title and HackAPrompt: Exposing Systemic Vulnerabilities of LLMs through a Global Scale Prompt Hacking Competition: https://paper.hackaprompt.com/FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Join Izar, Matt, and Chris in a broad discussion covering the dynamics of the security community, the evolving role of technology, and the profound impact of social media on our lives. As the trio considers what they are most thankful for in security, they navigate a series of topics that blend professional insights with personal experiences, offering a unique perspective on how these elements intersect in the modern world.Chris begins by highlighting the importance of collaboration and learning within the ever-expanding security community. Shifting to broader security concerns, Izar emphasizes the value of mentoring and the potential for institutionalizing it through platforms like OWASP. Matt critiques over-relying on AI. He advocates for tool-assisted solutions rather than tool-performed ones and stresses the importance of accurately representing AI's capabilities.In a particularly engaging segment, the panelists explore the influence of social media and technology on personal well-being. They share anecdotes and observations on the pursuit of simplicity in a tech-driven world, discussing the concept of 'social media sobriety' and social media's impact on happiness. They conclude with a collective call to action, urging viewers to engage in positive change through volunteering, mentoring, and contributing to open-source projects. This discussion is a must-watch for anyone interested in the intersection of technology, security, and societal trends.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Patrick Garrity joins the Security Table to unpack CVSS 4.0, its impact on your program, and whether or not it will change the game, the rules of how the game is played, or maybe the entire game.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Aditi Sharma joins Matt, Izar, and Chris around the Security Table to discuss Software Bill of Materials (SBOMs). The team discusses potential advantages as well as challenges of SBOMs in different contexts such as SaaS solutions, physical products, and internal procedures. The episode also explores the importance of knowing what software components a company is consuming and the significance of SBOM for vulnerability management and risk posture. The team concludes by stressing that while SBOM has great potential value, the value realization is still a work in progress.Links:Chris' LinkedIn post about the SBOM cycle: https://www.linkedin.com/posts/securityjourney_where-is-the-part-where-the-vulnerabilities-activity-7128757968740777986-0PQVFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Join Chris, Matt, and Izar for a lively conversation about an article that offers 20 points of "essential details" to look for in a Software Bill of Materials (SBOM). They dissect and debate various points raised in the article, including generating SBOMs, the necessary components, and how to gauge the quality of this digital inventory. Their critique is both insightful and humorously candid, and they will offer you a tour through the often complex world of software documentation.Hear about topics ranging from open source dependency tree, the necessity – or not – of manual SBOM generation, and the importance of a Vulnerability Exploitability Exchange (VEX) document alongside an SBOM. You will hear why they think an SBOM with a VEX can transform and simplify risk assessment procedures by providing clear and actionable insights for threat management. Links:Forbes: 20 Tech Experts Share Essential Details To Look For In An SBOMhttps://www.forbes.com/sites/forbestechcouncil/2023/10/09/20-tech-experts-share-essential-details-to-look-for-in-an-sbom/FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Matt, Chris, and Izar discuss the recently published "NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations." They review each point and critically analyze the document's content, pointing out areas where the terminology might be misleading or where the emphasis should be shifted. As they work through the top ten list, several trends and larger conversations appear out of the individual points. The trio delves into the nuances of system configurations, emphasizing the risks associated with default settings that expose insecure protocols. Systems should not provide options that are inherently insecure! They also touch upon the challenges of network segmentation in the era of software-defined networking and the implications of poor patch management. They highlight the importance of understanding the difference between configuration problems and design flaws, particularly in password management and storage. The discussion provides insights into the complexities of cybersecurity and the challenges of ensuring that systems are both user-friendly and secure. The dynamic exchange underscores the importance of continuous learning and adaptation in the ever-evolving field of cybersecurity.Helpful Links:NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations     https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278aFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!