The Security Table Izar Tarandach, Matt Coles, and Chris Romeo

Matt, Izar, and Chris take issue with a controversial blog post that criticizes STRIDE as being outdated, time-consuming, and does not help the right people do threat modeling. The post goes on to recommend that LLMs should handle the task. The trio counters these points by highlighting STRIDE's origin, utility, and adaptability. Like any good instrument, it is important to use the right tools in the right context. 

They also touch upon the common misconceptions about threat modeling, the misuse of tools like the Microsoft Threat Modeling Tool, and the benefits of collective threat modeling practices. Throughout, they defend the foundational role of STRIDE in threat modeling, promote the value of including diverse perspectives in the threat modeling process, and encourage looking beyond narrow toolsets to the broader principles of threat analysis.
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel
Thanks for Listening!

Chris, Matt, and Izar discuss a recent Secure by Design Alert from CISA on eliminating SQL injection (SQLi) vulnerabilities. The trio critiques the alert's lack of actionable guidance for software manufacturers, and they discuss various strategies that could effectively mitigate such vulnerabilities, including ORMs, communicating the why, and the importance of threat modeling. They also explore potential ways to improve the dissemination and impact of such alerts through partnerships with organizations like OWASP, the various PSIRTs, and ISACs, and leveraging threat intelligence effectively within AppSec programs. Ultimately, the trio wants to help CISA maximize its effectiveness in the software security industry.

Link to CISA SQLi Alert:
Secure by Design Alert: Eliminating SQL Injection Vulnerabilities in Software -- https://www.cisa.gov/sites/default/files/2024-03/SbD%20Alert%20-%20Eliminating%20SQL%20Injection%20Vulnerabilities%20in%20Software_508c.pdf
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel
Thanks for Listening!

Dive into the contentious world of AI in software development, where artificial intelligence reshapes coding and application security. We spotlight the surge of AI-generated code and the incorporation of copy-pasted snippets from popular forums, focusing on their impact on code quality, security, and maintainability. The conversation critically examines the diminishing role of traditional quality assurance measures versus the growing reliance on automated tools and AI, highlighting potential compromises between development speed and security integrity.

The discussion broadens to consider the future of software security tools in an AI-dominated era, questioning whether AI-generated code could make static application security testing (SAST) tools obsolete or introduce new challenges requiring more human oversight. The debate intensifies around the trustworthiness of AI in handling complex business logic and security policies without introducing vulnerabilities.

The dialogue concludes by reflecting on the balance between innovation and caution in software development. As AI advances, the conversation centers on ensuring it enhances rather than compromises application security, offering insights, anecdotes, and a dose of humor along the way. Stay tuned for more thought-provoking discussions on the intersection of AI and software security.

Helpful Links:
Article: "New study on coding behavior raises questions about impact of AI on software development" at GeekWire -- https://www.geekwire.com/2024/new-study-on-coding-behavior-raises-questions-about-impact-of-ai-on-software-development/
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel
Thanks for Listening!

Matt, Chris, and Izar talk about ensuring security within the developer toolset and the developer experience (DevEx). Prompted by a recent LinkedIn post by Matt Johansen, they explore the concept of "secure by default" tools. The conversation highlights the importance of not solely relying on tools but also considering the developer experience, suggesting that even with secure tools, the ultimate responsibility for security lies with the developers and the organization.

The trio also discusses the role of DevEx champions in advocating for security within development processes, emphasizing the need for a balance between security and usability to prevent developers from seeking workarounds. They touch upon integrating security into the developer workflow, known as "shifting left," and the potential downsides of overburdening developers with security responsibilities.

There's a recurring theme of the complexity and challenges in achieving a "secure by default" stance, acknowledging the difficulty in defining and implementing this concept. The conversation concludes with an acknowledgment that while progress is being made in understanding and implementing security within DevEx, there's still a long way to go, and the need for further clarification and discussion on these topics is evident.

Matt Johansen's Original Post:
https://www.linkedin.com/posts/matthewjohansen_i-really-feel-like-a-lot-of-security-problems-activity-7170811256856141825-lKyx
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel
Thanks for Listening!

Chris, Izar, and Matt tackle the first point of the recent White House report, "Back to the Building Blocks: a Path toward Secure and Measurable Software." They discuss the importance of memory safety in software development, particularly in the context of critical infrastructure. They also explore what memory safety means, citing examples like the dangers of using C over safer alternatives such as Java, Rust, or Go.

The debate covers the effectiveness of government recommendations on software development practices, the role of memory safety in preventing security vulnerabilities, and the potential impact on industry sectors reliant on low-level programming languages like C and C++. The dialogue highlights different perspectives on the intersection of government policy, software development, and cybersecurity, providing valuable insights into the challenges and importance of adopting memory-safe programming practices.

Helpful Links:

BACK TO THE BUILDING BLOCKS: A PATH TOWARD SECURE AND MEASURABLE SOFTWARE - https://www.whitehouse.gov/wp-content/uploads/2024/02/Final-ONCD-Technical-Report.pdf

Dance Your PhD 2024 winner, WELI, Kangaroo Time: https://youtu.be/RoSYO3fApEc


FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel
Thanks for Listening!

Matt, Izar, and Chris discuss the impact of fear, uncertainty, and doubt (FUD) within cybersecurity. FUD is a double-edged sword - while it may drive awareness among consumers, it also leads to decision paralysis or misguided actions due to information overload. The saturation of breach reports and security threats also desensitizes users and blurs the line between vigilant security practices and unnecessary panic. Fear-based security strategies do not foster a secure environment.

The proliferation of smart devices and the internet of things (IoT) make many everyday objects potential targets for cyber-attacks. However, media sensationalism surrounds these vulnerabilities, and there is a lack of follow-through in educating consumers about realistic risks and protective measures. This gap underscores the need for reliable sources of cybersecurity info that can cut through the FUD, offering actionable insights rather than contributing to fear.

They also explore the practice of weaponizing security in competitive markets. Some companies leverage security breaches, or the lack thereof, to differentiate themselves in the marketplace. These marketing strategies highlight "superior" security features while pointing out competitors' breaches. While such tactics might draw attention to security considerations, they also risk confusing what constitutes meaningful cybersecurity practices. The industry needs to balance competitive advantage with ethical responsibility and consumer education. Who will fill the gap?
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel
Thanks for Listening!