Matt, Izar, and Chris take issue with a controversial blog post that criticizes STRIDE as being outdated, time-consuming, and does not help the right people do threat modeling. The post goes on to recommend that LLMs should handle the task. The trio counters these points by highlighting STRIDE's origin, utility, and adaptability. Like any good instrument, it is important to use the right tools in the right context. They also touch upon the common misconceptions about threat modeling, the misuse of tools like the Microsoft Threat Modeling Tool, and the benefits of collective threat modeling practices. Throughout, they defend the foundational role of STRIDE in threat modeling, promote the value of including diverse perspectives in the threat modeling process, and encourage looking beyond narrow toolsets to the broader principles of threat analysis.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Chris, Matt, and Izar discuss a recent Secure by Design Alert from CISA on eliminating SQL injection (SQLi) vulnerabilities. The trio critiques the alert's lack of actionable guidance for software manufacturers, and they discuss various strategies that could effectively mitigate such vulnerabilities, including ORMs, communicating the why, and the importance of threat modeling. They also explore potential ways to improve the dissemination and impact of such alerts through partnerships with organizations like OWASP, the various PSIRTs, and ISACs, and leveraging threat intelligence effectively within AppSec programs. Ultimately, the trio wants to help CISA maximize its effectiveness in the software security industry.Link to CISA SQLi Alert:Secure by Design Alert: Eliminating SQL Injection Vulnerabilities in Software -- https://www.cisa.gov/sites/default/files/2024-03/SbD%20Alert%20-%20Eliminating%20SQL%20Injection%20Vulnerabilities%20in%20Software_508c.pdfFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Dive into the contentious world of AI in software development, where artificial intelligence reshapes coding and application security. We spotlight the surge of AI-generated code and the incorporation of copy-pasted snippets from popular forums, focusing on their impact on code quality, security, and maintainability. The conversation critically examines the diminishing role of traditional quality assurance measures versus the growing reliance on automated tools and AI, highlighting potential compromises between development speed and security integrity.The discussion broadens to consider the future of software security tools in an AI-dominated era, questioning whether AI-generated code could make static application security testing (SAST) tools obsolete or introduce new challenges requiring more human oversight. The debate intensifies around the trustworthiness of AI in handling complex business logic and security policies without introducing vulnerabilities.The dialogue concludes by reflecting on the balance between innovation and caution in software development. As AI advances, the conversation centers on ensuring it enhances rather than compromises application security, offering insights, anecdotes, and a dose of humor along the way. Stay tuned for more thought-provoking discussions on the intersection of AI and software security.Helpful Links:Article: "New study on coding behavior raises questions about impact of AI on software development" at GeekWire -- https://www.geekwire.com/2024/new-study-on-coding-behavior-raises-questions-about-impact-of-ai-on-software-development/FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Matt, Chris, and Izar talk about ensuring security within the developer toolset and the developer experience (DevEx). Prompted by a recent LinkedIn post by Matt Johansen, they explore the concept of "secure by default" tools. The conversation highlights the importance of not solely relying on tools but also considering the developer experience, suggesting that even with secure tools, the ultimate responsibility for security lies with the developers and the organization.The trio also discusses the role of DevEx champions in advocating for security within development processes, emphasizing the need for a balance between security and usability to prevent developers from seeking workarounds. They touch upon integrating security into the developer workflow, known as "shifting left," and the potential downsides of overburdening developers with security responsibilities.There's a recurring theme of the complexity and challenges in achieving a "secure by default" stance, acknowledging the difficulty in defining and implementing this concept. The conversation concludes with an acknowledgment that while progress is being made in understanding and implementing security within DevEx, there's still a long way to go, and the need for further clarification and discussion on these topics is evident.Matt Johansen's Original Post:https://www.linkedin.com/posts/matthewjohansen_i-really-feel-like-a-lot-of-security-problems-activity-7170811256856141825-lKyxFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Chris, Izar, and Matt tackle the first point of the recent White House report, "Back to the Building Blocks: a Path toward Secure and Measurable Software." They discuss the importance of memory safety in software development, particularly in the context of critical infrastructure. They also explore what memory safety means, citing examples like the dangers of using C over safer alternatives such as Java, Rust, or Go.The debate covers the effectiveness of government recommendations on software development practices, the role of memory safety in preventing security vulnerabilities, and the potential impact on industry sectors reliant on low-level programming languages like C and C++. The dialogue highlights different perspectives on the intersection of government policy, software development, and cybersecurity, providing valuable insights into the challenges and importance of adopting memory-safe programming practices.Helpful Links:BACK TO THE BUILDING BLOCKS: A PATH TOWARD SECURE AND MEASURABLE SOFTWARE - https://www.whitehouse.gov/wp-content/uploads/2024/02/Final-ONCD-Technical-Report.pdfDance Your PhD 2024 winner, WELI, Kangaroo Time: https://youtu.be/RoSYO3fApEcFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Matt, Izar, and Chris discuss the impact of fear, uncertainty, and doubt (FUD) within cybersecurity. FUD is a double-edged sword - while it may drive awareness among consumers, it also leads to decision paralysis or misguided actions due to information overload. The saturation of breach reports and security threats also desensitizes users and blurs the line between vigilant security practices and unnecessary panic. Fear-based security strategies do not foster a secure environment.The proliferation of smart devices and the internet of things (IoT) make many everyday objects potential targets for cyber-attacks. However, media sensationalism surrounds these vulnerabilities, and there is a lack of follow-through in educating consumers about realistic risks and protective measures. This gap underscores the need for reliable sources of cybersecurity info that can cut through the FUD, offering actionable insights rather than contributing to fear.They also explore the practice of weaponizing security in competitive markets. Some companies leverage security breaches, or the lack thereof, to differentiate themselves in the marketplace. These marketing strategies highlight "superior" security features while pointing out competitors' breaches. While such tactics might draw attention to security considerations, they also risk confusing what constitutes meaningful cybersecurity practices. The industry needs to balance competitive advantage with ethical responsibility and consumer education. Who will fill the gap?FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Prompted by fan mail, Chris, Izar, and Matt engage in a role-playing scenario as a VP of engineering, a security person, and a product manager. They explore some of the challenges and competing perspectives involved in prioritizing application security. They highlight the importance of empathy, understanding business needs and language, and building relationships within an organization while dealing with security threats and solutions. They end with insights into the role of AI in AppSec, its prioritization, and its limitations.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Matt, Izar, and Chris have a lively discussion about how security experts perceive open-source software. Referencing a post that described open source as a 'hive of scum and villainy,' the team dissects the misconceptions about open source software and challenges the narrative around its security. They explore the complexities of the software supply chain, the notion of 'inheritance' when it comes to security vulnerabilities, and the impact of transitive dependencies. They also discuss reputation systems, dependency injection, and the reality of accepting responsibility for incorporated software packages and their security issues. Tune in for these and other thoughtful insights about the interplay between open source solutions and security aspects in software development.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Threat modeling expert Adam Shostack joins Chris, Izar, and Matt in this episode of the Security Table. They look into threat actors and their place in threat modeling. There's a lively discussion on risk management, drawing the line between 'thinking like an attacker' and using current attacker data to inform a threat model. Adam also suggests that we must evaluate if risk assessments serve us well and how they impact organizations on various levels. The recurring theme is the constant need for evolution and adaptation in threat modeling and risk management processes. You can tune in to get a rich perspective on these key cybersecurity topics.LinkThreat Modeling Manifesto: https://www.threatmodelingmanifesto.org/Threat Modeling Capabilities: https://www.threatmodelingmanifesto.org/capabilities/Threats: What Every Engineer Should Learn From Star Wars by Adam Shostack - https://threatsbook.com/FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Izar, Matt, and Chris discuss the effectiveness of bug bounty programs and delve into topics such as scoping challenges, the ethical considerations of selling exploits, and whether it is all just bug bounty theater. The hosts share their insights and opinions on the subject, providing a thought-provoking discussion on the current state of bug bounties in the security industry.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

This week around the Security Table Matt, Izar and Chris discuss the recently-published Threat Modeling Capabilities document. They explore how capabilities serve as measurable goals that organizations either possess or lack, contrasting the binary nature of capabilities with the continuum of maturity. The team shares insights on the careful definition and measurement of each capability, highlighting the creative debates and diverse perspectives that enriched the document.They also emphasize the collaborative effort behind the document's creation. The process mirrors the successful teamwork from the Threat Modeling Manifesto, showcasing the enjoyment and effectiveness of their work together.Finally, the team reflects on their journey from the project's start to the release of the Threat Modeling Capabilities document. They share personal stories and the collaborative spirit that led to the project's success, inviting feedback from the community to refine and improve the document further.LinksThreat Modeling Manifesto: https://www.threatmodelingmanifesto.org/Threat Modeling Capabilities: https://www.threatmodelingmanifesto.org/capabilities/FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Chris, Izar, and Matt address the complexities of open-source component usage, vulnerability patches, civic responsibility, and licensing issues in this Security Table roundtable. Sparked by a LinkedIn post from Bob Lord, Senior Technical Advisor at CISA, they discuss whether software companies have a civic duty to distribute fixes for vulnerabilities they discover in open-source components. They also examine if there is a need to threat model every third-party component and consider the implications of certain licenses for security patches. This is a discussion that needs to be had by anyone using open-source components in their code. Listen in and engage as we learn and think through this important issue together!Links:Bob Lord’s post about Open Source Responsibility:https://www.linkedin.com/posts/lordbob_just-a-quick-thought-on-open-source-if-you-activity-7146137722095558657-z_RIFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Join us for the final episode of The Security Table for 2023. Chris, Izar, and Matt answer fan mail, make fun predictions for the upcoming year, discuss their resolutions for improving cybersecurity, and make a call to action to global listeners. Highlights include the reach of the podcast, explaining Large Language Models (LLMs), Quantum LLMs, Software Bill of Materials (SBOM), and the importance of teaching secure coding from high school level up. Chris, Izar, and Matt share their passion for making cybersecurity more accessible, practical, and effective through critical discussions and innovative ideas.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Sander Schulhoff of Learn Prompting joins us at The Security Table to discuss prompt injection and AI security. Prompt injection is a technique that manipulates AI models such as ChatGPT to produce undesired or harmful outputs, such as instructions for building a bomb or rewarding refunds on false claims. Sander provides a helpful introduction to this concept and a basic overview of how AIs are structured and trained. Sander's perspective from AI research and practice balances our security questions as we uncover where the real security threats lie and propose appropriate security responses.Sander explains the HackAPrompt competition that challenged participants to trick AI models into saying "I have been pwned." This task proved surprisingly difficult due to AI models' resistance to specific phrases and provided an excellent framework for understanding the complexities of AI manipulation. Participants employed various creative techniques, including crafting massive input prompts to exploit the physical limitations of AI models. These insights shed light on the need to apply basic security principles to AI, ensuring that these systems are robust against manipulation and misuse.Our discussion then shifts to more practical aspects, with Sander sharing valuable resources for those interested in becoming adept at prompt injection. We explore the ethical and security implications of AI in decision-making scenarios, such as military applications and self-driving cars, underscoring the importance of human oversight in AI operations. The episode culminates with a call to integrate lessons learned from traditional security practices into the development and deployment of AI systems, a crucial step towards ensuring the responsible use of this transformative technology.Links:Learn Prompting: https://learnprompting.org/HackAPrompt: https://www.hackaprompt.com/Ignore This Title and HackAPrompt: Exposing Systemic Vulnerabilities of LLMs through a Global Scale Prompt Hacking Competition: https://paper.hackaprompt.com/FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Join Izar, Matt, and Chris in a broad discussion covering the dynamics of the security community, the evolving role of technology, and the profound impact of social media on our lives. As the trio considers what they are most thankful for in security, they navigate a series of topics that blend professional insights with personal experiences, offering a unique perspective on how these elements intersect in the modern world.Chris begins by highlighting the importance of collaboration and learning within the ever-expanding security community. Shifting to broader security concerns, Izar emphasizes the value of mentoring and the potential for institutionalizing it through platforms like OWASP. Matt critiques over-relying on AI. He advocates for tool-assisted solutions rather than tool-performed ones and stresses the importance of accurately representing AI's capabilities.In a particularly engaging segment, the panelists explore the influence of social media and technology on personal well-being. They share anecdotes and observations on the pursuit of simplicity in a tech-driven world, discussing the concept of 'social media sobriety' and social media's impact on happiness. They conclude with a collective call to action, urging viewers to engage in positive change through volunteering, mentoring, and contributing to open-source projects. This discussion is a must-watch for anyone interested in the intersection of technology, security, and societal trends.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Patrick Garrity joins the Security Table to unpack CVSS 4.0, its impact on your program, and whether or not it will change the game, the rules of how the game is played, or maybe the entire game.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Aditi Sharma joins Matt, Izar, and Chris around the Security Table to discuss Software Bill of Materials (SBOMs). The team discusses potential advantages as well as challenges of SBOMs in different contexts such as SaaS solutions, physical products, and internal procedures. The episode also explores the importance of knowing what software components a company is consuming and the significance of SBOM for vulnerability management and risk posture. The team concludes by stressing that while SBOM has great potential value, the value realization is still a work in progress.Links:Chris' LinkedIn post about the SBOM cycle: https://www.linkedin.com/posts/securityjourney_where-is-the-part-where-the-vulnerabilities-activity-7128757968740777986-0PQVFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Join Chris, Matt, and Izar for a lively conversation about an article that offers 20 points of "essential details" to look for in a Software Bill of Materials (SBOM). They dissect and debate various points raised in the article, including generating SBOMs, the necessary components, and how to gauge the quality of this digital inventory. Their critique is both insightful and humorously candid, and they will offer you a tour through the often complex world of software documentation.Hear about topics ranging from open source dependency tree, the necessity – or not – of manual SBOM generation, and the importance of a Vulnerability Exploitability Exchange (VEX) document alongside an SBOM. You will hear why they think an SBOM with a VEX can transform and simplify risk assessment procedures by providing clear and actionable insights for threat management. Links:Forbes: 20 Tech Experts Share Essential Details To Look For In An SBOMhttps://www.forbes.com/sites/forbestechcouncil/2023/10/09/20-tech-experts-share-essential-details-to-look-for-in-an-sbom/FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Matt, Chris, and Izar discuss the recently published "NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations." They review each point and critically analyze the document's content, pointing out areas where the terminology might be misleading or where the emphasis should be shifted. As they work through the top ten list, several trends and larger conversations appear out of the individual points. The trio delves into the nuances of system configurations, emphasizing the risks associated with default settings that expose insecure protocols. Systems should not provide options that are inherently insecure! They also touch upon the challenges of network segmentation in the era of software-defined networking and the implications of poor patch management. They highlight the importance of understanding the difference between configuration problems and design flaws, particularly in password management and storage. The discussion provides insights into the complexities of cybersecurity and the challenges of ensuring that systems are both user-friendly and secure. The dynamic exchange underscores the importance of continuous learning and adaptation in the ever-evolving field of cybersecurity.Helpful Links:NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations     https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278aFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!

The Security Table gathers to discuss the evolving landscape of application security and its potential integration with development. Chris posits that application or product security will eventually be absorbed by the development sector, eliminating the need for separate teams. One hindrance to this vision is the friction between security and engineering teams in many organizations.Many people think that security incidents have negative implications on brand reputation and value. Izar points out that, contrary to popular belief, major security breaches, such as those experienced by Sony and MGM, do not have a lasting impact on stock prices. Chris counters this by highlighting the potential for upcoming privacy legislation in the U.S., which could shift the focus and importance of security in the corporate world.Chris envisions a future where the security team is dissolved and its functions are absorbed across various business units. This would lead to better alignment, reduced infighting, and more efficient budget allocation. Security functions need to be placed where they can have the most significant impact, without the potential conflicts that currently exist between security teams and other business units.The second topic of discussion is the "shift left" movement in the realm of application security. There is ambiguity and potential misuse of the term. What exactly is being shifted and from where does the shift start? The term "shift left" suggests moving security considerations earlier in the development process. However, the hosts point out that the phrase has been co-opted and weaponized for marketing purposes, often without a clear understanding of its implications. For instance, they highlight that while it's easy to claim that a product or process "shifts left," it's essential to define what is being shifted, how much, and the tangible benefits of such a shift.Matt emphasizes the idea of not just shifting left but starting left, meaning that security considerations should begin from the requirements phase of a project. Chris mentions that the concept of shifting left isn't new and cites Joe Jarzombek's late 90s initiative called "Building Security In" as a precursor to the current shift left movement. The hosts also humorously liken the shift left movement to a game of Frogger, suggesting that if one shifts too much to the left, they might miss the mark entirely. The discussion underscores the need for clarity and purpose when adopting the shift left philosophy, rather than just using it as a buzzword.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast➜LinkedIn: The Security Table Podcast➜YouTube: The Security Table YouTube Channel Thanks for Listening!