View More ASW Episodes

Threat Modeling That Helps the Business – Akira Brand, Sandy Carielli – ASW #316

Threat modeling has been in the appsec toolbox for decades. But it hasn’t always been used and it hasn’t always been useful. Sandy Carielli shares what she’s learned from talking to orgs about what’s been successful, and what’s failed, when they’ve approached this practice. Akira Brand joins to talk...

Full Show Notes
Segment One

Threat Modeling That Helps the Business – Sandy Carielli, Akira Brand – ASW #316

Threat modeling has been in the appsec toolbox for decades. But it hasn't always been used and it hasn't always been useful. Sandy Carielli shares what she's learned from talking to orgs about what's been successful, and what's failed, when they've approached this practice. Akira Brand joins to talk about her direct experience with building threat models with developers.

Guests
https://www.forrester.com/

Sandy is a principal analyst at Forrester advising security and risk professionals on application security, with a particular emphasis on the collaboration among security and risk, application development, operations, and business teams. Her research covers topics such as proactive security design, security testing in the software delivery lifecycle, protection of applications in production environments, and remediation of hardware and software flaws.

@akirathetroubadour

Akira Brand is the AVP of Application Security at PRAGroup, a publicly traded financial services company. An avid educator and passionate technologist, she speaks on AppSec and cybersecurity topics around the world.

Announcements

  • Security Weekly listeners save $100 on their RSAC Conference 2025 Full Conference Pass! RSA Conference will take place April 28 to May 1 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac25 and use the code 5U5SECWEEKLY! We hope to see you there!

Segment Two

New SLAP & FLOP Attacks, OCSP Fades Away, DeepSeek’s ClickHouse, OAuth 2.0 Security – ASW #316

Speculative data flow attacks demonstrated against Apple chips with SLAP and FLOP, the design and implementation choices that led to OCSP's demise, an appsec angle on AI, updating the threat model and recommendations for implementing OAuth 2.0, and more!

List of Articles

Mike Shema

  1. SLAP

    New research out of the team that disclosed iLeakage back in 2023.

    • SLAP -- "Data Speculation Attacks via Load Address Prediction on Apple Silicon"
    • FLOP -- "Breaking the Apple M3 CPU via False Load Output Predictions"

    Where Spectre and its ilk expected control flow scenarios, this new research scrutinized CPU behavior, predictions, and misses in data flows.

  2. The Slow Death of OCSP | Feisty Duck

    What if a security feature was developed in response to another security feature that was unwieldy and didn't scale well?

    But then that security feature wasn't adopted by browsers for almost a decade, its failure mode meant it wasn't enforcing anything, and servers didn't support it well?

    This story strikes me more as a useful case study in correctly identifying a security problem, but creating a solution of half-measures. It also seems very reasonable to do away with OCSP. The move towards very short-lived certs -- enabled by protocols like ACME and organizations like Let's Encrypt -- shows how there's not much of a negative impact to losing OCSP and, instead, the internet is moving to better practices overall.

  3. Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History

    There was a great upheaval in the AI world last week, where a dose of real innovation dropped into an artificial market.

    In appsec terms, I’d call this an influencer injection attack, where a lot of strongly held opinions were put forward based on superficial extrapolations from headlines and that repeated many misleading claims. It’s similar to saying public WiFi is too dangerous to ever use or personal VPNs protect you from malware and protect your privacy by hiding your IP address.

    I still would rather cover the angle of AI demonstrating value as an appsec tool. We still seem to be at the one-off demonstration of possibility.

    So, with all that said, yes, I included one article related to DeepSeek. But I specifically wanted to highlight Wiz's point that “…the immediate security risks for AI applications stem from the infrastructure and tools supporting them.”

  4. RFC 9700: Best Current Practice for OAuth 2.0 Security

    When do you update a threat model? What should that update look like?

    This new RFC gives us a chance to talk about OAuth2, design flaws, implementation details, and creating actionable recommendations.

  5. FYI: Top 10 Web Hacking Techniques | PortSwigger Research

    The Portswigger folks will release the 2024 list of top 10 web hacking techniques on Tuesday after we record the show, but I wanted to remind everyone to check it out.

    I think my personal favorite was Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine. I liked the persistence in research, from finding an ancient bug to the effort involved in figuring out how to exploit it, and learning about a new class of PHP attacks that I wasn't familiar with.

  6. FUN: A Tiny Linux Kernel Tweak with Massive Implications for Datacenter Efficiency

    A fun example of the disproportionate impact of a few lines of code on performance and cost savings.

    Check out the commit here.

Kalyani Pawar

  1. Do We Really Need The OWASP NHI Top 10?

    Yes, but the list also feels like an extension of the existing OWASP controls

  2. Unpatched PHP Voyager Flaws Leave Servers Open to One-Click RCE Exploits

    Vulns were reported back in Sept 2024, so its been well over 90 days but a patch hasnt been deployed

Show More

Stay in the Know, No Smoke and Mirrors – Join Our Newsletter

Get expert insights and technical breakdowns straight to your inbox.
Join Now

Related Episodes

Related Content

You can skip this ad in 5 seconds