Securely Built

Great write up on some of the features in GitLab that help support a secure SDLC!

Another great article on supply chain impacts in the financial system.

If you haven't heard of Cornucopia from OWASP® Foundation, time to check it out. This has actually been around for a while, but it's a great way to learn about #threatmodeling in an interactive and creative way. Here’s how developers can utilize OWASP Cornucopia to understand and enhance their threat modeling practices: 1. Interactive Learning through Gaming: OWASP Cornucopia is designed as a card game that facilitates interactive #learning. This approach transforms the typically technical and often tedious process of threat modeling into an engaging and collaborative activity. Developers can use this game to simulate threat identification and mitigation strategies in a dynamic and enjoyable setting, which increases participation and retention of information. 2. Integration with Industry Standards: Cornucopia aligns with major security standards and frameworks such as OWASP ASVS, MASVS, MASTG, SAFECode, SCP, and CAPEC. By using this tool, developers can ensure that their security designs and threat models are compliant with established best practices and benchmarks. This alignment helps in systematically addressing security requirements without prior extensive knowledge of these frameworks. 3. Enhanced Team Collaboration and Ownership: The game format encourages team interaction, which in turn fosters a deeper understanding and shared responsibility for security. As described in the narrative, teams not only engage more actively but also start taking initiative in the threat modeling process. This leads to better identification of security threats and the development of robust mitigation strategies. 4. Practical Application and Delegation: Utilizing Cornucopia in threat modeling sessions helps teams move from theoretical discussions to practical applications. It delegates security responsibilities effectively across team members, regardless of their initial knowledge levels. This delegation improves overall team capability in security planning and penetration testing, reducing reliance on external security assessments. 5. Real-World and Fun Learning Environment: Cornucopia makes learning about threat modeling fun, which can significantly enhance the effectiveness of security training sessions. Engaged participants are more likely to contribute actively and remember the strategies discussed. The game’s competitive nature can lead to innovative thinking and problem-solving regarding #security vulnerabilities. 6. Adaptability and Updates: The latest version, Cornucopia 2.0, includes updates like mapping to the latest OWASP ASVS and the introduction of a new mobile app edition, ensuring the tool remains relevant with current technology trends and security challenges. This adaptability makes it a sustainable choice for ongoing security education and practice.

What do you do when your puzzle has broken pieces!?

Is #SAST dead? TLDR: It's not. But is it getting better?

#vulnerabilitymanagement is like finding a single needle in the stack of needles. There can be a better way in #applicationsecurity. Read more below.

Great article on the intersection of application and product security.

Great article on how application security fits into the overall product security in an organization.

Check out the latest newsletter from Derek Fisher on utilizing #threatintelligence in #productsecurity

Securely Built is launching a newsletter 🎉 If you're curious about product security and it's overall role in cybersecurity and protecting organizations, then this newsletter is for you! [securelybuilt.substack] - link below. Please subscribe! The initial focus will be on the role of product security in technology and how organizations can consider security throughout the product life cycle while delivering value to customers. This series will dive into what product security truly means across organizations and unravel the complexities. 🛠️ In upcoming editions, we'll dive into integrating disciplines like information security, network security, and more to create a robust product security function within organizations. 💡 Did you know product security extends beyond enterprise software? We'll uncover its role in devices, vehicles, and medical devices, shedding light on their unique challenges and solutions. 🔄 Plus, we'll discuss posture management tools, compliance impacts, and regulatory frameworks shaping the landscape of product security today. Subscribe now to stay update as I release new editions. What have i wrought upon this world....hopefully good stuff 😁 #productsecurity #cybersecurity #infosec #networksecurity #iotsecurity #devicesecurity #compliance