If I'm a non-security-focused developer who realizes that I have a security requirement for my code, what's the best way to find defenses I might leverage?
-
If I'm a non-security-focused developer who realizes that I have a security requirement for my code, what's the best way to find defenses I might leverage? Is it the OWASP cheat sheet series? Assume that I'm under shipping pressure, a bit overwhelmed, don't know the jargon, and don't have time to read the 100 pages of ASVS, never mind the 336 pages of the cloud controls matrix. (Background: I have the advantage or disadvantage of having accumulated knowledge over time, and I'm looking to give more actionable guidance around the threat modeling question of "what are we going to do about it?" and... we have a lot of very, very abstract guidance. That's of course because we have a lot of technical domains like cloud or IoT, a lot of sector guidance, and more, so I'm not critiquing, but asking what a developer ought to do.)
@adamshostack I've actually found that Claude has gotten quite good at this kind of thing. So, even though I dislike the whole "just throw the problem at an LLM" angle, asking Claude / ChatGPT is a good first step to figure out what exactly the requirements are, what the potential defenses might be, and where to find additional information on them that aren't AI generated but have been written by a human. Bonus points: the LLM also helps you clear up any questions you might have about the terminology etc.
-
@hacksilon I agree with you -- I've found 'I need to address threat X on stack A, B, C. Don't write code, but give me strategies and tools' works remarkably well -- and that seems like abdication. Maybe abdicating is ok here?
-
@adamshostack it's a bit of a leading question.

-
@letoams ok, so where does it lead?

-
@adamshostack @hacksilon I don't see anything inherently wrong with abdication in the short term. Nobody is an expert at everything, and everyone starts as a newb at everything. It's what you do with it over time that matters.
-
@adamshostack “assume, I am about to fail, how will AI that’s over my head to use, save me?”
-
@letoams But that's not what I'm asking. I'm asking what is someone practically supposed to do, and I would love answers that are not "ask an LLM a question where the person can't evaluate the answers."
-
@mweiss @adamshostack @hacksilon something I’ve long thought an issue with search engines is that they’re great at finding things you already know the name of. LLMs seem pretty good at finding the names of things from a description. So if someone is finding mitigations that they understand what it is, why it works and any limitations that seems like a good thing.
-
@adamshostack I think the answer should be "Defensive Design Patterns." Good security architects have built up a bank of these in their head: "It looks like you're writing an updater! Here are some best practices around that." Once somebody makes that connection that they are writing an updater, they can always search the internet (or ask AI) for the best practices part - but having that lightbulb moment is not guaranteed.
-
@adamshostack honestly this whole grammar (role+"assume" context) is giving me prompt vibe, I hope you are not trying to compare the same answer from a person and an AI haha
That being said there's no correct answer? I would suggest a PR with compulsory security review to merge, being the review manually taken from a security programmer. Problem is you could find a lot of useful things in OWASP (mostly vuln focused) as well as other sources (depending on the case) but if you don't know (...)
-
@adamshostack the jargon, or the basics, you might be implementing stuff half the way or making things worse for future reviewers. Even if you ask an AI to do the job, without this base, it might misunderstand or patch the wrong thing.
Aren't you able to ask a community for your specific needs? Are you sure you don't have time to recheck with a security team, even if they are not devs?
-
@adamshostack I would suggest to check your dev environment first and esp. the frameworks, libraries and tools you use. They may come with security controls that you can leverage incl. docs with usage examples and references to OWASP resources for further research if needed.
-
@adamshostack validate and sanitize your inputs, and escape your outputs.
Treat what isn't yours as "input", including anything you receive from the network, database, file system, etc.
This will get you surprisingly far.
I'm "not a security expert", so don't take this as "advice from a security expert."
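
The advice in the post above, as an added example that is not part of the thread: a username is validated against an allow-list on the way in, values are bound as SQL parameters, and rows read back from the database are escaped again at output because the database counts as "not yours". The table layout, the username policy and the sample rows are assumptions constructed for illustration.

```python
import html
import re
import sqlite3

# Assumed policy for this example: allow-list of characters and length.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def validate_username(raw: str) -> str:
    """Reject anything outside the allow-list instead of trying to repair it."""
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


def store_comment(db: sqlite3.Connection, username: str, body: str) -> None:
    """Validate network input, then pass it as bound parameters, never as SQL text."""
    if len(body) > 500:
        raise ValueError("comment too long")
    db.execute("INSERT INTO comments(username, body) VALUES (?, ?)",
               (validate_username(username), body))


def render_comments(db: sqlite3.Connection) -> str:
    """Rows from the database are input too: escape every field at output time."""
    rows = db.execute(
        "SELECT username, body FROM comments ORDER BY id").fetchall()
    return "\n".join(
        f"<li><b>{html.escape(user)}</b>: {html.escape(body)}</li>"
        for user, body in rows)


def demo() -> str:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments("
               "id INTEGER PRIMARY KEY, username TEXT, body TEXT)")
    store_comment(db, "alice_01", "2 < 3 && 'quotes' are fine")
    # Constructed row from a hypothetical older code path that skipped
    # validation; the renderer must still treat it safely.
    db.execute("INSERT INTO comments(username, body) VALUES (?, ?)",
               ("<b>legacy</b>", "<em>markup</em> & more"))
    return render_comments(db)


if __name__ == "__main__":
    print(demo())
```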
-
@aimaz @mweiss @adamshostack yep. It reaches its limits with more complex issues or specific technical stuff (for example, it usually gets very specific Keycloak configuration strategies wrong and hallucinates features that do not exist). I actually have a personal benchmark question for LLMs where I’m asking a question whose answer requires some specific knowledge of how TLS works, which works quite well as a differentiator for me: https://infosec.exchange/@hacksilon/116076554555995053
So, general brainstorming = good, the more specific it gets, the likelier it will lead you wrong.