We delve into threat modeling and software security, touching on the profound implications of the White House's recent report on memory-safe programming languages. We also dissect the systemic challenges of self-regulation in the cybersecurity market, especially in the aftermath of significant incidents like the SolarWinds attack. Adam shares his valuable insights on CISA's latest strategies to tackle vulnerabilities at their origin, emphasizing the critical need for proactive and systemic solutions in bolstering cybersecurity practices. In another segment, we examine the complexities surrounding software security regulation and self-regulation in both the US and Europe. Drawing parallels to the automotive industry, we discuss how software companies are held accountable for the components they use, similar to how car manufacturers are responsible for their parts. The conversation highlights the Biden administration's executive order requiring vendors to self-attest to software security when selling to the US government and compares this to established regulatory frameworks like SEC regulations. We also address the balance between proactive and reactive regulatory measures, referencing historical efforts such as Microsoft's Trustworthy Computing initiative and discussing the unique challenges faced by sectors like medical devices, where security and functionality must be meticulously balanced.

Key Discussion Points:

• Threat Modeling and Application Security: An in-depth look at threat modeling and its crucial role in enhancing application security.
• White House Report on Memory-Safe Programming Languages: Exploring the implications of the recent White House report and its impact on software security practices.
• Self-Regulation vs. Government Regulation: Analysis of the challenges and benefits of self-regulation in the cybersecurity market, particularly post-SolarWinds.
• CISA’s Strategies on Vulnerability Management: Insights into CISA's proactive approaches to tackling vulnerabilities at their origin.
• US and European Software Security Regulations: Comparing US and European approaches to software security regulation and the accountability of software companies.
• Biden Administration’s Executive Order: The requirement for vendors to self-attest to software security and its broader implications.
• Historical Context: Reflecting on past efforts like Microsoft's Trustworthy Computing initiative and their relevance today.
• Balancing Security and Functionality: The unique challenges faced by sectors like medical devices in maintaining both security and functionality.

What's Inside This Episode:

• 00:01 - Introduction: Francesco Cipollone introduces the podcast and guest, Adam Shostack, a leader in threat modeling and application security.
• 00:22 - Role in Threat Modeling: Adam discusses his contributions to the field of threat modeling and the importance of simplifying and organizing the process.
• 02:00 - Background and Career: Adam shares his extensive experience in application security, including his work at Microsoft and current role at Shostack and Associates.
• 03:00 - State of Application Security and Threat Modeling: Discussion on the current state of application security and the significance of the White House report on memory-safe programming languages.
• 04:00 - Regulatory Influences and Vulnerability Management: Insights into how government regulations are influencing application security and the challenges in managing vulnerabilities.
• 06:00 - Historical Context of Software Security: Reflection on historical security practices and the evolution of software security.
• 08:00 - SolarWinds SEC Lawsuit: Detailed discussion on the SEC lawsuit against SolarWinds and the importance of accurate security statements.
• 10:00 - Challenges in Implementing Security Measures: The difficulties organizations face in implementing effective security measures and the necessity of having a comprehensive asset inventory.
• 12:00 - Government Regulations and Market Self-Regulation: Debate on the effectiveness of market self-regulation versus government mandates in shaping the future of application security.
• 14:00 - Balancing Profit and Security: The conflict between maintaining profit margins and investing in security, and the role of commercial support in sustaining open-source software security.
• 16:00 - Open Source Software and Commercial Support: Discussion on the need for commercial support for open-source software and the impact of regulations on the open-source community.
• 18:00 - Self-Regulation in Software Security: The role of self-attestation in software security and the thin line between self-regulation and government mandates.
• 20:00 - Responsibilities of CISOs and Corporate Accountability: The critical responsibilities of CISOs in communicating security risks and how regulatory measures push for better accountability.
• 22:00 - Microsoft's Security Evolution: Reflection on Microsoft's journey in improving software security and the importance of initiatives like the Security Development Lifecycle (SDL).
• 24:00 - EU AI Act and Its Implications: Brief overview of the EU AI Act and its impact on high-risk applications.
• 26:00 - Dark Gemini and Modern Threats: Teaser for a future episode on Dark Gemini, an advanced AI used for nefarious purposes, and its implications for threat modeling and vulnerability management.
• 28:00 - Weaponization of Vulnerabilities: Discussion on the rapid weaponization of vulnerabilities and the need for systemic fixes in software security.
• 30:00 - Closing Thoughts: Summary of the discussion on ASPM, threat modeling, and Phoenix Security, emphasizing the positive impact of ongoing changes in security practices.
• 33:00 - Positive Message and Conclusion: Adam’s positive message about the future of software security and Francesco’s emphasis on the importance of proactive measures. Information on where to find more about Adam Shostack and his work.

Adam Shostack Adam is the author of Threat Modeling: Designing for Security and Threats: What Every Engineer Should Learn from Star Wars. He’s a leading expert on threat modeling, a consultant, expert witness, and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft.

His accomplishments include:

• Helped create the CVE. Now an Emeritus member of the Advisory Board.
• Fixed Autorun for hundreds of millions of systems.
• Led the design and delivery of the Microsoft SDL Threat Modeling Tool (v3).
• Created the Elevation of Privilege threat modeling game.
• Co-authored The New School of Information Security.