Adam Shostack on Nostr: Appsec Crowdstrike released what they call an RCA. Before they did, I said I’d ...
Appsec
Crowdstrike released what they call an RCA. Before they did, I said I’d judge it based on clarity, depth and scope, and it fails on all three. There’s no “five whys”, there’s no discussion of management choices or funding. Rushing root cause work gets you shallow analyses and you get shallow improvement.
Narrowing the Software Supply Chain Attack Vectors: The SSDF Is Wonderful but not Enough by Laurie Williams (from March, but I’d missed it).
Simon Tatham lists Code review antipatterns, none of which specifically mention security, but code reviews are often associated with security, and the “Late breaking design review” pattern certainly ties into threat modeling either done or communicated badly.
Published at 2024-09-03 15:20:22

Event JSON
{
  "id": "56b7ff7bc540ae5846051f14cba7378d1a9b03c64a46f9d67821d809286f635d",
  "pubkey": "87b08bf48dd639cf2e6c33b46f98146b44f40e05a696274012a159463398437d",
  "created_at": 1725376822,
  "kind": 1,
  "tags": [
    [
      "p",
      "87b08bf48dd639cf2e6c33b46f98146b44f40e05a696274012a159463398437d"
    ],
    [
      "proxy",
      "https://infosec.exchange/@adamshostack/113074295444188261",
      "web"
    ],
    [
      "e",
      "c541561315bc36fa9544921cee2f99e1e34bc36a24be6e56c69eb7e2c23499fd",
      "",
      "root",
      "87b08bf48dd639cf2e6c33b46f98146b44f40e05a696274012a159463398437d"
    ],
    [
      "proxy",
      "https://infosec.exchange/users/adamshostack/statuses/113074295444188261",
      "activitypub"
    ],
    [
      "L",
      "pink.momostr"
    ],
    [
      "l",
      "pink.momostr.activitypub:https://infosec.exchange/users/adamshostack/statuses/113074295444188261",
      "pink.momostr"
    ],
    [
      "-"
    ]
  ],
  "content": "Appsec\n\nCrowdstrike released what they call an RCA. Before they did, I said I’d judge it based on clarity, depth and scope, and it fails on all three. There’s no “five whys”, there’s no discussion of management choices or funding. Rushing root cause work gets you shallow analyses and you get shallow improvement.\n Narrowing the Software Supply Chain Attack Vectors: The SSDF Is Wonderful but not Enough by Laurie Williams (from March, but I’d missed it).\n Simon Tatham lists Code review antipatterns, none of which specifically mention security, but code reviews are often associated with security, and the “Late breaking design review” pattern certainly ties into threat modeling either done or communicated badly.",
  "sig": "dc6e41212eebd7d3d5d43299f69b6f18a56b3d5d8b1847e7b0501e8ea80241de482e6c16e4c0093cb2a871e0379d19263dc3246a23c7a7f6a54065145b3690a9"
}