The Security Table

Lack of Reasonable, or Everything That Is Wrong with Security Requirements

Tania Ward, Izar Tarandach, Matt Coles, and Chris Romeo Season 1 Episode 19


How do you determine what constitutes "reasonable security" when evaluating vendors? Is “reasonable” a measure of compliance to a set standard? Is it reasonable to expect mature threat modeling practices? Some expectations are too high to be reasonable, but the minimum standard that both parties agree upon doesn’t seem like enough.

Join the hosts of the Security Table as they discuss the importance of a reasonable security standard, one that both a vendor and the buyer can agree upon.

Izar bemoans the vetting process for software vendors that can be overburdened with paperwork and checkboxes, but still lack confidence in a product’s security. Can we do better? He asks Matt and Chris what information or assurances vendors can reasonably provide to convince buyers that they truly understand and prioritize security.

Chris proposes evaluating people, process, tools, and governance as a starting point. Matt notes that any answer has to satisfy both the end customer and internal teams and leadership. Threat modeling is proposed as a basic starting point. But is threat modeling just a bare minimum, or is it the reasonable standard both sides of the discussion can be happy with?

The team discusses the importance of seeing the pipeline of any product being considered.

What is reasonable? A threat model, documentation of that model, and an invitation to read and ask questions about the described process. The threat model needs to cover what and how software is built, as well as deployment into production. That is enough. That's reasonable. Is the team’s conclusion reasonable? Listen along, and watch for the upcoming discussion on LinkedIn.


FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Lack of reasonable

[00:00:00] Chris Romeo: Hey folks. Welcome to another episode of the Security Table. This is Chris Romeo. I am joined by Matt Coles and Izar Tarandach once again sitting around the security table. And right off the bat we're gonna jump in because Izar has something for us to discuss, but he's gotta lay it out for us first. And so Izar, take it away.

[00:00:30] Izar Tarandach: Yeah. So in in the past few weeks we've been talking about this reasonable security idea and apparently somebody even came out with like, I don't know, a newsletter named Reasonable Security. It sounds like a great idea. We should, we should read that. So, um, and, and, and I wanted to take that to a place that I've been battling for for a while.

[00:00:51] If I look at my past employment before I jumped into security products rather than product security, uh, in different organizations I met this very, very heavy process. That was, every time that somebody wanted to bring a new thing into the organization, uh, be it a service, be it another product, be it, I don't know, even some desktop publication or whatever, the security team would get saddled with this very, very heavy, uh, process of vetting that thing, right.

[00:01:24] And repeatedly, it was one of the places where people looked at me and said, what can we do to make this process lighter, faster, but still have some measure of, uh, of, um, confidence in what we're bringing in? And when I think of that, and then I, I put it in light of the discussions that we have, have been having around reasonable security, that to me is one of the first places where that idea comes and, and meets real life.

[00:01:53] In it being, I should be able to turn to a vendor and say, you want to sell me something? Rather than I having a heavy process that I have to go through to satisfy my curiosity. Why don't you prove to me that you took all the reasonable, uh, measures so that you are not raising my risk and my attack surface, and I wanted to get you guys' view on what would that reasonable proof be? What, what is it that, uh, a vendor or, or anybody who wants to raise your risk and raise their attack surface, what can they put in front of you that would make you say, this person gets it.

[00:02:36] Chris Romeo: Do we need to be generic or can we, can, can we scope it a little bit to help us

[00:02:41] Izar Tarandach: Go for 

[00:02:41] Chris Romeo: define, so what if, what if we say, let, let's, let's, let me define a vendor who's gonna sell something to us. Which I think will, cuz I think there could be differences depending on what I'm buying, right? If I'm buying a dump truck versus buying a SaaS solution, there's probably a different set. And I think we're talking about buying a SaaS solution in this, in this conversation. So let's imagine we have, let's just, let's just say it's a startup, okay? We have a startup, they're providing a software as a service solution to us. That is providing some analysis of data that we own. And it is, we're using this tool to produce actionable results for ourselves and metrics and dashboards, and it's, and we're, we're analyzing some amount of our confidential data. So I think that, that kind of helps us to, to have some, some guardrails around the conversation as far as what, uh, direction we're gonna go. So I'll let Matt go first about what he needs to see from the vendor, what they would provide that would allow us to meet Izar's idea here,

[00:03:40] Matthew Coles: Well, so let me, let me start with, uh, wow, this sounds like a compliance question. I usually leave this to somebody else. Uh, like literally, literally companies have whole teams of people that do this. Right? Um, but when it comes to, I'll say, so supply chain security, this is where, you know, this shows up frequently, I think in supply chain security.

[00:04:01] So first off, let me, lemme just say, obviously for those who may not be familiar with this, this happens frequently in security standards. Um, uh, it was in the, um, National Cybersecurity Strategy and the CISA Secure by Design, Secure by Default, uh, document and, and a host of other places. Um, it shows up in the recent attestation form that the, that, uh, CISA put together for the executive order, uh, et cetera. Um, and so, this is really what's reasonable. What's that? What's the difference in that term, reasonable, that, that a provider of a, so of, in this case, your SaaS software needs to, needs to do so that you get a, a comfortable feeling and not just a comfortable feeling, a justifiable position on the security assurance of the thing they're delivering. As, as Izar said, so they don't, you know, so you don't inherit risk or that you don't expose yourself to risk. So what do I need? I need to understand their security practices, right? I need to understand if they, if they have a process for addressing security in a similar way. That, and, and I'll, I'll say, I'm gonna say for me personally, obviously I'm not speaking on behalf of the company I work for or, or any of the past companies.

[00:05:20] I'm just, um, generalizing this, that. You know, I need to understand that they are putting practices in place like I would for my customers, that as a customer of them, they're putting practices in place. Like do they have secure development practices? Do they apply them on a regular basis? Do they generate evidence to that fact, right?

[00:05:42] It's one thing for them to say that they do it, it's another to, to be able to prove it. And they don't always have to provide that evidence right away, but they at least have to have it available. 'Cause if we do audit or do ask, right? We, we wanna be able to get trusted verification to occur, right? A common way in practice, I think I've seen this done, is a company may reply with, well, here's my ISO certification.

[00:06:03] I'm gonna go back to ISO for a second. Uh, that may be ISO

[00:06:06] 9001. That may be ISO 9001. Right. Which is not a security standard, but, but is a, we have a level of rigor that we follow. And that we inject controls which can, and requirements which include security and therefore you should trust us. Um, or they have their Common Criteria certification, or they have their SOC 2 certification, right? That's a third party attestation that the company is doing what they need to do so that the level of, level of risk, and therefore the level of trust is there. I think in the bare minimum, that's what I would need. Now, what are the reasonable measures that they should do? I think that depends a lot on your use case, right? That's a SaaS service that's gonna be analyzing my data. That means they're gonna take on my data, which means I need to see that they're gonna encrypt that data and handle privacy and a host of other things appropriately.

[00:07:01] Chris Romeo: Hmm. I'm gonna, I'm gonna step back and give you a framework cuz I have thought about this and just to react. I, I'll give you the framework in a second. But to, Matt mentioned Common Criteria and SOC 2. Both of these I would say add limited value to the security, in that they don't solve the problem that we're trying to, to answer here,

[00:07:20] Izar Tarandach: Limited value, if any.

[00:07:23] Chris Romeo: Yeah, exactly. Like, I mean, and I worked on common criteria for five plus years of my career, so, like I've been in the trenches. I, I, I've done it and I know that sometimes I would get to the end and go, this is not adding any value. This is a checkbox 

[00:07:36] Izar Tarandach: It, it's almost, it's almost like saying that to be secure in a flight, you have to have the TSA. You don't.

[00:07:44] Chris Romeo: I mean it's, that's, that's the, the, the depth of what it was going to. And, but the challenge with it, I don't mean to make this all about Common Criteria, but the challenge is it could have been something so much more, but people, they operated at the least common denominator saying, I'm gonna do the minimum things to get the checkbox to sell to the, the, the people that are gonna buy the stuff. So, let me come back around though to my, you know, to answer you the question for the SaaS platform, for me it comes down to four things. People, process, tools, governance. Uh, people, I wanna understand the depth of training that you're doing. Shocker. I'm a big fan of education, but I, I, I want to understand, are you educating your, the people that are building these things or are they just relying on this stuff in their own head? Um, people, I'm also thinking about, I'm looking for security champions. I'm looking for security coaching. I'm looking for, I'm looking for culture that's being built there. Process. I want SDL, I wanna know what your security development lifecycle is. I want you to attest to the fact that you use your SDL. That's something I saw in procurement diagram documents a number of years ago, and it made me chuckle. I'm like, we have to basically sign a paper that says we're gonna follow our own process, but we did two more things. I'll let you react. Uh, tools. So we've talked a lot about tools on the Security Table. Tools are, are important. I want to know you have the things that, you know, the SCAs, the SAST tools. Um, you know, I want to know that you're doing some type of pen testing at some level. I don't want it every week, but I want it at some, I want some level of external testing that you're doing there. And then governance. I wanna know that you have a management system to track all of the things I've been talking about and prove, so that if I ever wanna inspect it, you can show me via dashboarding and we can, we can, we can have an audit side to what we're doing here. And so people, process, tools, governance. That's how I would assess a startup and be able to sign a paper that says, Izar, I think you can buy this product because they're doing all this stuff.

[00:09:46] There's no guarantee that they're vulnerability free, but they're doing all this stuff that I think is better practice.

[00:09:52] Izar Tarandach: Okay. Uh, my nefarious plan worked and I have you guys exactly where I want you. So of, of all the things that you put forward here, it was, I want, I want, I want, I want, what I want is to know. What do you need that falls in between? I want everybody should do it and meet in the middle with, okay, that's reasonable.

[00:10:22] Matthew Coles: Oh my. So this is gonna be an interesting response. 

[00:10:24] Izar Tarandach: don't, don't, don't forget the word here. Reasonable. Why? Because now I'm coming from the side of the startup and I'm saying, Hey, you are asking all this stuff, and that's great, but for the sheer volume of work that you're asking of me here, if I give this to you, I don't have a product to give you because I won't be working on it.

[00:10:39] I'm a three person startup.

[00:10:42] Matthew Coles: So, so, alright, as a corporation. And I'm, I'll generalize, I'm gonna generalize this. And, and I'm, I'm not a business person. I'm not a lawyer. I'm not a procurement person. Uh, right. That's, that's, none of that is me. But I'm gonna suggest what this, what this is. And Chris, obviously you, you have some, actually have some experience here.

[00:11:00] I should be letting you go first. But, but, uh, but, uh, I'm, I, I'd rather make a statement and then have you contradict me than, than, than not. So, uh, 'cause we all learn that way, uh, so, um, or many of us went that way, the hard way sometimes. Uh, so what I need, or, uh, business needs is one of two things, or maybe two of one, one or more of two things. I need something I can pass along to my customer that says what I build or what I'm using, and a customer or regulator or whatever has met a level of due diligence. So I need the, I need the, the slip, the slip of permission that I can pass along, or I need information that I can use to produce one of those things for myself in the, in the end, right? I think that's, so it's, I need to make my, my leadership comfortable and I need to make my consumers or stakeholders comfortable. Chris, what do you think?

[00:12:09] Chris Romeo: Let me, let me reflect you. So let me give you, let me use your three person startup company and let me, let me reflect, let me give you my, my areas of my framework against that three person startup. So as a three person startup, so from the people side, I'm expecting to, to, to know that you've done something to teach the, the three of you have done something to, to have some knowledge of security. On the process side, I'm gonna give you more room here because you're building software with a small team, but I'm, I am hoping on the tools side, the tools and process together that you, you should at least be using open source security tools. Even if you're not spending a lot of money, even, I'm not asking you to, to buy all the big name security providers and, and spend a lot of money, but you can include an SCA in your, in your pipeline, for example.

[00:12:59] That's not, I don't think that's asking you for too much at this point. Governance, your governance is gonna be a lot less, it's gonna be a lot lighter. There's gonna be a lot, a lightweight version of this. But these are all the things like, I can't just, there is no one question that I can look at. You look at a company and go, yeah, that's secure.

[00:13:14] I just, there's, there's, there's too many variables.

[00:13:16] I can't, I can't give you a, I can't do it in one question because I'll just fail

[00:13:20] Izar Tarandach: I, I'm not looking for one question. I'm looking for the subsets. That's reasonable for both sides. It's reasonable for me to sp to, to, to figure out my risk, my risk appetite, and for them to say, it's reasonable for us to provide you with that.

[00:13:37] Chris Romeo: Okay.

[00:13:37] Izar Tarandach: Okay. So for me, for example, to me it's, it's reasonable to have a conversation with them and say, what's your threat model? What, what, what did you consider?

[00:13:47] Chris Romeo: Hmm.

[00:13:47] Izar Tarandach: Right? And that's going to already put me in the idea of, uh, where they're headed concerning security. And then I can use my own judgment to translate that into how much training they had, kind of tools they're using, the requirements they're putting in place, the, the, uh, the infrastructure they're, they're building on.

[00:14:10] And it's not the, the be all to, to all, but it, it's, it's a reasonable start for a conversation that doesn't depend on both sides filling 10 thousand questionnaires and, and, you know, presenting certifications and whatnot that have absolutely no value. But everybody moves those pieces around.

[00:14:29] Chris Romeo: I agree with the point about those certifications have no value, but are you gonna lead this threat modeling session for the people you wanna buy from? Because I think the bulk of people aren't gonna, they're gonna say, I don't have a threat 

[00:14:39] Matthew Coles: Or I don't know what that is, or I don't know what that is.

[00:14:41] Chris Romeo: it? What

[00:14:41] Izar Tarandach: Nice, nice, nice, nice, nice, nice. Which moves us to something else that we, we've been seeing in the threat modeling, uh, uh, scene, which is people oversimplifying things even more than the four questions framework, right? So now people are just saying, Hey, you don't even need threat modeling. You just have to ask, Hey, what could go wrong?

[00:14:59] Right. And in some cases, yes, that, that there is some value to that. If you have a whole framework of things around and, and things are controlled and whatnot, in, in other cases, it's not reasonable because it's not going to give you the assurance that you want. So again, I I, I'm trying to find the, the, the, not the definition, but perhaps the, uh, the bar to say that something is reasonable for both sides.

[00:15:24] Chris Romeo: I mean, you gotta have some, so we've already, we've said threat modeling. I think we can, we could put threat modeling at the center because of what you said about how it draws other things out. Like you don't have to show me if you've got a solid threat model and you can explain it to me. That to your point, I know you've been trained or you've had, you've had training, you've studied security because you came up with all these threats, and so in that conversation, that can certainly be an enabler, I would say. I'm also looking for some level of assurance in the approach you're taking from tooling in your pipeline. So I think it's reasonable to say sh to say, give me a view of your pipeline. What tools are you using in the pipeline? If there's no SCA, there's no SAST being used at all. Is that, I, I, I think, I don't think I'm being unreasonable by saying my expectation is table stakes in the world of, of web app today is SCA and SAST, and I would even argue RASP is table stakes.

[00:16:16] But that's, that's maybe just my,

[00:16:17] Izar Tarandach: What? No DAST?

[00:16:18] Chris Romeo: my view. Don't get me started. 

[00:16:21] Matthew Coles: We're talking about SaaS, we're talking about a SaaS service here,

[00:16:23] Izar Tarandach: I am shocked.

[00:16:25] Chris Romeo: Don't even get me started. You said reasonable Izar. Reasonable was the key word.

[00:16:31] Matthew Coles: So it's important you're calling out here reasonable, not bare minimum, right? Because a quick way of answering this could be, show me your threat. Show me your threat model, and show me the results of your pen test. Right. That gives you beginning, beginning and it gives you end and you sort of assume that what happens in the middle is, is good, right? Bare minimum. But obviously there's room for subversion in the very, in the malicious case. And, and, uh, lack of clarity in the, in the non-malicious case

[00:17:04] Izar Tarandach: Mm-hmm.

[00:17:06] Matthew Coles: So you're, I think Chris has it, right? Uh, well, both of you do, right? So threat modeling, so you understand, uh, the, what's going into the process, coding, design, requirements gathering, program management, you know, or all of that can come from that threat model. And by the way, that threat model should be not only the system, but also the build process, right. That

[00:17:30] Chris Romeo: Ooh, now you're

[00:17:31] Izar Tarandach: Yes, yes. Important point.

[00:17:32] Matthew Coles: right?

[00:17:33] Chris Romeo: you're adding more stuff. Hold 

[00:17:34] Matthew Coles: No, no,

[00:17:35] Izar Tarandach: But it's reasonable. But it's still reasonable.

[00:17:37] Chris Romeo: reason? Is it, is it reasonable though? I'm only three people working my startup here. Like,

[00:17:40] Izar Tarandach: But if you know, if you don't know how you're building your stuff or if you're farming out your, your building to a third party. I want to know that. I want to know that you didn't think about any problems with your build stuff.

[00:17:52] Chris Romeo: So I guess that does expose the pipe. My, my thing about wanting to, to know the pipeline threat model of the pipeline exposes the pipeline. So you're, you're, you're doing two things at the same 

[00:18:01] Matthew Coles: that's right. 

[00:18:02] Chris Romeo: you're, you gotta show me the pipeline to show me that you thought about what the threats are 

[00:18:05] Matthew Coles: And, and by the way, so then that's what's, that's what goes in. And now what comes out? Now, if I have a pen test and I have a shared responsibility model, 'cause we're talking SaaS. And so what I expect to get from my SaaS provider or what I, or, or from my infrastructure provider versus what I'm presenting to you as a SaaS provider. So now you have a three, a three tier shared responsibility model, but that's, you're basically talking two things.

[00:18:32] A threat model. 

[00:18:32] Chris Romeo: here, though.

[00:18:33] Izar Tarandach: We are, yeah.

[00:18:35] Chris Romeo: guys. The, the, you've got the, the production, the execution in production. 

[00:18:40] Matthew Coles: You? But I, I can, I can

[00:18:42] Izar Tarandach: No, but that, that's, that's part of the deployment.

[00:18:44] Chris Romeo: I mean, but pen test, using pen test as an 

[00:18:47] Matthew Coles: Oh, sorry. Pen test, pen, 

[00:18:49] Chris Romeo: a

[00:18:50] Matthew Coles: pen test. And red and red team.

[00:18:53] Chris Romeo: but so, but we're still missing the, the, the execution of my app in my cloud provider environment. That stuff's likely not on my threat model cause it's not what I was, that's my infrastructure deployment and rollout. So is there a third tier of reasonable where I need to have a threat model of what I've built? A threat model of my build pipeline and a threat model of the infrastructure that I'm running it on.

[00:19:16] Izar Tarandach: Wait, wait. I, I want to catch something that you said there. There are no tiers of reasonable. It's either reasonable or not. It could be differently reasonable for different levels of, of maturity or, or, what's reasonable for the, the three guys startup may not be the same. Most certainly isn't the same thing for the Fortune 500 corporation.

[00:19:38] Matthew Coles: And actually, so I think I can answer this. I think I, I don't understand what the disconnect is. When I talk about threat model, I'm including the deployment environment. So when I'm threat modeling a system, I'm looking at what is, its deployed state.

[00:19:51] Chris Romeo: So you're looking, you're th you're more of a secure architecture perspective where you're seeing everything topped. You're seeing what's being built. You see, build pipeline. You see the depl where, where it's being deployed, not necessarily on the same diagram, but you're, you're there, there are multiple

[00:20:06] Izar Tarandach: There's a global view there. 

[00:20:07] Matthew Coles: Right. Exactly. And then, and, and when we do a context diagram, right? Well, how do you, when you, when you construct a context diagram, what is that? What is, what is that core thing that you're gonna be decomposing? If you're not accounting for the deployment scenario, what are you accounting for? Right? And so that's that maybe and that, so this is entirely possible just a terminology or scoping problem between us. But I think that if you are doing a threat model and you're looking at these aspects, what you're building, how you're producing it, and how it gets deployed, if that's the scope of that threat model, and you combine that with a pen test slash red team, and I think red teaming, we need to add there. Because specifically operational procedures, right? As a SaaS provider, especially if this was an on-prem business sold software, this would be completely different. But as a, as a SaaS provider where the provider is actually taking action in operations, red teaming is probably, probably necessary. It gives a level of, of a third party validation of what was, what comes outta the threat model. And that may be, that may be sufficient.

[00:21:13] Chris Romeo: This is, it's funny that we're, we're going through this exercise and then I'm just, the realist in me is sitting back and going, nobody's ever gonna go for this.

[00:21:21] Izar Tarandach: So it's not reasonable.

[00:21:22] Chris Romeo: people, the Well, no, I'm just saying it's reasonable to us as people who understand AppSec and understand what it takes to build software. I'm saying the people in procurement are not gonna say, this is reasonable.

[00:21:34] Izar Tarandach: Okay. So, so that's an important point to raise that there is a disconnect between us and, and the people that we are talking with. Two

[00:21:43] Chris Romeo: that manage the buying

[00:21:45] Izar Tarandach: with, yeah,

[00:21:46] Matthew Coles: Right. So what's, what's reasonable to them?

[00:21:49] Izar Tarandach: do they have different requirements?

[00:21:51] Chris Romeo: We have that. We have what's reasonable to them. Today it's filling out 700, no, that's the security team, but it's going through a 12 step process of things that I have to do to become a vendor, of which security is only one hurdle in that 12 step process of things that I have to, 

[00:22:09] Matthew Coles: Which is really, do you, can you keep my corporate data safe, my purchasing information, my account team, my,

[00:22:15] Izar Tarandach: Which is really, can you avoid somebody coming and suing me for something that I have absolutely no control of?

[00:22:20] Chris Romeo: Yeah, so if we scope this down to say we're just trying to replace the security step of the procurement process, then we can push all that other stuff off to the side and say, Procurement's gonna do what they want. They're going to have insurance requirements and they're gonna have all the other things that you have

[00:22:35] Izar Tarandach: We have no control 

[00:22:36] Chris Romeo: that's not our 

[00:22:37] Matthew Coles: It's a cost of doing business at 

[00:22:39] Chris Romeo: right now. We're talking about countering the, the 217 question thing we send out to every vendor and then interrogate them on every little point that we can have within it.

[00:22:53] Izar Tarandach: and feel good about the result.

[00:22:55] Matthew Coles: And for go and have confidence in the results.

[00:22:57] Izar Tarandach: Yes, exactly.

[00:22:58] Chris Romeo: with the way we do it today. There is really no con, I mean, I've been through that on both sides, right? As a vendor and as somebody who's buying something at a big company and you get to the end and you're like, this doesn't really feel like it solved

[00:23:08] Izar Tarandach: No, that's the thing. Yeah. That it, it, it, at some point it became too much like going through the process for going through the process, but at the end of the day, I would wake up at three in the morning saying, what did I just do? Did I just open a huge hole here? And tomorrow morning this company is going to be in the newspaper, or

[00:23:29] Yeah, it's fine. Yeah. It's, it's gonna be okay. Like where have we substituted process for rigor, process for rigor, process for assurance. I'm looking for the, the word here that's going to let me sleep through the night.

[00:23:51] Matthew Coles: Mm-hmm.

[00:23:51] Chris Romeo: assurance.

[00:23:52] Matthew Coles: That's

[00:23:53] Izar Tarandach: assurance.

[00:23:53] Chris Romeo: that's what assurance means, is, is you've shown me enough evidence that I can get a good feeling to say, okay, your three person startup has done what you should, what I consider to be the best you could possibly do. And I think my data is as safe as it possibly can be with everything we know today.

[00:24:10] Matthew Coles: Uh, assurance itself, though assurance itself doesn't, it, it won't solve that a hundred percent. Assurance is the information you've told me is correct and verifiable. That if you, if you measured it against your objectives, it will have met your objectives,

[00:24:31] Chris Romeo: Mm-hmm.

[00:24:32] Matthew Coles: right? That's assurance, right? So if you only ask, do you release software? I can have a hundred percent assurance you release software. Do you release software that's free of vulnerabilities to the extent of your knowledge, and that you run, take the appropriate action during your development process to, to vet those out? Answers will result in higher levels of assurance to say, yeah, what you're saying is not only what you're saying is correct, but you can ver, you can prove it

[00:24:59] Chris Romeo: Yeah. 

[00:25:00] Matthew Coles: I can therefore trust you.

[00:25:01] Izar Tarandach: Okay, so, so far my takeaways are threat modeling is good. 

[00:25:08] Matthew Coles: we knew that 

[00:25:08] Izar Tarandach: You can learn a lot from it, so

[00:25:11] Matthew Coles: Scoping it. Scoping it is important,

[00:25:14] Izar Tarandach: Scoping it is important. Making sure that it's deep and broad is important. There isn't a single thing that's going to give me that assurance. What's reasonable changes a lot between different kinds of, uh, people that you are interacting with.

[00:25:37] Matthew Coles: And different technologies.

[00:25:39] Izar Tarandach: Okay. Okay. Okay. Does reasonable change based on who you are, meaning if you are a three person startup or if you are a Fortune 500, does the value of reasonable change then, huh?

[00:25:55] Chris Romeo: I don't 

[00:25:56] Matthew Coles: I don't think so.

[00:25:57] Chris Romeo: I don't think it can.

[00:25:58] Matthew Coles: I think it has to depend on, I think it has to depend on what your, again, what your objectives are, right? You're a three person startup selling to the US government. You're gonna have the same level of rigor as a Fortune 500 company selling to the US government.

[00:26:11] Chris Romeo: We've focused this too far down on the, on the technology and we've, we've focused it too down, too far down on AppSec. We need to, we need to raise above this to outcomes

[00:26:21] Izar Tarandach: I if I am 

[00:26:22] Chris Romeo: be for both.

[00:26:24] Izar Tarandach: Yeah, exactly. If, if I am a three person startup and I'm going to sell now. To someone who's going to pay a lot of money, my level of what's reasonable for them to ask for me changes.

[00:26:37] Chris Romeo: And that's why Common Criteria has multiple levels, right? It has Evaluation Assurance Level one through seven, and it allows the customer to choose for, in their use case, what level of assurance am I expecting? You could do a similar model. You could say, and it's like, it's the same reason why ASVS has multiple levels and OWASP SAMM has multiple levels as maturity models, is because you could, you could say, okay, I'm admitting that this is a startup and we're not giving them the keys to the kingdom of all of our data.

[00:27:10] We're giving them a segment of our data. It's you. You can scope it to say, okay, I could deal with this, this vendor being a level one at of four possible levels.

[00:27:22] Izar Tarandach: But again, now you're talking expectations. You're not talking about reasonable. Even level one might not be reasonable for someone.

[00:27:31] Chris Romeo: Well, then you can make a business case to say, if they say level

[00:27:35] Izar Tarandach: I shouldn't work with 

[00:27:36] Chris Romeo: them.

[00:27:36] I'm not working with you. You don't even have passwords. You're telling me that you don't even use passwords 

[00:27:43] Matthew Coles: I mean, you may choose other controls. You as the consumer may choose to put other controls in place: give me your source code, right? Code escrow, right? Or

[00:27:54] Chris Romeo: Does anybody do that anymore? Is that a thing 

[00:27:56] Matthew Coles: I think it does. I think it still happens. I will, I

[00:27:59] Izar Tarandach: I haven't seen it for a long 

[00:28:01] Chris Romeo: answer would be not only no, 

[00:28:05] Matthew Coles: but hell no.

[00:28:07] Chris Romeo: Am I allowing you to take my source code in this modern day and age that we live in? But

[00:28:11] Izar Tarandach: My answer will be sure, but let me give you access to my Jira as well, and please send PRs and close the tickets that you fix.

[00:28:19] Matthew Coles: Right. So, okay, maybe it's a bad example, but you would potentially put other controls in place. Now procurement may say, oh, you didn't meet my minimum bar and I'm done. But again, back to a business solution standpoint, you may want to give that three-person startup a chance over a more established company for

[00:28:41] Chris Romeo: Yeah, but if they don't have a minimum, if they're not using passwords, if they say, we don't use passwords. Oh, do you have another control? No, we just don't believe in it. So we set them all to password1234, and we just let this thing roll.

[00:28:53] Matthew Coles: Yep.

[00:28:53] There may be 

[00:28:54] Chris Romeo: doing business with them.

[00:28:55] Matthew Coles: there may be a 

[00:28:56] Chris Romeo: control I can put in place to deal with them being naive or foolish about what they're building.

[00:29:02] Matthew Coles: So, here's a question. Does reasonable start after the unforgivables?

[00:29:09] Chris Romeo: Oh,

[00:29:10] Izar Tarandach: Oh wow.

[00:29:11] Matthew Coles: So, is there a minimum bar before reasonable even begins the conversation, right? Where if you don't have security controls for identity and access management in place, you know, like passwords. If you don't believe in passwords and everything's open, there is no reasonable conversation to be had. Right?

[00:29:33] Chris Romeo: Interesting.

[00:29:35] Matthew Coles: And by the way, this is a slippery slope if we talk open source, because who are you getting reasonable from? Who are you getting commitments from? Who are you getting assurances from?

[00:29:50] Izar Tarandach: Yeah, but now we are going back to standards because then you want everybody to be measured by the same stick.

[00:29:59] Chris Romeo: Well, it's multiple notches on the stick, and then you as the business owner can decide, I'm willing to accept the... You're accepting more risk if a three-person startup is only a level one in this new reasonable system we're using. You as the business owner can say, I'm gonna accept the risk of the fact that they're not level three. At least I know they have these basic things that they're doing.

[00:30:28] Izar Tarandach: So what you're telling me is that level one is reasonable enough for you to accept something.

[00:30:36] Chris Romeo: Yes. But that lets me make a risk management decision as the business owner over the group that is gonna use this new thing that I'm buying. I can say, eh, I'm just not comfortable with that. I'm sorry. We can't move forward with this vendor. Or I can say the innovation that they're driving is enough for me to say, I'm gonna write off the risk and say this is something I'm willing to accept, and maybe I am putting other controls in place,

[00:31:02] Matthew Coles: you're gonna follow risk. 

[00:31:04] Chris Romeo: I'm investing

[00:31:05] Matthew Coles: You're gonna follow regular risk management practices. You're gonna transfer, you're gonna insure, you're gonna have other controls to 

[00:31:13] Izar Tarandach: that we, 

[00:31:14] Matthew Coles: Et cetera. 

[00:31:15] Izar Tarandach: But the discussion that we are having now is what happens after that formal process of getting that evidence from the vendor has happened, and what I was going for is what is reasonable to ask as part of that collection, not the risk-based discussion that we are going to have anyhow, but what is it that is reasonable to ask?

[00:31:42] Chris Romeo: And I think we've already landed on that, right?

[00:31:44] It's the threat model of the three things. Like, that's the, if we could get nothing else, if we had to boil it down to a minimum thing that we could get: having a threat model that covers what you built, how you build it in your pipelines, and how you deploy it into production, however you do that, having you document that, then letting us take a look at it and ask questions about it is enough. That's reasonable.

[00:32:12] Izar Tarandach: Yes, that's reasonable.

[00:32:15] Matthew Coles: And I think you do need the "did we do a good enough job" answered by some analysis, and I'll say pen test, but it may not be pen test, but yeah. Otherwise it's just a claim. 

[00:32:28] Izar Tarandach: Just their word. Yeah, you're right.

[00:32:32] Chris Romeo: Hmm.

[00:32:32] Izar Tarandach: Right.

[00:32:34] Chris Romeo: Well, I think we've come far enough today on this journey into what is reasonable. I feel like we've moved another notch down the travel across the Blue Ridge Mountains. We've gone over one more, to the crest of one more mountain or hill. And,

[00:32:52] Matthew Coles: Wow, somebody's got a vacation on the brain here. It's 

[00:32:56] Chris Romeo: many more in front of us. It 

[00:32:57] Izar Tarandach: look at that.

[00:32:58] Chris Romeo: But where we stumbled down into the valley, that's what we do here on the Security Table, and we pick ourselves up and climb back up again. So, Izar, thanks for bringing this. This is a good issue, and what I think we need to do now is take this to LinkedIn. And we

[00:33:14] Izar Tarandach: Oh yeah.

[00:33:15] Chris Romeo: spread this far and wide as a question, and then we can come back in a future episode and reflect on what other people have to say about this. Because, like we've talked about before in previous episodes, we don't have all the answers. There's lots of people that have a lot of good stuff that can inform us. We have our predispositions and our experience and we reflect through that, but it's always fun to get other people's thoughts and opinions on it. So we'll take this to LinkedIn and we'll all share it far and wide, try to see if we can get some more opinions to come back and reflect on. So once again, thanks, folks, for tuning in around this Security Table. Keep it reasonable. I don't know, I'm trying to find a tagline to end our time. Keep it reasonable, y'all, keep it reasonable. Have a

[00:33:55] Matthew Coles: What's your threat model?

[00:33:57] Chris Romeo: What's in your threat model?

[00:34:00] Izar Tarandach: Your threat model is not my threat model

[00:34:02] Matthew Coles: Oh

[00:34:03] Chris Romeo: That's true. That's true. All right, thanks y'all.
