[tl;dr sec] #146 - CI/CD Security, Lightweight Approach to Secure SDLC, End-to-End Threat Detection Rule Testing

It’s going to be an exciting day today. We’re watching the E-Sports All Star Battle. Eight household names in Excel…

If you are comparing the cost of a CI/CD vendor to that of a do-it-yourself project, consider that home grown systems carry the risk being “free like a puppy.” The human capital, dilution of focus and maintenance burden are easy to underestimate and can dwarf the cost of a paid service.

The basic idea is when Make runs a command, that command should only have access to a limited number of files.

If some rogue unit test accidentally tries to rm -rf /, the kernel will simply reject it using an EACCES error, because your root directory wasn’t declared as a dependency in your Makefile config.

"The trick here is going to be - how do you balance scanning whilst ensuring engineering toil is at minimum, yet providing value. You could look to roll this out in phases i.e. run a rule ad-hoc, see the results, fine-tune it to a point where you can be absolutely confident it wouldn’t produce any false positive or false negative and only then introduce it on every PR/CICD pipeline in a blocking mode. Semgrep allows us to do this because of its ability to write custom rules."

Kettle demonstrated how he was able to turn a victim’s web browser into a desync delivery platform, shifting the request smuggling frontier by exposing single-server websites and internal networks.

He was able to combine cross-domain requests with server flaws to poison browser connection pools, install backdoors, and release desync worms – in turn compromising targets including Amazon, Apache, Akamai, Varnish, and multiple web VPNs.

We’ve designed Approvals so that it only has the ability to assign roles to existing users, rather than create new roles or new users. By design, the blast radius of Granted Approvals being compromised is that existing users in your directory could be granted access to roles, rather than external users being created. Better yet — Approvals is deployed as a serverless application which runs in your own AWS account, so Common Fate won’t have access to any data in your Granted Approvals deployment.

Service-level Fault Injection Testing is a technique for identifying resilience issues in microservice-based applications in development, before code ships to production. Filibuster has been designed to be easy to use, lightweight, and able to be integrated into a continuous integration environment, like GitHub Actions or Amazon’s CodeBuild CI/CD environment.

A guide for independent organizations and state and local governments to develop a sustainable mechanism for investigating and drawing lessons-learned from cyber incidents both in the immediate aftermath of a cyber incident and long-term.

The only way to gain full confidence in our ability to detect threats is to perform end-to-end testing of our detections. Namely, we consider all our logging and processing pipelines as a blackbox; we reproduce the attacks we expect to detect and verify on the other end that an expected alert is produced.

A new AI image generator appears to be capable of making art that looks 100% human made. As an artist I am extremely concerned.

What makes this AI different is that it’s explicitly trained on current working artists. You can see below that the AI generated image(left) even tried to recreate the artist’s logo of the artist it ripped off.

This thing wants our jobs, its actively anti-artist.

Artists will be put out of jobs. This is pretty much inevitable given that work which once took multiple hours will now take seconds, or maybe minutes if it’s difficult to get a good generation. I really do need to stress that the technology is in its infancy, and 95% of the obvious problems that it has now will be solved with larger models, different approaches, or better UI.

If you’ve played around with Stable Diffusion or MidJourney or DALL-E 2, then you know how hard it is to get a good result for a specific idea you’ve had. I’ve been keeping up with the papers, and these problems are going to disappear. They’ve disappeared already in the current crop of non-public models, and they’re going to disappear from the public-facing models as well. Specificity is one of the key things that human artists have going for them right now, but it’s not something that’s going to continue.

What is fascinating about DALL-E is that it points to a future where these three trends can be combined. DALL-E, at the end of the day, is ultimately a product of human-generated content, just like its GPT-3 cousin. The latter, of course, is about text, while DALL-E is about images. Notice, though, that progression from text to images; it follows that machine learning-generated video is next. This will likely take several years, of course; video is a much more difficult problem, and responsive 3D environments more difficult yet, but this is a path the industry has trod before:

• Game developers pushed the limits on text, then images, then video, then 3D

• Social media drives content creation costs to zero first on text, then images, then video

• Machine learning models can now create text and images for zero marginal cost

In the very long run this points to a metaverse vision that is much less deterministic than your typical video game, yet much richer than what is generated on social media. Imagine environments that are not drawn by artists but rather created by AI: this not only increases the possibilities, but crucially, decreases the costs.

Machine learning generated content is just the next step beyond TikTok: instead of pulling content from anywhere on the network, GPT and DALL-E and other similar models generate new content from content, at zero marginal cost. This is how the economics of the metaverse will ultimately make sense: virtual worlds needs virtual content created at virtually zero cost, fully customizable to the individual.