[tl;dr sec] #178 - DevOps Threat Matrix, LLMs in Security, Supply Chain Security

Hey there,

I hope you’ve been doing well!

BSidesSF and RSA

If you’re visiting San Francisco over the next week, welcome! We’re excited you’re coming 🙌

I hope you’ve been getting extra sleep, hydrating, and taking your vitamins, because soon it’s going to be a montage of conferences, socializing, and evening festivities.

Here are a few things on my agenda:

Friday: Semgrep SF Community Happy Hour

BSidesSF

• Workshop: Finding Bugs and Scaling Your Security Program with Semgrep

• Panel: Level Up Your Career: A Panel on Staff + Engineering

• Talk: When is a vulnerability, not a vulnerability? Overcoming the inundation of noisy security alerts

RSA

• Executive Breakfast with Jim Manico and Tromzo

• Learning Lab: Adding SAST to CI/CD, Without Losing Any Friends with my bud Tanya Janca

Come say hi, I’d love to meet you 😀 I’ll have stickers.

Have fun out there, make some new friends, and stay safe.

Minimize permissions, just-in-time access, improve security and developer experience- I’m about it 👍

AppSec

Exploiting and Securing Jenkins Instances at Scale with GroovyWaiter
Nvidia’s Dylan Makowski introduces GroovyWaiter, a Python script that can scan at scale for Jenkins instances that allow unauthenticated access to their Script Console. The Script Console, if configured insecurely, can be used to access secrets, execute system commands, and potentially pivot into an organization’s infrastructure.

Semgrep (formerly r2c) lands $53M investment to grow code security platform
I now drive a ‘lambo, slick back my hair, and give people finger guns at least 3 times a day. And by that I mean I can afford to live in a small closet in the Bay Area. If the company does well, I hope to upgrade to a closet with a window 🤞 

Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default
15 page whitepaper by CISA on security-by-design, security-by-default, tactics, and more. Nothing that surprising or revolutionary, but it’s nice to see official endorsement of the approach forward-thinking tech companies have been promoting for 5-10 years. Jack Cable has a nice overview Twitter thread.

Supply Chain

pypa/gh-action-pip-audit
A GitHub Action that uses pip-audit to scan Python dependencies for known vulnerabilities. Maintained in part by Trail of Bits with support from Google.

Hijacking Arch Linux Packages by Repo Jacking GitHub Repositories
Joren Vrancken examines how many Arch User Repository packages could be taken over via GitHub repo jacking (re-registering a username that has been deleted or changed).

DevOps threat matrix
Using the MITRE ATT&CK framework as a base, Microsoft’s Ariel Brukman et al collected techniques and attack vectors associated with DevOps environments and created a matrix dedicated to DevOps attack methods, from initial access phase to exfiltration.

Announcing the deps.dev API: critical dependency data for secure supply chains
Google announces the deps.dev API, which provides free access to the deps.dev dataset of security metadata, including dependencies, licenses, advisories, and other critical health and security signals for more than 50 million open source package versions from the Go, Maven, PyPI, npm, and Cargo ecosystems.

Supply chain security for Go, Part 1: Vulnerability management
Google’s Julie Qiu and Oliver Chang describes how Go helps you manage vulnerabilities in open source packages: the Go package discovery site includes info from deps.dev (includes vulnerability info, security score form OpenSSF Scorecard, etc.), the Go vulnerability database includes detailed information (e.g. affected functions) so you can prioritize what’s actually a risk, and more.

Cloud Security

Zero Trust Access to Private Webapps on AWS ECS with Cloudflare Tunnel
Marco Lancini explains how to use Cloudflare Tunnel to securely access a Flask web app running in a private subnet in ECS on Fargate, without exposing the app to the public Internet or requiring a VPN.

Containing Compromised EC2 Credentials Without (Hopefully) Breaking Things
FireMon’s Rich Mogull shares 4 alternatives for containing compromised instance credentials and preventing attackers from pivoting into our AWS infrastructure:

• Add a Deny All Policy to the Role

• Revoke the session

• Change the IAM Role and Deny the old role

• Insert a VPC endpoint

Container Security

Container security fundamentals part 3: Capabilities
Datadog’s Rory McCune explains what Linux capabilities are, how to examine them using tools like pscap and filecap, and how they’re used in containers. Relatedly, I believe unprivileged containers are what the kids mean when they talk about #NoCap on the social medias.

Two Ways to Access EKS: Kubernetes RBAC and AWS
IAMMike Levan describes two methods to manage access with Elastic Kubernetes Service (EKS): Kubernetes RBAC and configuring an IAM OIDC identity provider using AWS IAM.

Managing Kubernetes secrets like a Pro
Tanat Paul Lokejaroenlarb from Adevinta writes about how the native approach used by Kubernetes to store secrets does not work in all scenarios, especially when dealing with account credentials. He shares two alternative approaches, sealed-secrets and external-secrets, which aim to provide a secure and scalable way to manage secrets across multiple clusters and teams.

New Kubernetes security audit complete and open sourced
The CNCF has published an audit of the project architecture and code base of Kubernetes 1.24, performed by NCC Group. Report here. The Security Architecture Review section is worth a read.

Blue Team

Harvesting Logs for Fun and Profit
Gerald Benischke describes how application logs, while helpful in debugging issues, can also expose sensitive info, such as personally identifiable information (PII) and credentials. Gerald provides recommendations for preventing this and useful Kibana queries for identifying PII.

Data Driven Detection Engineering
Julien Vehent reflects on the changes that have occurred in the detection and response industry and how it has shifted to focus on data-driven detection engineering and Detection as Code. This approach leverages complex data models that use pipelines to detect threats through anomalous behaviors. Julien discusses how modern threat detection systems will require solid software engineering skills, and he shares some stories about the engineering challenges he has encountered throughout his career.

Building Better Detection Systems: Introducing KRANG at Carta 
Carta’s John Sonnenschein announces KRANG (Knowledge, Reports, Alerts, & Normalization Generator), an automated framework for applying CI/CD practices to field normalization and detection engineering in a Splunk environment. Detection as Code ftw 🤘 

How to Yubikey: a configuration cheatsheet
A comprehensive guide that demonstrates various use cases for a Yubikey, providing command-line examples in a cheatsheet format. Learn how to use your Yubikey to secure a Keepass database, as a second factor for full disk encryption, as a smartcard, and more.

How we rolled out security keys at Twitter
2021 post by Nick Fohs and Nupur Gholap on how Twitter migrated to using security keys as their only supported 2FA method on internal systems, lessons learned, and where the security key ecosystem still needs to improve.

Misc 

Love at First Line
Gives you the first line of a number of books so you can choose based on what sounds the most interesting.

Toolkit for Sleep
Andrew Huberman’s list for how to get better at sleepinp.

everythingishacked/Semaphore
Use your whole body as a keyboard. Semaphore uses OpenCV and MediaPipe’s Pose detection to let you type via flag semaphore (that thing people do on boats with flags). I guarantee you will smile or laugh if you watch the ~5 second demo video. Delightful.

Machine Learning

Quicklinks:

• nat/natbot: Drive a browser with GPT-3.

• MarkPrompt - Build a delightful GPT-4 prompt for your Markdown docs.

• felixbade/assistant - A mobile-friendly human interface for the ChatGPT API. No back-end server, easily host it yourself.

• mckaywrigley/chatbot-ui - An open source ChatGPT UI.

• Auto-GPT - An experimental project to make GPT-4 fully autonomous by chaining together “thoughts” to achieve whatever goal you set.

• OpenAI’s CEO Says the Age of Giant AI Models Is Already Over - Sam Altman says we need new ideas, not just to train bigger models, to continue progressing. GPT-4 cost >$100M to train. They are not currently training GPT-5.

Guardrails.ai
A Python package that lets a user add structure, type and quality guarantees to the outputs of large language models (LLMs). If you’ve ever tried to get LLMs to output a specific format (like JSON), you know why this is useful.

The ChatGPT plugin OpenAI was using to assess the security of other plugins
rez0 shares the prompt, which was broken down into instructions, facts, and OpenAI’s policy.

Attacking LLM - Prompt Injection
Intro and overview of LLMs and prompt injection by LiveOverflow.

Prompt injection: What’s the worst that can happen?Simon Willison gives a nice overview of the impact of prompt injection and challenges in preventing it.

Threat Prompt #13 - AI Security is Probabilistic Security
Threat Prompt is a newsletter by Craig Balding on the intersection of AI and cybersecurity. In this issue, he discusses the challenges of dealing with prompt injection as well as useful links and resources.

Building LLM applications for production
Fantastic deep dive by Chip Huyen on:

1. The key challenges of productionizing LLM applications and solutions she’s seen.

2. How to compose multiple tasks with control flows (e.g. if statement, for loop) and incorporate tools (e.g. SQL executor, bash, web browsers, third-party APIs) for more complex and powerful applications.

3. Some of the promising use cases she’s seen companies building on top of LLMs and how to construct them from smaller tasks.

VCs on Machine Learning

Large language models in security
Innovation Endeavors’s Davis Treybig discusses a number of areas where he believes LLMs can be applied or integrated within security: SIEM, SAST, email security and phishing, SOAR, data loss prevention and data security, remediation, translating between security and everyone else, and vendor security questionnaires and compliance.

A Foundation Model Primer - March 2023
Very detailed deck by Innovation Endeavors’s Davis Treybig.

Every Company Needs an AI Strategy
Slides by Conviction’s Sarah Guo.

Developer Tools 2.0

GitHub’s Copilot has been immediately vastly popular, but Sequoia argues that there’s still massive opportunity for AI to transform software engineering and for new founders to build a generational company.

✉️ Wrapping Up 

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint