[tl;dr sec] #161 - ChatGPT, Scaling Vulnerability Management in Microservices, Supply Chain
Many varied examples of using ChatGPT, how Lyft precisely fixes OS and OS-package level vulnerabilities across ~1,000 services, Sigstore and dangerous subtleties in the GitHub download artifacts API.
I hope you’ve been doing well!
🧙‍♂️ Announcing: Staff Security Engineer
How do you get to Staff level in security?
It can be hard to know, as there’s not much guidance out there. Where is the staffeng.com for security?
I’m thrilled to announce that my bud Rami McCarthy went out and got stories from 8 Staff+ Security Engineers and collected them into an awesome resource.
📢 New: Dastardly, from Burp Suite
Developers running real-world dynamic scans in their pipeline is no longer a pipe dream.
Dastardly finds seven front-end security issues, by looking at your application from an attacker’s perspective - catching issues not found by SAST. Enable web devs to secure their code, by deploying Dastardly for free.
📜 In this newsletter...
Conferences: Black Hat USA 2022 videos posted, AWS security, compliance, and identity track videos
Supply Chain: Sigstore the easy way, using Sigstore to meet FedRAMP compliance, dangers around downloading artifacts in GitHub Action workflows
AppSec: Semgrep 1.0, RCE in VS Code, CVE/NVD challenges for open source and supply chain security, code scanning via listening to SCM events
Cloud Security: 10 impactful re:Invent announcements, Amazon Verified Permissions, AWS VPC Lattice
Container Security: Launchpad for apps deployed on Kubernetes, OCI registry on Cloudflare Workers
Blue Team: Making Cobalt Strike harder for threat actors to abuse, building Cribl Cloud using Substation, how Lyft does vuln management with microservices
Politics / Privacy: Former Twitter head of trust and safety weighs in on Twitter's future
ChatGPT: Tons of use case examples
Machine Learning: Napkin ideas around what changes to expect post-ChatGPT, AI homework
Misc: The Making of Steven Spielberg, behind the scenes of making iconic Disney movies
Black Hat USA 2022
Video playlist released.
AWS re:Invent 2022
Video playlist from the Security, Compliance, & Identity track.
Using Sigstore to meet FedRAMP Compliance at Autodesk
Autodesk’s Jesse Sanford describes using Sigstore and included tools (Cosign for container signing, Fulcio for root certification authority) to fulfill FedRAMP requirements, including container provenance and vulnerability scanning attestation.
Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable
Legit Security’s Noam Dotan describes how, because GitHub Actions doesn’t natively allow downloading artifacts created by a different workflow, the workarounds users adopt to get around this limitation open them up to artifact poisoning (a legitimate artifact being replaced by a modified, malicious one).
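As an added defensive illustration (not code from the Legit Security post or any project), this is how a script that lists artifacts through the GitHub REST API can avoid consuming one that was produced from a fork: it trusts the run’s `head_repository_id` rather than its branch name. Field names follow the REST API’s artifact object as I know it; the ids, SHAs and repository numbers are constructed.

```python
# Constructed sample of a GET /repos/{owner}/{repo}/actions/artifacts listing, trimmed
# to the fields used here; every id and sha is made up. The repository that owns the
# workflow is assumed to have id 1001; 2002 stands for a fork of it.
TRUSTED_REPO_ID = 1001
SAMPLE_LISTING = {"artifacts": [
    {"id": 1, "name": "build", "expired": False,   # newest unexpired run from the trusted repo
     "workflow_run": {"id": 501, "head_repository_id": 1001, "head_branch": "main", "head_sha": "aaa111"}},
    {"id": 2, "name": "build", "expired": False,   # same branch name, but built from a fork
     "workflow_run": {"id": 502, "head_repository_id": 2002, "head_branch": "main", "head_sha": "bbb222"}},
    {"id": 3, "name": "build", "expired": True,    # trustworthy origin, but already expired
     "workflow_run": {"id": 503, "head_repository_id": 1001, "head_branch": "main", "head_sha": "ccc333"}},
    {"id": 4, "name": "build", "expired": False,   # older run from the trusted repo
     "workflow_run": {"id": 499, "head_repository_id": 1001, "head_branch": "main", "head_sha": "ddd444"}},
]}


def select_trusted_artifact(listing, name, trusted_repo_id, expected_sha=None):
    """Pick the newest unexpired artifact called `name` whose producing run built code
    that lives in the trusted repository itself.

    Filtering on head_branch alone is not enough: a run triggered from a fork can carry
    any branch name, whereas head_repository_id identifies where the commit really lives.
    Pass expected_sha to pin the artifact to the exact commit you intend to consume."""
    candidates = []
    for art in listing["artifacts"]:
        run = art.get("workflow_run") or {}
        if art["name"] != name or art.get("expired"):
            continue
        if run.get("head_repository_id") != trusted_repo_id:
            continue
        if expected_sha is not None and run.get("head_sha") != expected_sha:
            continue
        candidates.append(art)
    # Highest run id is the most recent run; None if nothing passed the checks.
    return max(candidates, key=lambda a: a["workflow_run"]["id"], default=None)
```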
Releasing Semgrep 1.0
Semgrep creator and all around program analysis wizard Yoann Padioleau describes the journey to Semgrep 1.0. Read to the end to see why this man living in Italy quotes Papa John’s 🤣
Visual Studio Code: Remote Code Execution · Advisory
Via opening a malicious Jupyter Notebook. Nice writeup by Google’s Thomas Shadwell.
CVE / NVD doesn’t work for open source and supply chain security - part one, what’s wrong
Mark Curphey provides some history of CVE and NVD and discusses challenges, including: they were built for a different era, their data is often incorrect and not technically verified, they can’t deal with the rate of vuln ingestion, and some interesting discussion of prior work in the space.
What is Pipelineless Security?
Arnica’s Nir Valtman discusses the trade-offs between different ways to do code security scanning (IDE/git hooks, CI/CD pipelines, GitHub Checks) and proposes “pipelineless security”: listening to events from Source Code Management (SCM) tools instead. The benefit is that it doesn’t require code or configuration changes and doesn’t have to be set up per repo.
Step Functions have added the Distributed Map step type
Amazon Verified Permissions
📢 Bob let a burdensome access security posture get in the way of developers. Don’t be like Bob.
Arnica's dynamic approach to permissions security eliminates excessive access risk without creating developer friction, actively securing source code while eliminating long waits for permissions approvals.
This is the first time a sponsor has used a cartoon. Pretty cool!
Making Cobalt Strike harder for threat actors to abuse
Google’s Greg Sinclair announces the release of open-source YARA Rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike’s components and its respective versions. Since many threat actors rely on cracked versions of Cobalt Strike, fingerprinting its version allows you to disrupt likely attackers using older versions while leaving legitimate red teams alone.
Building Cribl Cloud Using Substation
Brex’s Josh Liburdi describes how users can build their own version of Cribl Cloud using their recently released Substation, Brex’s free and open source cloud-native data pipeline toolkit. Both are extract, transform, and load (ETL) systems that address similar use cases.
Vulnerability Management at Lyft: Enforcing the Cascade - Part 1
In a microservice ecosystem, if a service has a vulnerability, it’s difficult to tell whether it was inherited from a base image or introduced by the service itself. Lyft’s Alex Chantavy describes the graph-based approach they use to work out exactly where to fix OS and OS-package level vulnerabilities across ~1,000 services on Kubernetes in a timely manner. This post is 🔥
Politics / Privacy
What’s Twitter’s Future? The Former Head of Trust And Safety Weighs In
Regardless of what Elon wants to do, Yoel Roth argues that Elon is fundamentally constrained by the need to keep Twitter’s discourse suitable for advertisers (currently 90% of revenue), to abide by U.S. and international laws to avoid massive fines, and potentially by “the most significant check on unrestrained speech on the mainstream internet: the app stores operated by Google and Apple.” Because if you’re not in the app stores, you’re missing out on billions of users. I found this discussion of constraints interesting.
OpenAI released a chat interface for GPT-3, and the Internet immediately exploded with people posting examples of them using it.
Here are a few:
Ben Tossell has a thread of examples
Write a sarcastic email to customers letting them know that their unmaintained IoT device has suffered a security breach
Writing a game from scratch that uses Elixir Phoenix and LiveView
Explain the worst-case time complexity of the bubble sort algorithm, with Python code examples, in the style of a fast-talkin’ wise guy from a 1940s gangster movie
Imagine You’re a Database Server
Collaborative creative writing: bouncing ideas off GPT-3 and using it to write story outlines
Take the SAT - it got a 1020
Create a Set of Fantasy Creatures
Give me a Python program for how to destroy humanity
Ask for and generate fantastical living room designs
Dropping in a vulnerable EC2 Terraform script from TerraGoat and getting a detailed explanation of where the vulnerabilities exist, why they’re considered vulnerabilities, and how to fix them
Explain why I got this AWS IAM access denied error and how to fix it
Napkin Ideas Around What Changes to Expect Post-ChatGPT
Fascinating reflections by Daniel Miessler on the future of machine learning and work. Topics: work replacement, talent magnification, solopreneurs, AI specialists, idea dominance, use cases, and more.
The Making of Steven Spielberg
“The Fabelmans” is a lightly fictionalized dramatization of the famous director’s childhood. Reminds me of the Martin Scorsese quote, “The most personal is the most creative.”
Jodi Benson Recording Part Of Your World
Wow! A behind the scenes coaching session of an iconic song. Very cool.
Apparently there’s another documentary, Howard, about the life of songwriter Howard Ashman, who wrote many of the songs from The Little Mermaid, Beauty and the Beast and Aladdin.
Also, I’m melting from this A Whole New World Recording Session.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!