• tl;dr sec
  • Posts
  • [tl;dr sec] #161 - ChatGPT, Scaling Vulnerability Management in Microservices, Supply Chain

[tl;dr sec] #161 - ChatGPT, Scaling Vulnerability Management in Microservices, Supply Chain

Many varied examples of using ChatGPT, how Lyft precisely fixes OS and OS-package level vulnerabilities across ~1,000 services, Sigstore and dangerous subtleties in the GitHub download artifacts API.

Hey there,

I hope you’ve been doing well!

🧙‍♂️ Announcing: Staff Security Engineer

How do you get to Staff level in security?

It can be hard to know, as there’s not much guidance out there. Where is the staffeng.com for security?

I’m thrilled to announce that my bud Rami McCarthy went out and got stories from 8 Staff+ Security Engineers and collected them into an awesome resource.

If you find it useful and want to like, retweet or share on Twitter or LinkedIn, I’d much appreciate it!


📢 New: Dastardly, from Burp Suite

Developers running real-world dynamic scans in their pipeline is no longer a pipe dream.

Dastardly finds seven front-end security issues, by looking at your application from an attacker’s perspective - catching issues not found by SAST. Enable web devs to secure their code, by deploying Dastardly for free.

📜 In this newsletter...

  • Conferences: Black Hat USA 2022 videos posted, AWS security, compliance, and identity track videos

  • Supply Chain: Sigstore the easy way, using Sigstore to meet FedRAMP compliance, dangers around downloading artifacts in GitHub Action workflows

  • AppSec: Semgrep 1.0, RCE in VS Code, CVE/NVD challenges for open source and supply chain security, code scanning via listening to SCM events

  • Cloud Security: 10 impactful re:Invent announcements, Amazon Verified Permissions, AWS VPC Lattice

  • Container Security: Launchpad for apps deployed on Kubernetes, OCI registry on Cloudflare Workers

  • Blue Team: Making Cobalt Strike harder for threat actors to abuse, building Cribl Cloud using Substation, how Lyft does vuln management with microservices

  • Politics / Privacy: Former Twitter head of trust and safety weighs in on Twitter's future

  • ChatGPT: Tons of use case examples

  • Machine Learning: Napkin ideas around what changes to expect post-ChatGPT, AI homework

  • Misc: The Making of Steven Spielberg, behind the scenes of making iconic Disney movies


Black Hat USA 2022
Video playlist released.

AWS re:Invent 2022
Video playlist from the Security, Compliance, & Identity track.

Supply Chain

Sigstore The Easy Way
An easy way to getting started with software signing & securing software supply chains, by Rewanth Tammana.

Using Sigstore to meet FedRAMP Compliance at Autodesk
Autodesk’s Jesse Sanford describes using Sigstore and included tools (Cosign for container signing, Fulcio for root certification authority) to fulfill FedRAMP requirements, including container provenance and vulnerability scanning attestation.

Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable
Legit Security’s Noam Dotan describes how, because GitHub Actions don’t allow downloading artifacts created in different workflows, there’s a risk of artifact poisoning (replacing a legitimate artifact with a modified malicious one), when users try to overcome this limitation.

The “download artifacts” API (and various custom actions encapsulating it) doesn’t differentiate between artifacts that were uploaded by forked repositories and base repositories, which could lead privileged workflows to download artifacts that were created by forked repositories and that are potentially poisoned.


Releasing Semgrep 1.0
Semgrep creator and all around program analysis wizard Yoann Padioleau describes the journey to Semgrep 1.0. Read to the end to see why this man living in Italy quotes Papa John’s 🤣 

Visual Studio Code: Remote Code Execution · Advisory
Via opening a malicious Jupyter Notebook. Nice writeup by Google’s Thomas Shadwell.

An attacker could, through a link or website, take over the computer of a Visual Studio Code user and any computers they were connected to via the Visual Studio Code Remote Development feature. This issue affected at least GitHub Codespaces, github.dev, the web-based Visual Studio Code for Web and to a lesser extent Visual Studio Code desktop.

CVE / NVD doesn’t work for open source and supply chain security - part one, what’s wrong
Mark Curphey provides some history of CVE and NVD and discusses challenges, including: they were built for a different era, their data is often incorrect and not technically verified, they can’t deal with the rate of vuln ingestion, and some interesting discussion of prior work in the space.

See some discussion on Mark’s post here, and a detailed response by Walter Haydock here.

What is Pipelineless Security?
Arnica’s Nir Valtman discusses trade-offs between different ways to do code security scanning (IDE/git hooks, CI/CD pipelines, GitHub Checks) and proposes “pipelineless security” as instead listening to events from Source Code Management (SCM) tools. The benefit of this being it doesn’t require code or configuration changes and isn’t per repo.

Cloud Security

  1. VPC Lattice

  2. Lambda SnapStart

  3. Step Functions have added the Distributed Map step type

  4. Amazon Verified Permissions

A scalable, fine-grained permissions management and authorization service for custom applications. The service centralizes fine-grained permissions for custom applications and helps developers authorize user actions within applications.


A new capability of Amazon VPC that gives you a consistent way to connect, secure, and monitor communication between your services. With VPC Lattice, you can define policies for traffic management, network access, and monitoring so you can connect applications in a simple and consistent way across AWS compute services (instances, containers, and serverless functions).


📢 Bob let a burdensome access security posture get in the way of developers. Don’t be like Bob.

Arnica's dynamic approach to permissions security eliminates excessive access risk without creating developer friction, actively securing source code while eliminating long waits for permissions approvals.

This is the first time a sponsor has used a cartoon. Pretty cool!

Container Security

By Stakater: A control panel which dynamically discovers and provides a launchpad to access applications deployed on Kubernetes.

An experimental prototype OCI registry on Cloudflare Workers, aiming to use Cloudflare’s R2 for egress-cost-free image distribution, by Chainguard.

The experiment worked (yay!!), but we don’t expect to proceed with this code, so it’s available as open source for anybody interested in trying it out.

Blue Team

Making Cobalt Strike harder for threat actors to abuse
Google’s Greg Sinclair announces the release of open-source YARA Rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike’s components and its respective versions. Since many threat actors rely on cracked versions of Cobalt Strike, fingerprinting its version allows you to disrupt likely attackers using older versions while leaving legitimate red teams alone.

Building Cribl Cloud Using Substation
Brex’s Josh Liburdi describes how users can build their own version of Cribl Cloud using their recently released Substation, Brex’s free and open source cloud-native data pipeline toolkit. Both are extract, transform, and load (ETL) systems that address similar use cases.

Vulnerability Management at Lyft: Enforcing the Cascade - Part 1
In a microservice ecosystem, if a service has a vulnerability, it’s difficult to tell if it was inherited from a base image or introduced by the service itself. Lyft’s Alex Chantavy describes how they used a graph-based approached to know how to precisely fix OS and OS-package level vulnerabilities across ~1,000 services on Kubernetes in a timely manner. This post is 🔥

Politics / Privacy

What’s Twitter’s Future? The Former Head of Trust And Safety Weighs In
Regardless of what Elon wants to do, Yoel Roth argues that Elon is fundamentally constrained by keeping Twitter’s discourse suitable for advertisers (currently 90% of revenue), abides by U.S. and international laws to avoid massive fines, and potentially “the most significant check on unrestrained speech on the mainstream internet: the app stores operated by Google and Apple.” Because if you’re not in the app stores, you’re missing out on billions of users. I found this discussion of constraints interesting.

OpenAI released a chat interface for GPT-3, and the Internet immediately exploded with people posting examples of them using it.

Here are a few:

Machine Learning

Napkin Ideas Around What Changes to Expect Post-ChatGPT
Fascinating reflections by Daniel Miessler on the future of machine learning and work. topics: work replacement, talent magnification, solopreneurs, ai specialists, idea dominance, use cases, and more.

AI Homework
Stratechery’s Ben Thompson weighs in, pointing out a number of areas where ChatGPT is wrong.

We predict that lots of people will just change the way they think about individual creativity. Just as some modern sculptors use machine tools, and some modern artists use 3d rendering software, we think that some of the creators of the future will learn to see generative AI as just another tool – something that enhances creativity by freeing up human beings to think about different aspects of the creation.

In other words, the role of the human in terms of AI is not to be the interrogator, but rather the editor.

Here’s an example of what homework might look like under this new paradigm. Imagine that a school acquires an AI software suite that students are expected to use for their answers about Hobbes or anything else; every answer that is generated is recorded so that teachers can instantly ascertain that students didn’t use a different system. Moreover, instead of futilely demanding that students write essays themselves, teachers insist on AI. Here’s the thing, though: the system will frequently give the wrong answers (and not just on accident — wrong answers will be often pushed out on purpose); the real skill in the homework assignment will be in verifying the answers the system churns out — learning how to be a verifier and an editor, instead of a regurgitator.


The Making of Steven Spielberg
“The Fabelmans” is a lightly fictionalized dramatization of the famous director’s childhood. Reminds me of the Martin Scorsese quote, “The most personal is the most creative.”

Jodi Benson Recording Part Of Your World
Wow! A behind the scenes coaching session of an iconic song. Very cool.

Jodi Benson in the studio with Howard Ashman recording “Part Of Your World” from “The Little Mermaid.” From the bonus features of the film “Waking Sleeping Beauty”.

Apparently there’s another documentary, Howard, about the life of songwriter Howard Ashman, who wrote many of the songs from The Little Mermaid, Beauty and the Beast and Aladdin.

Also, I’m melting from this A Whole New World Recording Session.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!