[tl;dr sec] #161 - ChatGPT, Scaling Vulnerability Management in Microservices, Supply Chain
Many varied examples of using ChatGPT, how Lyft precisely fixes OS and OS-package level vulnerabilities across ~1,000 services, Sigstore and dangerous subtleties in the GitHub download artifacts API.
Hey there,
I hope you’ve been doing well!
🧙‍♂️ Announcing: Staff Security Engineer
How do you get to Staff level in security?
It can be hard to know, as there’s not much guidance out there. Where is the staffeng.com for security?
I’m thrilled to announce that my bud Rami McCarthy went out and got stories from 8 Staff+ Security Engineers and collected them into an awesome resource.
If you find it useful and want to like, retweet or share on Twitter or LinkedIn, I’d much appreciate it!
Sponsor
📢 New: Dastardly, from Burp Suite
Developers running real-world dynamic scans in their pipeline is no longer a pipe dream.
Dastardly finds seven front-end security issues, by looking at your application from an attacker’s perspective - catching issues not found by SAST. Enable web devs to secure their code, by deploying Dastardly for free.
📜 In this newsletter...
Conferences: Black Hat USA 2022 videos posted, AWS security, compliance, and identity track videos
Supply Chain: Sigstore the easy way, using Sigstore to meet FedRAMP compliance, dangers around downloading artifacts in GitHub Action workflows
AppSec: Semgrep 1.0, RCE in VS Code, CVE/NVD challenges for open source and supply chain security, code scanning via listening to SCM events
Cloud Security: 10 impactful re:Invent announcements, Amazon Verified Permissions, AWS VPC Lattice
Container Security: Launchpad for apps deployed on Kubernetes, OCI registry on Cloudflare Workers
Blue Team: Making Cobalt Strike harder for threat actors to abuse, building Cribl Cloud using Substation, how Lyft does vuln management with microservices
Politics / Privacy: Former Twitter head of trust and safety weighs in on Twitter's future
ChatGPT: Tons of use case examples
Machine Learning: Napkin ideas around what changes to expect post-ChatGPT, AI homework
Misc: The Making of Steven Spielberg, behind the scenes of making iconic Disney movies
Conferences
Black Hat USA 2022
Video playlist released.
AWS re:Invent 2022
Video playlist from the Security, Compliance, & Identity track.
Supply Chain
Sigstore The Easy Way
An easy way to get started with software signing and securing software supply chains, by Rewanth Tammana.
Using Sigstore to meet FedRAMP Compliance at Autodesk
Autodesk’s Jesse Sanford describes using Sigstore and included tools (Cosign for container signing, Fulcio for root certification authority) to fulfill FedRAMP requirements, including container provenance and vulnerability scanning attestation.
Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable
Legit Security’s Noam Dotan describes how, because GitHub Actions don’t allow downloading artifacts created in different workflows, there’s a risk of artifact poisoning (replacing a legitimate artifact with a modified malicious one), when users try to overcome this limitation.
The “download artifacts” API (and various custom actions encapsulating it) doesn’t differentiate between artifacts that were uploaded by forked repositories and base repositories, which could lead privileged workflows to download artifacts that were created by forked repositories and that are potentially poisoned.
AppSec
Releasing Semgrep 1.0
Semgrep creator and all around program analysis wizard Yoann Padioleau describes the journey to Semgrep 1.0. Read to the end to see why this man living in Italy quotes Papa John’s 🤣
Visual Studio Code: Remote Code Execution · Advisory
Via opening a malicious Jupyter Notebook. Nice writeup by Google’s Thomas Shadwell.
An attacker could, through a link or website, take over the computer of a Visual Studio Code user and any computers they were connected to via the Visual Studio Code Remote Development feature. This issue affected at least GitHub Codespaces, github.dev, the web-based Visual Studio Code for Web and to a lesser extent Visual Studio Code desktop.
CVE / NVD doesn’t work for open source and supply chain security - part one, what’s wrong
Mark Curphey provides some history of CVE and NVD and discusses challenges, including: they were built for a different era, their data is often incorrect and not technically verified, they can’t deal with the rate of vuln ingestion, and some interesting discussion of prior work in the space.
See some discussion on Mark’s post here, and a detailed response by Walter Haydock here.
What is Pipelineless Security?
Arnica’s Nir Valtman discusses trade-offs between different ways to do code security scanning (IDE/git hooks, CI/CD pipelines, GitHub Checks) and proposes “pipelineless security”: listening to events from Source Code Management (SCM) tools instead. The benefit is that it doesn’t require code or configuration changes and isn’t per repo.
Cloud Security
VPC Lattice
Lambda SnapStart
Step Functions have added the Distributed Map step type
Amazon Verified Permissions
…
Amazon Verified Permissions
A scalable, fine-grained permissions management and authorization service for custom applications. The service centralizes fine-grained permissions for custom applications and helps developers authorize user actions within applications.
VPC Lattice
A new capability of Amazon VPC that gives you a consistent way to connect, secure, and monitor communication between your services. With VPC Lattice, you can define policies for traffic management, network access, and monitoring so you can connect applications in a simple and consistent way across AWS compute services (instances, containers, and serverless functions).
Sponsor
📢 Bob let a burdensome access security posture get in the way of developers. Don’t be like Bob.
Arnica's dynamic approach to permissions security eliminates excessive access risk without creating developer friction, actively securing source code while eliminating long waits for permissions approvals.
This is the first time a sponsor has used a cartoon. Pretty cool!
Container Security
stakater/Forecastle
By Stakater: A control panel which dynamically discovers and provides a launchpad to access applications deployed on Kubernetes.
chainguard-dev/crow-registry
An experimental prototype OCI registry on Cloudflare Workers, aiming to use Cloudflare’s R2 for egress-cost-free image distribution, by Chainguard.
The experiment worked (yay!!), but we don’t expect to proceed with this code, so it’s available as open source for anybody interested in trying it out.
Blue Team
Making Cobalt Strike harder for threat actors to abuse
Google’s Greg Sinclair announces the release of open-source YARA Rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike’s components and its respective versions. Since many threat actors rely on cracked versions of Cobalt Strike, fingerprinting its version allows you to disrupt likely attackers using older versions while leaving legitimate red teams alone.
Building Cribl Cloud Using Substation
Brex’s Josh Liburdi describes how users can build their own version of Cribl Cloud using their recently released Substation, Brex’s free and open source cloud-native data pipeline toolkit. Both are extract, transform, and load (ETL) systems that address similar use cases.
Vulnerability Management at Lyft: Enforcing the Cascade - Part 1
In a microservice ecosystem, if a service has a vulnerability, it’s difficult to tell if it was inherited from a base image or introduced by the service itself. Lyft’s Alex Chantavy describes how they used a graph-based approach to know how to precisely fix OS and OS-package level vulnerabilities across ~1,000 services on Kubernetes in a timely manner. This post is 🔥
Politics / Privacy
What’s Twitter’s Future? The Former Head of Trust And Safety Weighs In
Regardless of what Elon wants to do, Yoel Roth argues that Elon is fundamentally constrained by the need to keep Twitter’s discourse suitable for advertisers (currently 90% of revenue), the need to abide by U.S. and international laws to avoid massive fines, and potentially “the most significant check on unrestrained speech on the mainstream internet: the app stores operated by Google and Apple.” Because if you’re not in the app stores, you’re missing out on billions of users. I found this discussion of constraints interesting.
ChatGPT
OpenAI released a chat interface for GPT-3, and the Internet immediately exploded with people posting examples of them using it.
Here are a few:
Ben Tossell has a thread of examples
A Chrome extension to show ChatGPT response in Google search results
Write a sarcastic email to customers letting them know that their unmaintained IoT device has suffered a security breach
Writing a game from scratch that uses Elixir Phoenix and LiveView
Explain the worst-case time complexity of the bubble sort algorithm, with Python code examples, in the style of a fast-talkin’ wise guy from a 1940’s gangster movie
Imagine You’re a Database Server
Collaborative creative writing: bouncing ideas off GPT-3 and using it to write story outlines
Take the SAT - it got a 1020
Create a Set of Fantasy Creatures
Give me a Python program for how to destroy humanity
Ask for and generate fantastical living room designs
Dropping in a vulnerable EC2 Terraform script from TerraGoat and getting a detailed explanation of where the vulnerabilities exist, why they’re considered vulnerabilities, and how to fix them
Explain why I got this AWS IAM access denied error and how to fix it
Machine Learning
Napkin Ideas Around What Changes to Expect Post-ChatGPT
Fascinating reflections by Daniel Miessler on the future of machine learning and work. Topics: work replacement, talent magnification, solopreneurs, AI specialists, idea dominance, use cases, and more.
AI Homework
Stratechery’s Ben Thompson weighs in, pointing out a number of areas where ChatGPT is wrong.
We predict that lots of people will just change the way they think about individual creativity. Just as some modern sculptors use machine tools, and some modern artists use 3d rendering software, we think that some of the creators of the future will learn to see generative AI as just another tool – something that enhances creativity by freeing up human beings to think about different aspects of the creation.
In other words, the role of the human in terms of AI is not to be the interrogator, but rather the editor.
Here’s an example of what homework might look like under this new paradigm. Imagine that a school acquires an AI software suite that students are expected to use for their answers about Hobbes or anything else; every answer that is generated is recorded so that teachers can instantly ascertain that students didn’t use a different system. Moreover, instead of futilely demanding that students write essays themselves, teachers insist on AI. Here’s the thing, though: the system will frequently give the wrong answers (and not just on accident — wrong answers will be often pushed out on purpose); the real skill in the homework assignment will be in verifying the answers the system churns out — learning how to be a verifier and an editor, instead of a regurgitator.
Misc
The Making of Steven Spielberg
“The Fabelmans” is a lightly fictionalized dramatization of the famous director’s childhood. Reminds me of the Martin Scorsese quote, “The most personal is the most creative.”
Jodi Benson Recording Part Of Your World
Wow! A behind the scenes coaching session of an iconic song. Very cool.
Jodi Benson in the studio with Howard Ashman recording “Part Of Your World” from “The Little Mermaid.” From the bonus features of the film “Waking Sleeping Beauty”.
Apparently there’s another documentary, Howard, about the life of songwriter Howard Ashman, who wrote many of the songs from The Little Mermaid, Beauty and the Beast and Aladdin.
Also, I’m melting from this A Whole New World Recording Session.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint