[tl;dr sec] #173 - What Software Will Be Post GPT-4, the Cybersecurity Landscape, Reducing Attack Surface in AWS
The AI-based architecture that’ll replace most existing software, overview of cybersecurity companies and acquisitions, how to lock down instance creds and regions/services in AWS.
I hope you’ve been doing well!
In case you weren’t familiar, March 14th (3.14) was National Pi Day.
I celebrated with friends by eating some delicious chicken pot pie and apple pie.
But sometimes I wonder… there are so many holidays these days. How many of them are true celebrations, vs the capitalist machine hell-bent on getting us to consume more?
Maybe Pi Day is just propaganda from Big Pharma Math 🤔
📢 Start Secure, Stay Secure!
Cloud misconfiguration is the third highest cause of security breaches.
Misconfigurations are easier to prevent than to fix. Developers report it can take days to weeks to provision infrastructure, and it shouldn't!
Creating a win-win is possible. Where developers get the cloud infrastructure they need faster than they can get a coffee break. The best part – it's built on a library of golden patterns and protected by guardrails. Netflix Information Security teams call these solutions paved roads.
Resourcely offers cloud infrastructure paved roads as a service.
📜 In this newsletter...
AppSec: E2EE through Kafka, Cloudflare's next gen proxy framework, Semgrep’s beta support for Rust, A Deeper Look at Modern SAST Tools, Multi-repository variant analysis via VS Code and CodeQL
Supply Chain: Tool to find vulnerable packages, Easier and More Secure Signature Technology for Java with Sigstore
Cloud Security: Tool to list cloud assets, Reducing Attack Surface with AWS Allowlisting, How to use policies to restrict where EC2 instance credentials can be used
Container Security: Migrating From Pod Security Policies to Pod Security Standards, Kubernetes WithOut Kubelet, How to secure Kubernetes Ingress
Machine Learning: AI Esther Perel, connect LLMs with external data, GPT ib Neovim, ChatGPT in Discord, threat modeling Kubernetes with GPT-3, GPT-4 announced, GPT-4 overview, How AI is Eating the Software World, The Bitter Lesson
Misc: Unlocking the Cybersecurity Landscape, Silicon Valley Bank bank run, banking in very uncertain times
Oxy is Cloudflare’s Rust-based next generation proxy framework
Cloudflare’s Ivan Nikulin describes Oxy in detail, which is a foundation of several Cloudflare projects, including the Zero Trust Gateway, the iCloud Private Relay second hop proxy, and the internal egress routing service.
Announcing Semgrep’s beta support for Rust
Red Canary’s Matt Schwager helped improve Semgrep’s Rust support to Beta and contributed the first Rust rules to the Semgrep community. Awesome to see the community making Semgrep better for everyone 🚀
Multi-repository variant analysis: a powerful new way to perform security research across GitHub
By GitHub’s Walker Chabbott and James Fletcher. You can now easily run CodeQL queries against a list of up to 1,000 repositories from within VS Code. Neat!
📢 Keep pace against the rapidly evolving threat landscape with Cloudflare
Cloudflare is your all-in-one enterprise security solution for applications, networks, and employees – trusted by millions of organizations around the world to keep their businesses secure and resilient.
Evaluating enterprise security solutions takes both time and resources. For projects that can't wait, start with Cloudflare Business, an easy-to-deploy and configure solution designed for customizable security and performance that’s PCI compliant.
By Ossilate: A tool that can detect malicious, vulnerable, abandoned, typo-squatting, and other “risky” packages from popular open-source package registries, such as NPM, RubyGems, and PyPI.
Towards Easier, More Secure Signature Technology for the Java Ecosystem with Sigstore
Project Sigstore provides an update on the consistent progress that the Sigstore Java client has been making and how many in the Java ecosystem, including Maven and Gradle, are considering Sigstore as an alternative to PGP signing. Benefits of Sigstore:
Users don’t manage keys; keys are single use
Email addresses associated with signing are verified by cert authority/OIDC provider
Auditing via transparency logs
By ProjectDiscovery: A multi-cloud tool for getting Assets from Cloud Providers, intended to be used by the blue team to augment Attack Surface Management efforts by maintaining a centralized list of assets across multiple clouds.
Reducing Attack Surface with AWS Allowlisting
Figma’s Rami McCarthy describes how they implementing Region & Service allowlisting in AWS, removing ~80% of the control plane attack surface for their org. Side benefits: it offers a service inventory for targeted detection development and lowers compliance burden. Great example of categorically reducing risk / eliminating classes of issues. Secure defaults ftw! 🤘
How to use policies to restrict where EC2 instance credentials can be used from
There are two new global condition context keys that make it simpler to write policies in which EC2 instance credentials work only when used on the instance to which they are issued, without hard-coding VPC IDs or IP addresses in the policy.
From Scott Piper:
From Pod Security Policies to Pod Security Standards – a Migration Guide
Pod Security Policies were removed in Kubernetes v1.25. Wiz’s Shay Berkovich and Amir Lande Blau discuss migration strategies, offer guidance, and point out potential migration restrictions and limitations.
Introducing KWOK: Kubernetes WithOut Kubelet
KWOK is a toolkit that enables you to create a cluster of thousands of nodes in seconds, enabling you to simulate real nodes with a low resource footprint and test your Kubernetes controller at scale without spending much on infrastructure.
Instead of simply speaking with a therapist, I created an ai one.
Alex Furmansky trained a custom GPT-3 model on Esther Perel’s work. It has a number you can text and interact with.
A project that provides a central interface to connect your LLM’s with external data.
A plugin for neovim that provides commands to interact with ChatGPT, like code completion, refactorings, generating docs, etc.
Discord updates its bot with ChatGPT-like features, rolls out AI-generated conversation summaries and more
@Clyde is now powered by ChatGPT, so it can recommend playlists, send you a GIF or five interesting facts about cats, etc.
New model released by OpenAI, and as expected, it’s a massive improvement. It can accept image and text input, pass a bar exam with a score around the top 10% of test takers, summarize an article in words that only begin with a specific letter, generate web page HTML from a photo of a hand drawn mock, explain why an image is funny, and more.
The Multi-modal, Multi-model, Multi-everything Future of AGI
Great overview of GPT-4 by Shawn Wang.
How AI is Eating the Software World
Fascinating post by Daniel Miessler on why he thinks LLMs “understand” things (and don’t just complete text), and how he believes that software may be replaced by AI models informed by your company’s State (data, telemetry), Policy (your desired state and what you don’t want to happen), and Action (the recommendations or actions that can be performed to bring the State in line with the Policy).
And an excellent follow-up post:
SPQA: The AI-based Architecture That’ll Replace Most Existing Software that includes applications to security domains.
The Bitter Lesson
Interesting examples (Chess, Go, speech recognition, computer vision) of trying to leverage human knowledge or customizing to a domain being less effective than simply more computation.
Silicon Valley Bank: An ‘It’s a Wonderful Life’ bank run for the digital age
Last Thursday, Peter Thiel’s Founders Fund began advising its portfolio companies to withdraw their money from SVB. Other VCs caught wind of this and advised the same, leading SVB to fail. It’d be interesting see if anyone involved in causing SVB’s failure had an economic incentive to do so. More perspective here from an insider.
See also this deep dive: The Demise of Silicon Valley Bank>
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!