- tl;dr sec
- Posts
- [tl;dr sec] #173 - What Software Will Be Post GPT-4, the Cybersecurity Landscape, Reducing Attack Surface in AWS
[tl;dr sec] #173 - What Software Will Be Post GPT-4, the Cybersecurity Landscape, Reducing Attack Surface in AWS
The AI-based architecture that’ll replace most existing software, overview of cybersecurity companies and acquisitions, how to lock down instance creds and regions/services in AWS.
Hey there,
I hope you’ve been doing well!
Pi Day
In case you weren’t familiar, March 14th (3.14) was National Pi Day.
I celebrated with friends by eating some delicious chicken pot pie and apple pie.
But sometimes I wonder… there are so many holidays these days. How many of them are true celebrations, vs the capitalist machine hell-bent on getting us to consume more?
Maybe Pi Day is just propaganda from Big Pharma Math 🤔
Sponsor
📢 Start Secure, Stay Secure!
Cloud misconfiguration is the third highest cause of security breaches.
Misconfigurations are easier to prevent than to fix. Developers report it can take days to weeks to provision infrastructure, and it shouldn't!
Creating a win-win is possible. Where developers get the cloud infrastructure they need faster than they can get a coffee break. The best part – it's built on a library of golden patterns and protected by guardrails. Netflix Information Security teams call these solutions paved roads.
Resourcely offers cloud infrastructure paved roads as a service.
📜 In this newsletter...
AppSec: E2EE through Kafka, Cloudflare's next gen proxy framework, Semgrep’s beta support for Rust, A Deeper Look at Modern SAST Tools, Multi-repository variant analysis via VS Code and CodeQL
Supply Chain: Tool to find vulnerable packages, Easier and More Secure Signature Technology for Java with Sigstore
Cloud Security: Tool to list cloud assets, Reducing Attack Surface with AWS Allowlisting, How to use policies to restrict where EC2 instance credentials can be used
Container Security: Migrating From Pod Security Policies to Pod Security Standards, Kubernetes WithOut Kubelet, How to secure Kubernetes Ingress
Machine Learning: AI Esther Perel, connect LLMs with external data, GPT ib Neovim, ChatGPT in Discord, threat modeling Kubernetes with GPT-3, GPT-4 announced, GPT-4 overview, How AI is Eating the Software World, The Bitter Lesson
Misc: Unlocking the Cybersecurity Landscape, Silicon Valley Bank bank run, banking in very uncertain times
AppSec
End-to-end encryption through Kafka
Walkthrough by Ockam on how to easily set up end-to-end encryption for your data flowing through Kafka, from many producers all the way to end consumers.
Oxy is Cloudflare’s Rust-based next generation proxy framework
Cloudflare’s Ivan Nikulin describes Oxy in detail, which is a foundation of several Cloudflare projects, including the Zero Trust Gateway, the iCloud Private Relay second hop proxy, and the internal egress routing service.
Announcing Semgrep’s beta support for Rust
Red Canary’s Matt Schwager helped improve Semgrep’s Rust support to Beta and contributed the first Rust rules to the Semgrep community. Awesome to see the community making Semgrep better for everyone 🚀
A Deeper Look at Modern SAST Tools
Yahoo’s Joe Rozner compares CodeQL and Semgrep as a vulnerability researcher, including licensing, tooling, language support, and automatic fixes.
Multi-repository variant analysis: a powerful new way to perform security research across GitHub
By GitHub’s Walker Chabbott and James Fletcher. You can now easily run CodeQL queries against a list of up to 1,000 repositories from within VS Code. Neat!
Sponsor
📢 Keep pace against the rapidly evolving threat landscape with Cloudflare
Cloudflare is your all-in-one enterprise security solution for applications, networks, and employees – trusted by millions of organizations around the world to keep their businesses secure and resilient.
Evaluating enterprise security solutions takes both time and resources. For projects that can't wait, start with Cloudflare Business, an easy-to-deploy and configure solution designed for customizable security and performance that’s PCI compliant.
Supply Chain
ossillate-inc/packj
By Ossilate: A tool that can detect malicious, vulnerable, abandoned, typo-squatting, and other “risky” packages from popular open-source package registries, such as NPM, RubyGems, and PyPI.
Towards Easier, More Secure Signature Technology for the Java Ecosystem with Sigstore
Project Sigstore provides an update on the consistent progress that the Sigstore Java client has been making and how many in the Java ecosystem, including Maven and Gradle, are considering Sigstore as an alternative to PGP signing. Benefits of Sigstore:
Users don’t manage keys; keys are single use
Email addresses associated with signing are verified by cert authority/OIDC provider
Auditing via transparency logs
Cloud Security
projectdiscovery/cloudlist
By ProjectDiscovery: A multi-cloud tool for getting Assets from Cloud Providers, intended to be used by the blue team to augment Attack Surface Management efforts by maintaining a centralized list of assets across multiple clouds.
Reducing Attack Surface with AWS Allowlisting
Figma’s Rami McCarthy describes how they implementing Region & Service allowlisting in AWS, removing ~80% of the control plane attack surface for their org. Side benefits: it offers a service inventory for targeted detection development and lowers compliance burden. Great example of categorically reducing risk / eliminating classes of issues. Secure defaults ftw! 🤘
Now, we can focus our energies on providing a paved, well protected road across the services we actually use, without leaving attackers with so many options.
How to use policies to restrict where EC2 instance credentials can be used from
There are two new global condition context keys that make it simpler to write policies in which EC2 instance credentials work only when used on the instance to which they are issued, without hard-coding VPC IDs or IP addresses in the policy.
From Scott Piper:
This appears to be roughly the equivalent of the benefits of enforcing IMDSv2, but possibly less of the usability pain of the access denieds.
See also Ermetic’s Lior Zatlavi post: A New Incentive for Using AWS VPC Endpoints.
Container Security
From Pod Security Policies to Pod Security Standards – a Migration Guide
Pod Security Policies were removed in Kubernetes v1.25. Wiz’s Shay Berkovich and Amir Lande Blau discuss migration strategies, offer guidance, and point out potential migration restrictions and limitations.
Introducing KWOK: Kubernetes WithOut Kubelet
KWOK is a toolkit that enables you to create a cluster of thousands of nodes in seconds, enabling you to simulate real nodes with a low resource footprint and test your Kubernetes controller at scale without spending much on infrastructure.
How to secure Kubernetes Ingress?
Armo’s Ben Hirschberg discusses how to secure Ingress resources via adding TLS to Ingress and then procuring TLS/SSL certificates.
Machine Learning
Instead of simply speaking with a therapist, I created an ai one.
Alex Furmansky trained a custom GPT-3 model on Esther Perel’s work. It has a number you can text and interact with.
jerryjliu/llama_index
A project that provides a central interface to connect your LLM’s with external data.
dpayne/CodeGPT.nvim
A plugin for neovim that provides commands to interact with ChatGPT, like code completion, refactorings, generating docs, etc.
Discord updates its bot with ChatGPT-like features, rolls out AI-generated conversation summaries and more
@Clyde is now powered by ChatGPT, so it can recommend playlists, send you a GIF or five interesting facts about cats, etc.
More on GPT-3 and threat modeling
Adam Shostack asks a series of prompts about Kubernetes-related threats. Overall I don’t feel like it did a very good job at making them Kubernetes-specific.
GPT-4
New model released by OpenAI, and as expected, it’s a massive improvement. It can accept image and text input, pass a bar exam with a score around the top 10% of test takers, summarize an article in words that only begin with a specific letter, generate web page HTML from a photo of a hand drawn mock, explain why an image is funny, and more.
24min announcement livestream - very cool
Join the GPT-4 API waitlist
The Multi-modal, Multi-model, Multi-everything Future of AGI
Great overview of GPT-4 by Shawn Wang.
How AI is Eating the Software World
Fascinating post by Daniel Miessler on why he thinks LLMs “understand” things (and don’t just complete text), and how he believes that software may be replaced by AI models informed by your company’s State (data, telemetry), Policy (your desired state and what you don’t want to happen), and Action (the recommendations or actions that can be performed to bring the State in line with the Policy).
Start thinking about your business’s first principles. Ask yourself very seriously what you provide, how it’s different than competitor offerings, and what your company will look like when it becomes a set of APIs that aren’t accessed by customers directly. Is it your interface that makes you special? Your data? Your insights? How do these change when all your competitors have equally powerful AI?
Focus on the questions. When it becomes easy to give great answers, the most important thing will be the ability to ask the right questions.
And an excellent follow-up post:
SPQA: The AI-based Architecture That’ll Replace Most Existing Software that includes applications to security domains.
The Bitter Lesson
Interesting examples (Chess, Go, speech recognition, computer vision) of trying to leverage human knowledge or customizing to a domain being less effective than simply more computation.
The biggest lesson that can be read from 70 years of AI research is that general methods that leverage computation are ultimately the most effective, and by a large margin. The ultimate reason for this is Moore’s law, or rather its generalization of continued exponentially falling cost per unit of computation.
Seeking an improvement that makes a difference in the shorter term, researchers seek to leverage their human knowledge of the domain, but the only thing that matters in the long run is the leveraging of computation.
Misc
Unlocking the Cybersecurity Landscape
Nice deep dive by Contrary Research’s Francis Odum.
Analyzing over 3,500 cybersecurity companies, Momentum Cyber found that cybersecurity e companies recorded more than $77 billion in M&A deals and over $29 billion in private investments in 2021, making it a landmark year. In addition, despite the recent slowdown, the industry has seen over $16.5 billion in financing activity and $111 billion in M&A so far in 2022.
Global spending on information security and risk management is estimated to grow 11% to $188 billion in 2023.
Silicon Valley Bank: An ‘It’s a Wonderful Life’ bank run for the digital age
Last Thursday, Peter Thiel’s Founders Fund began advising its portfolio companies to withdraw their money from SVB. Other VCs caught wind of this and advised the same, leading SVB to fail. It’d be interesting see if anyone involved in causing SVB’s failure had an economic incentive to do so. More perspective here from an insider.
See also this deep dive: The Demise of Silicon Valley Bank>
Banking in very uncertain times
Extensive overview and context about the situation from Patrick McKenzie (patio11) on why banks are failing, a useful heuristic from bond math, and more.
The decision to sharply manage down the price of eggs was, indirectly but inescapably, also a considered decision to cause large notional losses to all holders of financial assets. That includes everyone with a mortgage, every startup employee with equity, and every bank.
That is the proximate cause of the banking crisis, if in fact we are in a crisis. Three banks failed first, because for idiosyncratic reasons they were exposed to sudden demands for liquidity, which makes large declines in the value of one’s assets unsurvivable. But there are many more banks which have a similar issue on their balance sheet.
We went multiple years without a bank failure, of any size, in the United States. We then had three in a week, including one (by some measures) larger than any during the last financial crisis. It would take a very brave and confident person to forecast no additional bank failures in the next two weeks.
Banks do not need to pay out all deposits simultaneously. Functionally no bank anywhere could do that, and the theoretical exception is considered not desirable as a matter of public policy and therefore does not exist.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint