[tl;dr sec] #202 - KubeHound, Supply Chain Security Vendor Landscape, CSPM Evaluation Matrix

Software Supply Chain Vendor Landscape

I’m thrilled to announce that Part 2 of Francis Odum’s supply chain security report is out!

The post provides an overview of over 20 supply chain security vendors, from securing source code access and CI/CD pipelines to SCA, malicious dependencies, container security, SBOMs, code provenance, and more.

I think this is the broadest survey of this space I’ve seen in one place.

You can read part 2 here.

Sponsor

📣 AWS, Azure, or GCP customer?

Rampant Cloud Activity? Cloud security challenges grow >exponentially< when key infrastructure migrates from on-prem environments onto public clouds. In this ebook you’ll learn how high-growth orgs can adapt their security strategy to stay secure without compromising on speed:

• How to identify top risks in your cloud environment (lateral movement, bloated patch lists, lack of visibility)

• 4 playbooks from high-growth companies navigating risks in their cloud – including emerging risks like Log4Shell

• What to look for when evaluating cloud-native security platforms (legacy vendors don’t want you to know this)

📜 In this newsletter…

• AppSec: Secrets leaking in GitHub comments, embrace the IKEA effect in your security program

• Web Security: Tool to fuzz 401/403s, using Cloudflare to bypass Cloudflare, security options in OpenAPI

• Cloud Security: Building custom CNAPPgoat scenarios, moving to IMDSv2, CSPM evaluation matrix, dangers of Terraform’s remote-exec

• Container Security: Identify attack paths in k8s clusters with KubeHound

• Supply Chain: Tool to track apps from source to prod, browser extension to pull in metadata about OSS libs, tool collection to analyze OSS projects, sign messages with your OpenID identity

• Career: How to get fired with grace and aplomb, 25 lessons from 17 years in cybersecurity, my heart says yes but my schedule says no, how to handle opportunities that are potential distractions

• Politics / Privacy: Opening a facility in China, doxing on TikTok

• Machine Learning + Security: ChatGPT doing SAST

• Machine Learning: Obsidian plugin that integrates LLMs with LangChain, Cloudflare’s new AI tools

AppSec

Thousands of GitHub Comments Leak Live API Keys
Truffle’s Joe Leon describes how they sampled a subset of GitHub’s public Pull Request and Issue comment data and discovered 721 live API keys and passwords. TruffleHog can now scan public repos for secrets in issues and PRs.

Note that when you “edit” your comment the secret is still in its history, you have to delete the comment.

Security Programs and the “IKEA Effect”
I love this post by Dustin Lehr, who points out that humans protect, defend, and care for things we’ve built or own. Therefore, we should encourage non-security people to help evaluate and select security tools, work with security to build common (secure by default) libraries, and more.

Sponsor

📣 What is Identity-Native Infrastructure Access?

What many teams have discovered as they've grown their infrastructure is that traditional access control systems do not scale.

Not only does the risk of a breach increase with numerous static secrets, but forcing developers to juggle hundreds of credentials to do their jobs limits productivity and encourages insecure workarounds. This is when the largest teams in the world have discovered that identity-based access is the way out of the dilemma.

This O'Reilly book explains the concept of identity-based infrastructure access and compares it with traditional methods that rely on secrets.

Web Security

intrudir/BypassFuzzer
By Intrudir: Tool that fuzzes 401/403ing endpoints for bypasses, checking headers, path normalization, verbs, etc. to attempt to bypass ACL's or URL validation.

Using Cloudflare to bypass Cloudflare
Certitude Consulting’s Stefan Proksch describes how attackers can use their own Cloudflare accounts to abuse the trust relationship between Cloudflare and customer websites, bypassing protections like Firewall and DDoS prevention.

A Big Look at Security in OpenAPI
Justin McGuire details the five types of security options allowed in the OpenAPI v3 spec (API key, HTTP, OAuth2, MutualTLS, and OpenID Connect), and recommends using OAuth2 (or apiKey), and strongly discourages Basic Authentication, because you’re passing around usernames and passwords in every request.

Cloud Security

Building Custom Scenarios with CNAPPgoat
Ermetic's Noam Dahan describes how you can now construct and import your own vulnerability scenarios into CNAPPgoat using the IaC platform Pulumi.

Get the full benefits of IMDSv2 and disable IMDSv1 across your AWS infrastructure
Detailed guide by AWS on identifying IMDSv1-enabled EC2 instances, checking for IMDSv1 calls, and disabling IMDSv1 to fully get the benefits of IMDSv2.

Nextdoor's Cloud Security Posture Management (CSPM) Evaluation Matrix
fwd:cloudsec 2023 presentation by David White sharing Nextdoor’s criteria for evaluating CSPM vendors across configuration and vulnerability management.

The Hidden Dangers of Using Terraform's Remote-Exec Provisioner
Cloud Security Partners' Mike McCabe outlines the security risks around Terraform's remote-exec provisioner, which provides the ability to execute scripts and commands on remote resources (for example, one could access and exfiltrate EC2 instance credentials). Mike concludes with best practices and a Semgrep rule to detect the use of remote-exec provisioner.

Container Security

KubeHound: Identifying attack paths in Kubernetes clusters
Datadog’s Jeremy Fox, Edouard Schweisguth, and Julien Terriac announce Kubehound, an open source attack mapping tool for Kubernetes clusters that works by reading resources from the Kubernetes API, computing attack paths, and then storing the results in JanusGraph, a graph database. It can help answer questions like:

• What is the shortest exploitable path between an Internet facing service and a critical asset?

• What percentage of Internet-facing services have an exploitable path to a critical asset?

• What type of control would cut off the largest number of attack paths to a critical asset in your clusters?

They’ve also released an Attack Reference of over 25 attack types, including how to exploit and defend against them.

Supply Chain

Chalk is now officially open source
Crash Override’s Mark Curphey announces Chalk, which aims to make it easy to trace apps from source code to production. It can be used for SBOMs, code provenance, to be SLSA level 2 compliant, to create a real-time application inventory, and more.

os-scar/overlay
A browser extension that helps you evaluate open source packages before picking them by gathering data from various sources (Snyk Advisor, Debricked, Socket.dev, and Deps.dev), and displays them on the package pages of popular registries like npm, PyPI, and Go.

microsoft/OSSGadget
A collection of tools for analyzing open source projects: locate the source code of a package, download it, identify cryptographic implementations, look for obfuscated strings, try to identify potential backdoors and malicious code, etc.

Linux Foundation, BastionZero and Docker Announce the Launch of the OpenPubkey Project
OpenPubkey (repo) enables users bind cryptographic keys to users and workloads by turning an OpenID Connect Identity Provider (IdP) into a Certificate Authority (CA), enabling users to sign messages or artifacts under their OpenID identity. This enables applications such as secure remote access or software supply chain security features such as signed builds, deployments, and code commits.

Career

Corey Quinn: How to Get Fired With Both Grace and Aplomb
Empathetic thread with some good advice.

25 Hard-Hitting Lessons from 17 Years in Cybersecurity
By Mike Privette. A few I especially liked:

• If you don't know how your company makes money, you don't know how to truly protect it.

• Cybersecurity is 10% tech and 90% diplomacy.

• Saying 'no' as a security professional is easy; aligning security with business enablement is hard.

• The more buzzwords in a security product, the less likely it is to solve your problem.

Maybe you’re in the privileged position of having more asks than time. These may help 👇️ 

Sorry. My heart says yes, but my schedule says no.
HubSpot co-founder Dharmesh Shah shares the detailed note he gives people when he doesn’t have time to meet with them. I like the tone, his reasoning, and the resources he shares.

Never say “no,” but rarely say “yes.”
Great post by Jason Cohen on how to handle opportunities that may be potential distractions- set the conditions so that:

1. If they say “yes,” you’re happy because the terms or money are so good, it more than compensates for the distraction, perhaps funding the thing you really want to do.

2. If they say “no,” you’re happy because it wasn’t a great fit anyway; it’s not a worthwhile return on your time and effort.

“Think of it like another form of funding. Funding is always a distraction from actually running your business, so the amount of money you get must be transformative to the business.”

Politics / Privacy

Jason Haddix: CISO story of opening a facility in China
And oh, the listening devices they found 😅 

The End of Privacy is a Taylor Swift Fan TikTok Account Armed with Facial Recognition Tech
404 Media’s Joseph Cox describes how a viral TikTok account is using off-the-shelf facial recognition (PimEyes, FaceCheckID) to dox people who appeared in other viral videos, or people suggested to the account in the comments. TikTok said the account does not violate their terms of service. I mean, did you think the CCP TikTok cares about user privacy?

Machine Learning + Security

LinkedIn thread: On ChatGPT doing code review/SAST
This post by Chris Romeo has some interesting discussion.

Machine Learning

Quicklinks

• Sequoia argues that GPU capacity is getting overbuilt, with some napkin math around the cost of GPUs, the energy cost of running them, data center spend, etc.

• John Hwang argues that vector database is not a separate database category, and that all incumbent databases will add this functionality, which will also be good for end users (use the same software, don’t need to move data around).

• Sam Altman Is the Oppenheimer of Our Age - Fascinating long profile on Sam Altman, his career, his family, and more.

• Video: RT-X and the Dawn of Large Multimodal Models: Google Breakthrough and 160-page Report Highlights

• 10 ChatGPT Vision examples: SaaS dashboard screenshot → code, explain this workflow diagram, break down human cell diagram for a 9th grader, …

• CommandBar Copilot - AI assistant that can walk users through workflows on your app and even complete them automatically.

• DeepUnitAi - Automatically generate Jest (TypeScript) unit tests.

  • Google and others have been doing this for writing fuzzing test harnesses, but I think auto-generating security-related unit tests and similar seems promising.

memgraph/odin
By Katarina Supe et al: A plugin that integrates Large Language Models (LLMs) into Obsidian using LangChain, enabling users to generate knowledge graphs and questions from Markdown files, among other features.

Cloudflare launches new AI tools to help customers deploy and run models
“Build, deploy and run AI models at the network edge.” They’re also partnering with Hugging Face, and Cloudflare will become the first serverless GPU partner for deploying Hugging Face models. Products:

• Workers AI - Access physically nearby GPUs hosted by Cloudflare partners to run AI models on a pay-as-you-go basis.

• Vectorize - A vector database.

• AI Gateway - Provides metrics to enable customers to better manage the costs of running AI apps.

Misc

Quicklinks

• Microsoft C.E.O. Testifies That Google’s Power in Search Is Ubiquitous

• How I rewired my brain in six weeks - On the power of meditation, exercise, and learning new things. Free meditation course.

• Study: About half of 11- to 17-year-olds get at least 237 phone notifications a day. Some get nearly 5,000 in 24 hours.

Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler