[tl;dr sec] #208 - Cybersecurity GPT Agents, Supply Chain Security, Kubernetes Pentest Image
List of >100 security-focused GPT agents, join Chris Hughes' and my supply chain security webinar, Docker image with k8s pentesting tools
I hope you’ve been doing well!
(Expect more details about my travel jaunts next week; this week I miscalculated timezones 😅)
I first came across Chris because he’s always sharing useful resources on LinkedIn. We then crossed paths in Vegas this year and immediately hit it off.
Since we’re both passionate about supply chain security (and Chris published a book on it), we decided to do a live webinar together! We’ll discuss:
The core areas of supply chain security
Securely using open source software
Where a company should focus first on their journey and high ROI investments
Typical supply chain security challenges companies face and ways to navigate them
How the U.S. government approaches supply chain security, what industry can learn, and vice versa
We’ll leave plenty of time for questions, so we can address whatever is most relevant to your security program today.
When: November 29, 2023 at 11 AM PT
📣 Actionable Kubernetes Security Best Practices
In this new Kubernetes security cheat sheet, Wiz shares 10 advanced steps to safeguard your Kubernetes Clusters. In this 6-page cheat sheet, we'll cover best practices in the following areas of Kubernetes:
End-to-end TLS communications for etcd
Securing the API server via third-party authentication
Monitoring traffic and communication
Admission controllers and validating admission policies
Common Vulnerability Scoring System Version 4.0
New version of CVSS released. Changes include: reinforcing the concept that CVSS is not just the Base score, finer granularity through the addition of new Base metrics and values (Attack Requirements, User Interaction: passive or active), additional focus on OT/ICS/Safety, and more.
📣 Not all vulnerabilities are a risk to your business.
So how do you prioritize which AppSec alerts need to be addressed now vs. later vs. never? What about which vulns, misconfigs, secrets, etc., should block a PR or build?
Apiiro’s ASPM platform, with deep code analysis and runtime context, helps answer those questions. By correlating and prioritizing your SAST, SCA, DAST, secrets, etc. alerts based on risk likelihood and business impact, Apiiro saves you time triaging your backlog so you can focus on what matters.
To see how Apiiro unifies your application risk visibility, assessment, prioritization, and remediation, talk to one of our experts.
Detect transitive access to sensitive Google Cloud resources
P0’s Komal Dhull describes the risks of transitive access via service accounts in Google Cloud, and how to detect transitive access via Google Policy Analyzer, IAM Console, or the REST API.
Also, congrats to P0 for raising $5M in seed funding.
Key takeaways from the Wiz 2023 Kubernetes Security Report
Wiz shares stats based on scans of over 200,000 cloud accounts: it takes only 22 minutes for a newly created Kubernetes cluster to start receiving initial malicious scanning attempts, only 9% of clusters use network policies for traffic separation within the cluster, and concludes with defense in depth recommendations.
OWASP SCVS BOM Maturity Model
This maturity model by the OWASP Software Component Verification Standard (SCVS) provides a formalized structure in which a bill of materials can be evaluated.
Don't just give me a list; Tell me which ones can be reached and targeted
Minder: An open source platform that helps teams automate and enforce security practices like artifact signing and verification consistently across multiple repos.
Trusty: A free-to-use service that uses statistical analysis of factors like author and repo activity, along with source-of-origin verification and other safety checks, to provide a clear signal about a package’s trustworthiness.
Repo by @BertJanCyber containing open source freely usable Threat Intel feeds that can be used without additional requirements. Contains multiple types such as IP, URL, CVE and Hash.
Lessons from the SEC’s Lawsuit against SolarWinds and Tim Brown
Ryan McGeehan gave a thorough read to the entire lawsuit and shares lessons for security organizations.
Ryan covers the five major claims from the SEC claim against SolarWinds and some summary themes, including: public and regulatory statements create a shadow compliance framework, the lawsuit draws a line between passive and active security teams, SEC expectations might be unrealistic for security teams, and the VPN issue is an evergreen security story.
By Sheila A. Berta: A repo containing Nuclei templates to detect well-known open-source honeypots, such as: ADBHoney, Conpot, Cowrie, Dionaea (multiple services), ElasticPot, Mailoney, Redis Honeypot, Snare, among others.
By Cedric Owens: A macOS enumeration tool that uses Swift code to perform system enumeration, checking for things like full disk access and the presence of common macOS security tools. It can also dump the clipboard, list running apps and local users, search for SSH and cloud creds, read browser history, check for Slack cookies and workspace info, and more.
SwiftBelt aims to be stealthy by avoiding using separate CLI tools and doing things that trigger pop-ups.
Machine Learning + Security
A Terraform module to opt out of AWS AI/ML data collection.
The Offensive ML Playbook
A database of offensive ML TTPs, broken down by supply chain attacks, offensive ML techniques and adversarial ML by Adrian Wood. It aims to simplify how to target ML in an organization, and includes examples like poisoning an LLM’s ground truths, how to put malware in a model and distribute it, and more.
Introducing AI-powered application security testing with GitHub Advanced Security
GitHub’s Asha Chakrabarty and Laura Paine announce previews for three AI-powered features:
Detecting generic secrets that don’t follow a standard regex.
English → regex to make writing custom secret detections easier.
Grammarly’s new GenAI feature can learn your style and apply it to any text, which it learns passively as you use their product.
Is It Cheating If She’s a Sex Bot? GQ asking the important questions. Watch out for bots commenting on your posts who later try to scam you.
depot/depot.ai: An open-source Docker registry that allows easy integration of the top 100 public machine learning models from Hugging Face into your Dockerfile, using tools like BuildKit and eStargz for optimal image building and lazy-loading support.
Docus.ai: Talk to an AI Health Assistant, generate your health report, validate it with a doctor from the US & Europe.
Postwise: “Your personal AI ghostwriter, trained on engaging, viral content.”
Morise.ai: Helps you come up with content ideas, titles, descriptions, tags, community posts.
LinkedIn has launched an AI job coach that can help job seekers see if certain roles are a good fit, research companies, shape their profiles for the best shot at a position, and prepare for interviews.
TikTok launched an AI “meme maker” that’s brutally roasting users. And that’s not even what the CCP officers are saying about your videos.
continuedev/Awesome-DevAI: Repo with links to resources about using LLMs while building software.
Pressure Testing GPT-4-128K With Long Context Recall - Great empirical testing by Greg Kamradt, who found that GPT-4’s recall performance started to degrade above 73K tokens, less context = more accuracy, and facts placed at the very beginning and 2nd half of the document seem to be recalled better.
Why We'll Have AGI by 2025-2028
Daniel Miessler argues that AGI won’t be a single model or component, but rather a system of agents that focus on different tasks and coordinate to achieve a goal, like an organization within a company.
Daniel predicts a 60% chance of AGI in 2025 and a 90% chance of AGI in 2028, where AGI is “An AI system capable of replacing a knowledge worker making the average salary in the United States.”
Five Questionable Things About Top Ten Security Lists
CrashOverride’s Mark Curphey questions the trustworthiness of top ten security lists: the authors are often consultants or tool vendors, you can’t verify the underlying data, they haven’t seemed to move the security needle (the OWASP Top 10 has barely changed in 15 years), and their advice is rarely actionable for developers.
Cal Newport OpEd on productivity: “It’s in rethinking how we organize our work, not just in how fast we can accomplish it, where the real improvements are to be found.”
Fascinating deep dive into Ursus Magana and 25/7 Media, a talent management agency for the TikTok era, including his strategies for helping clients go viral and sign big record or sponsorship deals.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate it if you'd forward it to them 🙏
Thanks for reading!