[tl;dr sec] #208 - Cybersecurity GPT Agents, Supply Chain Security, Kubernetes Pentest Image

List of >100 security-focused GPT agents, join Chris Hughes' and my supply chain security webinar, Docker image with k8s pentesting tools

Hey there,

I hope you’ve been doing well!

(Expect more details about my travel jaunts next week, this week I miscalculated timezones 😅 )

I first came across Chris because he’s always sharing useful resources on LinkedIn. We then crossed paths in Vegas this year and immediately hit it off.

Since we’re both passionate about supply chain security (and Chris published a book on it), we decided to do a live webinar together! We’ll discuss:

  • The core areas of supply chain security

  • Securely using open source software

  • Where a company should focus first on their journey and high ROI investments

  • Typical supply chain security challenges companies face and ways to navigate them

  • How the U.S. government approaches supply chain security, what industry can learn, and vice versa

We’ll leave plenty of time for questions, so we can address whatever is most relevant to your security program today.

When: November 29, 2023 at 11 AM PT

Sponsor

📣 Actionable Kubernetes Security Best Practices

In this new Kubernetes security cheat sheet, Wiz shares 10 advanced steps to safeguard your Kubernetes Clusters. In this 6-page cheat sheet, we'll cover best practices in the following areas of Kubernetes:

  • Components 

    • End-to-end TLS communications for etcd

    • Securing kubelets

    • Securing the API server via third-party authentication

  • Network security

    • Network policies

    • Monitoring traffic and communication

  • Pods

    • Admission controllers and validating admission policies

    • Process whitelisting

AppSec

Common Vulnerability Scoring System Version 4.0
New version of CVSS released. Changes include: reinforcing the concept that CVSS is not just the Base score, finer granularity through the addition of new Base metrics and values (Attack Requirements, User Interaction: passive or active), additional focus on OT/ICS/Safety, and more.

Orange-Cyberdefense/arsenal
By Orange Cyberdefense: A quick inventory and launcher for security tools, to simplify the use of hard-to-remember commands.

Web Security

doyensec/Session-Hijacking-Visual-Exploitation
A tool that allows for the hijacking of user sessions by injecting malicious JavaScript code, by Doyensec.

Sponsor

📣 Not all vulnerabilities are a risk to your business.

So how do you prioritize which AppSec alerts need to be addressed now vs. later vs. never? What about which vulns, misconfigs, secrets, etc., should block a PR or build?

Apiiro’s ASPM platform, with deep code analysis and runtime context, helps answer those questions. By correlating and prioritizing your SAST, SCA, DAST, secrets, etc. alerts based on risk likelihood and business impact, Apiiro saves you time triaging your backlog so you can focus on what matters. 

To see how Apiiro unifies your application risk visibility, assessment, prioritization, and remediation, talk to one of our experts.

Cloud Security

Detect transitive access to sensitive Google Cloud resources
P0’s Komal Dhull describes the risks of transitive access via service accounts in Google Cloud, and how to detect transitive access via Google Policy Analyzer, IAM Console, or the REST API.

Also, congrats to P0 for raising $5M in seed funding.

Key takeaways from the Wiz 2023 Kubernetes Security Report
Wiz shares stats based on scans of over 200,000 cloud accounts: it takes only 22 minutes for a newly created Kubernetes cluster to start receiving initial malicious scanning attempts, and only 9% of clusters use network policies for traffic separation within the cluster. The post concludes with defense-in-depth recommendations.

Container Security

r0binak/MTKPI
By Sergey Kanibor: Multi Tool Kubernetes Pentest Image. A Docker image containing all the most popular and necessary tools for Kubernetes penetration testing.

RichardoC/kube-audit-rest
By Richard Tweed: Kubernetes audit logging, when you don't control the control plane (e.g. EKS, GKE or AKS). A cost-effective alternative to cloud service provider managed offerings.

Supply Chain

OWASP SCVS BOM Maturity Model
This maturity model by the OWASP Software Component Verification Standard (SCVS) provides a formalized structure in which bills of materials can be evaluated.

Don't just give me a list; Tell me which ones can be reached and targeted
The OWASP CycloneDX team announces that cdxgen 9.9.0 can now identify reachable components for Java, JavaScript, and TypeScript applications. “We invented a simplistic symbols tagger, flow analyzer, and static slicer to compute reachable flows.”

Announcing Minder and Trusty
Stacklok announces the release of:

  • Minder: An open source platform that helps teams automate and enforce security practices like artifact signing and verification consistently across multiple repos.

  • Trusty: A free-to-use service that uses statistical analysis of factors like author and repo activity, along with source-of-origin verification and other safety checks, to provide a clear signal about a package’s trustworthiness.

Blue Team

bartblaze/FARA
By @bartblaze: A repo of intentionally flawed YARA rules so you can improve your rule writing and debugging skills.

Bert-JanP/Open-Source-Threat-Intel-Feeds
Repo by @BertJanCyber containing open source freely usable Threat Intel feeds that can be used without additional requirements. Contains multiple types such as IP, URL, CVE and Hash.

Lessons from the SEC’s Lawsuit against SolarWinds and Tim Brown
Ryan McGeehan gave a thorough read to the entire lawsuit and shares lessons for security organizations.

Ryan covers the five major claims in the SEC’s lawsuit against SolarWinds and some summary themes, including: public and regulatory statements create a shadow compliance framework, the lawsuit draws a line between passive and active security teams, SEC expectations might be unrealistic for security teams, and the VPN issue is an evergreen security story.

Red Team

UnaPibaGeek/honeypots-detection
By Sheila A. Berta: A repo containing Nuclei templates to detect well-known open-source honeypots, such as: ADBHoney, Conpot, Cowrie, Dionaea (multiple services), ElasticPot, Mailoney, Redis Honeypot, Snare, among others.

cedowens/SwiftBelt
By Cedric Owens: A macOS enumeration tool that uses Swift code to perform system enumeration. It checks for full disk access and the presence of common macOS security tools, can dump the clipboard, lists running apps and local users, searches for SSH and cloud creds, reads browser history, checks for Slack cookies and workspace info, and more.

SwiftBelt aims to be stealthy by avoiding using separate CLI tools and doing things that trigger pop-ups.

Machine Learning + Security

gblues/aws-ml-opt-out
A Terraform module to opt out of AWS AI/ML data collection.

fr0gger/Awesome-GPT-Agents
Thomas Roccia has compiled a list of >100 GPT agents focused on cybersecurity (offensive and defensive), created by the community.

The Offensive ML Playbook
A database of offensive ML TTPs, broken down by supply chain attacks, offensive ML techniques and adversarial ML, by Adrian Wood. It aims to simplify how to target ML in an organization, and includes examples like poisoning an LLM’s ground truths, how to put malware in a model and distribute it, and more.

  • AI-generated fixes for JavaScript and TypeScript alerts within pull requests (only 7 months after Semgrep Assistant was launched that also auto-recommends fixes 😉).

  • Detecting generic secrets that don’t follow a standard regex.

  • English → regex to make writing custom secret detections easier.

Machine Learning

Quicklinks

  • Grammarly’s new GenAI feature can learn your style and apply it to any text, which it learns passively as you use their product.

  • Is It Cheating If She’s a Sex Bot? GQ asking the important questions. Watch out for bots commenting on your posts who later try to scam you.

  • depot/depot.ai: An open-source Docker registry that allows easy integration of the top 100 public machine learning models from Hugging Face into your Dockerfile, using tools like BuildKit and eStargz for optimal image building and lazy-loading support.

  • PatentPal: “Generative AI for Intellectual Property. Automate mechanical writing in your patent applications.”

  • Docus.ai: Talk to an AI Health Assistant, generate your health report, validate it with a doctor from the US & Europe.

  • Postwise: “Your personal AI ghostwriter, trained on engaging, viral content.”

  • Bulletpapers: AI papers, summarized by AI (yo dawg…)

  • Morise.ai: Helps you come up with content ideas, titles, descriptions, tags, community posts.

  • LinkedIn has launched an AI job coach that can help job seekers see if certain roles are a good fit, research companies, shape their profiles for the best shot at a position, and prepare for interviews.

  • TikTok launched an AI “meme maker” that’s brutally roasting users. And that’s not even what the CCP officers are saying about your videos.

  • continuedev/Awesome-DevAI: Repo with links to resources about using LLMs while building software.

  • Pressure Testing GPT-4-128K With Long Context Recall - Great empirical testing by Greg Kamradt, who found that GPT-4’s recall performance started to degrade above 73K tokens, less context = more accuracy, and facts placed at the very beginning and 2nd half of the document seem to be recalled better.

Why We'll Have AGI by 2025-2028
Daniel Miessler argues that AGI won’t be a single model or component, but rather a system of agents that focus on different tasks and coordinate to achieve a goal, like an organization within a company.

Daniel predicts a 60% chance of AGI in 2025 and a 90% chance of AGI in 2028, where AGI is “An AI system capable of replacing a knowledge worker making the average salary in the United States.”

Misc

Five Questionable Things About Top Ten Security Lists
CrashOverride’s Mark Curphey questions the trustworthiness of top ten security lists: the authors are often consultants or tool vendors, you can’t verify the underlying data, they haven’t seemed to move the security needle (the OWASP Top 10 has barely changed in 15 years), and their advice is rarely actionable for developers.

Last year in San Francisco, a new startup CEO asked to meet me for coffee. He asked me outright “How can I fast track a top ten into OWASP?” I asked him outright, "Is this your sales data sheet?" and he said “Yes”. He told me that the OWASP K8 Top Ten, and the API Top Ten were examples of security top tens that had been created as sales tools, and were very effective sales tools, and if he didn't do the same, he was going to be at a disadvantage.

Cal Newport OpEd on productivity: “It’s in rethinking how we organize our work, not just in how fast we can accomplish it, where the real improvements are to be found.”

Fascinating deep dive into Ursus Magana and 25/7 Media, a talent management agency for the TikTok era, including his strategies for helping clients go viral and sign big record or sponsorship deals.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler