
[tl;dr sec] #225- XZ Backdoor, GitHub CSO Interview, SpecterOps Con

The best XZ resources, I interviewed Mike Hanley on secure defaults & AI, SO-CON 2024 slides available

Hey there,

I hope you’ve been doing well!

How GitHub’s CSO Blends Security & Engineering

I had the pleasure of interviewing Michael Hanley, CSO and SVP of Engineering at GitHub. We discussed:

- As an engineering AND security leader, how do you balance the two?

- How GitHub leans into secure defaults

- How AI is transforming security and software development at GitHub, and across the industry

Between GitHub's Copilot and being a part of Microsoft, with its close ties to OpenAI, I think Mike has a unique view into how AI will impact both security and engineering, especially with GitHub being a platform for so much of the world's software development.

- and lots more!

(P.S. I’m trying a new experiment- some summaries have more details but they’re only visible on the web version to keep this email shorter. Let me know what you think!)


⚔️ Slash your cloud permissions attack surface by 92% overnight!

No hero enters battle without the right weaponry to defeat their foes.

So why would you approach excessive cloud permissions differently?

Conquer the challenge of achieving true least privilege effortlessly with the Cloud Permissions Firewall!

A one-click solution that removes excessive permissions and unused services, quarantines unused identities and restricts specific regions within the cloud. Later, maintain this level of security by automatically enforcing policies as new accounts, roles, permissions, and services are added to your environment.

Seize this heroic opportunity!

Automatic least privilege for your cloud? Let’s go! 🤘 


A basic guideline on implementing auth for the web
Pilcrow's Copenhagen Book is a guide for implementing authentication for the web. The opinionated guidance includes code samples, and pairs well with OWASP cheat sheets. Covers: server-side tokens, sessions, password auth & resets, email verification, OAuth, MFA & passkeys, and more.

A New Portal for Managing Internal Authorization
Discord has open-sourced Access, their internal access management portal that integrates with Okta. It uses role-based access control (RBAC) and offers features like delegated control, time-bounded access, access requests, audit views, group and app tagging, expiring access pages, bulk renewal, and notifications. The portal is a React+Typescript single-page application with a Flask API, and has a great set of TODOs queued if you'd like to get involved! By Peter Collins and Elisa Guerrant.

Securing CodeQL queries with Semgrep
You can now write Semgrep rules to find bugs in CodeQL queries (“Yo dawg, I heard you like code scanners, so I…”). This was launched on April 1st, but it’s not a joke- it works. I thought this was a cool demonstration of Semgrep’s extensibility, as it took one engineer (Brandon Wu) working part time to do it.

Also, if you’re an OSS Semgrep user and want to influence its future / hear about what we’re building next, here’s the scheduling link of one of my product manager buds. She only sometimes wears Patagonia and Allbirds.


📣  Strengthen Your Password Security: Conduct a Free Active Directory Audit with Specops Password Auditor

Take control of your organization's password security with Specops Password Auditor. This powerful, read-only audit tool scans your Active Directory, providing a comprehensive report on user and password policy vulnerabilities for free. 

  • Identify over 1 billion weak or compromised passwords

  • Assess domain password policies

  • Maintain compliance with industry standards

Specops Password Auditor equips IT Security professionals with the tools they need to strengthen password protection in one quick gut-check report. 

Weak or compromised passwords are a common inroad for attackers, good to check 👍️ 

Cloud Security

Monitoring Your Assets in the Face of Emerging Cloud-Squatting Attacks
TikTok’s Abdullah Husam Al-Sultani describes how TikTok prevents subdomain takeovers. See also Abdullah’s BSides Belfast talk on the same.

AWS LEGO: Organizing the Org
Rich Mogull has kept cranking on his Cloud Security Lab A Week (Cloud S.L.A.W) project, of free weekly hands-on labs. This lab is great, but even better is Rich's explanation of the what, why, and how behind using an AWS Organization. Keep it up Rich 🙌 

Ultimate guide to secrets in Lambda
AJ Stuyvenberg has pulled together a definitive resource on how to handle secrets with AWS Lambda, looking at four different AWS services (Lambda Environment Variables, AWS Systems Manager Parameter Store, AWS Secrets Manager, KMS), and compares them across ease of use, cost, auditability, rotation complexity, and capability.

In short: use SecureStrings from Parameter Store, unless you have regulation or rotation reasons for Secrets Manager. Use KMS if you really have a compelling reason, a common one being cost-at-scale. I should note though: I don't think his cavalier attitude towards secrets in Lambda environment variables is necessarily good general guidance.

Container Security

By Andrzej Wisniewski: Loom's EKS NG AMI Updater automates updates for (AWS EKS) Kubernetes node group images, as a weekly cronjob. By default it will find all node groups in all your EKS clusters and update them to the newest node group AMI if there is one available.

Supply Chain

The xz backdoor
It's been hard to avoid news of CVE-2024-3094. I'm going to just spread a few breadcrumbs to some of the best posts I've read in the past week.

Blue Team

By monty: A free daily feed of IP addresses associated with C2 tools, infostealers, and botnets. Powered by a set of Shodan queries.

A Beginner's Guide to Tracking Malware Infrastructure
Matthew Brennan provides tips for tracking malware infrastructure, by identifying distinctive configuration patterns used by the creator to build queries against. This is useful to expand a small set of malware samples into a large pool of IOCs. Useful configuration signals: certificate information, server headers, location, ASN, JA3 hashes, port configuration, data in HTTP responses, open directories.

A review of zero-day in-the-wild exploits in 2023
This annual report on in-the-wild exploits is always a highlight. This year, we see:

  • 97 zero-days exploited in-the-wild (up >50% over 2022, but lower than the 2021 peak)

  • Overall, 41.4% each by Commercial Surveillance Vendors and Espionage, but CSVs were 75% of the exploits targeting Google products

  • Attackers are now shifting focus to third-party components and libraries

One really important point to celebrate: we're making progress! 🥳

“In 2023 there were no use-after-free vulnerabilities exploited in Chrome for the first time since we began seeing Chrome zero days in-the-wild.”

“Both Chrome and Safari have made exploiting JavaScript Engine vulnerabilities more complex through their V8 heap sandbox and JITCage respectively.”

“Lockdown Mode would have protected users from the majority of the exploitation chains discovered [in 2023] targeting iOS.”

Red Team

By John Ford: Various resources to enhance Cobalt Strike's functionality and its ability to evade antivirus/EDR detection. Includes loader, malleable C2 profiles, and sleep mask kit & process injection kit modifications. Also features post-exploitation utilities to run Powershell and .NET assemblies, and to simplify executing run or shell commands on all active Cobalt Strike beacons.

RedELK is "the Red Team's SIEM," from Outflank. It offers a central landing zone for collecting logs across red team infrastructure during long running operations. By enriching traffic logs from redirectors, red teams get a chance to detect blue team investigations into their infrastructure. Especially useful for multi-scenario, multi-teamserver, multi-member and multi-month operations.

SO-CON 2024
The slides are now available from SpecterOps's SO-CON conference. Overall, a big focus on graph based defense. A few talks I found interesting:

  • NTLM: The Legacy Protocol That Won't Die - Elad Shamir: a great review of NTLM risks and mitigations - discussing a protocol that's older than most readers, not recommended since 2010, and won't be disabled by default until ~2028...

  • The New SaaS Cyber Kill Chain - Luke Jennings: a nice survey of how the traditional kill chain phases map to a more SaaS-based environment

  • Project Apeman: Mapping AWS Identity Attack Paths - Daniel Heinsen: a graph-based look at identifying identity attack paths, announcing an upcoming open source tool (reminiscent of PMapper)

AI + Security

By Tracecat: The open source alternative to Tines / Splunk SOAR. Build AI-assisted workflows, orchestrate alerts, and close cases fast.

Neat new prompt by my friend Daniel Miessler that creates a nice overview image of an investigation. See UL 426 for examples of images generated based on a recent John Hammond video on the Apex Legends tournament hack, as well as the Havana Syndrome investigation.

Applying LLMs to Threat Intelligence
Thomas Roccia walks through prompt engineering, few shot prompting (e.g. output Mermaid mindmap), using Retrieval Augmented Generation (RAG) to ask questions of MITRE ATT&CK Groups information, and building a ReAct Agent that wraps a number of functions from MSTICpy (a Python library dedicated to threat intelligence investigations) as Tools, enabling the Agent to autonomously do things like query VirusTotal for a specific IP address, fetch samples from VirusTotal that communicate with a given IP address, and more.

Thomas has also launched The Intel Brief, a weekly newsletter that gives you an LLM-distilled summary of the top five threat intel reports and a mind map summary. He has kindly shared a Jupyter notebook that uses few-shot learning to automatically generate the summary and visualization.

A Retrospective in Engineering Large Language Models for National Security
Report by CMU’s Software Engineering Institute (SEI) that attempted to answer: How might the Intelligence Community (IC) set up a baseline, stand-alone LLM? How might the IC customize LLMs for specific intelligence use cases? How might the IC evaluate the trustworthiness of LLMs across use cases?

The report found the following potential LLM use cases for national security: enhanced wargaming; synthetic data generation; interfacing with knowledge management systems; and writing, querying, modifying, and summarizing documents. The report focuses on document question answering and summarizing. “LLM output cannot be trusted for high-stakes applications without expert review… Current methods for quantitively evaluating the output of LLMs are not practical for many national security-related topics.”

OSINT / Recon

By Edoardo Ottavianelli: a clever little reconnaissance tool that scrapes all the domains from a Content Security Policy. You can search the CSPs of a list of domains for all possible results belonging to a specific target.

Tool by Youssef Lahouifi that leverages crt.sh to monitor domains of a target.

By Gunnar Andrews: A Golang CLI tool for continuously monitoring certificate transparency (CT) logs for newly issued SSL/TLS certificates. Supports filtering down to monitor specific root domains.

While gungnir seems pitched towards offensive professionals, I highly recommend CT log monitoring for defenders - it's a great way to keep an eye on your attack surface, and unexpected entries are a great prompt for security to reach out to teams and understand changes!


  • Bruce Schneier remembering security legend Ross Anderson, who passed away this week. I never met Ross unfortunately, but I’ve read his papers. Amazing person.

  • The April Cools' Club: a fun digression from normal April Fools' Day trickery - a group of (mostly technical) creators picking new topics or formats for the day, e.g. Decaf is good, actually

  • Neat deep dive on The Matrix, which is now 25 years old. Still one of my favorite movies of all time.

  • You can now write Cloudflare Workers in Python, with bindings to their vector DB and HuggingFace models, R2 (their S3), as well as a subset of popular Python packages like FastAPI, Langchain, and more. This is exciting, because I feel like every time I write JavaScript a fairy loses its wings.

    • See also the announcement on pipelines, event notifications, and workflows.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!