[tl;dr sec] #259 - What Sucks in Security, Supply Chain Firewall, AWS re:Invent Security Talks
Insights from 50+ security leaders, OSS tool to protect devs from malicious dependencies, playlist of re:Invent's security talks
Hey there,
I hope you’ve been doing well!
I’m thrilled to announce a new guest post from my friend Maya Kaczorowski, who interviewed 57 security leaders to understand their biggest pain points in our industry, and has kindly shared the results.
Neat insights, served with a delightful side of snark 👌
The top technology pain points were:
Ticket-based and inconsistent access management
Disparate vulnerability prioritization and remediation workflows
And obtaining and using SaaS logs
👉️ Read the full post here 👈️
Relatedly, from Geoff Belknap (former CISO of LinkedIn, Slack, Palantir): “The hardest problems in Security aren’t really ‘Security’ problems: Asset Inventory, Patching Automation, Config Management, Device Administration.”
P.S. Unrelatedly, I’m thinking about taking a trip to Bali. If you have any tips or recommendations on what to do, where to stay, or things I should know, please let me know, I’d much appreciate it! 🙏
Sponsor
📣 Your Comprehensive Guide to CDR
Cloud attacks are evolving, so is detection and response.
For modern security teams, the cloud presents both a blessing and a curse. Abundant telemetry allows for unparalleled visibility and control, but traditional security operations tools (like SIEM) are not designed to handle complex cloud signals. That’s why a new category of tools is emerging – Cloud Detection and Response (CDR) - bringing the “assume-breach” mindset into the cloud.
In this Practical Guide to Cloud Threat Detection, Investigation and Response, you’ll learn:
What is Cloud Detection and Response (CDR)
Why you need a CDR solution (and how other tools fall short for Cloud use cases)
Key benefits and capabilities of CDR tools
👉 Get the Guide 👈
I’ve been hearing more and more about CDR recently, nice to have a guide to quickly get up to speed with where things are headed 👍️
AppSec
BSidesSF 2025 Call For Participation
The Call for Participation (CFP) and Call for Villages (CFV) deadline has been extended to Tuesday, January 7! Hope to see you there, BSidesSF is 🔥
specfy/stack-analyser
By Specfy: Extract 500+ technologies from any repository. Detect Languages, SaaS, Cloud, Infrastructure, Dependencies and Services.
35 more Semgrep rules: infrastructure, supply chain, and Ruby
Trail of Bits’ Matt Schwager and Travis Peters release 35 new custom Semgrep rules, covering supply chain issues (lack of short-lived OIDC tokens in GitHub Actions), infrastructure as code (Vault, Nomad), and Ruby application security. The post explores Semgrep's regex mode vs. generic mode, providing heuristics for when to use regex, and highlights HCL support for IaC security, sharing rules to detect disabling TLS verification and hardcoded credentials in Terraform and Nomad configurations.
Access approvals considered harmful
I love this post by Alex Smolen, in which he argues that gating risky actions behind multi-party approval workflows is often more harmful than helpful and that the people doing the approving may not have the appropriate context, and covers what to do instead. It builds off him and me chatting on the Modern Security Podcast.
Find ways to make direct prod access (which is risky) unnecessary for normal workflows: config files can be viewed safely when they’re IaC, system logs can be shipped to observability stacks, and prod changes can be orchestrated through CI/CD.
LaunchDarkly created a GitHub repo with templated Go scripts for common tasks. Once reviewed, approved (with full context), and merged, the code uses GitHub Actions to launch AWS Fargate tasks that perform the sensitive tasks from within their prod environments (no direct prod access needed).
Don’t use approvals to prevent spoofing; ask for identity evidence instead: MFA re-authentication, device trust check, etc.
Study the justifications for why risky actions are needed, then build safer alternatives for those workflows over time.
Sponsor
📣 AI Meets Containers: Overcoming Security, Performance, and Dependency Challenges
Modern AI applications are increasingly deployed in containerized environments. This deployment choice introduces novel engineering and security challenges as popular open-source containers for frameworks like PyTorch and TensorFlow are bloated and full of vulnerabilities. Robust AI applications also carry complex dependency trees, creating a perfect storm of performance and security risks. In this webinar, AI developers explore how their teams manage container bloat, address security vulnerabilities, and navigate complex dependency sprawl to build secure and effective AI applications.
👉 Watch Now 👈
Helping secure AI apps and workloads?! As the kids say these days, let’s gooo! 🤘
Cloud Security
AWS re:Invent 2024 Security Talks
YouTube playlist of 33 talks, curated by the gentleman and scholar, Daniel Grzelak.
Exploiting Public AWS Resources - CLI Attack Playbook
Eduard Agavriloae provides a playbook for exploiting publicly accessible AWS resources, covering services like S3 buckets, AMIs, EBS snapshots, RDS snapshots, IAM roles, SSM documents, and more. The guide includes CLI commands for enumerating, accessing, and exfiltrating data from misconfigured resources, using the AWS CLI and tools like CloudShovel and coldsnap.
Securing AWS Lambda | How Misconfigurations Can Lead to Lateral Movement
SentinelOne’s Yehonatan Bitton demonstrates how misconfigurations in AWS Lambda can lead to lateral movement attacks, using a fictional e-commerce company as an example. The attack chain involves exploiting a prototype pollution vulnerability, achieving code execution, accessing the Lambda’s environment variables, and leveraging overly permissive IAM roles to move laterally and exfiltrate data.
offensive-actions/terraform-provider-statefile-rce
By Benedikt Haußner: A Terraform provider that can be used to get remote code execution by injecting a dummy resource in a writeable state file. That is, if an attacker has write access to a Terraform state file, this provider will give them RCE in the deployment pipeline. A weaponized version of Daniel Grzelak's POC in Hacking Terraform State for Privilege Escalation, usable in red teams and penetration tests.
The Dark Side of Domain-Specific Languages: Uncovering New Attack Techniques in OPA and Terraform
Tenable’s Shelly Raban explores techniques for abusing infrastructure-as-code and policy-as-code tools, focusing on Open Policy Agent (OPA) and Terraform. For OPA, Shelly demonstrates extracting AWS credentials from IMDSv2 and exfiltrating data via DNS tunneling using built-in Rego functions. For Terraform, she shows how malicious data sources and provisioners in newly created pull requests can lead to credential theft and code execution during CI/CD.
See also Shelly’s fwd:cloudsec talk: Who Watches the Watchmen? Stealing Credentials from Policy-as-Code Engines.
Sponsored Tool
📣 Modern infrastructure NEEDS modern privileged access
Modern, ephemeral infrastructure is a complex beast to manage. Scaling privileged access across it all presents unique challenges, and relying on traditional PAM technology alone is insufficient (or, requires significant overhead… 😬)
Read this “Modern Infrastructure Demands a Modern Approach to Privileged Access” guide to explore (and start solving) the key challenges that arise when scaling access control across the dynamic multi-cloud, cloud-native, and containerized infrastructure of today. Key challenges include credential sprawl, manual management burden, and limited compatibility with modern DevOps toolkits.
👉 Read the Guide 👈
Supply Chain
Catalog of Supply Chain Compromises
A CNCF repo cataloguing links to various software supply chain compromises, with the goal being to capture many examples of different kinds of attack, so that we can better understand the patterns and develop best practices and tools.
Announcing the launch of Vanir: Open-source Security Patch Validation
Google announces Vanir, an open-source security patch validation tool for Android platform developers (e.g. OEMs) that uses static analysis to identify missing security patches. Like: here is known vulnerable code, find copy/pasted or similar code to this. Currently Vanir supports C/C++ and Java targets and covers 95% of Android kernel and userspace CVEs with public security patches, integrates with OSV for up-to-date vulnerability data, and can be easily adapted for other ecosystems beyond Android.
Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages
Datadog’s Ian Kretz announces Supply-Chain Firewall, an open-source tool that protects developers from malicious PyPI and npm packages by introspecting pip and npm commands before installation (e.g. $ scfw run npm install <foo>). The tool queries packages against OSV.dev and Datadog's internal database, blocking known-malicious packages and warning about potentially vulnerable ones.
Blue Team
moval0x1/NoDelete
By Charles Lomboni: A tool that assists in malware analysis by locking a folder where malware drops files before deleting them.
It’s Baaack… Credit Card Canarytokens are now on your Consoles
Thinkst Canary's Jacob Torrey announces the new credit card canary tokens, designed to alert organizations when stolen card info is used. A low noise way to be alerted when an attacker is probably all up in your biz-ness™️.
Automated Hunting
Censys announces Censeye, a new open-source tool that automates pivoting through Censys data to discover related infrastructure, for example, uncovering previously unknown malicious infrastructure by pivoting from known C2 servers. The pivoting can be done by attributes of hosts that exceed a given semi-unique threshold (e.g. TLS fingerprint, SSH fingerprint, IP address, HTTP response, …), and the tool supports recursively searching discovered related hosts.
Red Team
An offensive Rust encore
HN Security's Marco Ivaldi shares a number of intermediate Rust resources, and walks through blindsight, a new Rust red teaming tool to dump LSASS memory, bypassing common countermeasures.
skerkour/black-hat-rust
A book by Sylvain Kerkour covering topics like reconnaissance (multi-threaded attack surface discovery), exploitation (writing shellcode in Rust), building a modern RAT in Rust, and more. Previously mentioned in tl;dr sec #101, but including again as it’s relevant to 👆️
Linux LKM Persistence
Hal Pomeranz describes how to achieve Linux kernel module persistence using systemd-modules-load, using the Diamorphine LKM rootkit as an example. He explains how to install Diamorphine, configure systemd to load it on boot, and hide the artifacts. Hal also provides detection techniques, including checking kernel taint status with a custom chktaint.sh script, and recommends tools like chkproc and chkdirs for finding hidden processes and directories.
AI + Security
ucsb-seclab/chainreactor
ChainReactor is a research project that leverages AI planning to discover exploitation chains for privilege escalation on Unix systems. The project models the problem as a sequence of actions to achieve privilege escalation from initial access to a target system. See also the corresponding Usenix Security 2024 paper and talk recording by Giulio De Pasquale et al.
Agentic Security Marketmap
Brandon Dixon gives an overview of the emerging AI-powered security startup landscape, categorizing companies based on their scope and level of autonomy. He highlights three key areas: Incident Triage (e.g. Dropzone AI, CommandZero), Code Vulnerability Analysis (e.g. Pixee AI), and Security Copilots/Agents (e.g. Microsoft Security Copilot, SentinelOne's Purple AI, Simbian AI). Other notable startups: XBOW (offensive security), Torq (SOC automation), Bricklayer (multi-agent architectures), Opnova (workflow automation), and Splx (AI red teaming).
Agentic AI's Intersection with Cybersecurity
Friend of the newsletter Chris Hughes discusses the rise of Agentic AI in cybersecurity, including its potential to transform areas like AppSec, GRC, and SecOps through autonomous, multi-step task completion. He highlights the market opportunity from the VC point of view, and how AI agents could automate vulnerability management, streamline compliance processes, and enhance SOC operations.
Misc
Egoless Engineering - A fantastic talk on engineering culture
Markwhen - A Markdown-like journal language for plainly writing logs, Gantt charts, blogs, feeds, notes, journals, diaries, TODOs, timelines, calendars, and more
Genesis: Artificial Intelligence, Hope and the Human Spirit - Video overview of the new book by former Google CEO Eric Schmidt
OnlyFans Models Are Using AI Impersonators to Keep Up With Their DMs
What the Murder of the UnitedHealthcare C.E.O. Means to America - New Yorker piece on people’s positive reactions (“The whiff of populist anarchy in the air is salty, unprecedented, and notably across the aisle.”). Apparently there are a number of ‘Wanted’ posters being put up in NYC for other health insurance CEOs.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler