🤔 Reflections and Cooking

First off, thanks so much to everyone who reached out with kind and encouraging words after my reflection last week 🙏 

It put a huge smile on my face and means a ton. (Also, I’ll respond soon 😅)

To be honest, it felt a bit overly indulgent writing it, but people seemed to appreciate it, so I’ll try to share my reflections more often.

Some other recent updates: I’ve been absolutely cooking with Claude Code and Sonnet 4.5 this week 🧑‍🍳 

Two to four sessions at the same time. Migrating code between languages, using new frameworks and libraries. Auto-writing tests.

And kicking off detailed research queries comparing various tech stacks (e.g. Cloudflare vs Supabase) and libraries (AI eval frameworks) using voice to text when I’m taking walks.

It’s actually been so fun and fast moving that it’s made me behind on some less fun but important things I need to do 😆 

I hope your week has been full of joy too!

P.S. I’m working on a new talk on applying AI to AppSec/future of AppSec, etc. If you’re doing something cool in this space, please reach out and tell me what you’re up to 🤓 

Sponsor

📣 CI/CD Pipeline Security Best Practices

CI/CD pipelines power modern software delivery, but securing them can be a challenge.

This new cheat sheet walks you through the OWASP Top 10 CI/CD security risks and  shares clear, actionable steps to help reduce your attack surface and strengthen your delivery processes.

Inside, you’ll find:

• The most common CI/CD attack vectors with real-world examples

• Practical mitigations for each OWASP risk category

• How Wiz helps detect and prevent misconfigurations, exposed secrets, and supply chain threats

👉 Download Now 👈

AppSec

BSidesSF 2026 CFP is Open
The BSidesSF CFP is open until October 28th! The theme: BSidesSF: The Musical 😍. I don’t know how this happened, but I am filled with joy.

BSidesSF is one of my favorite conferences- not too big, full of smart and friendly people, A+ networking with folks at cool companies doing awesome things. And it’s right before RSA. Hope to see you there!

Security Leadership Master Class 1 : Leveling up your leadership
The first of a 7 part series where former Google Cloud CISO Phil Venables groups prior posts into a theme. “Security leadership is about building flywheels not [just] fire stations.” See the bottom of the post for his top 10 posts on various leadership topics. Essential attributes of a leader include:

• Act like a business executive, not an IT manager.

• Master business-oriented communication and influence.

• Build scalable, self-reinforcing security systems (flywheels).

• Prioritize ruthlessly and focus on leverage.

Software Factory Security Framework (SF²)
GitLab VP of Product Security Julie Davila introduces the Software Factory Security Framework, a comprehensive mental model to help security leaders scale security capabilities while improving business outcomes. The framework consists of core components including a foundation, universal stewardship responsibilities, strategic positioning, investment portfolio guidance, and contextual modifiers to adapt to specific organizational situations. SF² complements existing standards like NIST SSDF, OWASP SAMM, BSIMM, and OWASP ASVS.

💡 In the Investment Portfolio section, I like the discussion of evaluating potential investments, designing security capabilities that compound (e.g. paved road), and more.

Sponsor

📣 5 Critical Google Workspace Security Settings You Might Be Missing

Google Workspace misconfigurations or disabled security settings can be easy to miss. This guide from Nudge Security provides a deep dive on the top 5 Google Workspace security settings that should be on your checklist.

For each security setting, we cover:

• Common misconfigurations to look out for

• Best practices for effective risk reduction

• Considerations for tailoring settings based on user privilege

Learn what you can do today to improve your Google Workspace security posture.

👉 Get the guide 👈

I use Google Workspace but I’m not sure what hardening steps I should be doing, I need to check this out 👀 

Cloud Security

State of Cloud Security
Updated report from Datadog, H/T Christophe Tafani-Dereeper for sharing. Stats in the web version of this issue.

• In AWS, 86% use AWS Organizations, but only 40% use Service Control Policies (SCPs) and 6% use Resource Control Policies (RCPs).

• In Google Cloud, 11% of GKE clusters and 23% of VMs are overprivileged, most often through the use of the Compute Engine default service account.

• One in two EC2 instances enforce IMDSv2, up from 32% a year ago. Enforcement is unequal and overrepresented among recently launched instances: only 14% of instances created more than two years ago enforce it.

• On average, an organization deploys 13 third-party integration roles, linked to an average of 2.5 distinct vendors.

  • 12.2% of third-party integrations are dangerously overprivileged, allowing the vendor to access all data in the account or to take over the whole AWS account.

  • 2.25% of third-party integration roles don’t enforce the use of an external ID.

Container Security

More talks from Cloud Village DEF CON 33

• Command and KubeCTL: Kubernetes Security for Pentesters and Defenders

  • Chainguard’s Mark Manning

• Spotter - Universal Kubernetes Security Engine

  • Madhu Akula 

• Quickstart for a Breach! When Official Installations Expose Your K8 and Your Cloud

  • Microsoft’s Michael Katchinskiy & Yossi Weizman

• Don't trust Rufus, he's a mole - introducing KIEMPossible

  • Palo Alto’s Golan Myers

PaloAltoNetworks/KIEMPossible
By Palo Alto’s Golan Myers: A tool designed to simplify Kubernetes Infrastructure Entitlement Management by allowing visibility of permissions and their usage across the cluster, to allow for real enforcement of the principle of least privilege

madhuakula/spotter
By Madhu Akula: Spotter is a comprehensive Kubernetes security scanner that uses Common Expression Language (CEL) based rules to identify security vulnerabilities, misconfigurations, and compliance violations across your Kubernetes clusters, manifests, and CI/CD pipelines. Spotter supports scanning both manifest files and live clusters with built-in rules covering OWASP Kubernetes Top 10, CIS Benchmark, and NSA/CISA guidelines, and allows custom rule creation.

Sponsored Tool

📣 Stop asking managers to approve
access requests

Access controls don't scale with manual approvals.

Our report shows what modern IT and security teams are doing instead:

• Enforcing requirements automatically when access changes

• Removing manager approvals that add no security value

• Letting app owners handle their own access decisions

• Automating what can be automated

👉 Read the report 👈

Access management is one of the top things that suck in security based on interviews with >50 security leaders. Nicely detailed report, I like it 👍️ 

Supply Chain

Adversis/sketchy
By Adversis: A cross-platform security scanner that checks repositories, packages, and scripts for malicious patterns before you execute them. Sketchy detects over 25 types of suspicious behaviors including command overwrites, code execution patterns, reverse shells, credential theft, cloud metadata access, cryptocurrency miners, homograph attacks, and more. Detection patterns inspired by DataDog's GuardDog.

Introducing Socket Firewall: Free, Proactive Protection for Your Software Supply Chain
Socket’s Dale Bustad announces Socket Firewall (sfw), a lightweight (non open source) tool that blocks malicious dependencies before they reach developer machines. The tool works by creating an ephemeral HTTP proxy that intercepts package manager traffic and checks with Socket's API before allowing packages to be fetched, supporting npm/yarn/pnpm (JavaScript), pip/uv (Python), and cargo (Rust) with a simple prefix command pattern (e.g., sfw npm install lodash).

Socket Firewall Free is provided under the PolyForm Shield License 1.0.0, which has Noncompete and Competition clauses (very smart 👍️).

Dismantling a Critical Supply Chain Risk in VSCode Extension Marketplaces
Wiz’s Rami McCarthy describes how they found over 550 leaked secrets in VSCode extensions, including 100+ VSCode Marketplace PATs and 30+ OVSX Access Tokens that could allow attackers to push malicious updates to 150,000+ users. Note that extensions auto-update by default, so victims wouldn’t need to take any action to be compromised 🫠 

Interesting findings: much of the vulnerable install base was theme extensions, .env, .config.json, .mcp.json, and .cursorrules, package.json, and README.md were frequent leak sources, and some extensions are specifically for supporting a single company’s engineers or customers, but have been made public.

AI + Security

Adversis/mcp-snitch
By Adversis: A macOS application that intercepts and monitors MCP server communications, providing security analysis (uses AI for threat detection and pattern-based detection for sensitive data like SSH keys, credentials, system files), access control, and audit logging for AI tool usage.

A small number of samples can poison LLMs of any size
A joint study between Anthropic, the UK AI Security Institute, and the Alan Turing Institute, “found that as few as 250 malicious documents can produce a "backdoor" vulnerability in an LLM—regardless of model size or training data volume. Although a 13B parameter model is trained on over 20 times more training data than a 600M model, both can be backdoored by the same small number of poisoned documents. These results challenge the common assumption that attackers need to control a percentage of training data; instead, they may just need a small, fixed amount.”

💡 Thus, data poisoning attacks might be much more practical than previously believed, which matters when LLMs are trained on The Internet at large, including Reddit and people’s personal websites and blog posts. And tl;dr sec *looks at issue number* 😈

MCP Tools: Attack Vectors and Defense Recommendations for Autonomous Agents
Elastic’s Carolina Beretta, Gus Carlock, and Andrew Pease provide an overview of Model Context Protocol (MCP) tools, standard attack vectors such as tool poisoning (malicious instructions in a tool’s metadata or parameters), rug pull attacks (when a tool’s description or behavior is silently altered after user approval, turning a previously benign tool potentially malicious), and orchestration injection (attacks involving multiple tools or that cross different servers or agents).

Nice round-up of a bunch of related work. The post also includes an example simple prompt of detecting malicious MCP tools.

💡 If someone hasn’t already scanned the MCP ecosystem at scale for malicious servers/tools, someone should do that and write a blog about it.

Cool Hacks

Eavesdropping on Internal Networks via Unencrypted Satellites
CCS 2025 paper by Wenyi Morty Zhang et al: “We pointed a commercial-off-the-shelf satellite dish at the sky and carried out the most comprehensive public study to date of geostationary satellite communication. A shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens’ voice calls and SMS, and consumer Internet traffic from in-flight wifi and mobile networks. This data can be passively observed by anyone with a few hundred dollars of consumer-grade hardware.”

Pixnapping: Bringing Pixel Stealing out of the Stone Age
CCS 2025 paper by Alan Wang et al: “A new class of attacks that allows a malicious Android app to stealthily leak information displayed by other Android apps or arbitrary websites. Pixnapping exploits Android APIs and a hardware side channel that affects nearly all modern Android devices.

We have demonstrated Pixnapping attacks on Google and Samsung phones and end-to-end recovery of sensitive data from websites including Gmail and Google Accounts and apps including Signal, Google Authenticator, Venmo, and Google Maps. Notably, our attack against Google Authenticator allows any malicious app to steal 2FA codes in under 30 seconds while hiding the attack from the user.”

Mic-E-Mouse: Covert Eavesdropping through Computer Mice
Paper, data, and GitHub PoC by Mohamad Fakih et al demonstrating how optical sensors in modern mice can be exploited as covert microphones, capturing speech vibrations transmitted through desk surfaces despite significant signal quality challenges.

They present Mic-E-Mouse, a signal processing and machine learning pipeline that transforms these low-quality, non-uniformly sampled vibration data into intelligible speech, achieving 80% speaker recognition accuracy and 16.79% word error rate in human evaluations. This attack requires no hardware modifications and works with existing consumer-grade mice, potentially allowing attackers to eavesdrop on conversations through a seemingly innocuous mouse.

Misc

AI

• Sam Altman says ChatGPT will soon allow adult content for adult users

• A new report from the Center for Democracy and Technology found that 19% of high school students have either had a romantic relationship with an AI chatbot, or know a friend who has.

• How a Google Gemma model helped discover a new potential cancer therapy pathway

• Jeff Bezos on AI and AI investments

Feelz

• HealthyGamer (Dr. K) - Why men turn pain into anger

• HealthyGamer - What Nobody Tells You About Your 30's - On being motivated and understanding who you are

• Chris Williamson - 21 Lessons from 999 Episodes

• The School of Life - How to 'Grow' - The Hard Truth About Growth

• Banger Chris Williamson blog on vulnerability - A snippet: “The more you expose, the closer you are. The less you show, the more distant you become. Vulnerability isn’t weakness; it’s rebellion. It’s not how little you feel that makes you strong, it’s how much you can face and stay open.”

• “Mundane Halloween” in Japan - We need this tradition in the U.S.

Politics

• Dutch government takes control of Chinese-owned chipmaker Nexperia invoking the "Goods Availability Act" to ensure continued chip supply for European industries amid escalating U.S.-China trade tensions.

• The U.S. federal government has reached an agreement with Qatar to build a facility at an Air Force base in Idaho. According to Wikipedia, Qatar is a hereditary monarchy in the Middle East whose leader holds all executive, legislative, and judicial authority. Previously Qatar gifted Trump a $400M jumbo jet to use as Air Force One.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋