[tl;dr sec] #272 – AI Agent Security, Kubernetes Security, ‘State of CloudSec’ Reports: Insights or Self-Owns?

BSidesSF and RSA are coming up, which means… it’s time to get spammed by vendors.

I mean… hear about how an old company is now AI-first.

Errr I mean meet cool people and make new friends  

I’m hoping there will be some great new marketing highlights, like last year’s guy hawking a security product while balancing on a board on a cylinder while in a straitjacket, choreographed ninjas dancing, or Keanu Reeves repping a product.

Don’t let me down marketing budgets  

Parties
I’m looking forward to Semgrep’s pre-BSidesSF party on Friday April 25 with Code Red, ProjectDiscovery, and Prophet Security at Emporium Arcade Bar. Hope to see you there!

You can see other Semgrep RSA events here, including my bud Tanya Janca doing signings of her new book Alice & Bob Learn Secure Coding.

Modern bots are smarter than ever—executing JavaScript, storing cookies, rotating IPs, and even cracking CAPTCHAs with AI. As attacks grow more sophisticated, traditional detection just isn’t enough.

Enter WorkOS Radar—your all-in-one bot defense solution. With just a single API, you can instantly secure your signup flow against brute force attacks, leaked credentials, and disposable emails. Stop bots in their tracks and keep your real users safe.

secureCodeBox/secureCodeBox
An OWASP project by iteratec. A Kubernetes-based, modular toolchain that automates continuous security scans for software projects, integrating >15 OSS security tools.

Fun with Timing Attacks
Robbie Ostrow describes a practical timing attack against a function that takes user input and checks if it matches a secret using startsWith, exploiting early-exit behavior in the string comparison. He discusses an optimized guessing technique using Thompson Sampling and a Trie data structure, and provides an interactive demo using a web worker in your browser.

This post contains some serious deep HTML nuance wizardry. Wow.

This CISO guide addresses the key questions:

• How much visibility does the security team have into human and non-human identity-related activities and potential threats within your organization?

• What do cloud identity attacks look like across different cloud environments, and how do they differ from traditional on-premise identity attacks?

• What best practice strategies are available for detecting, preventing, and remediating identity-based attacks?

• Plus many more.

Identity is both critical and tricky, it’s great to see more guidance on getting visibility into identity-related risks and detection & response

Understanding RCPs and SCPs in AWS: Choosing the Right Policy for your Security Needs
Fog Security’s Jason Kao discusses how to effectively combine Resource Control Policies (RCPs) and Service Control Policies (SCPs), including an example of how to migrate from an SCP to RCP. Recommendations: Use RCPs when you’re protecting resources in S3, STS, KMS, SQS, or Secrets Manager, are enforcing consistent security standards for resources, are running out of attachment room or space in SCPs, or you want to use NotResource in your policy. Use SCPs if you need to restrict a service not covered by RCPs or you want to use NotAction.

PowerUserAccess vs. AdministratorAccess from an attacker’s perspective
OffensAI’s Eduard Agavriloae describes how the AWS managed policy PowerUserAccess can be as dangerous as AdministratorAccess in complex AWS environments. For example, through PowerUserAccess, attackers can escalate privileges by modifying and invoking a Lambda function with inappropriate IAM permissions, using SSM SendCommand to exfiltrate access credentials from an EC2 instance with an overly permissive role, or altering a CloudFormation template with AdministratorAccess to include a privilege escalation vector.

State of ‘State of Cloud Security’ Reports: Insights or Self-Owns?
Rami McCarthy takes a critical look at “state of cloud security” reports published by CSPM vendors, highlighting how these reports may reflect more on the product’s effectiveness than the actual state of cloud security, and how certain stats might not represent real security risk or there may be a legit reason for the observed state. “Often, the statistics presented are as much a reflection of limitation in collected or analyzed data, or the product, as any specific research perspective.”

I like this angle, and in general I think as an industry we should do a better job at critically analyzing “state of the union” type reports, evaluations/benchmarks, etc.

She also makes good points about the potentially questionable reliability of industry reports and metrics (e.g. X% of orgs have ), because a) this is based on one vendor’s customers (which may not be representative of all companies), and b) the sample size/which customers are included may vary from year to year, so stats might naturally fluctuate.

The vulnerabilities stem from improper input sanitization, allowing attackers to inject arbitrary directives in the NGINX configurations, as well as gain RCE via uploading a malicious shared library using NGINX client body buffering and loading it via an injected ssl_engine directive during configuration testing.

The exploit chain for configuration injection → RCE is pretty rad Wiz bringing that IDF/8200 energy.

ATT&CK Evaluations Library
MITRE‘s ATT&CK Evaluations Library is a collection of adversary emulation plans, each providing a comprehensive approach to emulating a specific threat actor (ALPHV BlackCat, CL0P, DPRK, FIN7, LockBit, Sandworm, …), from initial access through exfiltration.

Each plan contains an intelligence summary, an operational flow covering a high-level summary of the captured scenario(s), and step-by-step procedures in both human and machine-readable formats, allowing for end-to-end scenario execution or individual technique testing.

Rust for Malware Development
Bishop Fox’s Nick Cerne discusses Rust and C for malware development, highlighting Rust’s advantage of being more difficult to reverse engineering given the current functionality of Ghidra. He then demonstrates how to build a Rust-based malware dropper that enumerates processes, injects shellcode using remote mapping injection, and executes a Sliver C2 payload in the context of notepad.exe.

BitM Up! Session Stealing in Seconds Using the Browser-in-the-Middle Technique
Google’s Truman Brown et al give an overview of Browser in the Middle (BitM) attacks (serving a legitimate site through an attacker-controlled browser, making it challenging for victims to distinguish from the real site), which is an effective way to compromise sessions across various web applications, bypassing MFA. Unlike transparent proxies like Evilginx2 that require significant customization, BitM frameworks can target any website in seconds with minimal configuration.

Mitigations: requiring client certificates for authentication, or hardware-based MFA solutions like FIDO2 compatible security keys.

nwiizo/tfmcp
By @nwiizo: A Terraform Model Context Protocol tool. An experimental CLI tool that enables AI assistants to manage and operate Terraform environments. It supports reading Terraform configurations, analyzing plans, applying configurations, and managing state with Claude Desktop integration.

AI Model Context Protocol (MCP) and Security
Cisco’s Omar Santos discusses the security implications of the Model Context Protocol (MCP), an open standard for connecting AI models to data sources and tools. Omar describes how security controls (e.g. authN/authZ, logging, …) can be added to the Agentic App <> MCP Server <> Tool flow.

The post includes some nice diagrams and tables covering key security considerations when implementing MCP transport mechanisms (authN/authZ, data security, network security), considerations when exposing tools (input validation, access control, error handling), and more.

AI agent authentication: it’s just OAuth
Maya Kaczorowski argues that existing OAuth standards are sufficient for authenticating and authorizing AI agents, entirely new solutions aren’t needed. OAuth provides a standardized way to delegate limited access to resources without sharing full credentials, and allows applications to request specific permissions on behalf of users, with those users explicitly approving what access they’re granting. Instead of giving an agent full access to an API, granular permission scopes in OAuth lets you grant specific read or write permissions to particular resources.

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them