[tl;dr sec] #259 – What Sucks in Security, Supply Chain Firewall, AWS re:Invent Security Talks
Insights from 50+ security leaders, OSS tool to protect devs from malicious dependencies, playlist of re:Invent’s security talks
I hope you’ve been doing well!
I’m thrilled to announce a new guest post from my friend Maya Kaczorowski, who interviewed 57 security leaders to understand their biggest pain points in our industry, and has kindly shared the results.
Neat insights, served with a delightful side of snark
The top technology pain points were:
- Ticket-based and inconsistent access management
- Disparate vulnerability prioritization and remediation workflows
- And obtaining and using SaaS logs
Relatedly, from Geoff Belknap (former CISO of LinkedIn, Slack, Palantir): “The hardest problems in Security aren’t really ‘Security’ problems: Asset Inventory, Patching Automation, Config Management, Device Administration.”
P.S. Unrelatedly, I’m thinking about taking a trip to Bali. If you have any tips or recommendations on what to do, where to stay, or things I should know, please let me know, I’d much appreciate it!
Cloud attacks are evolving, so is detection and response.
For modern security teams, the cloud presents both a blessing and a curse. Abundant telemetry allows for unparalleled visibility and control, but traditional security operations tools (like SIEM) are not designed to handle complex cloud signals. That’s why a new category of tools is emerging – Cloud Detection and Response (CDR) – bringing the “assume-breach” mindset into the cloud.
In this Practical Guide to Cloud Threat Detection, Investigation and Response, you’ll learn:
- What is Cloud Detection and Response (CDR)
- Why you need a CDR solution (and how other tools fall short for Cloud use cases)
- Key benefits and capabilities of CDR tools
I’ve been hearing more and more about CDR recently, nice to have a guide to quickly get up to speed with where things are headed
AppSec
BSidesSF 2025 Call For Participation
The Call for Participation (CFP) and Call for Villages (CFV) deadline has been extended to Tuesday, January 7! Hope to see you there, BSidesSF is
specfy/stack-analyser
By Specfy: Extract 500+ technologies from any repository. Detect Languages, SaaS, Cloud, Infrastructure, Dependencies and Services.
35 more Semgrep rules: infrastructure, supply chain, and Ruby
Trail of Bits’ Matt Schwager and Travis Peters release 35 new custom Semgrep rules, covering supply chain issues (lack of short-lived OIDC tokens in GitHub Actions), infrastructure as code (Vault, Nomad), and Ruby application security. The post explores Semgrep’s regex mode vs. generic mode, providing heuristics for when to use regex, and highlights HCL support for IaC security, sharing rules to detect disabling TLS verification and hardcoded credentials in Terraform and Nomad configurations.
- Find ways to make direct prod access (which is risky) unnecessary for normal workflows: config files can be viewed safely when they’re IaC, system logs can be shipped to observability stacks, and prod changes can be orchestrated through CI/CD.
- LaunchDarkly created a GitHub repo with templated Go scripts for common tasks. Once reviewed, approved (with full context), and merged, the code uses GitHub Actions to launch AWS Fargate tasks that perform the sensitive tasks from within their prod environments (no direct prod access needed).
- Don’t use approvals to prevent spoofing, ask for identity evidence instead: MFA re-authentication, device trust check, etc.
- Study the justifications for why risky actions are needed, then build safer alternatives for those workflows over time.
Modern AI applications are increasingly deployed in containerized environments. This deployment choice introduces novel engineering and security challenges as popular open-source containers for frameworks like PyTorch and Tensorflow are bloated and full of vulnerabilities. Robust AI applications also carry complex dependency trees, creating a perfect storm of performance and security risks. In this webinar, AI developers explore how their teams manage container bloat, address security vulnerabilities, and navigate complex dependency sprawl to build secure and effective AI applications.
Helping secure AI apps and workloads?! As the kids say these days, let’s gooo!
Cloud Security
Exploiting Public AWS Resources – CLI Attack Playbook
Eduard Agavriloae provides a playbook for exploiting publicly accessible AWS resources, covering services like S3 buckets, AMIs, EBS snapshots, RDS snapshots, IAM roles, SSM documents, and more. The guide includes CLI commands for enumerating, accessing, and exfiltrating data from misconfigured resources, using the AWS CLI and tools like CloudShovel and coldsnap.
Securing AWS Lambda | How Misconfigurations Can Lead to Lateral Movement
SentinelOne’s Yehonatan Bitton demonstrates how misconfigurations in AWS Lambda can lead to lateral movement attacks, using a fictional e-commerce company as an example. The attack chain involves exploiting a prototype pollution vulnerability, achieving code execution, accessing the Lambda’s environment variables, and leveraging overly permissive IAM roles to move laterally and exfiltrate data.
The Dark Side of Domain-Specific Languages: Uncovering New Attack Techniques in OPA and Terraform
Tenable’s Shelly Raban explores techniques for abusing infrastructure-as-code and policy-as-code tools, focusing on Open Policy Agent (OPA) and Terraform. For OPA, Shelly demonstrates extracting AWS credentials from IMDSv2 and exfiltrating data via DNS tunneling using built-in Rego functions. For Terraform, she shows how malicious data sources and provisioners in newly created pull requests can lead to credential theft and code execution during CI/CD.
Modern, ephemeral infrastructure is a complex beast to manage. Scaling privileged access across it all presents unique challenges, and relying on traditional PAM technology alone is insufficient (or, requires significant overhead… )
Read this “Modern Infrastructure Demands a Modern Approach to Privileged Access” guide to explore (and start solving) the key challenges that arise when scaling access control across the dynamic multi-cloud, cloud-native, and containerized infrastructure of today. Key challenges include credential sprawl, manual management burden, and limited compatibility with modern DevOps toolkits.
Supply Chain
Catalog of Supply Chain Compromises
A CNCF repo cataloguing links to various software supply chain compromises, with the goal being to capture many examples of different kinds of attack, so that we can better understand the patterns and develop best practices and tools.
Announcing the launch of Vanir: Open-source Security Patch Validation
Google announces Vanir, an open-source security patch validation tool for Android platform developers (e.g. OEMs) that uses static analysis to identify missing security patches. Like: here is known vulnerable code, find copy/pasted or similar code to this. Currently Vanir supports C/C++ and Java targets and covers 95% of Android kernel and userspace CVEs with public security patches, integrates with OSV for up-to-date vulnerability data, and can be easily adapted for other ecosystems beyond Android.
Blue Team
Automated Hunting
Censys announces Censeye, a new open-source tool that automates pivoting through Censys data to discover related infrastructure, for example, uncovering previously unknown malicious infrastructure by pivoting from known C2 servers. The pivoting can be done by attributes of hosts that exceed a given semi-unique threshold (e.g. TLS fingerprint, SSH fingerprint, IP address, HTTP response, …), and the tool supports recursively searching discovered related hosts.
Red Team
skerkour/black-hat-rust
A book by Sylvain Kerkour covering topics like reconnaissance (multi-threaded attack surface discovery), exploitation (writing shellcode in Rust), building a modern RAT in Rust, and more. Previously mentioned in tl;dr sec #101, but including again as it’s relevant to
Linux LKM Persistence
Hal Pomeranz describes how to achieve Linux kernel module persistence using systemd-modules-load, using the Diamorphine LKM rootkit as an example. He explains how to install Diamorphine, configure systemd to load it on boot, and hide the artifacts. Hal also provides detection techniques, including checking kernel taint status with a custom chktaint.sh script, and recommends tools like chkproc and chkdirs for finding hidden processes and directories.
AI + Security
ucsb-seclab/chainreactor
ChainReactor is a research project that leverages AI planning to discover exploitation chains for privilege escalation on Unix systems. The project models the problem as a sequence of actions to achieve privilege escalation from initial access to a target system. See also the corresponding Usenix Security 2024 paper and talk recording by Giulio De Pasquale et al.
Agentic Security Marketmap
Brandon Dixon gives an overview of the emerging AI-powered security startup landscape, categorizing companies based on their scope and level of autonomy. He highlights three key areas: Incident Triage (e.g. Dropzone AI, CommandZero), Code Vulnerability Analysis (e.g. Pixee AI), and Security Copilots/Agents (e.g. Microsoft Security Copilot, SentinelOne’s Purple AI, Simbian AI). Other notable startups: XBOW (offensive security), Torq (SOC automation), Bricklayer (multi-agent architectures), Opnova (workflow automation), and Splx (AI red teaming).
Agentic AI’s Intersection with Cybersecurity
Friend of the newsletter Chris Hughes discusses the rise of Agentic AI in cybersecurity, including its potential to transform areas like AppSec, GRC, and SecOps through autonomous, multi-step task completion. He highlights the market opportunity from the VC point of view, and highlights how AI agents could automate vulnerability management, streamline compliance processes, and enhance SOC operations.
Misc
- SNL – Gladiator II: The Musical
- 8 months of OCaml after 8 years of Haskell in production
- Egoless Engineering – A fantastic talk on engineering culture
- A USB-C connector with evil inside
- Markwhen – A Markdown-like journal language for plainly writing logs, Gantt charts, blogs, feeds, notes, journals, diaries, TODOs, timelines, calendars, and more
- Genesis: Artificial Intelligence, Hope and the Human Spirit – Video overview of the new book by former Google CEO Eric Schmidt
- OnlyFans Models Are Using AI Impersonators to Keep Up With Their DMs
- What the Murder of the UnitedHealthcare C.E.O. Means to America – New Yorker piece on people’s positive reactions (“The whiff of populist anarchy in the air is salty, unprecedented, and notably across the aisle.”). Apparently there are a number of ‘Wanted’ posters being put up in NYC for other health insurance CEOs.
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them