I hope you’ve been doing well!
Reflections and Cooking
First off, thanks so much to everyone who reached out with kind and encouraging words after my reflection last week.
It put a huge smile on my face and means a ton. (Also, I’ll respond soon.)
To be honest, it felt a bit overly indulgent writing it, but people seemed to appreciate it, so I’ll try to share my reflections more often.
Some other recent updates: I’ve been absolutely cooking with Claude Code and Sonnet 4.5 this week.
Two to four sessions at the same time. Migrating code between languages, using new frameworks and libraries. Auto-writing tests.
And kicking off detailed research queries comparing various tech stacks (e.g. Cloudflare vs Supabase) and libraries (AI eval frameworks) using voice to text when I’m taking walks.
It’s actually been so fun and fast moving that it’s put me behind on some less fun but important things I need to do.
I hope your week has been full of joy too!
P.S. I’m working on a new talk on applying AI to AppSec, the future of AppSec, etc. If you’re doing something cool in this space, please reach out and tell me what you’re up to.
CI/CD pipelines power modern software delivery, but securing them can be a challenge.
This new cheat sheet walks you through the OWASP Top 10 CI/CD security risks and shares clear, actionable steps to help reduce your attack surface and strengthen your delivery processes.
- The most common CI/CD attack vectors with real-world examples
- Practical mitigations for each OWASP risk category
- How Wiz helps detect and prevent misconfigurations, exposed secrets, and supply chain threats
As the recent spree of supply chain attacks has shown, CI/CD security is critical.
AppSec
BSidesSF 2026 CFP is Open
The BSidesSF CFP is open until October 28th! The theme: BSidesSF: The Musical. I don’t know how this happened, but I am filled with joy.
BSidesSF is one of my favorite conferences: not too big, full of smart and friendly people, A+ networking with folks at cool companies doing awesome things. And it’s right before RSA. Hope to see you there!
- Act like a business executive, not an IT manager.
- Master business-oriented communication and influence.
- Build scalable, self-reinforcing security systems (flywheels).
- Prioritize ruthlessly and focus on leverage.
Software Factory Security Framework (SF²)
GitLab VP of Product Security Julie Davila introduces the Software Factory Security Framework, a comprehensive mental model to help security leaders scale security capabilities while improving business outcomes. The framework consists of core components including a foundation, universal stewardship responsibilities, strategic positioning, investment portfolio guidance, and contextual modifiers to adapt to specific organizational situations. SF² complements existing standards like NIST SSDF, OWASP SAMM, BSIMM, and OWASP ASVS.
In the Investment Portfolio section, I like the discussion of evaluating potential investments, designing security capabilities that compound (e.g. paved road), and more.
Google Workspace misconfigurations or disabled security settings can be easy to miss. This guide from Nudge Security provides a deep dive on the top 5 Google Workspace security settings that should be on your checklist.
For each security setting, we cover:
- Common misconfigurations to look out for
- Best practices for effective risk reduction
- Considerations for tailoring settings based on user privilege
Learn what you can do today to improve your Google Workspace security posture.
I use Google Workspace but I’m not sure what hardening steps I should be doing. I need to check this out.
Cloud Security
- In AWS, 86% use AWS Organizations, but only 40% use Service Control Policies (SCPs) and 6% use Resource Control Policies (RCPs).
- In Google Cloud, 11% of GKE clusters and 23% of VMs are overprivileged, most often through the use of the Compute Engine default service account.
- One in two EC2 instances enforce IMDSv2, up from 32% a year ago. Enforcement is unequal and overrepresented among recently launched instances: only 14% of instances created more than two years ago enforce it.
- On average, an organization deploys 13 third-party integration roles, linked to an average of 2.5 distinct vendors.
- 12.2% of third-party integrations are dangerously overprivileged, allowing the vendor to access all data in the account or to take over the whole AWS account.
- 2.25% of third-party integration roles don’t enforce the use of an external ID.
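Two of the findings above (IMDSv2 not enforced, and third-party integration roles that trust another account without an external ID) are easy to check for yourself once you have the `describe-instances` and `get-role` output in hand. The script below is an added example, not code from Datadog’s report or from this newsletter: it runs the two checks over constructed sample records that mimic the shape of those API responses (the account IDs, role names and instance IDs are placeholders), flagging instances whose metadata endpoint is enabled but accepts tokenless requests, and roles that let a foreign account assume them with no `sts:ExternalId` condition (the confused-deputy gap the last bullet refers to).

```python
"""Audit IMDSv2 enforcement and external-ID use on cross-account roles.

Added example over constructed sample data; the records below imitate the
JSON returned by `aws ec2 describe-instances` and `aws iam get-role`, but
every ID and name in them is a placeholder.
"""

# Constructed: trimmed describe-instances style records.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0000000000000001",
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0000000000000002",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    # Endpoint disabled entirely: nothing to enforce, so not a finding.
    {"InstanceId": "i-0000000000000003",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
]

OWN_ACCOUNT = "999999999999"  # constructed placeholder for "our" account

# Constructed: trust policies (AssumeRolePolicyDocument) for three roles.
SAMPLE_ROLES = {
    "vendor-a-integration": {"Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "vendor-a-customer-42"}},
    }]},
    "vendor-b-integration": {"Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
        # No Condition: any caller in account 2222... can assume this role.
    }]},
    "internal-app-role": {"Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},  # not a third party
        "Action": "sts:AssumeRole",
    }]},
}


def imdsv2_not_enforced(instances):
    """Instance IDs whose metadata endpoint is on but HttpTokens != required."""
    findings = []
    for inst in instances:
        opts = inst.get("MetadataOptions", {})
        if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
            findings.append(inst["InstanceId"])
    return findings


def _principal_accounts(principal):
    """Account IDs named in a statement's AWS principal (string or list)."""
    if not isinstance(principal, dict):
        return []
    aws = principal.get("AWS", [])
    if isinstance(aws, str):
        aws = [aws]
    accounts = []
    for entry in aws:
        parts = entry.split(":")
        if len(parts) >= 5 and parts[4].isdigit():   # arn:aws:iam::ACCOUNT:...
            accounts.append(parts[4])
        elif entry.isdigit():                         # bare account ID form
            accounts.append(entry)
    return accounts


def _has_external_id(statement):
    """True if the statement pins sts:ExternalId under a StringEquals* operator."""
    for operator, kv in statement.get("Condition", {}).items():
        if operator.startswith("StringEquals") and any(k.lower() == "sts:externalid" for k in kv):
            return True
    return False


def third_party_roles_without_external_id(roles, own_account):
    """Roles assumable from another AWS account with no external ID condition."""
    findings = []
    for name, policy in roles.items():
        for stmt in policy.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
                continue
            foreign = [a for a in _principal_accounts(stmt.get("Principal")) if a != own_account]
            if foreign and not _has_external_id(stmt):
                findings.append(name)
    return findings


if __name__ == "__main__":
    print("IMDSv2 not enforced:", imdsv2_not_enforced(SAMPLE_INSTANCES))
    print("cross-account roles without external ID:",
          third_party_roles_without_external_id(SAMPLE_ROLES, OWN_ACCOUNT))
```

On the sample data this reports `i-0000000000000002` and `vendor-b-integration`. Swapping the constructed lists for real API output is the only change needed to run it against an account; the remediation for the first finding is `HttpTokens=required` on the instance (or a launch template), and for the second it is adding a vendor-supplied external ID condition to the trust policy.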
HoneyBee uses AI to automatically generate the misconfigurations as well as Nuclei templates to externally validate that attackers can indeed exploit the misconfiguration. (Shout-out: the Nuclei generation was based on a template from my bud Daniel Miessler’s Fabric project). You can also give HoneyBee a Jina API token to enable automatic extraction of misconfigurations from blogs or articles.
Using AI to automatically create honeypots, and auto-validators, and potentially even auto-source honeypot ideas from blog posts on vulnerabilities is quite clever. I think this idea/approach is super promising, and expect we’ll see a lot more like it.
Container Security
PaloAltoNetworks/KIEMPossible
By Palo Alto’s Golan Myers: A tool designed to simplify Kubernetes Infrastructure Entitlement Management by allowing visibility of permissions and their usage across the cluster, to allow for real enforcement of the principle of least privilege.
madhuakula/spotter
By Madhu Akula: Spotter is a comprehensive Kubernetes security scanner that uses Common Expression Language (CEL) based rules to identify security vulnerabilities, misconfigurations, and compliance violations across your Kubernetes clusters, manifests, and CI/CD pipelines. Spotter supports scanning both manifest files and live clusters with built-in rules covering OWASP Kubernetes Top 10, CIS Benchmark, and NSA/CISA guidelines, and allows custom rule creation.
Access controls don’t scale with manual approvals.
Our report shows what modern IT and security teams are doing instead:
- Enforcing requirements automatically when access changes
- Removing manager approvals that add no security value
- Letting app owners handle their own access decisions
- Automating what can be automated
Access management is one of the top things that suck in security, based on interviews with >50 security leaders. Nicely detailed report, I like it.
Supply Chain
Adversis/sketchy
By Adversis: A cross-platform security scanner that checks repositories, packages, and scripts for malicious patterns before you execute them. Sketchy detects over 25 types of suspicious behaviors including command overwrites, code execution patterns, reverse shells, credential theft, cloud metadata access, cryptocurrency miners, homograph attacks, and more. Detection patterns inspired by DataDog’s GuardDog.
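A couple of the behaviors Sketchy looks for (cloud metadata access, pipe-to-shell, code execution patterns) can be illustrated with a small scanner over npm lifecycle scripts, which are the usual place such behavior hides in a package. The script below is an added example, not Sketchy’s or GuardDog’s code: the rule set and the two sample `package.json` manifests are constructed for illustration, and it only flags install-time hooks (`preinstall`, `install`, `postinstall`, `prepare`) since a `build` or `test` script does not run on a plain `npm install` of a dependency.

```python
"""Flag suspicious behavior in npm lifecycle scripts before running an install.

Added example with constructed rules and sample manifests; the package names
and commands below are invented and are not real packages.
"""
import json
import re

# Only hooks that run automatically when the package is installed as a dependency.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# (rule id, pattern). Heuristics in the spirit of the categories listed above.
RULES = [
    ("cloud-metadata-access", re.compile(r"169\.254\.169\.254|metadata\.google\.internal")),
    ("pipe-to-interpreter", re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sh|bash|node|python3?)\b")),
    ("base64-decode", re.compile(r"base64", re.I)),
    ("child-process-in-hook", re.compile(r"child_process|\bexec\(|\bspawn\(")),
    ("sensitive-file-read", re.compile(r"~/\.ssh|\.npmrc|\.aws/credentials|\.env\b")),
]

# Constructed sample manifests.
BENIGN_MANIFEST = json.dumps({
    "name": "example-lib", "version": "1.0.0",
    "scripts": {"build": "tsc -p .", "test": "node test.js"},
})
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "example-helper", "version": "1.0.0",
    "scripts": {
        # Reads instance metadata at install time and hands it to another script.
        "postinstall": "curl -s http://169.254.169.254/latest/meta-data/ | node send.js",
        # Decodes and executes an encoded command ('ZWNobyBoaQ==' is "echo hi").
        "preinstall": "node -e \"require('child_process').exec("
                      "Buffer.from('ZWNobyBoaQ==','base64').toString())\"",
    },
})


def scan_manifest(text):
    """Return (hook, rule id) pairs for every rule that matches an install hook."""
    pkg = json.loads(text)
    findings = []
    for hook, command in pkg.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue
        for rule_id, pattern in RULES:
            if pattern.search(command):
                findings.append((hook, rule_id))
    return findings


def is_sketchy(text):
    """Convenience verdict: any finding at all blocks the install."""
    return bool(scan_manifest(text))


if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, "->", scan_manifest(manifest))
```

The benign manifest produces no findings; the suspicious one is flagged on both hooks. Regex rules like these are deliberately noisy (a legitimate package can read a `.env` file in `postinstall`), so in practice they belong in front of a human review or an allowlist rather than as an automatic block on their own.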
Introducing Socket Firewall: Free, Proactive Protection for Your Software Supply Chain
Socket’s Dale Bustad announces Socket Firewall (sfw), a lightweight (non-open-source) tool that blocks malicious dependencies before they reach developer machines. The tool works by creating an ephemeral HTTP proxy that intercepts package manager traffic and checks with Socket’s API before allowing packages to be fetched, supporting npm/yarn/pnpm (JavaScript), pip/uv (Python), and cargo (Rust) with a simple prefix command pattern (e.g., sfw npm install lodash).
Interesting findings: much of the vulnerable install base was theme extensions; .env, .config.json, .mcp.json, .cursorrules, package.json, and README.md were frequent leak sources; and some extensions are specifically for supporting a single company’s engineers or customers, but have been made public.
Wiz spent 6 months working with Microsoft, who has now implemented preventative measures including secret scanning during extension publishing, revoked leaked tokens, and published a roadmap for VSCode Marketplace security.
Working with big platforms to make improvements that benefit all users is likely a bit of drudgery and slow, but the impacts are huge. Hats off to Wiz, Rami, and Microsoft for improving the ecosystem.
AI + Security
Adversis/mcp-snitch
By Adversis: A macOS application that intercepts and monitors MCP server communications, providing security analysis (uses AI for threat detection and pattern-based detection for sensitive data like SSH keys, credentials, system files), access control, and audit logging for AI tool usage.
A small number of samples can poison LLMs of any size
A joint study between Anthropic, the UK AI Security Institute, and the Alan Turing Institute, “found that as few as 250 malicious documents can produce a “backdoor” vulnerability in an LLM—regardless of model size or training data volume. Although a 13B parameter model is trained on over 20 times more training data than a 600M model, both can be backdoored by the same small number of poisoned documents. These results challenge the common assumption that attackers need to control a percentage of training data; instead, they may just need a small, fixed amount.”
Thus, data poisoning attacks might be much more practical than previously believed, which matters when LLMs are trained on The Internet at large, including Reddit and people’s personal websites and blog posts. And tl;dr sec *looks at issue number*
Nice round-up of a bunch of related work. The post also includes a simple example prompt for detecting malicious MCP tools.
If someone hasn’t already scanned the MCP ecosystem at scale for malicious servers/tools, someone should do that and write a blog about it.
Cool Hacks
Eavesdropping on Internal Networks via Unencrypted Satellites
CCS 2025 paper by Wenyi Morty Zhang et al: “We pointed a commercial-off-the-shelf satellite dish at the sky and carried out the most comprehensive public study to date of geostationary satellite communication. A shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens’ voice calls and SMS, and consumer Internet traffic from in-flight wifi and mobile networks. This data can be passively observed by anyone with a few hundred dollars of consumer-grade hardware.”
Pixnapping: Bringing Pixel Stealing out of the Stone Age
CCS 2025 paper by Alan Wang et al: “A new class of attacks that allows a malicious Android app to stealthily leak information displayed by other Android apps or arbitrary websites. Pixnapping exploits Android APIs and a hardware side channel that affects nearly all modern Android devices.
We have demonstrated Pixnapping attacks on Google and Samsung phones and end-to-end recovery of sensitive data from websites including Gmail and Google Accounts and apps including Signal, Google Authenticator, Venmo, and Google Maps. Notably, our attack against Google Authenticator allows any malicious app to steal 2FA codes in under 30 seconds while hiding the attack from the user.”
They present Mic-E-Mouse, a signal processing and machine learning pipeline that transforms these low-quality, non-uniformly sampled vibration data into intelligible speech, achieving 80% speaker recognition accuracy and 16.79% word error rate in human evaluations. This attack requires no hardware modifications and works with existing consumer-grade mice, potentially allowing attackers to eavesdrop on conversations through a seemingly innocuous mouse.
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I’d really appreciate it if you’d forward it to them.
P.S. Feel free to connect with me on LinkedIn.