[tl;dr sec] #192 – Google’s AI Red Teaming, OWASP on Cloud Security, Trail of Bits’ Testing Guide


I hope you’ve been doing well!

🤦‍♀️ Deck Pics

Narrator: This week, on #PeakBayArea.

A friend of mine recently told me that she had to change her job on dating apps from “VC” to “finance.”

Why? Because she kept matching with guys who’d say, “Hey… so… can I show you my pitch deck?”

She’d respond, “Sure, but you have to choose whether this is going to be a romantic or a business dynamic; it can only be one.”

And then a number of times she did actually end up having an impromptu pitch meeting 🤣 Who says romance is dead.

I feel like this is romcom waiting to happen. *Closes eyes, engages screenwriting mode* 

If you have any funny #PeakBayArea or dating stories you’d like to share, feel free to send them to me.

🔥 tl;dr sec t-shirts

I’m thrilled to announce that for the first time ever I’m printing tl;dr sec t-shirts and bringing 300 to Vegas.

Next week I’ll share more about where you can find me / get one.

If you’re not attending Hacker Summer Camp this year, don’t worry, I’ll give them out another time too.

📣 Wiz for CSPM: A Modern Approach to Security in the Cloud

Security risks grow exponentially as your cloud footprint increases. That’s why picking the right Cloud Security Posture Management (CSPM) solution is critical to building your security strategy. In this free resource, Wiz breaks down market trends to help you understand how to find the right solution for your org.

Here’s exactly what you’ll learn:

  • Why cloud-forward security orgs are adopting CSPM

  • What are the differences between modern vs legacy CSPM

  • How cloud security leaders use Wiz to improve security posture

  • Key features and functionality to assess in your CSPM evaluation

📜 In this newsletter…

  • AppSec: The difference between product security and application security, the Trail of Bits testing guide

  • Web Security: Using MiTMProxy as a scriptable pre-proxy for BurpSuite, web app black-box testing

  • Cloud Security: OWASP’s cloud architecture security cheat sheet, replacing AWS access keys with other options, bucket looter, IAMActionHunter

  • Container Security: Kubernetes security basics: container deployment

  • Supply Chain: Tool to check repo for SLSA conformance, supply chain security tools for Go, tool to track software from dev to prod

  • Red Team: Tool to send Microsoft Teams phishing messages, benchmark for identifying debuggers

  • Machine Learning + Security: Google’s AI red team whitepaper, an academic’s LLM red teaming slides, tool for testing models against adversarial threats

  • Machine Learning: Explaining to NPCs that they’re not real, AI will produce the biggest K-shaped recovery, generative AI company overview, Zuck vs Elon

  • Misc: Love and tragedy are linked

AppSec

Sometimes one of them is responsible for securing the software the company writes, while the other may actually help build security features into the product (e.g. 2FA, authentication or authorization libraries, user flows, etc.).

📣 Privileged Access Management for the Cloud, new from ConductorOne

Managing access to cloud infrastructure can be a headache. ConductorOne’s Cloud PAM solution gives teams just-in-time (JIT) access to cloud resources, drastically reducing standing access and permissions. No more tickets. No more waiting.

Find out how you can take control of accounts and permissions throughout your environment and achieve least privilege access for AWS, GCP, AzureAD, Snowflake and more.

Just in time access / least privilege for cloud environments and various apps is a hot up-and-coming area it seems. Neat to see companies tackling this.

Web Security

Web Application Black-Box Testing
YesWeHack describes black-box testing techniques for web apps, including fuzzing, regression testing, and error guessing, which can provoke unexpected behavior and thus, hopefully, surface vulnerabilities. It also explains how to craft effective payloads for fuzzing applications and how to recognize changed behavior in responses.

Cloud Security

Cloud Architecture Security Cheat Sheet
Nice overview guide by OWASP covering risk analysis, threat modeling, and attack surface assessments, public and private components, trust boundaries, security tooling, and maintenance of self-managed tooling.

redhuntlabs/BucketLoot
By Umair Nehri: An automated S3-compatible bucket inspector that can extract assets, flag secret exposures, and search for custom keywords and regular expressions from publicly-exposed storage buckets. Can scan buckets on AWS, Google Cloud Storage, and DigitalOcean Spaces.

Container Security

Kubernetes Security Basics Series: Container Deployment
KSOC discusses the importance of verifying orchestrator configuration files’ integrity before deployment, utilizing admission controllers, immutable infrastructure, drift prevention, patching, centralized logging, monitoring, and other important topics.

Supply Chain

oracle/macaron
By Oracle Labs: A supply chain security analysis tool that focuses on the build integrity of an artifact and its dependencies, checking whether a project conforms to the SLSA specification. Currently supports the Maven and Gradle Java build systems; support for Python’s Pip and Poetry is in progress.

Tracking software from build to production and vice versa is a challenge I’ve heard from a number of companies, excited to see how this goes!

Red Team

Octoberfest7/TeamsPhisher
By Alex Reid: A Python tool that facilitates the delivery of phishing messages and attachments to Microsoft Teams users whose organizations allow external communications.

hfiref0x/WubbabooMark
A benchmark for identifying traces left by popular debuggers and testing how effectively they are concealed by anti-detection software. The tool implements a wide range of tests, including verification of loaded kernel modules, running processes, client threads, and examination of system handle dumps, and more.

Machine Learning + Security

  1. What red teaming in the context of AI systems is and why it’s important

  2. What types of attacks AI red teams simulate (prompt attacks, extraction of training data, backdooring the AI model, adversarial examples to trick the model, data poisoning, and exfiltration)

  3. Lessons learned

Trusted-AI/adversarial-robustness-toolbox
By LF AI & Data Foundation: Adversarial Robustness Toolbox (ART) is a Python library for ML security that provides tools that enable developers and researchers to defend and evaluate ML models and applications against the adversarial threats of evasion, poisoning, extraction and inference.

Machine Learning

I thought his points on how AI could improve each step of the flywheel interesting: understanding what you/your company wants → understanding the challenges → creating ideas → rating ideas → testing ideas → and executing on the winners.

Misc

Love and tragedy are linked.

You can’t have one without the other. The greater the love, the greater the tragedy.

Every day around the world, millions of people die. We all go on, we all show up to work, we don’t care.

But if it’s someone you love, your sister, spouse, grandparent, a friend, it’s like the world collapses.

So really, all love stories, whether between a couple or between parents and children, by definition have to end in tragedy.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏
