I hope you’ve been doing well!
I’ve got a few exciting announcements this week.
Come join my buds Tanya Janca and Leif Dreizler for a workshop next Tuesday Sept 19 in San Francisco, and I’ll be there for the happy hour after!
AI and LLM applications have been moving very quickly.
So I’m excited to distill the 100+ hours I’ve spent absorbing current research into a single 45min webinar with Wiz.
The focus will be: how is AI being applied to cybersecurity, across AppSec, web security, cloud security, blue team, red team, and more.
In addition to providing more tools and resources than you can shake a stick robot’s arm at, I’ll reflect on promising opportunities and where things are headed.
You can sign up here. When: next Thursday, Sept 21 at 11am PDT.
I’m stoked to announce a new long-form post!
If you keep hearing “supply chain security” but aren’t sure what that’s all about, Francis Odum has written a great intro / overview of the space.
In Part 2, he’ll analyze 12+ software supply chain vendors and their differentiators.
📣 Cloudy Visibility?
Cloud-first security teams are leading the pack in adopting Cloud Native Application Protection Platforms (CNAPP). This CNAPP Buyer’s Guide contains everything you need to know to make sure you’re adapting to the evolving threatscape and staying ahead of attackers, including:
-
What exactly is CNAPP
-
Why Gartner predicts that 80% of teams will move to CNAPP by 2026
-
How leading security orgs are consolidating their security stack (CSPM, CWPP, CIEM, CDR)
-
Bonus: An RFP template with a scorecard to assess potential solutions
Get the complete breakdown in the CNAPP Buyer’s Guide.
AppSec
Static Taint Analysis for Go
HashiCorp’s Kent Gruber has been working on a static taint analysis package for Go, which can be a building block for detecting SQL injection, XSS, etc., and walks through how it works.
📣 Large US telco pentests 3x faster with Corellium
Security testing iOS apps can get complicated. Apple releases multiple devices and iOS updates each year. Devices get bricked. And public jailbreaks are harder to come by.
With Corellium, you can easily spin-up near limitless combinations of virtual iPhone device models and iOS versions, jailbroken or not, with the click of a button. And advanced security testing tools are built into the platform for full-stack testing: OS, file, app, and network.
Read how our large US telco client was able to conduct three times as many pentests in the time it used to take to conduct one.
Whoa, 3x faster is legit 🤯
Cloud Security
A security community success story of mitigating a misconfiguration
This story by Scott Piper warms my heart. Basically, a bunch of researchers were writing about how it was easy to insecurely configure AWS IAM roles that were used by GitHub Actions, and by reaching out to AWS and Hashicorp, the defaults were changed so they became secure by default, eliminating this vulnerability from happening in the future. Let’s go!
Container Security
Container security fundamentals part 6: seccomp
Datadog’s Rory McCune continues his great series on security layers that can isolate containers not only from other processes but also from the underlying host. In this post, he discusses how seccomp filters, which can restrict which Linux syscalls a process can perform, are used as a “last line of defense” by container runtimes.
7 Ways to Escape a Container
For each, Lightspin’s Ori Abargil shares the container configuration that makes it susceptible to the escape technique, outlines the minimal capabilities required inside the container to escape, and shares concrete commands to set up the vulnerable container and escape it.
The ways: mount the host filesystem, use a mounted Docker socket, process injection, adding a malicious kernel module, reading secrets form the host, overriding files on host, and abusing notify on release.
Supply Chain
CISA Open Source Software Security Roadmap
CISA has released their 8 page roadmap covering their four key priorities: (1) establishing CISA’s role in supporting the security of open source software, (2) driving visibility into open source software usage and risks, (3) reducing risks to the federal government, and (4) hardening the open source ecosystem. OpenSSF weighs in as well and shares some useful links.
Red Team
nickvourd/Supernova
By Nick Vourd et al: A Golang tool for encrypting raw shellcode. Supports automatic conversion of encrypted shellcode into formats compatible with various programming languages, including C, C#, Rust, and Nim.
Politics / Privacy
The online portal for reporting hackable flaws includes a required entry field for details of where in the code to “trigger” the vulnerability or a video that demonstrates “detailed proof of the vulnerability discovery process,” as well as a nonrequired entry field for uploading a proof-of-concept exploit to demonstrate the flaw.
Also TIL there’s another law in China forbidding China-based executives of foreign firms from telling others at their own company about how they interact with the government. “Firms may not fully understand changes in their own local offices’ behavior because those local offices may not be permitted to talk to them about it, under pain of espionage charges.”
Machine Learning + Security
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏