[tl;dr sec] #202 – KubeHound, Supply Chain Security Vendor Landscape, CSPM Evaluation Matrix

I’m thrilled to announce that Part 2 of Francis Odum’s supply chain security report is out!

The post provides an overview of over 20 supply chain security vendors, from securing source code access and CI/CD pipelines to SCA, malicious dependencies, container security, SBOMs, code provenance, and more.

I think this is the broadest survey of this space I’ve seen in one place.

Rampant Cloud Activity? Cloud security challenges grow >exponentially< when key infrastructure migrates from on-prem environments onto public clouds. In this ebook you’ll learn how high-growth orgs can adapt their security strategy to stay secure without compromising on speed:

• How to identify top risks in your cloud environment (lateral movement, bloated patch lists, lack of visibility)

• 4 playbooks from high-growth companies navigating risks in their cloud – including emerging risks like Log4Shell

• What to look for when evaluating cloud-native security platforms (legacy vendors don’t want you to know this)

• AppSec: Secrets leaking in GitHub comments, embrace the IKEA effect in your security program

• Web Security: Tool to fuzz 401/403s, using Cloudflare to bypass Cloudflare, security options in OpenAPI

• Cloud Security: Building custom CNAPPgoat scenarios, moving to IMDSv2, CSPM evaluation matrix, dangers of Terraform’s remote-exec

• Container Security: Identify attack paths in k8s clusters with KubeHound

• Supply Chain: Tool to track apps from source to prod, browser extension to pull in metadata about OSS libs, tool collection to analyze OSS projects, sign messages with your OpenID identity

• Career: How to get fired with grace and aplomb, 25 lessons from 17 years in cybersecurity, my heart says yes but my schedule says no, how to handle opportunities that are potential distractions

• Politics / Privacy: Opening a facility in China, doxing on TikTok

• Machine Learning + Security: ChatGPT doing SAST

• Machine Learning: Obsidian plugin that integrates LLMs with LangChain, Cloudflare’s new AI tools

Thousands of GitHub Comments Leak Live API Keys
Truffle’s Joe Leon describes how they sampled a subset of GitHub’s public Pull Request and Issue comment data and discovered 721 live API keys and passwords. TruffleHog can now scan public repos for secrets in issues and PRs.

Note that when you “edit” your comment the secret is still in its history, you have to delete the comment.

Security Programs and the “IKEA Effect”
I love this post by Dustin Lehr, who points out that humans protect, defend, and care for things we’ve built or own. Therefore, we should encourage non-security people to help evaluate and select security tools, work with security to build common (secure by default) libraries, and more.

What many teams have discovered as they’ve grown their infrastructure is that traditional access control systems do not scale.

Not only does the risk of a breach increase with numerous static secrets, but forcing developers to juggle hundreds of credentials to do their jobs limits productivity and encourages insecure workarounds. This is when the largest teams in the world have discovered that identity-based access is the way out of the dilemma.

This O’Reilly book explains the concept of identity-based infrastructure access and compares it with traditional methods that rely on secrets.

intrudir/BypassFuzzer
By Intrudir: Tool that fuzzes 401/403ing endpoints for bypasses, checking headers, path normalization, verbs, etc. to attempt to bypass ACL’s or URL validation.

Using Cloudflare to bypass Cloudflare
Certitude Consulting’s Stefan Proksch describes how attackers can use their own Cloudflare accounts to abuse the trust relationship between Cloudflare and customer websites, bypassing protections like Firewall and DDoS prevention.

A Big Look at Security in OpenAPI
Justin McGuire details the five types of security options allowed in the OpenAPI v3 spec (API key, HTTP, OAuth2, MutualTLS, and OpenID Connect), and recommends using OAuth2 (or apiKey), and strongly discourages Basic Authentication, because you’re passing around usernames and passwords in every request.

The Hidden Dangers of Using Terraform’s Remote-Exec Provisioner
Cloud Security Partners’ Mike McCabe outlines the security risks around Terraform’s remote-exec provisioner, which provides the ability to execute scripts and commands on remote resources (for example, one could access and exfiltrate EC2 instance credentials). Mike concludes with best practices and a Semgrep rule to detect the use of remote-exec provisioner.

KubeHound: Identifying attack paths in Kubernetes clusters
Datadog’s Jeremy Fox, Edouard Schweisguth, and Julien Terriac announce Kubehound, an open source attack mapping tool for Kubernetes clusters that works by reading resources from the Kubernetes API, computing attack paths, and then storing the results in JanusGraph, a graph database. It can help answer questions like:

• What is the shortest exploitable path between an Internet facing service and a critical asset?

• What percentage of Internet-facing services have an exploitable path to a critical asset?

• What type of control would cut off the largest number of attack paths to a critical asset in your clusters?

They’ve also released an Attack Reference of over 25 attack types, including how to exploit and defend against them.

Chalk is now officially open source
Crash Override’s Mark Curphey announces Chalk, which aims to make it easy to trace apps from source code to production. It can be used for SBOMs, code provenance, to be SLSA level 2 compliant, to create a real-time application inventory, and more.

os-scar/overlay
A browser extension that helps you evaluate open source packages before picking them by gathering data from various sources (Snyk Advisor, Debricked, Socket.dev, and Deps.dev), and displays them on the package pages of popular registries like npm, PyPI, and Go.

microsoft/OSSGadget
A collection of tools for analyzing open source projects: locate the source code of a package, download it, identify cryptographic implementations, look for obfuscated strings, try to identify potential backdoors and malicious code, etc.

Linux Foundation, BastionZero and Docker Announce the Launch of the OpenPubkey Project
OpenPubkey (repo) enables users bind cryptographic keys to users and workloads by turning an OpenID Connect Identity Provider (IdP) into a Certificate Authority (CA), enabling users to sign messages or artifacts under their OpenID identity. This enables applications such as secure remote access or software supply chain security features such as signed builds, deployments, and code commits.

• If you don’t know how your company makes money, you don’t know how to truly protect it.

• Cybersecurity is 10% tech and 90% diplomacy.

• Saying ‘no’ as a security professional is easy; aligning security with business enablement is hard.

• The more buzzwords in a security product, the less likely it is to solve your problem.

Maybe you’re in the privileged position of having more asks than time. These may help 👇️ 

1. If they say “yes,” you’re happy because the terms or money are so good, it more than compensates for the distraction, perhaps funding the thing you really want to do.

2. If they say “no,” you’re happy because it wasn’t a great fit anyway; it’s not a worthwhile return on your time and effort.

“Think of it like another form of funding. Funding is always a distraction from actually running your business, so the amount of money you get must be transformative to the business.”

• Sequoia argues that GPU capacity is getting overbuilt, with some napkin math around the cost of GPUs, the energy cost of running them, data center spend, etc.

• John Hwang argues that vector database is not a separate database category, and that all incumbent databases will add this functionality, which will also be good for end users (use the same software, don’t need to move data around).

• Sam Altman Is the Oppenheimer of Our Age – Fascinating long profile on Sam Altman, his career, his family, and more.

• Video: RT-X and the Dawn of Large Multimodal Models: Google Breakthrough and 160-page Report Highlights

• 10 ChatGPT Vision examples: SaaS dashboard screenshot → code, explain this workflow diagram, break down human cell diagram for a 9th grader, …

• CommandBar Copilot – AI assistant that can walk users through workflows on your app and even complete them automatically.

• DeepUnitAi – Automatically generate Jest (TypeScript) unit tests.

  • Google and others have been doing this for writing fuzzing test harnesses, but I think auto-generating security-related unit tests and similar seems promising.

memgraph/odin
By Katarina Supe et al: A plugin that integrates Large Language Models (LLMs) into Obsidian using LangChain, enabling users to generate knowledge graphs and questions from Markdown files, among other features.

• Workers AI – Access physically nearby GPUs hosted by Cloudflare partners to run AI models on a pay-as-you-go basis.

• Vectorize – A vector database.

• AI Gateway – Provides metrics to enable customers to better manage the costs of running AI apps.

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏