🦘 Crikey!
This week I’ve been in Sydney, the first time I’ve ever been in Australia.
I’ve been enjoying the architecture and food; the streets are clean, public transport is convenient, and, unlike on BART, I’ve never sat a few seats away from someone sharpening a knife.
There have been some fun #PeakAustralia learnings, like the slang (brekky, mozzie, sickie, bottle-o, avo, devo). When in doubt, just shorten the word and add an -y or -o sound at the end 😂
You can also stay overnight at the Taronga Zoo, which I highly recommend. My room literally overlooked a space with kangaroos.
It seems like Aussies do zoos differently: there were multiple open areas where animals freely roamed. I had kangaroos, echidnas, emus, and more walk by literally 2 feet from me.
Where will I be next? Tune in next week and click on all sponsor links for more 😉
The SEC announced new regulations that go into effect in December, requiring public companies to disclose security incidents deemed material to investor confidence.
Amidst a growing cloud risk gap, the open question is – what is “material impact”?
While there’s no silver bullet, heightened security posture requires a holistic approach to the full threat lifecycle – steering away from the incessant game of whack-a-mole towards security & operations force multipliers.
For the cloud office – Microsoft 365 & Google Workspace – Material Security reduces risk in otherwise hard-to-address critical areas.
Mac
- maxgoedjen/secretive: An app for storing and managing SSH keys in your Mac’s Secure Enclave.
- Apple has launched a new iMessage feature, Contact Key Verification, that’s designed to detect sophisticated attacks against iMessage servers and allow users to verify that they’re messaging only with whom they intend.
Vulnerability management in the cloud is no longer just about patches and fixes. In this latest report, the Wiz Security Research team put vulnerability management theory into practice using recently identified vulnerabilities as examples.
- Which technology & vulnerability types to prioritize
- How to leverage CVSS metrics
- The essential questions to ask when triaging
All this and more can be found in the 2023 Cloud Vulnerability Report.
AppSec
sshx
A web-based, collaborative terminal that lets you share your terminal with anyone by link. It has real-time collaboration, with remote cursors and chat, and is end-to-end encrypted.
Machine Learning + Security
BlackBerry announced a new generative AI powered assistant for Security Operations Center (SOC) teams.
Answering security questionnaires is full of mind-numbing work that’s…
well, almost like you’re battling Bowser in the old-school version of Super Mario Bros.
So we wrote you (the trusty security hero) into our version of an 8-bit video game.
It’s an interactive adventure about how you can use Conveyor’s AI security questionnaire automation software to destroy pesky ‘questionnaire villains’.
With the most accurate AI answers on the market, we’ve got all the weapons (read: features) you need to cruise through every portal and horror-inducing multi-tab Excel you encounter.
Scroll through the quick game (it’s fun, we promise).
Filling out security questionnaires is a great use of AI. I actually called it out as such in my talk a month or two ago before I’d seen Conveyor doing this.
Also, this game was cute and fun, I played to the end even though I should have been finishing this newsletter 😅
Machine Learning
- New GPT-4 Turbo model that is more capable and supports a 128K context window.
- GPT-4 and 3.5 are 2X – 3X cheaper.
- You can use GPT Vision, DALL-E 3 and text-to-speech via API.
- ChatGPT: knowledge cut-off is now April 2023, and you can use all of the extensions (DALL·E, browsing, and data analysis) without switching between them.
- You can attach files to let ChatGPT search PDFs and other document types.
- New Assistants API – support for building agents that have goals and can call models and tools.
- They’ve launched GPTs, essentially an app marketplace for developers to build and charge for custom versions of ChatGPT that combine instructions, extra knowledge, and any combination of skills.
Cloud Security
The deputy is confused about AWS Security Hub
If you’re building a product that integrates with AWS Security Hub, Plerion’s Daniel Grzelak describes a number of ‘confused deputy’ issues that can arise; for example, findings could be delivered to the wrong customer when the integration never validates that the requesting customer actually owns the AWS account the findings belong to.
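To make the account-ownership point concrete, here is a small added example (mine, not Plerion’s or the post’s code) of a multi-tenant router for ASFF-style findings. `AwsAccountId` is a real ASFF field; the tenant registry, tenant names, account IDs and findings are all constructed for the illustration, and it is assumed that ownership in the registry was proven at onboarding (for example by assuming a role in the customer’s account with a tenant-specific ExternalId), which is not shown here. The naive router trusts whatever accounts the caller claims, so a tenant that names another customer’s account ID receives that customer’s findings; the checked router delivers only findings for accounts the tenant has proven it owns and reports the rest.

```python
"""Tenant-scoped routing of AWS Security Hub (ASFF) findings.

Added illustration of the confused-deputy failure: route_naive trusts the
caller's claim of which AWS accounts it owns; route_checked consults an
ownership registry populated at onboarding. All data below is constructed.
"""
import re

# Constructed registry: tenant -> AWS account IDs whose ownership the tenant
# proved at onboarding (assumed: by a role assumption with a per-tenant
# ExternalId; that proof step is outside this example).
OWNERSHIP = {
    "tenant-acme": {"111111111111"},
    "tenant-globex": {"222222222222"},
}

# Constructed ASFF-style findings, trimmed to the fields the router uses.
FINDINGS = [
    {"Id": "f-1", "AwsAccountId": "111111111111", "Title": "S3 bucket is public"},
    {"Id": "f-2", "AwsAccountId": "222222222222", "Title": "Root user has no MFA"},
    {"Id": "f-3", "AwsAccountId": "333333333333", "Title": "Security group open to 0.0.0.0/0"},
]

ACCOUNT_ID = re.compile(r"^\d{12}$")


def route_naive(findings, claimed_accounts):
    """Vulnerable: the caller says which accounts are 'theirs' and we believe it.

    A customer who names a competitor's account ID gets that competitor's
    findings back (the integration acts as a confused deputy).
    """
    return [f for f in findings if f.get("AwsAccountId") in claimed_accounts]


def route_checked(findings, claimed_accounts, tenant, ownership=OWNERSHIP):
    """Hardened: deliver only findings for accounts the tenant proved it owns.

    Returns (delivered, rejected); rejected lists (finding id, account id,
    reason) so the mismatch can be logged or alerted on rather than silently
    dropped.
    """
    owned = ownership.get(tenant, set())
    delivered, rejected = [], []
    for f in findings:
        acct = f.get("AwsAccountId", "")
        if acct not in claimed_accounts:
            continue  # not requested by this caller
        if not ACCOUNT_ID.match(acct):
            rejected.append((f["Id"], acct, "malformed account id"))
        elif acct in owned:
            delivered.append(f)
        else:
            rejected.append((f["Id"], acct, "account not owned by tenant"))
    return delivered, rejected


if __name__ == "__main__":
    # tenant-acme claims its own account plus globex's and an unknown one.
    claimed = {"111111111111", "222222222222", "333333333333"}
    print("naive:", [f["Id"] for f in route_naive(FINDINGS, claimed)])
    ok, bad = route_checked(FINDINGS, claimed, "tenant-acme")
    print("checked:", [f["Id"] for f in ok], "rejected:", bad)
```

The important design choice is that the ownership registry is written only by the onboarding flow that verified control of the account, never by the same request path that asks for findings; the account ID in a request is just an untrusted selector into that registry.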
Interesting tidbits: GitHub automatically reports exposed AWS credentials to AWS, which then applies a quarantine policy to the key. The researchers removed the quarantine policy to better observe attacker behavior, and wrote Terraform to programmatically spin up unrelated-looking honeypot cloud environments for attackers to find and exploit.
Career
x1trap/websec-answers
More in-depth answers for web security interview questions by Tib3rius. This content is unreasonably good. I feel like if I had been able to read this when I first started as a security consultant I would have saved like 1-2 years of getting better.
Supply Chain
SLSA: Supply chain threats
SLSA docs page providing an introduction and nice diagram overview to possible attacks throughout the supply chain and how SLSA can help.
npm-sbom
The npm CLI now has an `npm sbom` subcommand for generating a Software Bill of Materials (SBOM) listing the dependencies of the current project. SBOMs can be generated in either SPDX or CycloneDX format.
SBOM Benchmark
Quickly evaluate SBOM for quality, compliance and errors. Includes a collection of SBOM examples in CycloneDX and SPDX formats, generated for common open source repositories and container images using open-source SBOM tools (like trivy or syft).
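The two entries above are about producing an SBOM and then judging whether it is any good. As an added example (not code from npm, SBOM Benchmark, or any of the tools named), here is a minimal quality check over a CycloneDX JSON document of the shape `npm sbom --sbom-format cyclonedx` emits: it confirms the top-level fields, flags components that lack a version, purl or license, and checks that every reference in the dependency graph resolves to a declared component. The embedded SBOM is constructed for the illustration (the package names and versions are placeholders), with one deliberately deficient component and one dangling dependency reference.

```python
"""Minimal quality check for a CycloneDX JSON SBOM (added example).

Checks the kinds of defects an SBOM benchmark looks for: missing top-level
fields, components without version/purl/license, and dependency edges that
point at refs no component declares. SAMPLE_SBOM is constructed for the demo.
"""
import json

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "name": "demo-app",
                      "version": "1.0.0", "bom-ref": "demo-app@1.0.0"}
    },
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "bom-ref": "lodash@4.17.21", "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        # Deficient on purpose: no version, no purl, no license.
        {"type": "library", "name": "left-pad", "version": "",
         "bom-ref": "left-pad", "licenses": []},
    ],
    "dependencies": [
        {"ref": "demo-app@1.0.0",
         "dependsOn": ["lodash@4.17.21", "left-pad", "missing@0.0.1"]},
    ],
})

REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion", "version", "components")


def check_sbom(text):
    """Return a list of human-readable issues; an empty list means no findings."""
    bom = json.loads(text)
    issues = []

    for key in REQUIRED_TOP_LEVEL:
        if key not in bom:
            issues.append(f"missing top-level field: {key}")
    if bom.get("bomFormat") != "CycloneDX":
        issues.append(f"unexpected bomFormat: {bom.get('bomFormat')!r}")

    # Collect every bom-ref a dependency edge may legitimately point at.
    refs = set()
    root = (bom.get("metadata") or {}).get("component") or {}
    if root.get("bom-ref"):
        refs.add(root["bom-ref"])

    for comp in bom.get("components", []):
        label = comp.get("name") or "<unnamed component>"
        if comp.get("bom-ref"):
            refs.add(comp["bom-ref"])
        else:
            issues.append(f"{label}: no bom-ref")
        if not comp.get("version"):
            issues.append(f"{label}: no version")
        if not comp.get("purl"):
            issues.append(f"{label}: no purl")
        if not comp.get("licenses"):
            issues.append(f"{label}: no license information")

    for dep in bom.get("dependencies", []):
        src = dep.get("ref")
        if src not in refs:
            issues.append(f"dependency ref not declared as a component: {src}")
        for target in dep.get("dependsOn", []):
            if target not in refs:
                issues.append(f"{src}: dependsOn unknown ref {target}")
    return issues


def purl_coverage(text):
    """Fraction of components carrying a purl (a common benchmark metric)."""
    comps = json.loads(text).get("components", [])
    if not comps:
        return 0.0
    return sum(1 for c in comps if c.get("purl")) / len(comps)


if __name__ == "__main__":
    for issue in check_sbom(SAMPLE_SBOM):
        print("-", issue)
    print(f"purl coverage: {purl_coverage(SAMPLE_SBOM):.0%}")
```

Run it against a real file with `check_sbom(open("sbom.json").read())`; a healthy SBOM returns no issues and full purl coverage, while the constructed sample reports the deficient `left-pad` component and the unresolved `missing@0.0.1` edge.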
Blue Team
google/localtoast
A scanner for running security-related configuration checks such as CIS benchmarks in an easily configurable manner.
Politics / Privacy
Cover Your Tracks
Project by the EFF to test your browser to see how well you are protected from tracking and fingerprinting.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏