[tl;dr sec] #290 – Securing MCP, AppSec Archetypes, CISO’s Guide to Protecting Crown Jewels

[tl;dr sec] #290 - Securing MCP, AppSec Archetypes, CISO's Guide to Protecting Crown Jewels

Tools to scan MCP servers and an MCP WAF, 4 AppSec archetypes, how to strategically protect your org with limited resources

I hope you’ve been doing well!

New guest post from my friend Caleb Sima! In his first CISO role, Caleb had the overwhelming feeling of needing to “secure all the things” and put out every fire.

Which led him to develop a more focused, practical approach: the crown jewels strategy.

His new guide, “Intent Over Tactics,” shares this framework. It’s for any security leader struggling with limited resources but facing huge expectations.

Caleb explains why focusing on an attacker’s intent is more effective than chasing their tactics, and he walks through the exact steps to identify, protect, and get buy-in for a strategy that actually makes your company safer.

P.S. If you’re going to Vegas next week and want to hang out, I’ll be at:

  • Tuesday: Dig This then Omega Mart

  • Wednesday: Crying into my pillow Writing this newsletter

  • Thursday: Semgrep’s Black Hat booth 1pm-2:30pm then Level Up

Hope to see you there I’ll have some cards and stickers.

New data from Harmonic Security reveals that 22% of files and 4.37% of prompts submitted to GenAI tools contain sensitive content like source code, credentials, and PII. In Q2 alone, the average enterprise saw 23 new GenAI tools in use…including hidden AI features in common SaaS apps. With much of this usage occurring via personal accounts, enterprises need visibility, data monitoring, and context-aware controls to prevent leaks.

Wow, 1 million prompts and 20,000 uploaded files across more than 300 GenAI and AI-enabled SaaS applications is a pretty big dataset. The post has some interesting stats on the most prevalent types of sensitive content uploaded  

AppSec

Exploiting Self-XSS Using Disk Cache
Meydi describes a technique to exploit self-XSS vulnerabilities by leveraging disk caching and window relationships to access victim data across sessions. The method involves opening multiple windows, performing a login CSRF, redirecting to the XSS endpoint, and using different query parameters to manipulate browser caching. The technique can be mitigated by setting Cache-Control: no-store.

In this post, CyberArk’s Ari Novick describes AppBound encryption and describes a new technique called C4 (Chrome Cookie Cipher Cracker) that allows decrypting cookies as a low-privileged user. This technique also allowed them to abuse Google’s new security feature to attack Windows machines and access data that should typically only be available to the privileged SYSTEM user. Padding Oracle attack in the wild  

Application Security Engineer Archetypes
Larkins Carvalho discusses the diverse roles and archetypes of application security engineers across different organizational contexts, walking through how the role varies depending on factors like company size, product delivery pace, and platform maturity.

Larkins outlines three main categories based on company size: AppSec Engineer in a Centralized Organization (most orgs start here), Dedicated AppSec Engineer (core member of a product team), and Security Partner Engineer, and defines four archetypes: the Orchestrator, Builder, Specialist, and Rapid Responder – each with distinct traits and focuses.

AI tools have seeped into every corner of your org which is great for innovation, but not so great for data security.

With a free trial of Nudge Security, you can:

  • Find every AI app, even those added in the past

  • See all users, accounts, and OAuth grants

  • Get alerted as soon as new AI tools are introduced

  • Nudge users of rogue tools toward approved options

Instant gratification and scalable governance? Yes, please!

Great to have visibility into all the AI apps your company is using  

Cloud Security

Cloud Logging for Security and Beyond
Palo Alto’s Margaret Kelley and Nicole Weaver provide a guide to cloud logging best practices across AWS, Azure, and GCP, focusing on balancing security, regulatory compliance, and cost. They break down logging into key categories (audit, compute, network, secrets, storage, database, Kubernetes) and explain the differences between control plane and data plane logging. The post includes tables and figures showing where specific events appear in logs across cloud providers.

Introducing SRA Verify – an AWS Security Reference Architecture assessment tool
Jeremy Schiefer, Justin Kontny, and Matt Nispel announce SRA Verify, an open-source tool that automates checks to validate if an organization’s AWS implementation aligns with the AWS Security Reference Architecture (SRA) best practices. The tool covers multiple AWS services including CloudTrail, GuardDuty, IAM Access Analyzer, Config, Security Hub, S3, Inspector, and Macie, with plans to expand coverage over time.

Oftentimes it seems big platforms don’t take ownership for the security of software published on their platform or marketplace. Shout-out to the Google Cloud team and their “Shared Fate” approach (vs: “lol that sounds like your problem”). Though to be fair, there’s also always an inherent trade-off between more open ecosystems and tightly controlled ones.

Also shout-out to Truffle and the authors for publishing a negative result. “We tried this thing and actually Foo is kinda secure” is also a cool result, it doesn’t always have to be “ZOMG Foo got totally wrekt!1!”

Blue Team

Hunting Malicious Shortcut (.LNK) Files Using the VirusTotal API
Maveris Labs’ Manuel Arrieta demonstrates how to use the VirusTotal API to gather malicious LNK samples and build threat hunting analytics. He walks through querying VirusTotal for recent LNK files with network behavior, analyzing their target processes and command line arguments using PowerShell and Voyant Tools, and creating KQL queries to detect suspicious LNK file creation followed by execution of Cmd.exe or PowerShell.exe with specific arguments within a 2-minute window.

Differentiating between IoC , IoA and indicators of fraud
Sergio Albea explains the differences between Indicators of Attack (IoAs), Indicators of Compromise (IoCs), and Indicators of Fraud, providing practical KQL query examples for each. IoAs detect active threats in real-time (e.g., renamed PowerShell, excessive SMTP traffic), IoCs reveal post-breach evidence (e.g., file hashes, malicious IPs), while fraud indicators focus on suspicious financial behaviors (e.g., geographically impossible logins).

Why You Should be Testing Your Detection Rules
Bill Mahony discusses the importance of testing detection rules and suggests an approach focused on unit testing, linting, and integration testing. He recommends “Synthetic Integration Testing” – maintaining a library of sample events for each attack, injecting them into your SIEM regularly, and verifying alerts are received. Part 2.

Red Team

kapellos/LNKSmuggler
A Python script for creating .lnk (shortcut) files with embedded encoded data and packaging them into ZIP archives. Designed to be downloaded in a phishing campaign.

wariv/DarkLnk
By Bill Rumbaugh: Build sneaky & malicious LNK files. The DarkLnk .lnk file’s icon, properties, and context will all appear to be a valid .lnk to a chosen filetype (docx. mov, pdf, mp3, etc.). However, the .lnk file will still point towards PowerShell and execute PowerShell commands.

AI + Security

  • The Amazon Q developer extension for VS Code was briefly backdoored to nuke your computer and cloud infrastructure – 404Media, Corey Quinn 

  • Vibe coding service Replit deleted production database – SaaStr founder Jason Lemkin was impressed with his productivity after spending $600 in 3.5 days. Then he found the AI covered up bugs and issues by creating fake data and reports, then… deleted his database and the data could not be recovered.

makalin/SecureMCP
By Mehmet AKALIN: A security auditing tool designed to detect vulnerabilities and misconfigurations in applications using MCP. It proactively identifies threats like OAuth token leakage, prompt injection vulnerabilities, rogue MCP servers, and tool poisoning attacks.

kapilduraphe/mcp-watch
By Kapil Duraphe: A security scanner that detects vulnerabilities and security issues in your MCP server implementations. Features: looks for hard-coded credentials, hidden malicious instructions in tool descriptions, magic parameters that extract sensitive context, prompt injection, dynamic tool changes and rug-pull risks, triggers that steal conversation history, servers impersonating popular services, etc.

eqtylab/mcp-guardian
Manages your LLM assistant’s access to MCP servers, handing you realtime control of your LLM’s activity. Features: message logging (see traces for all of an LLM’s MCP server activity), message approvals (approve and deny individual tool call messages in real time), automated message scans (realtime automated checks for safety, privacy, etc. coming soon).

We built the security layer MCP always needed
Trail of Bits’ Cliff Smith introduces mcp-context-protector, a security wrapper for LLM apps using the Model Context Protocol (MCP), defending against risks such as line jumping attacks like prompt injection via tool descriptions. The tool implements trust-on-first-use pinning for server instructions and tool descriptions, LLM guardrail integration to scan for prompt injection payloads, and optional ANSI control character sanitization. mcp-context-protector acts as a proxy between the LLM app and the downstream server, allowing for security checks on every message before it enters the context window.

Thoughtfully designed architecture and where it fits into the ecosystem, I like it.

In security you either die a hero or live long enough to build a firewall  

Securing Model Context Protocol (MCP) with Teleport and AWS
Boris Kurktchiev, Dylan Souvage, and Thierno Diallo provide a nice overview of security challenges with MCP (over-privileged access patterns, credential management failures like static keys, audit and compliance blindness), and propose an identity-first solution for AI infrastructure. I need to think about this more, but the idea of using a single identity model that encompasses humans, machines, workloads and AI systems seems pretty nice, with each MCP server receiving a unique, cryptographically backed identity that you can authenticate and authorize for specific tasks.

For example, “Rather than persistent database credentials, the system requests just-in-time access tokens for specific queries or data sets,” so you can attribute AI queries to specific individuals and business purposes. Nice.

Misc

  • ChatGPT launched Study Mode, which helps you work through problems step by step instead of just getting an answer. This is super cool, and will hopefully be great for helping people learn.

  • Subagents – Create specialized AI subagents in Claude Code for task-specific workflows and improved context management.

  • How Anthropic teams use Claude Code – Super neat post about Anthropic’s use cases across various teams, including data science, Product Design, security engineering, Growth Marketing, Legal, etc.

Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them


Source link