
CramHacks Chronicles #26: Weekly Cybersecurity Newsletter!

DevSecOps Automation Matrix, Cloudflare's Firewall for AI, $22M Ransomware Payment, Waymo approved in Los Angeles

🥳 Happy Monday! 🥳

Special thank you to Cloud Security Alliance’s San Francisco Chapter for reaching out and having me present my talk, Tackling Vulnerabilities in Third-Party Packages, this past Thursday!


Application Security

Synopsys: 2024 Open Source Security and Risk Analysis Report
Open source has become integral to modern software development, with 96% of codebases containing open-source components and 84% harboring at least one vulnerability amidst a 54% surge in high-risk vulnerabilities. Despite its widespread use, 49% of codebases lack recent open-source updates, and 91% of assessed codebases use components that are significantly outdated, highlighting a critical need for enhanced maintenance practices.

👋 Ungated report here

Preview: OWASP DevSecOps Automation Matrix (DAM)
The OWASP DAM guides teams in exploring security automation. In its first edition, it outlines 64 essential controls to mitigate security threats effectively. By adopting these controls and integrating custom automation tools, teams could reduce security vulnerabilities by as much as 95%.

Artificial Intelligence

Stack Overflow and Google Cloud Announce Strategic Partnership to Bring Generative AI to Millions of Developers
Gemini for Google Cloud will now be able to provide answers from Stack Overflow utilizing the new OverflowAPI. Additionally, developers using Gemini for Google Cloud will be able to access Stack Overflow directly from the Google Cloud console.

Cloudflare announces Firewall for AI
A new layer of protection designed to safeguard Large Language Models (LLMs) from abuse by pre-screening inputs.

Breaches

Hackers Behind the Change Healthcare Ransomware Attack Just Received a $22 Million Payment
A ransomware attack targeting medical firm Change Healthcare has crippled pharmacies across the United States. Notably, a Bitcoin wallet known to be controlled by the ALPHV/BlackCat ransomware group has just received a $22 million transaction 🤔.

Cloud Security

Cloud Security Maturity Model Version 2.0
The Cloud Security Maturity Model (CSMM), developed by IANS, Securosis, and the Cloud Security Alliance, guides organizations in evaluating and enhancing their cloud security maturity with a comprehensive framework in its Version 2.0.

It offers a tailored diagnostic report assessing cloud security across 12 categories, helping organizations pinpoint and prioritize improvements.

Miscellaneous

Vending machine error reveals secret face image database of college students
Students discovered that the M&M-branded smart vending machines on the University of Waterloo campus were collecting facial-recognition data without their consent.

FedRAMP: Penetration Test Guidance Public Comment Period
FedRAMP is soliciting feedback on its draft Penetration Test Guidance update. The draft outlines the requirements for conducting penetration tests, including annual testing mandates across the various security baselines, and introduces Red Team Testing Requirements. FedRAMP also encourages stakeholders to suggest additional attack vectors relevant to current threats. The submission deadline is April 24, 2024.

Waymo can now operate its Waymo One service in Los Angeles
👋 For those who don’t know, these are self-driving cars you can request, similar to an Uber.

Software Supply Chain Security

GitHub besieged by millions of malicious repositories in ongoing attack
Someone is cloning GH repositories, embedding obfuscated malware, uploading them back to GH, and then forking them thousands of times.

OpenRewrite now supports driving action on transitive Gradle dependencies
The open-source dependency vulnerability fixing recipe is now capable of updating transitive dependencies with known vulnerabilities.

👋 I haven’t tested this myself, and I’ve expressed some of my concerns in the LinkedIn comments, but I’m very glad to see even just an attempt at remediating transitive vulnerabilities, which is typically >90% of your vulnerabilities.

Tornado Cash Notes Exploit From Jan 1st and the actions you must take
A malicious actor impersonating a contributor embedded malicious JavaScript code into the open-source Tornado Cash project. Private deposit notes (cryptocurrency) were leaked to the malicious actor and could be re-routed to an account under their control.

📚️ What I’m Reading 📚️ 

Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup by Ross Haleliuk
Published in December 2023, Ross Haleliuk’s book has already sold over 1,500 copies! I finished it ~two weeks ago.

The book might appear elementary to those with prior experience building startups. Yet, it provided an enlightening introduction to the nuances of financing, detailing the mechanisms of investment and the diversity of funding sources. Although I have not personally considered the pursuit of funding, preferring the bootstrapping approach to business ventures, the insights offered have enriched my understanding of the broader business landscape.

While countless resources cover this material in a broader sense, I appreciated the focus on the cybersecurity industry. Whether through prior knowledge or a quick Google search, the examples discussed throughout the book were relatable and easy to digest.

Upon reflection, I found the book’s reliance on expert opinions somewhat excessive and varying in quality. The examples provided were beneficial, offering clarity. Yet, other advice seemed redundant, such as the significance of choosing the right co-founders.

I would recommend this book 💯

Zero: The Biography of a Dangerous Idea by Charles Seife
Roughly 50 pages in, and this book is wild. You have to be a serious nerd to appreciate it, but in short, I’m learning about the history of the number ‘0’, its applications to infinity, and, ultimately, calculus. But the detail of how civilizations worldwide came to find the number ‘0’ and how those who chose to ignore it were impacted is 🤯.

👋 Reading this back has helped me confirm that I am a nerd.

The Case for Faith: A Journalist Investigates the Toughest Objections to Christianity by Lee Strobel
This book has been on my nightstand for a while, but I’m not making much progress; I think I’m 50% through it. So far, I’ve been questioning Lee’s “investigative skills.” But reading the perspective of those with deep faith has been interesting.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle