- CramHacks
- Posts
- [CramHacks] Newsletter #3: Supply Chain Is Popping Off!
[CramHacks] Newsletter #3: Supply Chain Is Popping Off!
CramHacks Chronicles: Key Insights On Information Security & Software Supply Chain Risks
Kyle Kelly
September 27, 2023
đ„ł Happy Monday! đ„ł
Life Update
In the past two weeks Iâve gone from San Diego â Hawaii â San Diego â New Jersey. Time zones are not to be taken lightly, and I miss the beach đą. Nonetheless, Iâm excited to be on-site for a penetration test this week and getting back into the rhythm of things. The waves will still be there when I get home!
For you infosec people, take a gander over at the Supply Chain Security links this week; it was a busy one! If youâre not sure what Supply Chain is, take a look at An Overview of Software Supply Chain Security by Clint Gibler, the creator of tl;dr sec, and Francis Odum, author of the software analyst blog.
Information Security
InfoSec news is a bit light this week, Iâm staying away from MGM, Cesars, and MoveIT incidents as Iâm tired of reading about it and Iâm sure you are too đ. I will say, my success rate when calling help desk and impersonating an employee is scarily high.
Oh yeah, I did also hear about Ciscoâs latest $28B subscription, I mean acquisition, to Splunk. Certainly a big number - I know the deal was a long time in the making; Iâm curious whatâll come of it.
I wouldnât say this is worth a read; it can largely be summarized by the titles of the four primary objectives: 1. Defend the Nation, 2. Prepare to Fight and Win the Nation's Wars, 3. Protect the Cyber Domain with Allies and Partners, 4. Build Enduring Advantages in Cyberspace.
đ¶ïž Iâm seeing a whole lotta âwe need to prepare for a warâ, and not a whole lotta âhey everyone, do yaâll see this war going on?â The United States really feels like the worldâs cyber range. Thatâs maybe not a great thing đ .
âWhen The New York Times reported in April that a contractor had purchased and deployed a spying tool made by NSO, the contentious Israeli hacking firm, for use by the U.S. government, White House officials said they were unaware of the contract and put the F.B.I. in charge of figuring out who might have been using the technology.
After an investigation, the F.B.I. uncovered at least part of the answer: It was the F.B.I.â
The New York Timesâ Mark Mazzetti, Ronen Bergman, and Adam Goldman do a great job of summarizing this event. Unfortunately, as is usually the case when the government is involved, there are a lot of unknowns - but if this kind of stuff interests you, itâs well worth the read.
Sonarâs Vulnerability Research Team discovered and reported an unauthenticated arbitrary code execution vulnerability in TeamCity versions 2023.05.3 and below. TeamCity is a Continuous Integration and Continuous Deployment (CI/CD) server from JetBrains. As per Sonarâs Shodan results, ~3,000 TeamCity on-premises servers are directly exposed to the Internet.
I originally had this listed under Software Supply Chain Security because I thought it was an authentication bypass impacted the CI/CD aspect of the service. The 24 second demonstration video quickly proved me wrong.
Software Supply Chain Security
Clint Gibler, the creator of tl;dr sec, and Francis Odum, author of the software analyst blog, joined forces to publish an absolute banger of a Part 1 SSC overview. In no less than 5,000 words, this article covers nearly everything you need to know about the current state of supply chain security. Very excited for Part 2 which will consist of vendor analysis.
âAccording to data from NightDragonâs software supply chain report, 70% of CISOs said software supply chain is a top investment priority for them in 2023, and over 96% of CISOs said they are using or considering implementing SSC solutions in the next 12 months.â
Shout out to Christine Abernathy (F5), Daniel Appelquist (Snyk), Noam Dotan (Legit Security), Chris de Almeida (IBM), and Avishay Balter (Microsoft) - oh and of course OpenSSF - for releasing this incredibly comprehensive, but easy to read & understand, list of best practices for GitHub & GitLab.
We need more people to care about this! Please đ„č
Johan Carlsson discovered a critical severity vulnerability that allows attackers to run pipelines as other users via scheduled security scan policies.
Checkmarxâs Yehuda Gelb nicely summarizes SSC Security related attack vectors, threat actors, and incidents published in July & August; many of which have been included in the CramHackâs newsletter đ.
Congrats to Legit Security for their Series B! Their platform is said to cover Software Supply Chain Security, Application Security Control Plane, Cloud to Cloud Traceability, and Compliance & SBOM.
Itâs a bit difficult to understand the maturity of the platform based on whatâs available via their webpage, but I love the idea of an SDLC inventory with code to cloud traceability. Ultimately, I envision the ideal Supply Chain Security product to have traceability throughout the supply chain layers and the ability to enforce security policies at each of the layers; in real-time would be sweeet.
Iâm skeptical and not really sure if thereâs a need for this at the moment, but I wish them the best!
Youâre probably thinking that this isnât news. But in fact youâd be wrong! Only just this past week has Go released formal documentation on how to organize a Go project.
đ¶ïž I wouldnât mind if every language would actively maintain something of this sort, and bonus points if the language enforces it đ.
Until Next Time! đ
Hey, you made it to the bottom â thanks for sticking around!
Questions, ideas, or just want to chat? Slide into my inbox! đ
If you think someone could benefit from this, donât hesitate to forward.
See you next Monday!
-Kyle