• CramHacks
  • Posts
  • [CramHacks] Newsletter #3: Supply Chain Is Popping Off!

[CramHacks] Newsletter #3: Supply Chain Is Popping Off!

CramHacks Chronicles: Key Insights On Information Security & Software Supply Chain Risks

đŸ„ł Happy Monday! đŸ„ł 

Life Update

In the past two weeks I’ve gone from San Diego → Hawaii → San Diego → New Jersey. Time zones are not to be taken lightly, and I miss the beach 😱. Nonetheless, I’m excited to be on-site for a penetration test this week and getting back into the rhythm of things. The waves will still be there when I get home!

For you infosec people, take a gander over at the Supply Chain Security links this week; it was a busy one! If you’re not sure what Supply Chain is, take a look at An Overview of Software Supply Chain Security by Clint Gibler, the creator of tl;dr sec, and Francis Odum, author of the software analyst blog.

Information Security

InfoSec news is a bit light this week, I’m staying away from MGM, Cesars, and MoveIT incidents as I’m tired of reading about it and I’m sure you are too 😄. I will say, my success rate when calling help desk and impersonating an employee is scarily high.

Oh yeah, I did also hear about Cisco’s latest $28B subscription, I mean acquisition, to Splunk. Certainly a big number - I know the deal was a long time in the making; I’m curious what’ll come of it.

I wouldn’t say this is worth a read; it can largely be summarized by the titles of the four primary objectives: 1. Defend the Nation, 2. Prepare to Fight and Win the Nation's Wars, 3. Protect the Cyber Domain with Allies and Partners, 4. Build Enduring Advantages in Cyberspace.

đŸŒ¶ïž I’m seeing a whole lotta “we need to prepare for a war”, and not a whole lotta “hey everyone, do ya’ll see this war going on?” The United States really feels like the world’s cyber range. That’s maybe not a great thing 😅.

“When The New York Times reported in April that a contractor had purchased and deployed a spying tool made by NSO, the contentious Israeli hacking firm, for use by the U.S. government, White House officials said they were unaware of the contract and put the F.B.I. in charge of figuring out who might have been using the technology.

After an investigation, the F.B.I. uncovered at least part of the answer: It was the F.B.I.”

The New York Times’ Mark Mazzetti, Ronen Bergman, and Adam Goldman do a great job of summarizing this event. Unfortunately, as is usually the case when the government is involved, there are a lot of unknowns - but if this kind of stuff interests you, it’s well worth the read.

Sonar’s Vulnerability Research Team discovered and reported an unauthenticated arbitrary code execution vulnerability in TeamCity versions 2023.05.3 and below. TeamCity is a Continuous Integration and Continuous Deployment (CI/CD) server from JetBrains. As per Sonar’s Shodan results, ~3,000 TeamCity on-premises servers are directly exposed to the Internet.

I originally had this listed under Software Supply Chain Security because I thought it was an authentication bypass impacted the CI/CD aspect of the service. The 24 second demonstration video quickly proved me wrong.

Software Supply Chain Security

Clint Gibler, the creator of tl;dr sec, and Francis Odum, author of the software analyst blog, joined forces to publish an absolute banger of a Part 1 SSC overview. In no less than 5,000 words, this article covers nearly everything you need to know about the current state of supply chain security. Very excited for Part 2 which will consist of vendor analysis.

“According to data from NightDragon’s software supply chain report, 70% of CISOs said software supply chain is a top investment priority for them in 2023, and over 96% of CISOs said they are using or considering implementing SSC solutions in the next 12 months.”

Shout out to Christine Abernathy (F5), Daniel Appelquist (Snyk), Noam Dotan (Legit Security), Chris de Almeida (IBM), and Avishay Balter (Microsoft) - oh and of course OpenSSF - for releasing this incredibly comprehensive, but easy to read & understand, list of best practices for GitHub & GitLab.

We need more people to care about this! Please đŸ„č 

Johan Carlsson discovered a critical severity vulnerability that allows attackers to run pipelines as other users via scheduled security scan policies.

Checkmarx’s Yehuda Gelb nicely summarizes SSC Security related attack vectors, threat actors, and incidents published in July & August; many of which have been included in the CramHack’s newsletter 🙂.

Congrats to Legit Security for their Series B! Their platform is said to cover Software Supply Chain Security, Application Security Control Plane, Cloud to Cloud Traceability, and Compliance & SBOM.

It’s a bit difficult to understand the maturity of the platform based on what’s available via their webpage, but I love the idea of an SDLC inventory with code to cloud traceability. Ultimately, I envision the ideal Supply Chain Security product to have traceability throughout the supply chain layers and the ability to enforce security policies at each of the layers; in real-time would be sweeet.

I’m skeptical and not really sure if there’s a need for this at the moment, but I wish them the best!

You’re probably thinking that this isn’t news. But in fact you’d be wrong! Only just this past week has Go released formal documentation on how to organize a Go project.

đŸŒ¶ïž I wouldn’t mind if every language would actively maintain something of this sort, and bonus points if the language enforces it 😈.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or just want to chat? Slide into my inbox! 💌

If you think someone could benefit from this, don’t hesitate to forward.

See you next Monday!
-Kyle