
CramHacks Chronicles #34: Weekly Cybersecurity Newsletter!

Shifting left!, Google lays off Python team, hardened container images, and more!

🥳 Happy Monday! 🥳

I hope all is well! I’ve managed to surf 🏄‍♂️ every day so far this week. My arms hurt, I’m sunburnt, and I love every bit of it.

May 15th, 2024, I’ll be co-presenting How to Shift Left with the Semgrep AppSec Platform; come learn how to keep engineers sane while promoting secure code!

May 21st, 2024, I’ll be on the Absolute AppSec Podcast! I’m excited to complain about all things software supply chain security 🤣.

General News

Securing millions of developers through 2FA
GitHub's Mike Hanley outlined their initiative to mandate two-factor authentication (2FA) for code contributors by the end of 2023, which significantly boosted the adoption of this crucial defense against account takeovers and supply chain compromises.

Google lays off staff from Flutter, Dart and Python teams
A lot of discussion occurred on Hacker News, including a Python team member sharing the team’s day-to-day. Super impressive what they’ve managed to do with such a lean team. There was also some Dart/Flutter discussion on Twitter (X).

GitHub Copilot Workspace: The Copilot-native developer environment
With the new GitHub Copilot Workspace, developers can now manage the entire coding lifecycle—from planning to execution—entirely in natural language.

👋 I feel this is a great tool for more senior developers. Everyone knows someone who can explain exactly how the project should be completed but hasn’t written code in years. GitHub Copilot Workspace is essentially a robot army of junior developers.

Malware / Exploits

Dependency Confusion Vulnerability Found in Apache Project
Legit Security’s Ofek Haviv details a recently disclosed dependency confusion vulnerability in an archived Apache project, showing how outdated third-party projects can still pose significant security risks.

👋 Dependency confusion is a software supply chain attack in which an attacker publishes a package to a public registry under the same name as an organization's private package; when the package manager prefers the public copy over the private one, the harmful code is installed unintentionally.
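To make that mechanism concrete, here is an added toy model (not code from the newsletter or from the Apache project) of a resolver that merges every index and takes the highest version, next to a scoped resolution and a lockfile audit a defender can run; the package names, versions and indexes are constructed.

```python
# Added example: toy dependency resolver showing the dependency confusion
# failure mode, the scoped-namespace fix, and a lockfile audit.
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple  # e.g. (1, 4, 0)
    source: str     # "private" or "public"


# Constructed sample indexes: "acme-auth" is an internal package that has
# also been published publicly under the same name with a higher version.
PRIVATE_INDEX = [Candidate("acme-auth", (1, 4, 0), "private"),
                 Candidate("acme-logging", (2, 0, 1), "private")]
PUBLIC_INDEX = [Candidate("acme-auth", (99, 0, 0), "public"),
                Candidate("requests", (2, 31, 0), "public")]

# Constructed lockfile as produced by the naive resolver below.
LOCKFILE = [Candidate("acme-auth", (99, 0, 0), "public"),
            Candidate("requests", (2, 31, 0), "public"),
            Candidate("acme-logging", (2, 0, 1), "private")]


def resolve_naive(name, indexes):
    """Vulnerable behaviour: merge all configured indexes and pick the
    highest version, regardless of which index supplied it."""
    candidates = [c for idx in indexes for c in idx if c.name == name]
    return max(candidates, key=lambda c: c.version, default=None)


def resolve_scoped(name, private_prefixes, private_index, public_index):
    """Hardened behaviour: names under an internal prefix may only be
    satisfied from the private index; everything else comes from public."""
    pool = private_index if name.startswith(private_prefixes) else public_index
    candidates = [c for c in pool if c.name == name]
    return max(candidates, key=lambda c: c.version, default=None)


def audit(lockfile, private_prefixes):
    """Detection: report internal-looking names that resolved from a
    public source, i.e. the signature of a confused resolution."""
    return [c.name for c in lockfile
            if c.name.startswith(private_prefixes) and c.source != "private"]
```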

Open-Source Tooling

Gradle partners with GitHub on supply chain security
Gradle and GitHub partner to offer a new GitHub Action for Gradle that submits dependency data to GitHub's dependency graph for better vulnerability management and Dependabot alerts.

👋 Identifying all software dependencies in Gradle projects, especially multi-project ones, is a pain in the !@#. Developing a Gradle plugin seems to be the most effective solution used by SCA tools.

SCALIBR (Software Composition Analysis Library) is an extensible file system scanner used to extract software inventory data (e.g., installed language packages) and detect vulnerabilities.

👋 SCALIBR will be merged into OSV-scanner in the near future, as per the readme.

Vulnerability Management

Chainguard: Hardened Container Images: Images for a Secure Supply Chain
John Speed Meyers and Paul Gilbert announce The State of Hardened Container Images Report. Key takeaways include:

  • Popular Debian-based community images typically contain around 300 CVEs and consist of nearly 300 components.

  • Updating packages to their latest available version reduced CVEs by only five percent.

  • Container debloating technology shows a 65 percent reduction in CVEs, proving moderately effective.

  • The top 50 most downloaded images in Iron Bank, a U.S. Air Force repository of hardened container images, have an average of 110 CVEs.

The Rise Of Application Security Posture Management (ASPM) Platforms
Chris Hughes explains that the proliferation of tools and fragmented team responsibilities can obscure visibility, which has contributed to the emergence of ASPM platforms.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!