
CramHacks Chronicles #36: Weekly Cybersecurity Newsletter!

20% of Docker Hub's repos host malicious content, OWASP Critique, and SCA Marketing Nonsense

🥳 Happy Monday! 🥳

I’m in New York this week, running around like crazy, so here’s a short one!

May 21st, 2024, I’ll be on the Absolute AppSec Podcast! I’m excited to complain about all things software supply chain security 🤣.

Semgrep has a video game??? My high score was almost 5,750. Click the image below to play for free - Good luck 🫡

General News

Automate verifying the OWASP Application Security Verification Standard (ASVS)
Aram Hovsepyan, CEO of CODIFIC, will be sharing research at the OWASP Global AppSec Conference (Lisbon) showing that ~58% of ASVS requirements can be automated into security test cases, with a potential increase of another 10% by using additional tools (e.g., ZAP and Semgrep).

OWASP Top 10 Risks for Open Source Software
The top 10 are (1) Known Vulnerabilities, (2) Compromise of Legitimate Package, (3) Name Confusion Attacks, (4) Unmaintained Software, (5) Outdated Software, (6) Untracked Dependencies, (7) License Risk, (8) Immature Software, (9) Unapproved Change, (10) Under/over-sized Dependency.

👋 I’ve heard others mention it in the past, but I had no idea OWASP was this far gone. Why is an open-source foundation allowing blatant product marketing? The color scheme, the authors, and the referenced research come from one source.

CVE/FIRST VulnCon 2024 & Annual CNA Summit Videos
40+ hours of content from the VulnCon Conference this past March! This is what heaven must be like.

Malware / Exploits

JFrog Security research discovers coordinated attacks on Docker Hub that planted millions of malicious repositories
JFrog's research reveals that nearly 20% of Docker Hub's 15 million repositories host malicious content, including millions of "imageless" repositories with harmful metadata, posing significant security challenges despite moderation efforts.

Vulnerability Management

I've become increasingly frustrated with how software composition analysis vendors misguide consumers about supply chain security features. The misuse of traditional vulnerability management tools like EPSS, CVEs, and CVSS, which were not designed to support vulnerabilities in software dependencies, is a prime example of this problem.

How AI enhances static application security testing (SAST)
According to a 2023 GitHub survey, developers ranked detecting and resolving security vulnerabilities (31%) as their primary responsibility after writing code (32%). GitHub discusses how AI helps developers manage vulnerabilities more effectively within their workflows.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!