CramHacks Chronicles #38: Weekly Cybersecurity Newsletter!

🥳 Happy Monday! 🥳

Our new puppy, Nalu, has been relatively well-behaved with sprinkles of terror. I am nothing short of exhausted from all the research and training, but I’m confident it’ll all be worth it 🐕️.

So far, we’re down one phone charger and one puppy camera.

Table of Contents

• General News

• Malware / Exploits

• Open Source

• Vulnerability Management

• Until Next Time! 👋

I’ve seemingly stirred the pot recently on LinkedIn, after publicly questioning the direction of some software supply chain startups. Great discussion in the comments! 👋 I especially liked Steve Springett’s comment highlighting how “provenance” can have various meanings and some of the known gaps.

General News

The Great AI Challenge: We Test Five Top Bots on Useful, Everyday Skills
The WSJ’s Dalvin Brown, Kara Dapena, and Joanna Stern conducted a blind study of peers evaluating five chatbots’ usefulness. The study leveraged premium offerings where applicable (e.g., GPT-4o) and included the following topics: health, finance, cooking, work writing, creative writing, summarization, current events, coding, and speed.

👋 I hadn’t heard of Perplexity before this, but it won the summarization, current events, and coding categories 🤔. Their pro model is $20/month and allows you to select a preferred model: GPT-4o, Claude-3, Sonar Large (LLaMa 3), and more. I plan to give it a shot.

Building a GitOps CI/CD Pipeline with GitHub Actions (SOC 2)
Mathieu Larose introduces a simple, developer-friendly GitOps-based CI/CD pipeline using GitHub Actions, designed to meet SOC 2 compliance standards.

👋 A working example and detailed guide is available at https://github.com/cicd-excellence.

Malware / Exploits

Malicious PyPI packages targeting highly specific MacOS machines
DataDog’s Sebastian Obregoso & Christophe Tafani-Dereeper detail how their continuous scanning initiative using GuardDog has recently uncovered a cluster of malicious PyPI packages. Each identified package exhibited a unique but similarly malicious behavior, targeting specific MacOS file systems.

👋 GuardDog uses Semgrep! “It runs a set of heuristics on the package source code (through Semgrep rules) and on the package metadata.”

Open Source

2024 GitHub Accelerator: Meet the 11 projects shaping open source AI
Each selected project will benefit from funding, Azure credits, and other resources for accelerated growth in the open source community. These projects represent various technologies, including machine learning, robotics, and augmented reality.

YARA is dead, long live YARA-X
A complete rewrite (in Rust) of the malware identification tool YARA, which introduces a modern command-line interface, improved error reporting, and significant performance boosts. YARA-X aims for a 99% rule-level compatibility with YARA and offers ease of integration through Python, Golang, and C APIs.

flawz: A Terminal UI for browsing security vulnerabilities (CVEs)

Vulnerability Management

Proactive Software Supply Chain Risk Management Framework (P-SSCRM) Version 1
This framework is a comprehensive guide for organizations to address and manage software supply chain risks proactively. It can be used to assess or benchmark risk management against industry standards. The P-SSCRM describes effective practices observed in leading organizations, supporting informed decision-making and enhancing software and supply chain security and compliance.

👋 Honestly, this framework is perhaps all that you need as a consultant to conduct a highly effective supply chain security assessment. I will definitely be using this.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle