CramHacks Chronicles #85: Weekly Cybersecurity Newsletter!

Hello, and Happy Monday!

I’ve been having some great chats recently with founders and researchers in the software supply chain security space, and I’d love to keep that going! If you’d like to chat, send me a message on LinkedIn or reply to this email 🙂.

Also, here’s a Nalu update (the real reason y’all subscribed). We took her to another dog beach this weekend where she overcame her fears of the water. She swam for the first time 😅.

Newsletter

OSS-Fuzz integrations via agent-based build generation
The latest update on leveraging AI for OSS-Fuzz integrations. The agent-based build generator takes a single input, a project URL and outputs a set of OSS-Fuzz projects with fuzzing harnesses. Testing its effectiveness included a sample of 225 projects, resulting in 88 OSS-Fuzz valid build scripts being generated.

👋 Late 2024 I spent quite a bit of time experimenting with OSS-Fuzz. Despite being a Fuzzing noob, I found that I could write basic harnesses and find meaningful crashes in test projects. That said, I experienced a lot of difficulties with onboarding projects to OSS-Fuzz. I wouldn’t have had any success if it weren’t for the AdaLogic videos; albeit I wish the documentation was more friendly.

So You’re Still Just docker build && docker push? Let’s Fix That
Kaan Yagci highlights the importance of supply chain security and offers risk mitigating suggestions (with steps) for hardening builds and deployments. This includes vulnerability scanning, SBOM generation, provenance attestations, and policy enforcement through admission controllers.

NOVA: Prompt pattern hunting to detect abuse of LLM applications
An open source prompt pattern matching system written by Thomas Roccia that can be used to detect types of prompt content, e.g., abusive usage.

👋 H/T Zack Allen for sharing this project!

US Government Launches Audit of NIST’s National Vulnerability Database
The official letter from the US Department of Commerce’s Office (DoC) of Inspector General states that the audit will begin immediately and that the objective is to “verify the effectiveness of NIST’s sustainable processes for managing NVD submission volumes, including the long-term effectiveness of its backlog reduction strategies and measures to prevent future processing delays.”

👋 My gut tells me NIST is going to get annihilated (morally) by this audit.

CycloneDX: Abandons bug bounty program funded by Sovereign Tech Fund
Maintainer Lars Francke announced on LinkedIn that the project received roughly 20 submissions, but not a single one was deemed a true positive. Per Lars, they were almost exclusively AI-generated spam reports.

👋 This project received €248,960.00 from the Sovereign Tech Fund for 2023-2024. No offense to anyone involved, but wtf… As far as I can tell, the project only supports generating CycloneDX SBOMs for Cargo based Rust projects. The last release was in November 2024 and if they’re following Semantic Versioning, they didn’t have a single stable release. I know, I’m acting like this is millions of dollars, but when it comes to open source, I do kind of expect money to go further than usual—though I probably shouldn’t.

Again, I mean no offense whatsoever. For all I know this project was a major success. And if not, I’m sure there were valuable lessons learned.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.