- CramHacks
- Posts
- CramHacks Chronicles #39: Weekly Cybersecurity Newsletter!
CramHacks Chronicles #39: Weekly Cybersecurity Newsletter!
How good are LLMs at patching vulnerabilities? GitHub Artifact Attestations, MegaLinter, Malware distributed via StackOverflow
🥳 Happy Monday! 🥳
If you missed my LinkedIn post, my time at Bancsec has ended as of last week. I'm sorry to anyone I missed saying goodbye to in my final days. Reach out and stay in touch!
For those wondering what I’ll be doing with my newfound free time, I’m now available for application security, DevOps, and security automation engagements; reach out to [email protected], and let's talk about how I can help you.
Table of Contents
Events w/ CramHacks
Best Practices and Innovations in Software Supply Chain Security
I look forward to being on this panel along with Ali Diamond, Nicole Schwartz, Kayla Underkoffler, and Andrew King!
Shoutout to Semgrep’s Leyla Arabian for hosting 🙌
From MMORPG to Cybersecurity Master: My Story
Last week, I was on Unscripted with David Raviv! This was really fun. I had no idea we would dig so much into my video game obsession, but I truly enjoyed the discussion.
I vividly remember trying to write argumentative papers about video games' positive influence, but they were always shot down by teachers and parents. Well! At this stage, I think I can do a better job 😉. Stay tuned for a blog post on this topic.
General News
GitHub and JFrog partner to unify code and binaries for DevSecOps
Now, teams using both GitHub and JFrog’s Artifactory can manage source code and binaries from a single interface.
👋 JFrog offers quite a bit regarding software supply chain security, but it’s largely binary-based. So, in my opinion, this partnership's biggest pro is enabling more streamlined security scanning via JFrog Xray, which does binary analysis.
SBOM and the Bill that is Coming
Checkmarx’s John Allison discusses the impending US government mandate for Software Bill of Materials (SBOM) to enhance software supply chain security. Agencies like DHS, CISA, and DoD will require SBOMs in contracts to ensure transparency and risk management.
👋 Check out my blog post, Software Bill of Materials (SBOM): The Gateway Drug to Supply Chain Security, for more on SBOMs.
Malware / Exploits
PyPI crypto-stealer targets Windows users, revives malware campaign
Sonatype reveals a new PyPI crypto-stealer, "pytoileur," which targets Windows users by downloading trojanized binaries for surveillance and crypto-theft.
👋 A now-suspended StackOverflow user was attempting to exploit community members seeking help by directing them to install this malicious package.
Open Source
Flexion: 5 ways MegaLinter upped our DevSecOps game
Wes Dean shares the role MegaLinter plays at Flexion. One that stood out to me was “Help our developers develop” 😍. I 100% agree that linters can have a dual role in improving the dev experience and, when done correctly, can get developers excited about using it for security!
👋 MegaLinter, an open-source project maintained by OxSecurity, leverages more than 50 language linters (including Semgrep!), 22 formatters, and 21 tooling linters to analyze the consistency of your code, IAC, configuration, and scripts.
Understanding GitHub Artifact Attestations
Ian Lewis outlines GitHub's Artifact Attestations, improving supply chain security by linking artifacts to source code and GitHub Actions, aiming for SLSA Build Level 2 compliance via the attest-build-provenance GitHub Action.
👋 Also, shoutout to the slsa-github-generator project, which Ian actively contributes to. While not as user-friendly as a GitHub Action, it can achieve SLSA Build L3. Ian advises to see if L3 is possible for your project and, if not, pursue L2 or L2+ via the GitHub Action.
Some Thoughts on AI & Security within the SDLC
Dana Epp explains how API linting can be used to identify security vulnerabilities by analyzing API descriptions for inconsistencies and deviations from best practices. Open-source tools like Spectral enable security experts to create custom rules for detecting potential attack vectors, enhancing API security assessments.
Vulnerability Management
First-Ever CVE Authorized Data Publisher (ADP) Now Enhancing CVE Records — CISA ADP
This initiative aims to improve the accuracy and completeness of vulnerability data, supporting better cybersecurity practices. The ADP role allows selected organizations to enrich CVE entries with additional context and related information.
👋 This doesn’t seem like the right approach. Firstly, it’s long been known that the CVE Numbering Authorities (CNAs) are a problem. At the end of the day, they’re the ones approving these grossly misinformed “vulnerabilities”.
Additionally, this adds confusion by splitting things up; “All ADP updates to the CVE Records occur in a separate organizational ‘ADP container’.” Why keep them separate if the ADPs contribute high-quality and accurate data? Or is this a sign of the quality expectations?
How good are LLMs at patching vulnerabilities?
Patched finds that LLMs can fix about 2/3 of issues on the first try. Challenges include handling dependencies, avoiding breaking changes, and maintaining code context. Strategies like custom prompts, retries, and AST analysis can improve accuracy.
Leveraging their open-source framework, Patchwork, they’ve optimized LLM performance to reach an 82.86% fix rate (up from 69.74%). That’s pretty 🔥.
Assessing Static Application Security Testing Tools With Synthetic Applications
Chris Campbell critiques using synthetic applications to evaluate Static Application Security Testing (SAST) tools, emphasizing that these apps don't reflect real-world code complexities.
👋 I hope this is a no-brainer for most CramHacks readers, but we need to spread the word. SAST tools must be easy to deploy and scale for your organization. If you’re evaluating a tool, do it in your environment. Is it too noisy? Does it find no issues? Is deployment scalable? These are all things you can find out BEFORE buying it.
Unsafe Rust in the Wild: Notes on the Current State of Unsafe Rust
The Rust Foundation discusses the current state of Unsafe Rust, noting its necessity for low-level programming while highlighting the safeguards in place to minimize risks. Approximately 20% of Rust crates use `unsafe, primarily for interfacing with non-Rust code. The Foundation emphasizes ongoing efforts to ensure safety and security through tools and community collaboration.
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! 💌
Don’t hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle
P.S. CramHacks now has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.