
CramHacks Chronicles #41: Weekly Cybersecurity Newsletter!

CISO & Investor conflict of interest, Career Growth, npm was vulnerable to what?!?, 75% of organizations experienced supply chain attacks

🥳 Happy Monday! 🥳

The latest CramHacks blog post, Dirty Little Secrets of Vulnerability Management, was a big hit! Thank you, everyone, for checking it out and sharing.

In that same vein, I seemingly hit the algorithm on LinkedIn by complaining (no surprise there) about how the industry treats CISOs versus practitioners. Numerous comments and DMs shared stories of how CISOs and even Boards have pushed teams to purchase less-favorable products.

Perhaps it was good timing, as the industry is questioning the ethics of certain venture capital funds, specifically the infosec-focused VC fund Cyberstarts. Cyberstarts reportedly entices CISOs who work with the fund to become the initial purchasers of its portfolio companies' products. Under what has been dubbed the Gili Ra’anan model, a startup is promised roughly $2 million in annual revenue in its first year of sales, which helps spike its valuation to $100-200 million and makes raising further money easier.

Career

Consistently Prepared: Year-round strategies for career growth
Leif Dreizler, Senior Manager at Semgrep, shares tips and tricks to accelerate career growth. This includes maintaining a “hype list,” understanding the performance review process, and preparing for career development discussions.

👋 I love this blog post. Personally, I hate doing all these things, but as Leif points out, your manager isn’t going to plan your career for you. Hold yourself responsible for your own career development.

6 Questions to Ask When Interviewing for an AppSec Role
Well-thought-out questions that can give insights into the team you are interviewing with.

👋 I’m a big fan of “5. What are the next three things you need to solve in your AppSec program?”

General News

Insights from the World’s Top CISOs and DevSecOps Leaders
Cycode interviewed 20 well-known industry professionals and recorded the Q&A. There were several mentions of risks relevant to open-source software dependencies! Lots of other good insights as well.

👋 Kudos to Cycode for this one. I appreciate that, for the most part, questions weren’t tailored to promote their product.

BlackBerry: The State of Software Supply Chain Security [Research]
BlackBerry's latest survey reveals that over 75% of organizations experienced a supply chain cyberattack within the last twelve months. Of those affected, 64% suffered a financial loss.

The survey also revealed that 68% of respondents expressed high confidence regarding their suppliers’ ability to identify and prevent vulnerabilities. 41% request “proof of compliance,” e.g., a Software Bill of Materials (SBOM) or a Vulnerability Exploitability eXchange (VEX) artifact.

👋 The 68% reporting high confidence in their suppliers is very concerning. Maybe I have trust issues 🤷.

Malware / Exploits

How a Single Vulnerability Can Bring Down the JavaScript Ecosystem
Lupin & Holmes discovered that registry.npmjs.org was vulnerable to a cache poisoning denial of service (CPDoS) attack. By sending a request with injected headers that caused the origin to respond “Not Found”, an attacker could get that 404 stored in the registry’s cache for the targeted package URL, so subsequent legitimate requests for the package were served the cached error and the package became temporarily inaccessible. The issue has since been fixed.

👋 As per the blog post, an attacker can target a package such as “express” with over 30 million downloads per week and effectively make the package unavailable to developers. This would have major implications.
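To make the mechanism concrete, here is an added example (not code from the Lupin & Holmes write-up, nor from npm or its CDN) that models a CPDoS in memory: a shared cache keyed on the request path sits in front of an origin, and one attacker request carrying an unkeyed header makes the origin answer 404, which the cache then hands to everyone asking for the same path. The one-package "registry", the "X-Trigger-Header" name and the HEADER_LIMIT that trips the origin are constructed stand-ins; the page does not say which header or threshold the real registry was sensitive to.

```javascript
// Added example, not code from the Lupin & Holmes write-up or from npm:
// an in-memory model of a cache-poisoning denial of service (CPDoS).
// Constructed/hypothetical parts: the one-package registry, the
// "X-Trigger-Header" name and HEADER_LIMIT that make the origin answer 404.

const HEADER_LIMIT = 8192; // hypothetical: origin rejects larger header values

// Origin server: serves package metadata from a constructed in-memory map.
function makeOrigin(registry) {
  return function origin(req) {
    const value = req.headers["x-trigger-header"];
    // Hypothetical failure mode: an oversized header makes the origin answer
    // 404 instead of 400/431. 404 is the dangerous choice because shared
    // caches are allowed to store it heuristically.
    if (value !== undefined && value.length > HEADER_LIMIT) {
      return { status: 404, body: "Not Found" };
    }
    const name = req.path.replace(/^\//, "");
    return registry.has(name)
      ? { status: 200, body: registry.get(name) }
      : { status: 404, body: "Not Found" };
  };
}

// Shared cache keyed on the path only. The attacker's header is "unkeyed":
// it changes the origin's answer but not the cache key.
class SharedCache {
  constructor(origin, { cacheErrors }) {
    this.origin = origin;
    this.cacheErrors = cacheErrors; // vulnerable: true, hardened: false
    this.store = new Map();
  }
  fetch(req) {
    const key = req.path;
    const hit = this.store.get(key);
    if (hit) return { ...hit, fromCache: true };
    const res = this.origin(req);
    if (res.status === 200 || this.cacheErrors) this.store.set(key, res);
    return { ...res, fromCache: false };
  }
}

// Run the attack against a cache configured either way and report what the
// attacker and a later, well-behaved client each receive for /express.
function simulate({ cacheErrors }) {
  const registry = new Map([
    ["express", '{"name":"express","dist-tags":{"latest":"0.0.0"}}'], // constructed
  ]);
  const cache = new SharedCache(makeOrigin(registry), { cacheErrors });

  // Step 1: one poisoned request from the attacker.
  const attacker = cache.fetch({
    path: "/express",
    headers: { "x-trigger-header": "A".repeat(HEADER_LIMIT + 1) },
  });
  // Step 2: an ordinary client (think `npm install express`) asks for the same path.
  const victim = cache.fetch({ path: "/express", headers: {} });

  return {
    attackerStatus: attacker.status,
    victimStatus: victim.status,
    victimFromCache: victim.fromCache,
  };
}

console.log("vulnerable cache:", simulate({ cacheErrors: true }));
console.log("hardened cache:  ", simulate({ cacheErrors: false }));
```

Two practitioner notes on the hardened branch. First, "don't cache errors" is the blunt fix shown here; in a real CDN the equivalent is returning a status that caches will not store heuristically (400 or 431 rather than 404) and sending Cache-Control: no-store on error responses, since HTTP caching rules let a shared cache store a 404 without explicit freshness information. Second, whichever header the origin is sensitive to should either be part of the cache key or be stripped/normalized at the edge, so one client's request cannot change what another client is served.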

Open Source 

VulnCheck's official command line tool
vci can browse and list indices, download backups, request vulnerabilities related to CPE or PURL, and scan repositories for vulnerabilities.

👋 I didn’t intuitively know what “indices” were. It turns out they are sources for security advisories and holy sh@! VulnCheck covers a ton. I counted 369 different indices.

TruffleHog Partnering With Elastic to Scan for Secrets
This partnership brings TruffleHog’s secret scanning capabilities to Elasticsearch via a native integration that allows you to stream documents straight out of Elastic into TruffleHog. The v1 source code is available.

API Security Mindmap + References
David Sopas hosts a mindmap for API Security reconnaissance and testing, combining years of accumulated knowledge as a researcher and through collaboration with peers. The mindmap includes links to tools and resources.

👋 There is also a well-organized references tab containing suggested recordings, must-reads, practice challenges, and more.

Vulnerability Management

Ubuntu Security Notices now available in OSV format
Canonical has announced that Ubuntu Security Notices (USNs) are now available in the Open Source Vulnerability (OSV) format.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks now has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.