
CramHacks Chronicles #50: Weekly Cybersecurity Newsletter!

WAFs are dead, will ADR save us? PyPI responds to 90% of malicious packages within 24hrs! Unprotected Container Registries

🥳 Happy Monday! 🥳

I hope you’re having a great week thus far 😃.

This week is “Focus Week” at Semgrep. That means most folks cancel meetings and get sh@! done.

Having shifted from being a Consultant responsible for managing 50+ customers and direct reports to now being a Security Researcher, every week feels like a focus week to me 🥳.

Does your employer have a similar practice? How would you feel about a week without meetings? Ultra productivity 😎.

Best Practices and Innovations in Software Supply Chain Security
Join Ali Diamond, Nicole Schwartz, Leyla Arabian, Andrew King, Kayla Underkoffler, and me tomorrow (August 22nd, 2024) at 9 am PT for a panel discussion about best practices and innovations for securing the software supply chain!

👋 Who doesn’t want to hear about software supply chain security with their morning coffee?! ☕️ 

Newsletter

Contrast Security: The Case for Application Detection and Response
Contrast Security has released a white paper discussing what a detection and response approach to AppSec looks like.

👋 I’m curious to learn more, but this largely seems like a re-positioning of the Contrast Runtime Security product offering, with its telemetry ingested by SIEMs, CNAPPs, etc., to paint a complete picture of attack chains from application vulnerability to infrastructure compromise.

PyPI Slashes Malware Response Time: 90% of Issues Resolved in Under 24 Hours
PyPI has made significant security enhancements, which is good, given that it serves over a billion daily downloads from 490,000+ projects.

  • Over 140,000 users have enabled 2FA (~80% of active users)

  • Malware responses accelerated to under 24 hours for 90% of cases, and they’ve introduced a quarantine status for dubious packages

DHS S&T Seeks Solutions for Software Artifact Dependency Graph Generation
The DHS Science & Technology Directorate's Silicon Valley Innovation Program is offering up to $1.7 million in non-dilutive funding to develop dependency-graphing technologies for homeland security applications.

👋 The White House requires software vendors to provide software bills of materials (SBOMs) for relevant applications. I guess enterprises aren’t the only ones struggling to identify software artifacts accurately! You can’t produce an accurate SBOM without an accurate artifact dependency graph (ADG). Or can you? 🤔 

Vulnerabilities

The Growing Threat of Unprotected Container Registries: An Urgent Call to Action
Christopher Bleckmann-Dreher pleads with the internet to recognize security risks associated with unprotected container registries. In 2022, Christopher uncovered more than 20,000 unprotected registries, and in 2024, still more than 10,000.

👋 The blog post details how effortless it can be to abuse these registries by uploading malicious images that trigger reverse shells or crypto miners.
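As an added illustration (not code from Christopher's post), here is a read-only check for the property he is warning about: whether a registry answers the Docker Registry HTTP API v2 anonymously. GET /v2/ returns 401 with a WWW-Authenticate challenge when authentication is enforced and 200 when it is not; an open registry will then also hand back its repository list from GET /v2/_catalog. The hostnames and HTTP responses below are constructed, the fetch is injectable so the block runs offline, and it makes no writes: proving push access by uploading an image is exactly the abuse the post describes, so keep this to registries you are responsible for.

```javascript
// Added example: classify a Docker/OCI registry's exposure from its
// Registry HTTP API v2 responses. Not code from the blog post; hosts,
// tokens and responses are constructed for the demo.

// Pure classification step, so it can be unit-tested without a network.
//   v2Status/v2Challenge:   status and WWW-Authenticate header from GET /v2/
//   catalogStatus/Body:     from GET /v2/_catalog (null if never fetched)
function classifyRegistry(v2Status, v2Challenge, catalogStatus, catalogBody) {
  const posture = {
    anonymousApiAccess: v2Status === 200,
    authRequired: v2Status === 401 && typeof v2Challenge === "string",
    challenge: typeof v2Challenge === "string" ? v2Challenge : null,
    catalogExposed: false,
    repositories: [],
  };
  if (!posture.anonymousApiAccess || catalogStatus !== 200) return posture;
  let parsed;
  try {
    parsed = JSON.parse(catalogBody);
  } catch (_) {
    return posture; // a 200 that is not JSON is not a registry catalog
  }
  if (parsed && Array.isArray(parsed.repositories)) {
    posture.catalogExposed = true;
    posture.repositories = parsed.repositories;
  }
  return posture;
}

// Read-only probe. fetchImpl must look like the WHATWG fetch (Node 18+ global):
// a response with .status, .headers.get() and .text(). No POST/PUT is ever sent.
async function probeRegistry(baseUrl, fetchImpl = globalThis.fetch) {
  const base = baseUrl.replace(/\/+$/, "");
  const v2 = await fetchImpl(`${base}/v2/`);
  const challenge = v2.headers.get("www-authenticate");
  if (v2.status !== 200) return classifyRegistry(v2.status, challenge, null, null);
  const catalog = await fetchImpl(`${base}/v2/_catalog?n=100`);
  return classifyRegistry(v2.status, challenge, catalog.status, await catalog.text());
}

// Offline stand-in for fetch, keyed by URL. Unknown URLs answer 404.
function cannedFetch(table) {
  return async (url) => {
    const entry = table[url] || { status: 404, headers: {}, body: "" };
    return {
      status: entry.status,
      headers: { get: (name) => entry.headers[name.toLowerCase()] ?? null },
      text: async () => entry.body,
    };
  };
}

// Constructed responses (hypothetical hosts, not captured from any real registry).
const OPEN_REGISTRY = {
  "http://registry.corp.example:5000/v2/": {
    status: 200, headers: { "docker-distribution-api-version": "registry/2.0" }, body: "{}",
  },
  "http://registry.corp.example:5000/v2/_catalog?n=100": {
    status: 200, headers: { "content-type": "application/json" },
    body: '{"repositories":["payments/api","batch/worker"]}',
  },
};
const PROTECTED_REGISTRY = {
  "https://registry.corp.example/v2/": {
    status: 401,
    headers: { "www-authenticate": 'Bearer realm="https://auth.corp.example/token",service="registry.corp.example"' },
    body: '{"errors":[{"code":"UNAUTHORIZED"}]}',
  },
};

Promise.all([
  probeRegistry("http://registry.corp.example:5000", cannedFetch(OPEN_REGISTRY)),
  probeRegistry("https://registry.corp.example", cannedFetch(PROTECTED_REGISTRY)),
]).then(([open, locked]) => {
  console.log("open registry:", open);       // catalogExposed: true, two repositories
  console.log("protected registry:", locked); // authRequired: true, catalogExposed: false
});
```

To run it against a registry you own, call probeRegistry("https://your-registry") with the default fetch on Node 18 or later. A catalogExposed result means anyone on the network can enumerate and pull your images; whether they can also push is a separate (write) test that the post shows attackers performing for you.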

How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions
Cisco Talos identified eight vulnerabilities in macOS Microsoft applications, which could allow adversaries to inject malicious libraries, steal app permissions, and potentially escalate privileges.

Deno CLI Vulnerability Repeats npm mistakes: CVE-2024-37150
Liran Tal breaks down CVE-2024-37150, which affected Deno v1.44.0. Deno would send the .npmrc credentials configured for a package's scope along with the request for its tarball, even when the tarball URL returned by the registry pointed to a different domain.

👋 As Liran notes, there was a similar vulnerability in the npm cli in 2022. History repeats itself yet again!
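To make the bug class concrete, here is an added example (not Deno's or npm's code, and not Liran's) contrasting the two ways a CLI can decide which .npmrc credential to attach to a tarball download. The vulnerable pattern picks the credential by the package's scope and sends it to whatever URL the registry handed back; the safe pattern picks it by the URL actually being requested, so a token configured for one registry host never travels to another. The .npmrc contents, hostnames and token are constructed for the demo.

```javascript
// Added example: scope-keyed vs URL-keyed credential selection for npm
// registries. Illustrates the pattern behind CVE-2024-37150, not Deno's code.
// Sample .npmrc, hosts and token are constructed.

// Minimal .npmrc parser for the two key shapes involved:
//   @scope:registry=https://host/path/    which registry serves a scope
//   //host/path/:_authToken=TOKEN         credential for that registry URL
function parseNpmrc(text) {
  const scopeRegistries = new Map(); // "@acme" -> "https://npm.acme.example/"
  const credentials = new Map();     // "npm.acme.example/" -> token
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key.endsWith(":registry")) {
      scopeRegistries.set(key.slice(0, -":registry".length), value);
    } else if (key.startsWith("//") && key.endsWith(":_authToken")) {
      let hostPath = key.slice(2, -":_authToken".length);
      if (!hostPath.endsWith("/")) hostPath += "/";
      credentials.set(hostPath, value);
    }
  }
  return { scopeRegistries, credentials };
}

// "host/path" of a URL, scheme dropped. npm calls the "//host/path/" form a
// nerf dart; it is the key space credentials live under.
function urlKey(url) {
  const u = new URL(url);
  return u.host + u.pathname;
}

// Registry keys always end in "/", so "npm.acme.example/" cannot be a prefix
// of a URL on "npm.acme.example.evil".
function registryKey(url) {
  const k = urlKey(url);
  return k.endsWith("/") ? k : k + "/";
}

// VULNERABLE pattern: credential chosen by the package's scope; the tarball
// URL is never consulted, so the token follows the package to any host.
function authHeaderByScope(config, scope, tarballUrl) {
  const registry = config.scopeRegistries.get(scope);
  if (!registry) return null;
  const token = config.credentials.get(registryKey(registry));
  return token ? `Bearer ${token}` : null;
}

// SAFE pattern: credential chosen by the URL being requested. A token stored
// under "host/path/" is attached only to URLs under that prefix.
function authHeaderByUrl(config, requestUrl) {
  const target = urlKey(requestUrl);
  for (const [prefix, token] of config.credentials) {
    if (target.startsWith(prefix)) return `Bearer ${token}`;
  }
  return null;
}

// Constructed sample; the token is not real.
const SAMPLE_NPMRC = `
# private scope on a self-hosted registry, everything else from npmjs.org
@acme:registry=https://npm.acme.example/
//npm.acme.example/:_authToken=npm_EXAMPLE_TOKEN_000
registry=https://registry.npmjs.org/
`;

const config = parseNpmrc(SAMPLE_NPMRC);
// Registry packument says the tarball lives on a different host (e.g. a CDN):
const tarballElsewhere = "https://cdn.third-party.example/acme/ui-1.2.3.tgz";
const tarballOnRegistry = "https://npm.acme.example/@acme/ui/-/ui-1.2.3.tgz";

console.log("by scope, off-host tarball:", authHeaderByScope(config, "@acme", tarballElsewhere)); // token leaks
console.log("by URL,   off-host tarball:", authHeaderByUrl(config, tarballElsewhere));           // null
console.log("by URL,   on-host tarball: ", authHeaderByUrl(config, tarballOnRegistry));          // token sent
```

The prefix check is the whole fix: credentials are a property of where a request goes, not of which package it is for. The same rule covers a registry that serves several scopes from one host and a registry whose tarballs are served from a sibling path, while still refusing to send the token to a look-alike hostname.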

Open Source

Vulnetix: Automate vulnerability triage
Vulnetix, a project led by Christopher Langton, is a recently announced vulnerability management platform committed to avoiding vendor lock-in and employing automation to reduce the manual burden teams routinely face.

👋 With new tools everywhere, I appreciate the focus on standards rather than ingesting data from insert_tool_name. I suspect many readers have built similar management dashboards internally, maybe several, with dreams of deploying automation, but perhaps Vulnetix can replace that need 🤔.

Mixeway Flow: Swiss army knife for DevSecOps Teams
Integrating with Git and CI/CD environments through webhooks, Mixeway Flow bundles SAST (Bearer), SCA (OWASP Dependency-Track), IaC scanning (KICS), and secret-leak detection (gitleaks). The project includes a frontend and a backend for viewing vulnerabilities and components.

👋 This seems very solid. I haven’t tested it (yet), but if it performs as designed, it is attractive. However, I think they should’ve used Semgrep instead of Bearer 😉.

Upcoming Events

OWASP Global AppSec US Conference
I look forward to being in San Francisco from September 25 to 27. Let me know if you’d like to meet up!

The Secure Open Source Software (SOSS) Fusion Conference
I’m unsure if I’ll be attending yet, but this is shaping up to be an incredible conference for those interested in securing the open-source ecosystem. I’m hoping to make it happen. This is the first year for SOSS Fusion, so I expect it will be relatively intimate but with some seriously talented folks.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.