
CramHacks Chronicles #61: Weekly Cybersecurity Newsletter!

CISA's Top Exploited CVEs, Snyk's Probely Acquisition, Dependabot's Copilot Autofix, OSS Maintainers on Vulnerability Management, and Perforce’s Puppet Source Shift

Hello! I hope that you are doing well.

I’ve recently found myself obsessing over Sherlock Holmes (again). Looking closer, I’ve realized a trend: Suits, Billions, Succession, Sherlock Holmes, etc., have something in common - an obsession with their work, which I can relate with all too well.

I’m excited for the projects to come and the impact they will have 🥂.

Newsletter

CISA 2023 Top 15 Routinely Exploited Vulnerabilities
The US, Australia, Canada, New Zealand, and the UK report on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023.

👋 Citrix, Fortinet, Progress (MOVEit), Atlassian, Apache (Log4j), Barracuda Networks, Zoho, PaperCut, Microsoft, JetBrains, and ownCloud products made the top 15.

OSS Maintainers On Vulnerability Management and Platform Security Features
UC Irvine’s Jessy Ayala, Yu-Jye Tung, and Joshua Garcia investigate the perspective of OSS maintainers who have had a GitHub Security Advisory issued for at least one of their projects. Eighty maintainers were surveyed, and twenty-two were interviewed.

👋 The data from this research supports the reality that these maintainers are software developers, not security engineers. Almost half of the respondents weren’t even aware of private vulnerability reporting through the platform's security features.

Securing the open source supply chain: The essential role of CVEs
Madison Oliver, Manager of GitHub’s Advisory Database Curation team and CVE Board Member, shares some history and data on the CVE Program and GitHub’s contributions.

👋 Within five years, GitHub has become the 5th largest CVE publisher, reporting almost 7% of all CVEs ever published!

Sentry: Just Gave $750,000 to Open Source Maintainers
Sentry, which launched the Open Source Pledge earlier this year, has given $750,000 to open-source maintainers in 2024, up 50% from last year. With 129 engineers, this is almost $6,000 per developer.

👋 Sentry is a $100M+ ARR company that started open source. In the grand scheme, $750K is only crazy compared to what others are contributing. Call me crazy, but I hope we get to a point where a $750K company contribution would be shameful. For now, kudos to Sentry; I love the mission, and thanks for leading the charge 🙏.

Snyk Acquires Developer-First DAST Provider Probely
Snyk has acquired Probely, a dynamic application security testing (DAST) provider known for its API security testing and web application scanning capabilities.

👋 While I tend to pick SAST over DAST, I’d instead pick both. For instance, DAST can be used to identify reachable API endpoints, and SAST can be utilized for performant analysis of potential vulnerabilities.

Perforce has all but closed the Puppet source
Ben Ford at Overlook InfraTech notes concerns about Perforce’s decision to fork open-source projects internally for future development, with only their word that these changes will eventually make it to their public counterparts. The public statement is here.

👋 This doesn’t sit well with me, albeit I’ve never and likely will never use Puppet. My reasoning is mainly because this will include security fixes. This means that paid versions will receive security fixes before open-source, and they have stated they won’t be committing to any SLAs.

Microsoft: Publishing machine-readable CSAF files
MSRC will now publish CSAF (Common Security Advisory Framework) files, a standard machine-readable advisory format, alongside its CVE data so customers can automate and speed up vulnerability response.
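To show what machine-readable advisories buy a defender, here is an added example (not from the newsletter or MSRC) that triages a CSAF 2.0 document against an asset inventory: it flattens the `product_tree` into product names and reports, per CVE, which products you run are known affected and which are fixed. The advisory, product IDs and CVE ID below are constructed placeholders.

```python
"""Triage a CSAF 2.0 advisory against the products you actually run."""
import json

# Constructed, minimal CSAF 2.0 document (placeholder IDs, not a real advisory).
SAMPLE_CSAF = json.dumps({
    "document": {"title": "Example advisory", "tracking": {"id": "EXAMPLE-0001"}},
    "product_tree": {"branches": [
        {"category": "vendor", "name": "ExampleVendor", "branches": [
            {"category": "product_name", "name": "Widget Server", "branches": [
                {"category": "product_version", "name": "1.0",
                 "product": {"name": "Widget Server 1.0", "product_id": "WS-1.0"}},
                {"category": "product_version", "name": "1.1",
                 "product": {"name": "Widget Server 1.1", "product_id": "WS-1.1"}},
            ]},
        ]},
    ]},
    "vulnerabilities": [
        {"cve": "CVE-0000-00001",  # placeholder, not a real CVE
         "product_status": {"known_affected": ["WS-1.0"], "fixed": ["WS-1.1"]}},
    ],
})


def product_names(csaf):
    """Flatten the nested product_tree branches into {product_id: name}."""
    names = {}

    def walk(branches):
        for branch in branches:
            if "product" in branch:
                names[branch["product"]["product_id"]] = branch["product"]["name"]
            walk(branch.get("branches", []))

    walk(csaf.get("product_tree", {}).get("branches", []))
    return names


def triage(csaf_text, inventory):
    """Return {cve: {"known_affected": [...], "fixed": [...]}} using product
    names, keeping only product_ids present in `inventory` (your assets)."""
    csaf = json.loads(csaf_text)
    names = product_names(csaf)
    result = {}
    for vuln in csaf.get("vulnerabilities", []):
        status = vuln.get("product_status", {})
        hit = {key: [names[p] for p in status.get(key, []) if p in inventory]
               for key in ("known_affected", "fixed")}
        if hit["known_affected"]:  # only report CVEs that touch your inventory
            result[vuln.get("cve", "<no cve>")] = hit
    return result
```

Real MSRC CSAF files carry many more fields (remediations, scores, notes); the same `product_status` and `product_tree` walk applies to them.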

Copilot Autofix for Dependabot now available for TypeScript repositories
GitHub’s new Copilot Autofix for Dependabot (in private preview for TypeScript) now automatically identifies and suggests fixes for dependency updates that break CI.

👋 This is neat, but I’m not a huge fan of relying on CI failures. Still, it’s better than nothing!

ubuntu-latest: Notice of breaking changes for GitHub Actions
The ubuntu-latest migration to Ubuntu 24 brings Artifacts v3 brownouts, stricter forked PR validation, a new webhook rate limit, and updated network allow lists for self-hosted runners.

Official v1.0.0 Release of Scraperr, the self-hosted web scraper
Scraperr is a self-hosted tool enabling users to scrape data from specified web elements on webpages using XPath, with scraped data displayed in an organized table.

👋 I remember trying to build web scrapers using Beautiful Soup in high school; I sure wish this existed back then.

Y Combinator: Requests for Startups
YC invites startups to innovate in government software, public safety tech, US manufacturing, advanced stablecoins, chip design with LLMs, Fintech 2.0, space exploration, AI engineering tools, and large-scale job creation.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.