CramHacks Chronicles #66: Weekly Cybersecurity Newsletter!

GitHub tackles workflow vulnerabilities, finding undisclosed vulnerabilities using LLMs, container image signing, chasing quality OSS license data, OSS funding report

Hello! I hope you’re having a great week thus far 🙂.

Are any of you playing Path of Exile 2? I haven’t taken a video game seriously in years, but I’m enjoying this one. I thought we’d do one more boss last night, and I’d be in bed within 10 minutes; instead, it took ~20 attempts and almost 2 hours.

"In the past, jobs were about muscles, now they're about brains, but in the future they'll be about the heart."

Minouche Shafik

Newsletter

Find and fix Actions workflows vulnerabilities with CodeQL (Public Preview)
Code scanning in GitHub via CodeQL now offers a “GitHub Actions” language option to analyze Actions workflows for vulnerabilities.

👋 GitHub workflow vulnerabilities have been a hot topic recently. Although the common vulnerability classes have been known for years, exploit automation like Gato-X and real-world incidents like the Ultralytics compromise have put them back in the spotlight. I’m curious how CodeQL will compare to other tools like Zizmor.
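As an added illustration (not GitHub’s CodeQL queries or Zizmor’s code), here is a small Python check for the best-known workflow bug class: expression injection, where a `${{ }}` expression carrying attacker-controlled context (a PR title, a branch name) is interpolated straight into a `run:` shell script. The detector, the list of untrusted contexts, and the two workflows below are mine and constructed for this example; the hardened workflow shows the standard fix of passing the value through an environment variable instead.

```python
import re
from typing import Iterator

# Expression contexts an outside contributor controls on pull_request,
# pull_request_target, issues and comment events. Illustrative, not exhaustive.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.review_comment.body",
    "github.event.head_commit.message",
    "github.event.commits",
    "github.head_ref",
)

RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")
EXPRESSION = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")


def run_scripts(workflow: str) -> Iterator[tuple[int, str]]:
    """Yield (1-based line of the run: key, script text) for each run step.

    Line-oriented on purpose: a `run: |` / `run: >` block scalar continues
    while the following lines are blank or indented deeper than the key.
    """
    lines = workflow.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        if rest.startswith(("|", ">")):
            body, j = [], i + 1
            while j < len(lines) and (
                not lines[j].strip()
                or len(lines[j]) - len(lines[j].lstrip()) > indent
            ):
                body.append(lines[j])
                j += 1
            yield i + 1, "\n".join(body)
            i = j
        else:
            yield i + 1, rest
            i += 1


def find_expression_injections(workflow: str) -> list[tuple[int, str]]:
    """Report (line, expression) for every ${{ }} inside a run: script that
    interpolates attacker-controlled context directly into the shell."""
    findings = []
    for line_no, script in run_scripts(workflow):
        for expr in EXPRESSION.findall(script):
            if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                findings.append((line_no, expr))
    return findings


# Constructed workflow: the PR title and branch name reach the shell verbatim.
VULNERABLE_WORKFLOW = """\
name: greet
on:
  pull_request_target:
    types: [opened]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Echo the PR title
        run: |
          echo "New PR: ${{ github.event.pull_request.title }}"
      - run: echo "Branch ${{ github.head_ref }}"
"""

# Constructed hardened form: the same values are bound to env vars first, so
# the shell sees $TITLE / $BRANCH and never re-parses attacker text.
HARDENED_WORKFLOW = """\
name: greet
on:
  pull_request_target:
    types: [opened]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Echo the PR title
        env:
          TITLE: ${{ github.event.pull_request.title }}
          BRANCH: ${{ github.head_ref }}
        run: |
          echo "New PR: $TITLE on $BRANCH"
"""

if __name__ == "__main__":
    for line, expr in find_expression_injections(VULNERABLE_WORKFLOW):
        print(f"line {line}: untrusted expression in run step: {expr}")
    print("hardened findings:", find_expression_injections(HARDENED_WORKFLOW))
```

The check is deliberately narrow: it only looks at `run:` steps and a fixed list of contexts, so it says nothing about the other well-known classes (checking out the PR head under `pull_request_target`, unpinned third-party actions, cache poisoning) that a full scanner covers.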

AI-Powered Security Research: How We Prioritized 40,000 GitLab Servers for Exposed Secrets
Cycode’s Oreen Livni details how they narrowed their focus using AI (Langflow). Of the 5,000 active and affected GitLab servers, they used AI to identify the top 300 based on company size, sensitive domain type, industry type, repository activity score, and sensitive repo scores.

👋 They then scanned the top 300 for exposed secrets and found 219 👀.

Meet Intel: Aikido’s Open Source threat feed powered by LLMs.
Aikido’s Mackenzie Jackson shares how their AI-powered threat feed and in-house research team identify unreported vulnerabilities in open-source packages. Their data shows that 67% of silently patched software vulnerabilities were never disclosed. Intel has discovered 511 vulnerabilities that were not disclosed publicly.

👋 This happens constantly. A PR is made for a security fix, but the issue is never formally disclosed. It’s becoming more common for SCA vendors to build internal vulnerability databases, ingest data from sources like package PRs and Issues, compare version diffs to identify affected versions, and include them in their DB. This is a great feature but can be expensive to build and manage.
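To make the “compare version diffs to identify affected versions” step concrete, here is an added Python example (mine, not Aikido’s or any SCA vendor’s code). It takes a silent fix as a unified diff and constructed source snapshots of a hypothetical package across releases, decides per release whether the fix is present, and turns that into OSV-style `introduced`/`fixed` events. The package, file contents, versions and diff are all constructed; the “fix is present when every added line is present” rule is a simplification of what a real pipeline does with full ASTs or commit ancestry, but it already handles the awkward case where a later release regresses.

```python
import json

# Constructed snapshots of one source file from a hypothetical package
# across its releases. None of this is a real package or advisory.
# 1.2.1 lands the fix; 2.0.0 is a rewrite that drops it; 2.0.1 restores it.
VULNERABLE = "def read(buf, n):\n    log(n)\n    return buf[:n]\n"
FIXED = (
    "def read(buf, n):\n"
    "    if n > len(buf):\n"
    "        raise ValueError('n out of range')\n"
    "    log(n)\n"
    "    return buf[:n]\n"
)
RELEASES = {
    "1.0.0": VULNERABLE,
    "1.1.0": VULNERABLE,
    "1.2.0": VULNERABLE,
    "1.2.1": FIXED,
    "2.0.0": VULNERABLE,
    "2.0.1": FIXED,
}

# The silent fix as it would appear in the package's PR (constructed).
FIX_DIFF = """\
--- a/pkg/io.py
+++ b/pkg/io.py
@@ -1,3 +1,5 @@
 def read(buf, n):
+    if n > len(buf):
+        raise ValueError('n out of range')
     log(n)
     return buf[:n]
"""


def parse_version(version: str) -> tuple[int, ...]:
    """Dotted numeric versions only; enough for this example's release list."""
    return tuple(int(part) for part in version.split("."))


def added_lines(diff: str) -> list[str]:
    """Lines the fix adds, without the leading '+' (file headers excluded)."""
    return [
        line[1:]
        for line in diff.splitlines()
        if line.startswith("+") and not line.startswith("+++")
    ]


def contains_fix(source: str, diff: str) -> bool:
    """Heuristic: a release is fixed when every line the fix adds is present."""
    lines = set(source.splitlines())
    return all(added in lines for added in added_lines(diff))


def affected_events(releases: dict[str, str], diff: str) -> list[dict[str, str]]:
    """OSV-style SEMVER events: open a range at the first vulnerable release,
    close it at the next fixed one, and reopen it if a later release regresses."""
    events: list[dict[str, str]] = []
    vulnerable = False
    for version in sorted(releases, key=parse_version):
        fixed = contains_fix(releases[version], diff)
        if not fixed and not vulnerable:
            events.append({"introduced": version})
            vulnerable = True
        elif fixed and vulnerable:
            events.append({"fixed": version})
            vulnerable = False
    return events


def affected_versions(releases: dict[str, str], diff: str) -> list[str]:
    """Explicit list of releases that still lack the fix."""
    return [
        version
        for version in sorted(releases, key=parse_version)
        if not contains_fix(releases[version], diff)
    ]


if __name__ == "__main__":
    record = {
        "package": {"ecosystem": "PyPI", "name": "pkg"},  # constructed
        "ranges": [{"type": "SEMVER", "events": affected_events(RELEASES, FIX_DIFF)}],
        "versions": affected_versions(RELEASES, FIX_DIFF),
    }
    print(json.dumps(record, indent=2))
```

Mapping the fix onto releases is the cheap part; the expensive part the commentary alludes to is finding the PR in the first place and judging that it is a security fix at all, which is what the LLM-driven triage in the article is for.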

Secure your container images with signature verification
Datadog’s Bowen Chen shares how image signing and verification can mitigate supply chain attacks. The article also sheds light on how Datadog implemented this internally using a gRPC-based signing service that pushes signatures to their OCI registry. Images are then verified at runtime via containerd.

2024 Open Source Software Funding Report
GitHub, the Linux Foundation, and researchers from Harvard University summarize insights regarding how organizations fund, contribute to, and otherwise support open source software. 159 respondents reported labor or financial contributions adding up to $1.7B in annual value to open source. Extrapolating from this data, organizations worldwide contribute $7.7B annually. 86% of this contribution is in employee labor, converted using an hourly wage of $45.

👋 Harvard’s January 2024 study reported open source is worth up to $8.8T. What is a reasonable annual contribution from organizations globally?

ClearlyDefined: 2024 in review – milestones, growth and community impact
A recap of the Open Source Initiative’s ClearlyDefined project, including expanded license coverage (added support for LicenseRefs), a new harvester for Conda packages, integration with GUAC, and a new online presence.

👋 ClearlyDefined aims to offer “clearly defined” licensing data for open source projects. Many vendors in the space are using poor-quality data to build tools, so I love the focus on quality data!

Ask a hacker: A conversation with ahacker1
👋 Per the bug bounty leaderboards for targets such as GitHub and GitLab, ahacker1 is a savage (in a good way). It's a worthy listen for those interested in bug bounty hunting. A key takeaway was that he focuses on niche technologies, e.g., SAML, where documentation is plentiful but industry expertise is uncommon.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.