
CramHacks Chronicles #70: Weekly Cybersecurity Newsletter!

Executive Order 14144, Homebrew warnings, Google’s Patch Rewards, StackOverflow's decline, GitHub antics, and insights on the Cyber Resilience Act

CramHacks recently had a big wave of new subscribers; welcome all!

This past week felt pretty uneventful. I suspect this is partly due to the current state of politics in the United States. Whether we like it or not, software supply chain security is primarily a byproduct of regulatory guidance, and right now, it’s difficult to predict which holds water.

Let’s look at Executive Order 14144 (Strengthening and Promoting Innovation in the Nation's Cybersecurity). This order builds on Executive Order 14028, which is well-known for starting the SBOM craze.

Sec. 2. Operationalizing Transparency and Security in Third-Party Software Supply Chains.
The executive order emphasizes the Nation’s reliance on software providers and gaps in software acquisition practices.

  • Mandating Transparency: Federal software providers must submit secure software development attestations, validation artifacts, and a list of Federal Civilian Executive Branch (FCEB) customers to CISA's Repository for Software Attestation and Artifacts (RSAA).

  • Centralized Verification: CISA will verify attestation completeness, validate samples using provided artifacts, and address deficiencies directly with providers. Public validation results will highlight noncompliance and may trigger legal action.

  • Updating Security Standards: NIST will refine guidance (SP 800-218, SP 800-53) for secure software development, delivery, and patching.

  • Integrating Risk Management: Agencies must adopt supply chain cybersecurity programs, incorporating NIST SP 800-161 practices across acquisition and contract lifecycles.

  • Open Source Security: Agencies will receive guidelines for assessing, patching, and contributing to open source software, ensuring innovation while managing vulnerabilities.

👋 Overall, I give this executive order a 👍️. But we’ll see if it still stands in the coming weeks. The section on AI in cybersecurity is interesting, requiring the Secretary of Defense to establish a program to use AI models for cyber defense.

Newsletter

Be Careful When Installing Homebrew
Ryan Chenkie points out that Homebrew has (yet again) been targeted by a malicious Google ad. The ad tricks users into visiting a clone of the Homebrew site that provides a cURL command which downloads malware instead of the Homebrew installation script.
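The usual defence against a cloned install page is to refuse the "curl | sh" reflex: fetch the script to a file, check where it actually came from, and read it before running it. The POSIX shell helper below is an added example (not from the newsletter or from Homebrew); it assumes raw.githubusercontent.com is the only host a Homebrew install script should ever be fetched from, and the lookalike URLs in the comments are constructed.

```shell
#!/bin/sh
# Hosts from which an install script may be fetched.
# ASSUMPTION: raw.githubusercontent.com is the legitimate source for the
# Homebrew install script; adjust the list for your own environment.
ALLOWED_HOSTS="raw.githubusercontent.com"

# Extract the host part of a URL (scheme://host[:port]/path...).
# Anything before the first '/', ':' or '?' after the scheme is the host,
# so "https://raw.githubusercontent.com@evil.example/x" yields the
# whole "user@host" string and will not match the allowlist.
url_host() {
    printf '%s\n' "$1" | sed -E 's#^[a-zA-Z]+://([^/:?]+).*#\1#'
}

# Return 0 only if the URL is https and its host is exactly allowlisted.
# Exact comparison rejects constructed lookalikes such as
# "raw.githubusercontent.com.example" or "brew-install.example".
check_install_url() {
    url="$1"
    case "$url" in
        https://*) ;;
        *) return 1 ;;          # plain http or a bare path is never acceptable
    esac
    host=$(url_host "$url")
    for allowed in $ALLOWED_HOSTS; do
        [ "$host" = "$allowed" ] && return 0
    done
    return 1
}

# Download to a temp file and print its digest instead of piping to a shell,
# so the script can be diffed against a known-good copy and read first.
fetch_for_review() {
    check_install_url "$1" || { echo "refusing untrusted URL: $1" >&2; return 1; }
    out=$(mktemp) || return 1
    curl -fsSL -o "$out" "$1" || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$out"
    else
        shasum -a 256 "$out"    # macOS ships shasum rather than sha256sum
    fi
    echo "saved to $out; review it before running"
}
```

Source this file and call fetch_for_review with the URL copied from the page; a clone site's URL is rejected before any bytes are downloaded.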

Google’s Patch Rewards Program
Google's Patch Rewards Program offers financial incentives, up to $15,000, to open-source developers who improve security in eligible projects. The program also provides a reward multiplier to encourage a focus on memory safety issues, raising the maximum to $45,000.

Vigilante Justice on GitHub
Truffle Security’s Dylan Ayrey shares how to graffiti other people’s GitHub activity if they create an issue on a repository where you have push permissions 🤣.

Are LLMs making StackOverflow irrelevant?
Gergely Orosz discusses StackOverflow’s downfall, accelerated by AI, stagnant innovation, and frustrating moderation policies. Since ChatGPT launched, StackOverflow has received 76.5% fewer questions.

👋 Per Theodore R. Smith, who shares the raw data in a gist, the last time StackOverflow received so few questions was in May 2009!

Everything you ever wanted to know about the CRA
Tobie Langel kickstarted a GitHub repository containing an FAQ and an inventory of resources for the Cyber Resilience Act.

👋 The Council of the European Union adopted the CRA on October 10th, 2024. I suspect this FAQ section will be especially beneficial in 2025 as we learn the nuances.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.