Adam and Jerod are joined by Ken Kantzer, co-founder of PKC Security. Ken and his team performed upwards of 20 code audits on well-funded startups. Now that itâs 7 or 8 years later, he wrote up 16 surprising observations and things he learned looking back at the experience. We gotta discuss âem all!
Rob Barnes (a.k.a. Devops Rob) and Rosemary Wang (author of Infrastructure as Code - Patterns & Practices) are joining us today to talk about infrastructure secrets.
What do Rosemary and Rob think about committing encrypted secrets into a repository? How do they suggest that we improve on storing secrets in LastPass? And if we were to choose HashiCorp Vault, what do we need to know?
Thank you Thomas Eckert for the intro. Thank you Nabeel Sulieman (ep. 46) & Kelsey Hightower (ep. 44) for your gentle nudges towards improving our infra secrets management.
Chain-bench is an open source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
You can run the tool from a CLI, assuming your code is hosted on GitHub (more SCM hosts coming soon):
chain-bench scan --repository-url <REPOSITORY_URL> --access-token <TOKEN> -o <OUTPUT_PATH>
I couldnât find a comprehensive list of what checks are in the benchmark, but it appears they are referring to this guide. You can see what an example runâs results like like in the README.
dot (aka Deepfake Offensive Toolkit) makes real-time, controllable deepfakes ready for virtual cameras injection. dot is created for performing penetration testing against e.g. identity verification and video conferencing systems, for the use by security analysts, Red Team members, and biometrics researchers.
Whatâs crazy is dot deepfakes donât require any additional training. đ¤Ż
Ken Kantzer was part of ~20 code audits of companies that had just raised their A or B rounds of funding:
It was fascinating work â we dove deep on a great cross-section of stacks and architectures, across a wide variety of domains. We found all sorts of security issues, ranging from catastrophic to just plain interesting. And we also had a chance to chat with senior engineering leadership and CTOs more generally about the engineering and product challenges they were facing as they were just starting to scale.
In this post he shares some of the more surprising things heâs learned from the experience. Thereâs a lot to digest in this post, but Iâll highlight my favorite to whet your whistle:
Simple Outperformed Smart. As a self-admitted elitist, it pains me to say this, but itâs true: the startups we audited that are now doing the best usually had an almost brazenly âKeep It Simpleâ approach to engineering. Cleverness for cleverness sake was abhorred. On the flip side, the companies where we were like âwoah, these folks are smart as hellâ for the most part kind of faded.
This is the post-KubeCon CloudNativeCon EU 2022 week. Gerhard is talking to Matt Moore, founder & CTO of Chainguard about all things Knative and Sigstore.
The most important topic is swag, because none has better stickers than Chainguard.
The other topic is the equivalent of Letâs Encrypt for securing software.
This week weâre talking with Bruce Schneier â cryptographer, computer security professional, privacy specialist, and writer (of many books). He calls himself a âpublic-interest technologistâ, a term he coined himself, and works at the intersection of security, technology, and people.
Bruce has been writing about security issues on his blog since 2004, his monthly newsletter has been going since 1998, heâs a fellow and lecturer at Harvardâs Kennedy School, a board member of the EFF, and the Chief of Security Architecture at Inrupt. Long story short, Bruce has credentials to back up his opinions and on todayâs show we dig into the state of cyber-security, security and privacy best practices, his thoughts on Bitcoin (and other crypto-currencies), Tim Berners-Leeâs Solid project, and of course we asked Bruce to share his advice for todayâs developers building the software systems of tomorrow.
Today we are at KubeCon CloudNativeCon EU 2022, talking to Adolfo GarcĂa Veytia about securing Kubernetes releases. Adolfo is a Staff Software Engineer at Chainguard, and one of the technical leads for SIG release, meaning that he helps ship Kubernetes. You most likely know him as Puerco, and have seen first-hand his passion for securing software via SBOMs, cosign and SLSA. Puercoâs love for bikes and Chainguard are a great match đ´ââď¸
Mike Hanley on GitHubâs blog:
The software supply chain starts with the developer. Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chainâŚ
Today, as part of a platform-wide effort to secure the software ecosystem through improving account security, weâre announcing that GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.
This is a big step in the right direction and their new(ish) 2FA for GitHub Mobile feature helps make the burden not as cumbersome as it might be otherwise.
After recording Ship It! #46, Nabeel Sulieman and Gerhard stuck around to pair on getting KCert (a simpler alternative to cert-manager) set up on our LKE infra. It works!
You might not need this curated checklist of 300+ tips for protecting digital security and privacy (you probably do), but I bet thereâs someone in your life who does (you probably do, too).
Feross has been working on something big. He joins Chris and Nick, along with guests Bret Comnes and Mik Lysenko to discuss Socket, what it is, and its focus on the security of the JavaScript supply chain.
Nabeel Sulieman, Senior Software Engineer at Vercel, talks about KCert, a simpler alternative to cert-manager that he built. Gerhard tried it out, and he thinks that Nabeel is onto something. If you want to see the video that they recorded, ping us on Twitter or Slack.
We love this story, especially the long-term approach of working on something that one truly believes in, and the only reason is because itâs fun. The world needs more people like Nabeel, and we hope that this episode inspires you to go all out, and do just that.
Wireshark is a seriously cool piece of software for packet sniffing and analysis. Why might you want to use it on yourself?
This opens up possibilities to not only reverse engineer web app private APIs in a deeper way, but also to do the same kind of research against desktop apps for purposes such as data scraping, automation, vulnerability research and privacy analysis.
This week weâre joined by the âmad scientistâ himself, Feross AboukhadijehâŚand weâre talking about the launch of Socket â the next big thing in the fight to secure and protect the open source supply chain.
While working on the frontlines of open source, Feross and team have witnessed firsthand how supply chain attacks have swept across the software community and have damaged the trust in open source. Socket turns the problem of securing open source software on its head, and asksâŚâWhat if we assume all open source may be malicious?â So, they built a system that proactively detects indicators of compromised open source packages and brings awareness to teams in real-time. We cover the whys, the hows, and whatâs next for this ambitious and very much needed project.
Said root access is achieved on DevOops â a medium-rated, retired machine on HackTheBox. The hack begins with a web server that hosts XML file uploads and ends with⌠well, I wonât spoiler it for you. Follow along and try to get root for yourself!
Avi Lumelsky shares his journey finding and reporting databases with sensitive data about Fortune-500 companies, hospitals, crypto platforms, startups during due diligence, and more.
His major entry point: misconfiguration
Tobie Langel, Open source strategist and Principal at UnlockOpen, joins Chris, Feross, and Amal to discuss recent widespread incidents affecting the JavaScript community (and breaking CI builds) around the globe. Two widely used npm libraries were self-sabotaged by their single maintainer, yet again, highlighting the many gaps in our OSS supply chain security, sustainability and overall practices. We explore all these topics and solution on what our ecosystem needs to be more resilient to these types of attacks in the future.
Linux users on Tuesday got a major dose of bad newsâa 12-year-old vulnerability in a system tool called Polkit gives attackers unfettered root privileges on machines running any major distribution of the open source operating system.
Previously called PolicyKit, Polkit manages system-wide privileges in Unix-like OSes. It provides a mechanism for nonprivileged processes to safely interact with privileged processes. It also allows users to execute commands with high privileges by using a component called pkexec, followed by the command.
Oh my. It requires local access first, which is the only good news here.
Oliver Brotchie developed this CSS fingerprinting technique that requires no Javascript or Cookies to function and avoids anti-tracking methods such as NoScript, VPNs or browser extensions.
CSS Fingerprinting is a technique of tracking and gathering information on site visitors. This method exploits the nature of CSS to track various characteristics about the visitorâs browser and device, which can later be used to either identify or track said visitor.
Right now, at current spec, this method doesnât scale, but with the next upcoming draft of the CSS specification, CSS Values 4, it will become far more scalable and precise.
We laugh so that we do not have time to cry. (via Zachary Taylor in our community Slack)
We have been researching the Log4J RCE (CVE-2021-44228) since it was released, and we worked in preventing this vulnerability with our customers. We are open-sourcing an open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability. This shall be used by security teams to scan their infrastructure for Log4J RCE, and also test for WAF bypasses that can result in achiving code execution on the organizationâs environment.
In Firefox 95, weâre shipping a novel sandboxing technology called RLBox that makes it easy and efficient to isolate subcomponents to make the browser more secure. This technology opens up new opportunities beyond whatâs been possible with traditional process-based sandboxingâŚ
Turns out using WebAssembly to isolate potentially-buggy code is a pretty big win:
Going forward, we can treat these modules as untrusted code, and â assuming we did it right â even a zero-day vulnerability in any of them should pose no threat to Firefox.
This the best intro to zk proofs Iâve seen. She starts simple with a Whereâs Waldo example and works her way up to Sudoku.
In cryptography, zero knowledge proofs let you convince me that you know something, or have done something, without revealing to me what your secret thing was.
If youâre unaware of what Trojan Source attacks are, or how unicode characters injected into a codebase could be used in malicious ways, refer to the README of the anti-trojan-source source code repository.
This ESLint plugin is based on the library and command-line tool anti-trojan-source.
