security
Ayman4 months ago
Great talk on how one could bypass a TF plan, along with advanced tips on preventing it. Demo at 23'
https://www.youtube.com/watch?v=QN3fLLSfAgs
akhan4uabout 1 year ago
Hey folks, can anyone tell me what DevSecOps features Harbor registry provides? Also, which would be the better choice for hosting a registry: trow, quay (self-hosted), or harbor? I want to focus more on the security aspects.
Aymanabout 1 year ago
Hi folks, what is everyone doing to keep their ECR images updated and free of vulns? Looking for new ideas for an image pipeline, especially for nervous engineers.
Soren Jensenover 1 year ago
Anyone who has a Data Security Questionnaire they can share with me for 3rd party services processing data with AI? I need some inspiration and assurance that I'm covering the basics in our questionnaire
Techover 1 year ago
Hey there,
I have been asked to do an assessment of our DevSecOps practices and have been asked to implement HashiCorp Vault. I am hoping to pick someone's brain on how they have done it for their org. Appreciate any help I can get, thanks.
NXT1almost 2 years ago
Excited to share our latest NXT1 blog post by our Co-Founder and CTO, Darren House. In "Redefining Roles in Application Security," Darren explores the need for a shift in responsibility away from end users in securing commercial technologies. He emphasizes the importance of adopting a long-term perspective, integrating GenAI into the development process, and fostering a culture of shared responsibility among educators, industries, and users. Dive into the full article to discover how we can build a safer future together.
https://nxt1.cloud/cybersecurity/redefining-roles-in-application-security/?utm_medium=blog&utm_source=communities&utm_term=slack
Hao Wangalmost 2 years ago
Another social engineering takeover attempt: https://therecord.media/researchers-stop-credible-takeover-xz-utils
Hao Wangalmost 2 years ago
Why CISA is Warning CISOs About a Breach at Sisense
Hao Wangalmost 2 years ago(edited)
When this xz thing first happened, a question came to my mind: the English commit messages are so fluent, https://research.swtch.com/xz-timeline. Did the xz owner Lasse Collin talk to Jia Tan before, either face to face or by voice? Did anyone know Lasse Collin or see him before? When did ssh include liblzma?
Hao Wangalmost 2 years ago
The open-source project owners who are experiencing mental health issues are the targets of social engineering
Alanis Swanepoelalmost 2 years ago
Kamilalmost 2 years ago
Hi Everyone! Does anyone know a good alternative to freeipa? Is freeipa the best for managing access to Linux machines?
gyozaabout 2 years ago(edited)
yoo anybody know any good alternative to Weaveworks Ignite Firecracker vm -- that has docker images lol (Weaveworks is shutting down apparently)
Juan Sotoabout 2 years ago
Hey everyone! Given that 3DES ciphers are susceptible to SWEET32 attacks, I’m on a mission to secure our CloudFront domains. However, I’ve hit a snag: the most up-to-date security policy I can apply is TLSv1.2, which, to my surprise, still supports 3DES. Does anyone know if there’s a method to exclude 3DES ciphers from CloudFront? Alternatively, is there a way to customize the security policy manually? Appreciate any insights or guidance!
Soren Jensenabout 2 years ago
Hi All, Anyone who can recommend a company doing pen-testing of NodeJS frontend, Python backend deployed in AWS. Purpose of the pen-test is audit requirement, but we are also very interested in learning from the experience and validating our internal effort on security.
Hao Wangabout 2 years ago
Alanis Swanepoelabout 2 years ago
https://easybreach.dragonsecurity.io
Type in a password
The client side generates a sha1 hash as you type and the sha1 gets checked against my easybreach api in near realtime, seeded with the hibp password list.
Jim Parkabout 2 years ago
LogoFAIL is a technique to take advantage of image parsing functions that do not properly validate input arguments and allow for buffer overflows in UEFI bootloaders. The attack is to inject a trojan-horse'd vendor logo into the EFI System Partition. Apple devices are not vulnerable because they do not use UEFI, but others should make sure they check for BIOS updates from their manufacturer.
Alanis Swanepoelabout 2 years ago
For anyone interested, I’ve just released a threat intel feed aggregator - dstif.io
Feel free to add the rss feed to your own slack/discord/feeds (hint hint @Erik Osterman (Cloud Posse) )
Seanover 2 years ago
This would be great to have in SOPS. Makes the secret story much better to be able to encrypt for a recipient, without having access to their KMS.
This is a pattern we follow, so can't adopt SOPS yet, to encrypt offline without touching the environment. It also allows developers, who do not have privileged access to production environments to pass us secrets for target systems.
https://github.com/getsops/sops/issues/684
Alanis Swanepoelover 2 years ago
Seanover 2 years ago
Q: For access to Kubernetes APIs (for kubectl, helmfile, k9s, …) do you allow access direct from your engineers local machines (laptops) or do you require them to jump into a bastion or other host (via SSH, SSM, InstanceConnect, …)?
venkataover 2 years ago
Jim Parkover 2 years ago
https://downfall.page/ Another speculative execution attack has been announced. Seems like AWS is patched already, but workstations using Intel chips will likely need firmware updates.
jonjitsuover 2 years ago
Anyone have recommendations on tooling for Compliance as Code? I used chef inspec like 5 years ago to implement controls for AWS accounts. It was quite nice for being "compliance" oriented and using a real programming language. I'm not sure of the future of inspec along with its licensing change; is there something else comparable? Has compliance as code progressed at all? What resources can I consume to get ramped up on the current state of affairs? Everything I've found so far makes me think the whole movement died 2 years ago.
Jim Parkover 2 years ago
Sudhish KRover 2 years ago
Hey Folks,
I’m thrilled to share our journey towards Continuous Security Audits at Dgraph Labs Inc. In our blog post, we delve into how we detect and remediate potential Security Issues within our offerings. Our new setup integrates a selection of toolsets and aids in “Improved Visibility” and “Faster Security Issue Resolution” for our organization (and our esteemed customers). Within a concise timeframe (~3 months), we’ve successfully addressed over 2k+ security issues with this, significantly bolstering our SOC2 compliance endeavors. Learn more about our Security Landscape, Layers, Tools in our blog post. https://www.sudhishkr.com/posts/20230609_how-we-fixed-2kplus-security-issues/
#DevSecOps #SecurityAudit #DgraphLabs #ContinuousSecurity #OpenSource #DevOps #CVEs #Linters #GitHubActions #SecureCoding
jonjitsuover 2 years ago
Anyone have experience simplifying an SSO login page which provides multiple ways of logging in by using multiple vanity login domains instead? For example, a menu asking the user to choose a way to sign in between "microsoft account" and "google account" would be converted into two domains, ms.example.com and ga.example.com. What are the negatives to such an approach (besides the increase in resources to manage)? Is this against some best practice? Is this somewhat common?
Jim Parkover 2 years ago
Dang it Gigabyte. https://www.wired.com/story/gigabyte-motherboard-firmware-backdoor/
Erik Osterman (Cloud Posse)over 2 years ago
We've launched a #compliance channel to discuss topics like FedRAMP, HIPAA, SOC2, PCI/DSS, HITRUST, etc.
Jeremy G (Cloud Posse)over 2 years ago
🚨 If you are using an iPhone, be sure to lock it down (watch the whole video for background on why this is important). This is countering an active threat that will ruin more than just your day if you fall victim. Additional mitigation includes using 1Password rather than iCloud Keychain for access to accounts.
Jim Parkalmost 3 years ago(edited)
Let the supply chain attack vs patch management battle begin!
How to auto-approve and merge dependabot PRs.
Jim Parkalmost 3 years ago
On the topic of SBOMs, a new company that Rob Mee (of Pivotal fame) started will help customers manage (and keep up to date with patches) legacy enterprise software using Elixir.
Jim Parkalmost 3 years ago(edited)
GitHub updated their ssh key after they accidentally leaked their private key.
https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
robwduxalmost 3 years ago
Anyone used or familiar with https://oak9.io/ ? Did https://indeni.com/ pivot? It doesn't look like they focus so much on IaC anymore.
Pawel Reinabout 3 years ago
Hi, I'm using GitHub Actions with OIDC to auth against AWS and looking for ways to make it work with dependabot, so that PRs opened by dependabot can trigger workflows that pull stuff from ECR. Anyone with a similar setup?
Joe Perezabout 3 years ago
Hello all! I wanted to see if anyone had suggested training for breaking into security. My brother is looking for a career change and is currently looking into a security bootcamp through ASU. The bootcamp is pretty pricey at $15k, but it is a 6 month program. I'm helping him learn git/bash/etc, but I'm probably less efficient at teaching him security related stuff
Soren Jensenabout 3 years ago
In my quest to get the company ISO27001 certified I have come across a control where I need to document where I'm signed up for security alerts and updates. Anyone know of good mailing lists or services that update you on the latest trends in security?
Jim Parkover 3 years ago
Oh dang, GitHub, you just made credential scanning easy, no more needing to enforce credential scanning pre-commit hooks! GitHub can be configured to reject credentials on push!
Maciek Strömichover 3 years ago
sooo who's up deploying openssl fixes? 😉
Alanis Swanepoelover 3 years ago
https://security.humanativaspa.it/automating-binary-vulnerability-discovery-with-ghidra-and-semgrep/
@Soren Jensen - this is as close to what I can share at the minute - working with our team on a broader writeup
Soren Jensenover 3 years ago
Any write up on how you did it and what the results were?