DevSec Selection #19 – Swiss Army Knife for DevSecOps, DEF CON 32 Talks, Okta Authentication Vulnerability

November 3, 2024

Intro

Hey everyone!

I’m excited to bring you this edition packed with insightful cybersecurity materials. From powerful DevSecOps tools to thought-provoking industry discussions, there’s something for everyone this week.

First up, let’s take a look at Mixeway Flow, an open-source tool designed to be the Swiss army knife for DevSecOps. Whether you’re a developer or a security engineer, its vulnerability scanning, Git integration, and unified dashboard can streamline your security processes and boost your productivity.

In this edition, I included a few talks from the DEF CON 32 – AppSec Village. One standout session explores how to use the Exploit Prediction Scoring System (EPSS) for improved vulnerability management, while another dives into effective SBOM management with real-world case studies from Schneider Electric. If AI and ethical disclosures pique your interest, don’t miss the talk on balancing transparency and security when disclosing AI vulnerabilities.

I’ve also included a valuable Reddit thread that delves into the real value of threat modeling, sparking conversation about its effectiveness and practical benefits. It’s a great read for anyone involved in security design or risk assessment.

Finally, be sure to check out the Okta vulnerability in AD/LDAP delegated authentication, where Bcrypt’s 72-byte input limit meant that, for sufficiently long usernames, the password was silently dropped from the hashed material. The flaw was present for roughly three months and is a good reminder to check the input limits of every primitive you build on.

Enjoy the materials and stay secure!

Materials

What if you could streamline security in your DevOps processes effortlessly? Mixeway Flow is a versatile, comprehensive tool designed to serve as the ultimate Swiss army knife for DevSecOps. It bundles vulnerability scanning, Git integration, and a unified dashboard for threat management, which makes it an interesting tool for both developers and security engineers.

This talk explores the Exploit Prediction Scoring System (EPSS), a data-driven tool that leverages current CVE data and real-world exploit information to assess the likelihood of vulnerability exploitation. It provides an in-depth look at the EPSS model and practical steps for integrating it into CI/CD pipelines and traditional system patching.

This presentation explores how Schneider Electric successfully integrated thousands of SBOMs into its corporate product CERT to enhance vulnerability management and response times. Highlighting real-world applications during the Log4j and OpenSSL incidents, it outlines modified policies and processes for efficient SBOM collection and usage. Key takeaways include lessons learned, practical suggestions, and areas for future improvement in SBOM management practices.

This talk explores the complex challenges of ethical and secure vulnerability disclosure in AI, focusing on balancing transparency with security. It addresses issues like data bias exploitation and model manipulation, emphasizing the need for responsible management. Using real-world examples, it aims to inspire a unified approach to improve disclosure processes and strengthen public trust in AI systems.

A very insightful Reddit discussion on the value of threat modeling, initiated by an internal security engineer who transitioned from the pentesting field to focusing more on design reviews.

A Grafana Labs engineer recently discovered a Local File Inclusion (LFI) vulnerability introduced in Grafana 11 through the experimental SQL Expressions feature. This feature, designed for post-processing query results using SQL, was mistakenly enabled by default due to an implementation oversight, allowing potential programmatic access via the API. Exploitation requires an authenticated user with Viewer permissions and the presence of the DuckDB binary in Grafana’s environment path.

How can AI revolutionize incident response in tech? This article explains Meta’s innovative AI-assisted root cause analysis system that enhances the efficiency of system reliability investigations, achieving 42% accuracy in identifying issues. It is targeted at engineers and tech professionals interested in AI applications in operational excellence.

Okta internally identified a vulnerability in AD/LDAP delegated authentication that, under specific conditions, allowed a user to authenticate with only a username. Based on the advisory, Bcrypt was used to generate a cache key from the concatenation userId + username + password. Bcrypt, however, only processes the first 72 bytes of its input in most implementations; anything beyond that is silently truncated. Once userId plus username filled those 72 bytes, the password no longer contributed to the hash at all, which is why the advisory singles out usernames longer than 52 characters. The vulnerability was present from 2024-07-23 until 2024-10-30. There are no details on how many users were affected.
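The truncation described above, as an added example that is not Okta’s code: the 20-character user id and the usernames are constructed sample values, and because bcrypt is not in Python’s standard library a stand-in KDF that truncates its input to 72 bytes (the one bcrypt property that matters here) is used in its place. The hardened variant pre-hashes length-prefixed fields with SHA-256 so the KDF input is always 64 bytes.

```python
"""Why a 72-byte KDF input limit can drop the password from a key derived over
userId + username + password, and one way to fix it. Added illustration, not
Okta's code; all field values are constructed."""
import hashlib
import hmac

BCRYPT_MAX_INPUT = 72          # bytes; most bcrypt implementations truncate here
SALT = b"constructed-fixed-salt"  # fixed so the demo is deterministic


def _bcrypt_like(data: bytes) -> bytes:
    # Stand-in for bcrypt (assumption: not the real algorithm). It reproduces
    # the relevant behaviour, silently ignoring everything past 72 bytes, and
    # uses PBKDF2 only because it is available offline in the standard library.
    return hashlib.pbkdf2_hmac("sha256", data[:BCRYPT_MAX_INPUT], SALT, 1000)


def cache_key_vulnerable(user_id: str, username: str, password: str) -> bytes:
    """Plain concatenation, as the advisory describes: userId + username + password."""
    material = (user_id + username + password).encode("utf-8")
    return _bcrypt_like(material)


def password_bytes_hashed(user_id: str, username: str, password: str) -> int:
    """How many bytes of the password actually survive truncation.
    0 means the key is independent of the password entirely."""
    prefix_len = len(user_id.encode("utf-8")) + len(username.encode("utf-8"))
    room = max(0, BCRYPT_MAX_INPUT - prefix_len)
    return min(room, len(password.encode("utf-8")))


def password_is_ignored(user_id: str, username: str) -> bool:
    """Precondition check: once userId + username fill 72 bytes, no password byte is hashed."""
    prefix_len = len(user_id.encode("utf-8")) + len(username.encode("utf-8"))
    return prefix_len >= BCRYPT_MAX_INPUT


def cache_key_fixed(user_id: str, username: str, password: str) -> bytes:
    """Hardened variant: length-prefix each field (so 'ab'+'c' != 'a'+'bc') and
    compress everything through SHA-256 first. The hex digest is 64 bytes, so it
    always fits under the 72-byte limit and every input byte influences the key.
    Hex rather than raw digest bytes avoids embedded NULs, which C-string based
    bcrypt implementations would treat as the end of the input."""
    h = hashlib.sha256()
    for field in (user_id, username, password):
        b = field.encode("utf-8")
        h.update(len(b).to_bytes(4, "big"))
        h.update(b)
    return _bcrypt_like(h.hexdigest().encode("ascii"))


def keys_match(stored: bytes, candidate: bytes) -> bool:
    """Constant-time comparison for the verification step."""
    return hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    user_id = "0" * 20            # constructed: a 20-character opaque user id
    long_username = "a" * 53      # constructed: a long AD/LDAP username
    good, bad = "correct horse battery staple", "wrong"
    print("password bytes hashed:", password_bytes_hashed(user_id, long_username, good))
    print("vulnerable key ignores password:",
          keys_match(cache_key_vulnerable(user_id, long_username, good),
                     cache_key_vulnerable(user_id, long_username, bad)))
    print("fixed key ignores password:",
          keys_match(cache_key_fixed(user_id, long_username, good),
                     cache_key_fixed(user_id, long_username, bad)))
```

`password_bytes_hashed` is the check worth keeping around: with a 20-byte id and a 50-character username only two password bytes survive, which is still a broken key even though it is not the all-or-nothing case the advisory describes. Any fixed-width primitive fed with concatenated fields needs the same audit.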

DevSec Selection is a bi-weekly Newsletter with the latest outstanding articles related with DevSecOps and application security.
