DevSec Selection #22 – Google Password Heist, Supply-Chain Firewall, Vanir and Kubernetes Goat

December 13, 2024

Intro

Hey everyone!

This year, I’ve shared 22 newsletter editions with you, and I hope you found valuable articles and materials in them. As this is the last edition of the year, I want to wish you a happy and calm Christmas, spent doing your favorite activities. Relax, recharge your batteries and enjoy this time. I will be back ;).

For this edition we kick things off with an intriguing read about Google’s unique internal challenge: The Great Google Password Heist. For 15 years, security teams have tested their skills by attempting to hack departing colleagues’ passwords, showcasing their creativity and technical skills. It’s a fascinating look at hacking as a culture-builder.

For developers concerned about software supply chain security, check out the Supply Chain Firewall by Datadog Security Labs, designed to protect against malicious PyPI and npm packages. Google’s Vanir also makes an appearance as a static analysis tool to detect missing patches in Java, C and C++ software, especially useful for Android developers. Meanwhile, Kubernetes enthusiasts can dive into Kubernetes Goat, a hands-on, intentionally vulnerable environment for sharpening offensive security skills.

Looking to enhance API security? OWASP Noir is an interesting open-source project for identifying attack surfaces during whitebox testing. You might also be interested in Threat-Composer, which offers a simple yet effective way to integrate threat modeling into your software design process.

For those tackling vulnerability management challenges, an article on the EPSS Score Vulnerability Management explores how this scoring system can help prioritize real-world risks and reduce alert fatigue. And finally, Trail of Bits introduces 35 new Semgrep rules, perfect for securing infrastructure, supply chains, and Ruby applications.

Enjoy the materials and stay secure!

Materials

Great article about Google’s leaving tradition, describing a unique challenge which can also be called “hacking a hacker”. During the notice period, colleagues from security-related teams use every tool at their disposal to obtain the leaver’s plaintext password. This involves leveraging sophisticated 0-day exploits in internal systems, N-days in browsers, and even setting up tiny cameras to capture the leaver typing their password on a keyboard.

Are you concerned about malware in open source packages? The article introduces the Supply Chain Firewall, an open-source tool by Datadog Security Labs that protects developers from malicious PyPI and npm packages. The article explains its features and setup, making it ideal for software engineers aiming to secure their development environments.

How can developers make sure their applications are not missing security patches? Vanir is a static analysis tool that identifies unpatched vulnerabilities in C, C++, and Java code. The tool can be especially useful for Android vendors and developers.

Are you interested in mastering Kubernetes security? Kubernetes Goat is a deliberately vulnerable cluster environment designed for hands-on learning and practice. It’s ideal for security professionals, DevOps engineers, and anyone looking to improve their skills in Kubernetes offensive security.

Are you looking for a solution for identifying the API attack surface? OWASP Noir is an open-source project specializing in identifying attack surfaces for enhanced whitebox security testing and security pipelines. This includes the capability to discover API endpoints, web endpoints, and other potential entry points within source code for thorough security analysis.

Threat-Composer is a tool designed to help developers identify and address security issues early in the design phase. Ideal for security professionals and developers, it offers insights, iterative modeling support, and a collaborative platform to enhance software security.

Are you struggling with alert fatigue from traditional vulnerability management systems? This article explores the EPSS (Exploit Prediction Scoring System) as a more effective alternative to CVSS for cybersecurity teams. It highlights how EPSS helps prioritize real-world risks, thereby improving response strategies and resource allocation. Ideal for cybersecurity professionals seeking to enhance their vulnerability management practices.

What security vulnerabilities might your infrastructure face? This article introduces a new set of Semgrep rules aimed at identifying vulnerabilities in infrastructure code, particularly focusing on Ruby and HashiCorp Configuration Language (HCL) for Terraform. It’s tailored for security professionals and developers interested in enhancing their code security.

DevSec Selection is a bi-weekly newsletter with the latest outstanding articles related to DevSecOps and application security.
