Intro
Hi everyone!
I hope you’re doing great. This edition is a little later than usual because I went down a rabbit hole last week, working on a personal project using the recently released Claude 3.7 Sonnet LLM and GitHub Copilot in agentic mode.
I’m a developer who started programming about 15 years ago. Having worked primarily with web applications, I’ve observed how development practices have evolved over time. While I currently work as a security engineer, I’m still actively developing and learning new things. To be fair, no matter what setup you use for development, LLMs can significantly speed up the workflow. When I find the time, I’ll write a dedicated blog post about my personal setup, where I can control how I implement things and which files should be adjusted to reduce potential issues introduced accidentally.
Since I’ve already touched on the AI topic, I’d recommend checking out this insightful article – Can AI Actually Find Real Security Bugs? It compares the latest large language models for vulnerability detection with traditional SAST tools.
If you’re a penetration tester or a bug bounty hunter, you might be interested in Leaking the Email of Any YouTube User for $10,000, which explains how leaked identifiers could be exploited to obtain users’ email addresses.
For cloud security professionals, there is an excellent research piece on a name confusion attack that can be performed when using Amazon Machine Images (AMI) in AWS – whoAMI: A Cloud Image Name Confusion Attack.
For DevSecOps, application security engineers and developers, I recommend taking a look at this repository – Semgrep Rules for Detecting Malicious Code. It may help you identify first-party malicious code placed in your repositories.
Enjoy the materials and stay secure!
Materials
🤖 Can AI Actually Find Real Security Bugs?
Can AI effectively identify real security vulnerabilities in code? This article explores experiments using recent large language models (LLMs) for vulnerability detection. It discusses performance comparisons with traditional static analysis tools, making it valuable for developers, security professionals, and researchers interested in AI applications for cybersecurity.
🛠️ Semgrep Rules for Detecting Malicious Code
How can you protect your codebase from first-party malicious code? This repository contains Semgrep rules to detect dynamic code execution and obfuscation, patterns found in most malicious code incidents reported to this day. According to the repo’s description, only rules with low false-positive rates and strong correlation with malicious code are included.
🕵️ whoAMI: A cloud image name confusion attack
This article discusses “whoAMI”, a name confusion attack affecting AWS users who use Amazon Machine Images (AMI). The attack could be used to perform supply chain attacks against organisations using AWS. Recommended for cloud security professionals and developers using AWS technologies.
🕵️ Leaking the email of any YouTube user for $10,000
Great research presenting a vulnerability that led to revealing users’ email addresses. It’s a great article for penetration testers and cybersecurity enthusiasts.
🛠️ The OSS Review Toolkit
The OSS Review Toolkit (ORT) is a FOSS policy automation and orchestration toolkit that you can use to manage your (open source) software dependencies in a strategic, safe and efficient manner.
📄 Path Traversal and Remediation in Java
How to remediate Path Traversal in Java? This article focuses on Path Traversal and its risks in Java applications. It explains how attackers can exploit this flaw to access sensitive files and provides remediation recommendations, making it valuable for developers and application security professionals.
📄 Understanding OWASP’s Top 10 list of non-human identity critical risks
What are the critical risks associated with non-human identities in the context of cybersecurity? This article explores the OWASP Top 10 list of risks related to non-human identities, highlighting improper offboarding, secret leakage, and insecure authentication as key concerns. It’s essential reading for IT leaders and cybersecurity professionals seeking to strengthen their organization’s security posture.
📄 How to manage three top Kubernetes security vulnerabilities
How can organizations secure their Kubernetes environments against growing vulnerabilities? This article highlights critical security risks such as insecure container images, poorly managed secrets, and ineffective access control. Aimed at IT professionals and security teams, it provides actionable strategies to enhance Kubernetes security in a landscape of rapid adoption.
🕵️ Airtable Formula Injection – abusing formulas to steal data
Is it possible to perform a formula injection in Airtable? This article explores Airtable Formula Injection, detailing how untrusted input can compromise data security. It outlines exploitation techniques, detection methods, and potential remediation steps. It’s a must-read for web developers and security professionals aiming to safeguard their applications.