April 21, 2023
Web Security Headers, Elementor Plugin Flaw, Embassy Tech Pros
In this Episode:
5 Steps for Securing Your Software Supply Chain
Radical Transparency: Cybersecurity can impact business wins
RBAC exploit in K8s
Hey, it’s 5:05. Thanks for being here on Friday, April 21st, 2023 from the Sourced podcast Network in Camp Hill, Pennsylvania. This is your host, Bob Bannon. Stories in today’s episode, come from Edwin Kwan in Sydney, Australia, Mark Miller in New York, Katy Craig in San Diego, California, and Shannon Lietz in San Diego California. Pokey will be back on Monday, but for now I still have the controls. Let’s get to it.
[00:00:00] Edwin Kwan: This is Edwin Kwan from Sydney, Australia.
RSA Conference just published an article that I’ve written on the five steps for securing your software supply chain. Most modern applications are assembled from open source components with developers typically writing less than 15% of the code for their application. As the demand for open source software grows, there’s also an increase in the number of available open source software.
However, not all open source components are created equally or maintained properly. As a result, we are seeing an increase in software supply chain attacks. That increase is on average around 742% per year.
The five steps for securing your software supply chain are
#1) Having a software bill of materials or SBOM so that you understand your organization’s exposure when vulnerabilities are discovered.
#2) Performing due diligence and scanning for vulnerabilities.
#3) Having a centralized artifact repository so that only approved software is used.
#4) Keeping your software up to date so that you’re not using still components.
#5) And lastly, running a web application firewall or WAF so that you can deploy mitigating controls and give the development team additional time to remediate.
Check out the article on RSA Conference for more details.
[00:02:08] Mark Miller: The research team at Aqua have discovered evidence that attackers are exploiting Kubernetes role-based Access Control. Aqua named this attack RBAC Buster.
This is Mark Miller calling in from Albuquerque, New Mexico on the way to San Francisco for the RSA Conference.
For those of you new to the game, RBAC restricts network access based on a person’s role within an organization. Aqua noticed the adversarial activity on one of their K8s honeypots. Initial access was gained via a misconfigured API server that allowed unauthenticated requests from anonymous users with privileges.
Michael and Asif from Aqua have documented their research along with code examples and descriptions. You can find a link to their research at 505updates.com.
Just a quick reminder, most of the 5:05 team will be at the RSA Conference in San Francisco next week. Please pull us aside if you’re in the area. You can easily find us at the DevOps Connect Monday sessions at Moscone. If you can’t attend the conference, join us here each day online at 5:05 PM for updates from the conference.
[00:03:30] Katy Craig: Large language models or LLMs like ChatGPT, are trained on ginormous datasets like Google’s Colossal Clean Crawled Corpus dataset of over 15 million websites. The datasets used to train the AI marvels are critically important and help us understand the sources of information that power them because as the saying goes, “garbage in, garbage out”.
This is Katy Craig in America’s finest city, San Diego, California.
The Washington Post conducted research into the data sets used to train LLMs, and found that they are dominated by websites from industries such as journalism, entertainment, software development, medicine, and content creation. Among the top contributors to the dataset are patents.google.com, which houses text from patents issued globally, wikipedia.org, the ever popular free online encyclopedia and scribd.com, a subscription-based digital library.
But, the data set also includes b-ok.org, a known market for pirated eBooks that has since been seized by the US Justice Department. Why? Along with b-ok.org, at least 27 other sites identified by the US government as markets for piracy and counterfeits made their way into the data set .Again. Why?
There were also Florida and Colorado voter registration sites, as well as white supremacist sites. Religious sites are skewed toward the west and censorship and filtering block LGBTQ+ content while allowing swastikas and porn.
Using information from diverse industries helps to refine the AI’s knowledge and understanding, enabling it to generate more accurate and relevant responses. However, it also raises concerns about the ethical implications of using data from sources that engage in piracy and counterfeiting activities or that contain inherent biases and bigotry.
By understanding and addressing these concerns, we can work towards building more responsible and trustworthy AI systems.
This is Katy Craig. Stay safe out there.
[00:06:15] Shannon Lietz: A recent survey shared that cybersecurity can impact business wins.
This is your Radical Transparency segment with Shannon Leitz, recording from San Diego, California.
Last month, trend Micro shared the results of their risky rewards report providing insights about cybersecurity in business that build onto a changing tide within the industry highlighted by CISA.
Some highlights: In this report, Trend Micro shared that while 51% of survey respondents believe that cybersecurity is not a revenue contributor, 81% were actually concerned that not having cybersecurity credentials could impact new business opportunities. And 19% admitting that it already has.
79% of business decision makers also admit they are increasingly being asked about cybersecurity during negotiations with prospects and suppliers. Nearly two thirds of , business decision makers intend to increase security investments this year.
So what does this all say?
This tells me that cybersecurity is quickly evolving and that while we’re all thinking about this top of mind, that transparency is becoming a critical and crucial part of the go forward for big business.
Great job Trend Micro and all of the respondents for the survey.
That’s it for today’s Open Source cybersecurity update. The links to all stories and resources mentioned in today’s episode are available at 5:05 updates.com, where you can download the transcripts for easy reading or listen to our ever-growing library of more than 100 episodes. 5:05 is a sourced network production with updates available Monday through Friday on your favorite audio streaming platform. Just search for it’s 5:05. Also while you. Please subscribe. Thanks to Edwin Kwan, Mark Miller, Katy Craig , and Shannon Lietz. for today’s contributions. The executive, producer and editor is Mark Miller. The sound engineer is Bob Bannon. Music for today’s episode is by Blue Dot Sessions. We use Descript for spoken text editing and Audacity to layer in the soundscapes. The show distribution platform is provided by Captivate.fm. This is Bob Bannon, talk at you again when Pokie’s on vacation. Tune in on Monday with Pokie for It’s 5:05
Shannon LeitzCEOCum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus.