Last week's must-read news and stories from the DevSecOps community
Zeno
 
Remarkable posts, stories, tools, tutorials and tips from the DevSecOps community!
 
 
Patrons
 
bytevibe.co
 
Awesome Developer Mugs 😎
 
 
Check out our new collection of mugs! Warm your soul with a beautiful mug.
 
 
faun.dev
 
Advertise with FAUN
 
 
FAUNplify your business with developer campaigns that reach more than 95k developers and software engineers. Reach an engaged audience, understand your results with our post-campaign stats, and more!

Meet developers where they are, not where you want them to be. Read more!
 
 
 
From FAUNers 🐾
 
faun.dev
 
IaC Security and Compliance Tools
 
 
6 IaC security and compliance tools you may need to secure your cloud.

By @boldlink
 
 
 
Publication
 
faun.pub
 
Security Patches for Popular 2022 Vulnerabilities
 
 
A quick overview of the most important security patches of 2022, covering the Log4j vulnerability (Log4Shell), cloud data breaches, IoT vulnerabilities, ransomware attacks and credential stuffing.
 
 
 
From the web
 
github.blog
 
SCA vs SAST: what are they and which one is right for you?
 
 
An explanation of two commonly used security tools and how each one can help secure your projects.
 
 
www.philvenables.com
 
Crucial Questions from CISOs and Security Teams   ✅
 
 
This post focuses on the questions from CISOs and security teams. This builds on many related topics covered in the two prior posts on crucial questions from CIOs/CTOs and Boards and executives.
 
 
simonwillison.net
 
You can’t solve AI security problems with more AI
 
 
Prompt injection attacks are where a system backed by an AI language model is subverted by a user injecting malicious input. The fundamental challenge is that large language models remain impenetrable black boxes.

One of the most common proposed solutions to prompt injection attacks is to apply more AI to the problem. This isn’t safe.
 
 
www.bitsight.com
 
BitSight Analyzed Exposed SSO Credentials of Public Companies
 
 
BitSight research found that 25% of the S&P 500, and half of the 20 most valuable public U.S. companies, have had at least one SSO credential for sale on the web.
 
 
medium.com
 
Lambda Networking
 
 
Considering when to apply or not apply VPC networking to a Lambda function and how to secure Lambda networking.
 
 
www.cidersecurity.io
 
How we Abused Repository Webhooks to Access Internal CI Systems at Scale   ✅
 
 
As adoption of CI systems and processes becomes more prevalent, organizations opt for a CI/CD architecture which combines SaaS-based source control management systems with an internal, self-hosted CI solution. Many organizations using such architectures allow these CI systems to receive webhook events from the SaaS source control vendors, for the simple purpose of triggering pipeline jobs.

To allow the webhook requests to reach the internally hosted CI system, the SaaS-based SCM vendors publish the IP ranges from which their webhook requests originate, so those ranges can be allowed through the organization's firewall.

This blog post dives into the potential security pitfalls of this control, and explains why it provides organizations with a false sense of security.
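The weakness of a source-IP allowlist is that every tenant of the SCM vendor can send webhooks from the same published ranges, so the IP check only proves "this came from the vendor", not "this came from our repository". A control that does make that distinction is the per-hook shared secret: GitHub, for example, signs the raw request body with HMAC-SHA256 and sends the result in the X-Hub-Signature-256 header. The following is an added example, not code from the Cider Security post or from any CI product, showing a receiver that checks both the source IP and the signature; the IP range (a documentation range), the secret and the request body are constructed placeholders.

```python
"""Accept an SCM webhook only if it comes from a published vendor IP range
AND carries a valid HMAC signature made with our per-hook shared secret.
Added example; the values below are constructed, not a real deployment."""
import hashlib
import hmac
import ipaddress

# Constructed: stands in for the vendor's published webhook source ranges.
SCM_WEBHOOK_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
# Constructed: the secret configured on our repository's webhook settings page.
WEBHOOK_SECRET = b"example-shared-secret"


def ip_allowed(remote_addr):
    """The firewall-style check on its own: true for ANY tenant of the vendor."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in SCM_WEBHOOK_RANGES)


def sign(body, secret=WEBHOOK_SECRET):
    """GitHub-style signature: 'sha256=' + hex(HMAC-SHA256(secret, raw body))."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_valid(body, header_value, secret=WEBHOOK_SECRET):
    """Constant-time comparison against the header; a missing or
    differently-prefixed header is rejected rather than ignored."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign(body, secret)
    return hmac.compare_digest(expected.encode(), header_value.encode())


def accept_webhook(remote_addr, headers, body):
    """Returns (accepted, reason). Run this before parsing the payload or
    scheduling any pipeline job."""
    if not ip_allowed(remote_addr):
        return False, "source IP not in SCM ranges"
    if not signature_valid(body, headers.get("X-Hub-Signature-256", "")):
        return False, "bad or missing signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed push event body.
    body = b'{"ref":"refs/heads/main","repository":{"full_name":"acme/app"}}'
    genuine = {"X-Hub-Signature-256": sign(body)}
    # An attacker's own repository on the same SaaS vendor: the request arrives
    # from an allowed IP, but is signed with a secret they chose, not ours.
    forged = {"X-Hub-Signature-256": sign(body, b"attacker-chosen-secret")}
    print(accept_webhook("192.0.2.10", genuine, body))   # accepted
    print(accept_webhook("192.0.2.10", forged, body))    # allowed IP, rejected on signature
    print(accept_webhook("198.51.100.7", genuine, body))  # rejected on IP
```

Two caveats a practitioner should keep in mind. First, the signature must be computed over the exact bytes received, before any JSON decoding or re-serialization, or genuine events will fail. Second, the signature check stops a forged event from triggering a job, but the request still reaches the CI host's HTTP listener from an allowed address, so the webhook endpoint itself has to be the hardened, minimal surface; IP allowlisting does not make the rest of the CI system unreachable.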
 
 
www.armorcode.com
 
How to Scale Your Application Security
 
 
What do AppSec maturity levels look like?
 
 
pedrodelgallego.github.io
 
Using Software Bill of Materials to Secure the Software Supply Chain Continuously
 
 
A software bill of materials (SBOM) is similar in nature to a manufacturing bill of materials: essentially, it is a machine-readable inventory of all software components and dependencies used in an application. Software is becoming increasingly complex and increasingly composed. Without an SBOM, organizations lack visibility into the license and security risks associated with the software they are building or consuming.
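What "continuously" means in practice is that the SBOM is re-checked against advisory data whenever either side changes, rather than scanned once at release time. The following is an added example, not code from the linked post or from any SBOM tool, that reads a small CycloneDX 1.4 JSON document and reports components whose purl and version fall inside an advisory's affected range. The SBOM contents are constructed; the advisory list is constructed too, with one real entry (Log4Shell, CVE-2021-44228, simplified to "fixed in 2.15.0" and ignoring the backported fixes for older branches) and one placeholder entry for a made-up package that does not describe a real vulnerability.

```python
"""Match CycloneDX SBOM components against an advisory feed by purl and version.
Added example with constructed data; not the post's or any vendor's code."""
import json
from itertools import takewhile

# Constructed SBOM in CycloneDX 1.4 JSON layout.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.13.4", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
    {"type": "library", "name": "acme-http", "version": "1.4.2", "purl": "pkg:pypi/acme-http@1.4.2"}
  ]
}
"""

# Constructed advisory feed. CVE-2021-44228 is real but its range is simplified;
# EXAMPLE-0001 is a placeholder for a made-up package and is not a real advisory.
ADVISORIES = [
    {"id": "CVE-2021-44228", "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "EXAMPLE-0001", "purl_prefix": "pkg:pypi/acme-http",
     "introduced": "1.0.0", "fixed": "1.4.0"},
]


def version_key(v):
    """Numeric-prefix tuple for each dot component: '2.14.1' -> (2, 14, 1),
    '2.15.0-rc1' -> (2, 15, 0). Good enough for dotted release numbers;
    a real matcher would use the ecosystem's own ordering rules."""
    key = []
    for part in v.split("."):
        digits = "".join(takewhile(str.isdigit, part))
        key.append(int(digits) if digits else 0)
    return tuple(key)


def version_lt(a, b):
    """a < b after padding so that '2.15' == '2.15.0'."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))


def split_purl(purl):
    """Strip qualifiers (?...) and subpath (#...), then split name@version."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, sep, version = base.rpartition("@")
    return (name, version) if sep else (base, None)


def affected(component, advisory):
    """Affected when purl matches and introduced <= version < fixed."""
    name, version = split_purl(component.get("purl", ""))
    if name != advisory["purl_prefix"] or version is None:
        return False
    return (not version_lt(version, advisory["introduced"])
            and version_lt(version, advisory["fixed"]))


def find_vulnerable(sbom_json, advisories):
    """Return [(purl, advisory id), ...] for every affected component."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [(comp["purl"], adv["id"])
            for comp in bom.get("components", [])
            for adv in advisories
            if affected(comp, adv)]


if __name__ == "__main__":
    for purl, adv_id in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {purl}")
```

The point of keying on the purl rather than on the display name is that the same library name can exist in several ecosystems; the purl carries the ecosystem and namespace, so a match is unambiguous. Re-running this check against a fresh advisory feed on a schedule, with the SBOM produced by the build, is what turns a one-time scan into continuous supply-chain monitoring.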
 
 
bishopfox.com
 
(In)Secure by Design
 
 
Improve your organization's application security by applying secure design patterns, avoiding anti-patterns, and adding security architecture analysis.
 
 
www.computerweekly.com
 
Security Think Tank: Creating a DevSecOps-friendly cyber strategy
 
 
When slowing down is not an option, you need to find a security strategy that is DevSecOps friendly, says Airbus Protect's Olivier Allaire.
 
 
 
Quick Hits
 
 
Ox Security lands $34M in seed funding to strengthen software supply chains. Ox's promise is to automatically block risks introduced into the pipeline and to ensure the integrity of each workload, all from a single location.
 
 
Cado Security announced the availability of its platform in the Microsoft Azure Marketplace, an online store providing applications, and services for use on Azure. Cado Security customers can now take advantage of the productive and trusted Azure cloud platform, with streamlined deployment and management.
 
 
Cloud migration yields security gains, even in the heavily regulated financial services and healthcare sectors, according to a new report commissioned by digital services provider Presidio.
 
 
Zero-trust security startup Illumio Inc. announced a new endpoint solution designed to prevent breaches from spreading to clouds and data centers from laptops.
 
 
With the latest addition of Difenda Microsoft Information Protection & Governance, Difenda now offers eight managed and professional security services on the Microsoft Azure Marketplace, an online store providing applications and services for use on Azure. 
 
 
Endpoint security firm SentinelOne announced a $100 million venture fund that the publicly traded company will use to invest in other security startups.
 
 
MS-SQL servers with weak protection are being targeted: an ongoing campaign is trying to distribute the FARGO ransomware to as many Microsoft SQL servers as possible, experts have found.
 
 
Jobs
 
 
- Stream is looking for a Remote DevOps Engineer (Visa sponsorship).
- Code.org is looking for a Remote Software/Security Engineer.

🚀 Get featured in our weekly newsletters (95k subscribers) and Linkedin page (18k followers) by posting your job to JobsForDevOps.com
 
 
Tools
 
github.com
 
Razor-Sec/go-sonar-scanner
 
 
A tool for applying a custom quality gate when running SAST scans in SonarQube.
 
 
github.com
 
Arachni/arachni
 
 
Web Application Security Scanner Framework
 
 

Zeno #341: How we Abused Repository Webhooks to Access Internal CI Systems at Scale
Legend: ✅ = editors' choice / ♻️ = Old but gold / ✨ = sponsored / 🔰 = beginner friendly

🐾 FAUN is a worldwide community of developers 👣 We help developers learn and grow by keeping them up with what matters.
