DevSecOps Weekly Newsletter, Zeno. Curated DevSecOps news, tutorials, tools and more!
🌐 View in your browser   |  ✍️ Publish on FAUN   |  🦄 Become a sponsor
 
Allow loading remote contents and showing images to get the best out of this email.
Zeno
 
 
 
 

🎉🔗 Tech Enthusiasts, Assemble! 🔗🎉

Calling all DevOps heroes, Kubernetes sailors, Golang wizards, and Cloud-natives! 🚀
FAUN has Subreddits just waiting for you. Join the community, where sharing is caring, and knowledge is limitless! 🌟


Engage in thought-provoking discussions, share your mighty projects, soak in wisdom from industry gurus, and forge bonds with tech aficionados around the globe! 🌍🔗💬

The realms of knowledge are infinite – let's explore them together! 🚀🔥

 
 
🔗 From the web
 
www.gosecure.net www.gosecure.net
 
AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice
 
 
The Microsoft SQL Server has an undocumented design choice that allows it to bypass web application firewalls (WAFs) due to a lax attitude towards SQL parsers. This unorthodox design choice can potentially be exploited by hackers to bypass security protections provided by WAFs.
 
 
security.googleblog.com security.googleblog.com
 
Supply chain security for Go: Compromised dependencies
 
 
The rise in supply chain attacks on software has made it crucial for open-source developers using Go to monitor and assess the risks of their dependencies. Go provides built-in protections to help trust the integrity of packages, including the ability to detect and prevent malicious versions or withdrawals of dependencies.
 
 
blogs.manageengine.com blogs.manageengine.com
 
MOVEit zero-day exploit: Ongoing updates and what's next
 
 
Late in May, a SQL injection vulnerability was discovered in the file sharing application Moveit Transfer, leading to a potential breach of high-profile customer data. The Clop ransomware gang is believed to be behind the attack, using the exploit to target multiple organizations.
 
 
labs.hakaioffsec.com labs.hakaioffsec.com
 
Hunting for Nginx Alias Traversals in the wild   ✅
 
 
Nginx, a dominant web server since 2004, is widely used across websites and Docker containers. This article explores Nginx's intricacies, including the location and alias directives, potential vulnerabilities arising from misconfigurations, and real-world case studies showcasing the risk of data exposure.
 
 
www.wiz.io www.wiz.io
 
How to get rid of AWS access keys – Reducing Privileges
 
 
Reduce privilege and tighten IAM policy by identifying and removing unnecessary access keys, using IAM access advisor for service level adjustments, and considering alternative authentication solutions to minimize risk associated with AWS access keys.
 
 
x64.sh x64.sh
 
ServiceNow Insecure Access Control To Full Admin Takeover
 
 
A vulnerability in ServiceNow allows a low-privilege user to gain unauthorized full administrative access to the platform. By exploiting certain vulnerabilities, such as insecure access control and session token manipulation, an attacker can escalate their privileges from a standard user to an administrator on the ServiceNow instance.
 
 
kubernetes.io kubernetes.io
 
Use Confidential Virtual Machines and Enclaves to improve your cluster security   ✅
 
 
Confidential computing, using hardware-enforced trusted execution environments (TEEs) like secure enclaves, improves cluster security in the cloud-native ecosystem, particularly in Kubernetes. TEEs provide a secure and trusted execution environment for critical cryptographic operations and protect sensitive data, while technologies like AMD SEV, Intel SGX, and Intel TDX offer TEE capabilities that are closely integrated with the userspace, providing low overhead and specific use case optimizations.
 
 
media.defense.gov media.defense.gov
 
NSA and CISA's Cybersecurity Information Sheet for DevSecOps   ✅
 
 
This CSI explains how to integrate security best practices into typical software development and operations (DevOps) Continuous Integration/Continuous Delivery (CI/CD) environments, without regard for the specific tools being adapted, and leverages several forms of government guidance to collect and present proper security and privacy controls to harden CI/CD cloud deployments. As evidenced by increasing compromises over time, software supply chains and CI/CD environments are attractive targets for malicious cyber actors (MCAs).
 
 
obkio.com obkio.com
 
What is Packet Duplication & How to Identify It   ✅
 
 
Unleash your inner network admin and conquer the mystery of packet duplication in the digital landscape of modern business. Learn how to identify and mitigate packet duplication to maintain data integrity and optimize network performance.
 
 
positive.security positive.security
 
Hacking Auto-GPT and escaping its docker container
 
 
Auto-GPT arbitrary code execution and docker escape: Researchers discovered a vulnerability in Auto-GPT that allowed attackers to execute arbitrary code by injecting prompts and manipulating the user approval process. They also found a method to escape the Auto-GPT docker image and gain access to the host system. These vulnerabilities were addressed in version 0.4.3.
 
 

 
⭐ Supporters
 
leanpub.com leanpub.com
 
Exclusive 20% Discount on "Cloud Native Microservices With Kubernetes" - Limited Time Offer!
 
 

We are thrilled to announce a special offer for our widely acclaimed book, "Cloud Native Microservices With Kubernetes - A Comprehensive Guide to Building, Scaling, Deploying, Observing, and Managing Highly-Available Microservices in Kubernetes".

Starting today and running until July 31st, we're offering an exclusive 20% discount off the regular price!

To take advantage of this offer, simply use this coupon link .

Don't miss this opportunity. Remember, the offer is only valid until July 31st. Grab your copy now and unlock the full potential of cloud-native microservices with Kubernetes!

We look forward to empowering your journey in the world of cloud computing!

Happy learning!
FAUN Team

 
 
👉 Spread the word and help developers find you by promoting your projects on FAUN. Get in touch for more information.
 
🛍️ Swag Store
 
 
ByteVibe New Arrivals: Desk Mats
 
❤️ 20% exclusive discount for FAUNers on all products (+free shipping included) when you use the code "THANKSFAUN".
 
ℹ️ News
 
cloud.google.com cloud.google.com
 
GKE Security Posture now generally available with enhanced features
 
 
Google Kubernetes Engine (GKE) has announced the availability of its security posture dashboard, which offers a streamlined interface for managing the security of GKE clusters. The dashboard includes features such as misconfiguration detection and vulnerability scanning to ensure the safety and security of applications in large and complex clusters.
 
 
 
⚙️ Tools
 
github.com github.com
 
americanexpress/earlybird
 
 
EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.
 
 
github.com github.com
 
GTFOBins/GTFOBins.github.io
 
 
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems
 
 
github.com github.com
 
SecurityLab/actions-permissions
 
 
Token permissions Monitor and Advisor actions
 
 
👉 Spread the word and help developers find and follow your Open Source project by promoting it on FAUN. Get in touch for more information.
 
🤔 Did you know?
 
 

The Apollo 11 guidance computer, which helped land humans on the moon, had less processing power than a modern-day smartphone.

 
 
😂 Meme of the week
 
 
 
 
❤️ Thanks for reading
 
 
👋 Keep in touch and follow us on social media:
- 💼LinkedIn
- 📝Medium
- 🐦Twitter
- 👥Facebook
- 📰Reddit
- 📸Instagram

👌 Was this newsletter helpful?
We'd really appreciate it if you could forward it to your friends! You can also donate to help us keep this newsletter going.

🙏 Never miss an issue!
To receive our future emails in your inbox, don't forget to add community@faun.dev to your contacts.

ℹ️ Have a question or feedback?
Feel free to reply to this email. We'd love to hear from you!

🤩 Want to sponsor our newsletter?
Reach out to us at sponsors@faun.dev and we'll get back to you as soon as possible.
 

Zeno #381: NSA and CISA's Cybersecurity Information Sheet for DevSecOps
Legend: ✅ = Editor's Choice / ♻️ = Old but Gold / ⭐ = Promoted / 🔰 = Beginner Friendly

You received this email because you are subscribed to FAUN.
🐾 FAUN is a world wide community of developers 👣 We help developers learn and grow by keeping them up with what matters.

You can manage your subscription options here (recommended) or use the old way here (legacy). If you have any problem, read this or reply to this email.

Important: We are gradually migrating to a new system. If you don't create an account on FAUN (here), you will stop receiving our weekly newsletter.