Resilient Cyber Newsletter #11
Deep Dive into Security for AI, AWS Claims to Save 4,500 Developer Years with AI, What is Cloud Detection & Response (CDR) and Making Sense of the Application Security (AppSec) Product Market
Welcome
Welcome to another issue of the Resilient Cyber Newsletter!
It’s a bitter sweet week, as my little ones go back to school, that said the house will be just a bit quieter these days as well.
A lot of great resources this week across AI, AppSec and Security leadership, so let’s dig in!
Interested in sponsoring an issue of Resilient Cyber?
This includes reaching over 6,000 subscribers, ranging from Developers, Engineers, Architects, CISO’s/Security Leaders and Business Executives
Reach out below!
Cybersecurity Leadership & Market Dynamics
Confusion About D&O Insurance
One topic that has gotten attention due to recent cases such as SolarWinds vs. the SEC and other cases involving the CISO it the topic of Directors & Officers (D&O) insurance. This of course is due to CISO’s and Security leaders now seeking protections as they find themselves at the center of litigation and liability discussions.
Joe Sullivan, former Uber CISO who found himself at the center of a legal battle recently penned an article on D&O insurance, including a link to a video that discusses the topic as well.
This is something CISO’s increasingly need to be familiar with to ensure they are protected and carry themselves in a way that mitigates their chances of legal troubles.
Zero Trust and AI Remaining Top Federal Cyber Priorities
It was recently disclosed that the 2025 Federal budget request includes nearly $13 billion in cybersecurity spending, a jump of 10% more than last year, including a large portion set-aside for Zero Trust initiatives.
Okta Announces SaaS Startup Competition
Okta recently announced a SaaS Startup Competition, where early stage startups within the US can be evaluated and potentially receive a cash investment and support from Okta.
This includes an emphasis on the utilization of identity enabled workflows within the product and how to innovative on identity-enabled applications.
Venture Distributed to Paid-In Trends
I was recently reading a weekly edition of “The Cyber Why” when I caught a story titled “Venture Bottom or Death Spiral”. It discusses the Carta Report “VC Fund Performance: Q1 2024” that was published by the Carta data research team on August 16th.
It discusses how venture funds from 2022 until now have deployed only 43% of their cash after two years, the slowest pace ever and less than 10% of 2021 funds have seen a dime from investments in terms of returns yet.
While on the surface these metrics may be alarming (and there’s no denying a slowdown in VC, IPO’s etc. due to higher interest rates). That said, as documented by David Clark of VenCap International, they demonstrated it takes 10-12 years for a company to go from founding to IPO, and the best performing firms often don’t have high DPI’s by year 5.
Venture, like most things in life, is a long game, requiring patience, persistence and discipline.
AI
Deep Dive into the Security for AI Ecosystem
Businesses continue to rapidly adopt and explore AI. With that, there's been a ton of innovation and activity in the security ecosystem when it comes to securing its use.
That's why this Deep Dive Into the Security for the AI Ecosystem from Francis Odum and Alayzain (Zain) Rizavi is timely.
It provides a comprehensive overview and look at:
The evolving landscape of AI Security
Metrics and insights around enterprise adoption of AI/LLM's
The various categories of AI security from supply chain, governance, runtime, models and more
Current and future anticipated budget allocations for security for AI
Whether you're an AI-focused startup, looking to buy tools to help secure your organizations AI usage or just a practitioner trying to understand the various ways AI can be exploited and secured - this is a solid read.
I definitely recommend checking it out!
Microsoft Copilot Studio Exploit Leaks Sensitive Cloud Data
A story broke about a server-side request forgery (SSRF) vulnerability in Microsoft Copilot recently. It was identified by Tenable researchers and they said they used it to exploit access to Microsoft internal infrastructure, including the Instance Metadata Service (IMDS) and Cosmo DB.
This of course is concerning because of Copilot being a multi-tenant cloud service offering, and concerns about tenant isolation, data confidentiality and privacy. The researchers said they were able to access cloud data and services from multiple tenants.
These sort of concerns will only grow with AI adoption, especially via Cloud and as-a-Service models.
AWS Claims to Save 4,500 Years of Developer Work
In a story that broke last week, Amazon CEO Andy Jassy took to twitter claiming the organization saved 4,500 years of developer work through the use of Amazon’s GenAI service, Amazon Q for development work, specifically Java upgrades.
Speaking to the accuracy of the service, Andy claimed the developers were shipping the auto-generated code reviews without any additional changes 79% of the time.
This of course is a massive claim in terms of the utility and accuracy of the GenAI code generating/updating activity, especially as other academic reports point to the fact that GenAI coding is often rife with issues, defects and requires human correction before shipping to production.
This announcement came on the hears of a recent fireside chat with AWS CEO Matt Garman who predicted that the use of AI and GenAI could lead to a situation where “most developers are no longer coding as AI takes over”.
AppSec, Vulnerability Management and Software Supply Chain Security
Making Sense of the Application Security Product Market
Let's face it, the modern Application Security (AppSec) landscape is complex..
Acronyms abound, overlapping and duplicative product categories, blurred lines between platforms and products, roles and responsibilities among teams and practitioners and more.
This article by James Chiappetta "Making Sense of the AppSec Product Market" is literally one of the best AppSec articles I've read in 2024 yet.
The convergence between Cloud, App/Product, and SaaS within AppSec and the underlying acronyms and users
The need for context to drive remediation, ROI and effectiveness
How to strategically approach the product landscape when building AppSec programs
The emergence of ASPM, what it is, and what it isn't
If you're passionate about AppSec and modern secure software development, this one is a MUST read.
Strangler Pattern
If you’ve been involved in legacy modernization efforts, you’ve inevitably heard of the “strangler pattern”, coined after a blog from industry leader Martin Fowler.
Martin recently updated that blog, and joked that he had never used the phrase since the original blog, despite it catching on across the industry. The stranger pattern is often used as a methodical gradual approach to replacing, upgrading and modernizing legacy IT systems and software.
He lays out this pattern which includes a gradual process of modernization with small additions, new features, often built on top of the legacy system as aspects of the legacy system are moved to the new code base.
If you’re working in large enterprise environments, this pattern and methodology is key, as the intuitive approach of just ripping and replacing legacy systems isn’t something that works in reality due to dependencies, organizational workflows, existing business processes and more.
Martin’s blog not only speaks to the strangler pattern, but also touched on common mistakes that occur when pursuing legacy modernization initiatives.
The article lays out four high-level activities that should be done as part of the strangler approach:
Understand the outcomes you want to achieve
Decide how to break the problem into smaller parts
Successfully deliver the parts
Change the organization to allow this to happen on an ongoing basis
(I would argue this pattern can apply to many goals and areas of our life, well beyond the IT profession).
Google Cloud New Security Capability
Coming off of the heels of the hype around the potential acquisition of Wiz, Google Cloud rolled out new security related services and capabilities as part of their Google Cloud Security Summit.
Ironically, some have joked the capabilities, part of GCP’s Security Commend Center (SCC), which they positioned as a Cloud-Native Application Protection Platform (which is what Wiz also is), as having a striking similarity to the acquisition target.
What is Cloud Detection and Response (CDR)?
As we continue to see organizations adopt cloud and lean into containerization and orchestration (e.g. Kubernetes), new categories of vendors have emerged to handle detection and response in the cloud.
Among them is runtime security vendor Rad Security (whom I’m an advisor with). I previously have discussed RAD, including being both an RSA Innovation Sandbox nominee and BlackHat Spotlight company in 2024.
In an recent article, they break down what CDR ism how it works, and why it is needed to tackle emerging and relevant threats in cloud runtime environments. Most notably in the article they highlight some critical stats that help highlight the need for CDR:
95% of new application workloads are predicted to be deployed on cloud-native platforms by 2025, but 90% running containers and Kubernetes in the cloud say they had a breach in the last year
Despite 60% of the Enterprise IT spend in 2024 being dedicated to detection and response, only ⅓ of current incidents are detected by internal tools
95% of IT security leaders feel their team has been negatively impacted by the cloud security skills gap, and a full 70% of organizations have containers running in production
Less than a third of respondents consider the security team to be responsible for Kubernetes security, but authorization in Kubernetes using Kubernetes RBAC was a critical prerequisite in 3 of the 4 attacks targeting Kubernetes in 2023
Building Resilient Software: Secure-by-Design, Transparency, and Governance Remain Key Elements
I had a chance to join Sean Martin and the Redefining Cybersecurity Podcast for a wide-ranging discussing on software supply chain security, AppSec and vulnerability management.
Below are some of the key questions addressed during the discussion!
How can organizations ensure transparency and security in their software supply chains?
What strategies can be implemented to address the challenges of vulnerability management?
How can platform engineering and internal governance improve software security within organizations?