Weekly Short Reads #5

Weekly Product Security Newsletter to stay updated on what's happening

I share weekly blog posts and book articles directly to your inbox, providing all the links product security engineers need to stay updated on what's happening across various domains. If you enjoy these weekly short reads, please post on social media to show support for the RAM newsletter. I appreciate your time spent here.

GRC

  1. NIST's revision of its password requirements. This is a welcome change and a move toward reasonable security https://www.linkedin.com/feed/update/urn:li:activity:7244828964349730816/

Appsec

  1. Ways we get non-actionable findings from third-party security scanners, and how to identify them https://bughunters.google.com/blog/6302522760626176/non-actionable-findings-in-3rd-party-security-scanners-and-how-to-identify-them

  2. AI security review report by Trail of Bits. The report contains good information https://github.com/trailofbits/publications/blob/master/reviews/2023-03-eleutherai-huggingface-safetensors-securityreview.pdf https://www.returnonsecurity.com/p/the-evolution-of-email-security

  3. Security organisation transformation model released by Google's Office of the CISO. It gives an idea of how security organisations evolve, integrate, and streamline during a digital transformation https://services.google.com/fh/files/misc/organizing_security_digital_transformation.pdf

Cloudsec

  1. fwd:cloudsec Europe 2024 https://www.youtube.com/watch?v=oD-d9B71yLo&t=27623s

  2. Google Zanzibar, a centralised authorization model https://www.osohq.com/learn/google-zanzibar

  3. Google released Certificate-Based Access, which grants access only to devices that hold an enrolled certificate, restricting access by device rather than by network. For more robust access control, certificate-based access is harder to break than network-based access. https://cloud.google.com/beyondcorp-enterprise/docs/securing-resources-with-certificate-based-access

  4. Rami McCarthy does a good job of laying out the adapt-and-buy options in AWS https://speakerdeck.com/ramimac/beyond-the-aws-security-maturity-roadmap?slide=26

Trends/General

  1. We have a new term in town, GenOps. Google has good coverage of what GenOps is https://cloud.google.com/blog/products/devops-sre/genops-learnings-from-microservices-and-traditional-devops/

  2. An interesting listen: the Resilient Cyber podcast on AIBOM and how it is progressing with AISUF
    a. https://resilientcyber.substack.com/p/resilient-cyber-w-helen-oakley-exploring 
    b. https://aisuf.org/#6400643f-1716-4a2c-a7af-f577b92c5e0a

  3. Jeevan lays out the salary and compensation strategies used in organisations. https://www.gyan.ca/things-to-know-about-your-tech-salary/

  4. James Berthoty explains the zero-day vulnerabilities disclosed in CUPS. He further explains the problems in the vulnerability disclosure process and goes on to cover which tools on the market help in handling zero-day vulnerabilities. https://pulse.latio.tech/p/cups-vulnerability-response-resources
    a. Wiz blog on remediating the CUPS vulnerabilities https://www.wiz.io/blog/openprinting-cups-vulnerabilities-cve-2024-47076-cve-2024-47175-cve-2024-47176-cve-2024-47177

  5. Dropbox on securing its LLMs using Lakera Guard https://dropbox.tech/security/how-we-use-lakera-guard-to-secure-our-llms

Tech

  1. Will explains testing and validation strategies. This is a good blog post on testing strategies
    https://lethain.com/testing-strategy-iterative-refinement/

  2. Wartime mode vs. peacetime mode of operations, explained by Manas https://manassaloi.com/2024/09/11/founder-mode.html

  3. John Cutler released Miro roadmap boards, which can be used as a reference
    https://cutlefish.substack.com/p/tbm-311-roadmapping-miro-board-and
