Weekly Short Reads #6

Weekly Product Security Newsletter to be updated on what's happening

I share weekly blog posts and book articles directly to your inbox, providing all the links product security engineers need to stay updated on what's happening across various domains. If you enjoy these weekly short reads, please post on social media to show support for the RAM newsletter. I appreciate your time spent here.

GRC

  1. https://x.com/IndianCERT/status/1841841549300162746 - CERT-In has published SBOM guidelines. This is a welcome move, as the Indian government is adopting transparency.

  2. https://www.fca.org.uk/news/press-releases/fca-fines-starling-bank-failings-financial-crime-systems-and-controls - Starling Bank has been fined £29 million by the UK Financial Conduct Authority (FCA) for failing to properly screen accounts and transactions that potentially violated government sanctions. This penalty highlights serious shortcomings in the bank's anti-money laundering (AML) and sanctions compliance programs, as it failed to detect and prevent transactions linked to sanctioned individuals or entities.

  3. https://www.dataprotectionreport.com/2024/09/california-and-artificial-intelligence-watermarking-law/ - California has enacted a new law that mandates the availability of AI detection tools to the public at no cost, taking effect on January 1, 2026. This legislation aims to increase transparency and accountability by helping users detect AI-generated content across various platforms.

Appsec

  1. https://security.googleblog.com/2024/10/evaluating-mitigations-vulnerabilities.html - Google's security team has shared unique insights into the economics of attackers, focusing on ways to disrupt the profitability of their operations. By understanding how attackers make decisions based on cost, time, and effort, Google explores strategies to destabilize their business models. One key takeaway is to avoid linear thinking when hardening defenses: simply adding more layers of security may not always be effective. Instead, it's about introducing unpredictability and complexity into defenses, making it harder for attackers to maintain consistent and profitable operations. By doing this, organizations raise the bar for attackers, forcing them to expend more resources while reducing the success rate of their exploits. This approach shifts security efforts from merely identifying and fixing bugs to understanding and breaking the economics that sustain cyberattacks.

  2. https://cycode.com/blog/why-aspm-requires-an-independent-approach-exploring-the-role-of-aspm-vs-cnapp-part-1/ - Cycode offers a detailed explanation of Application Security Posture Management (ASPM) and compares it with Cloud-Native Application Protection Platforms (CNAPP). It's an insightful read that highlights the differences and unique benefits of each approach.

Cloudsec/SRE

  1. https://www.wiz.io/blog/cloud-logging-tips-and-tricks - Alice Klimovitsky has shared a comprehensive guideline on logging sources across various cloud service providers (CSPs). This resource serves as a useful reference for understanding how to collect logs efficiently from different cloud platforms.

  2. https://monitoring2.substack.com/p/ai-agents-invade-observability - Clay Smith explains the rise of AI agents in the observability domain and the need for benchmarks.

  3. https://www.tryparity.com/blog/how-and-why-we-made-srebench-swebench-for-k8s - In a landscape crowded with numerous AI products, benchmarking becomes essential for distinguishing your offering from the competition.

AI Security

  1. https://bishopfox.com/blog/brokenhill-attack-tool-largelanguagemodels-llm - Bishop Fox has released the Greedy Coordinate Gradient Attack Tool, a new tool developed from their research on adversarial attacks in machine learning (https://arxiv.org/pdf/2307.15043).

  2. https://embracethered.com/blog/posts/2024/chatgpt-macos-app-persistent-data-exfiltration/ - A recent vulnerability has been identified in the ChatGPT macOS desktop application that could potentially allow data exfiltration.

General

  1. https://theskip.substack.com/p/the-burnout-paradox-in-tech - Nikhyl Singhal offers valuable insights on managing burnout, a common issue in today's fast-paced work environments.

  2. https://martinfowler.com/articles/legacy-modernization-gen-ai.html#DiscoveringACapabilityMapOfASystem - How GenAI could be used with AST graphs to generate requirements and help with system review.
