📡 Cybersecurity Innovation Pulse #19: OpenTF Manifesto; MongoDB Queryable Encryption; Aligning AI w/ Human Values?; and More.
Covering Aug. 10th - 17th of 2023
Welcome to Issue 19 of the Cybersecurity Innovation Pulse! I'm Darwin Salazar, your guide to the dynamic world of cybersecurity innovation. Each week, I deliver the latest on product launches, groundbreaking innovations, strategic collaborations, and other developments at the intersection of innovation and cybersecurity. If you find value in these updates, consider becoming a paid subscriber for access to our archive and exclusive posts. Subscribing ensures you receive these insights directly, saving time and keeping you ahead of the curve.
Now that the smoke has cleared and we’re a few days removed from Hacker Summer Camp, I feel that it’s a good time to look at all that has transpired over the past week. Before jumping into things though, you should go check out this LinkedIn masterclass my friend Day Johnson put together on AWS Threat Detection 🔥. Even if you’re not a blue teamer, there’s tons to learn from the course. Now, let’s get into this week’s latest stories moving the needle of innovation in cybersecurity!
The Security Implications of HashiCorp Adopting BSL and What the OpenTF?
Last week, HashiCorp announced that it is moving its open-source projects, including Terraform, from the Mozilla Public License (MPL) v2.0 to the much more restrictive Business Source License (BSL) v1.1. This sent the tech community into a bit of a frenzy, because tens of thousands of organizations rely on Terraform and its ecosystem (think Spacelift and Terragrunt) to deploy and manage resources via Infrastructure as Code (IaC). The move to BSL could be a dagger to many startups that build on Terraform, and it could force businesses to find alternatives, which would be very painful, especially for large enterprises.
The security implications of HashiCorp's decision are also concerning:
Reduced Scrutiny: BSL is source-available, so the code can still be read, but its restrictions on competing commercial use shrink the pool of contributors and third-party reviewers. Open-source software benefits from many eyes on the code, and fewer eyes means security issues get found and fixed more slowly.
Integration Challenges: Transitioning to an alternative, or maintaining a fork of the last MPL-licensed release, can break CI/CD pipelines (pinned binaries, provider plugins, wrapper tooling), and the quick workarounds teams apply to get pipelines green again are where security gaps tend to open.
Outdated Versions: Organizations that freeze on the last open-source release while they evaluate alternatives, or that adopt a fork that lags upstream, may end up running a Terraform that no longer receives fixes, exposing them to unpatched vulnerabilities.
Potential Misconfigurations: Switching to a different IaC tool means teams have to learn a new language and provider model. That learning curve increases the risk of deploying misconfigured cloud assets, which can inadvertently expose sensitive data or open security holes.
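As an added example (mine, not from the newsletter and not HashiCorp's or OpenTF's code), here is a small Python check a team could run in CI against the "Integration Challenges" and "Outdated Versions" risks above: it flags root modules that do not pin the Terraform binary version or that leave provider constraints unbounded, so a switch to a fork or alternative binary, or a silent provider upgrade, fails the build instead of slipping through. The two HCL snippets are constructed samples, and the regex-based parsing handles only the simple `terraform {}` / `required_providers {}` layout shown; it is not a full HCL parser.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample root modules: one pinned, one not (not real project files).
SAMPLE_CONFIGS: Dict[str, str] = {
    "pinned/main.tf": """
terraform {
  required_version = "~> 1.5.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.12"
    }
  }
}
""",
    "loose/main.tf": """
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
    google = {
      source  = "hashicorp/google"
      version = ">= 4.0"
    }
  }
}
""",
}

# Operators that only set a floor; a constraint made solely of these has no upper bound.
FLOOR_ONLY_OPS = (">=", ">", "!=")


def _block_body(text: str, name: str) -> Optional[str]:
    """Return the text between the braces of the first `name {` block, or None."""
    m = re.search(r"\b" + name + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None  # unbalanced braces


def find_required_version(hcl: str) -> Optional[str]:
    """The required_version constraint from the terraform {} block, if any."""
    body = _block_body(hcl, "terraform")
    if body is None:
        return None
    m = re.search(r'required_version\s*=\s*"([^"]*)"', body)
    return m.group(1) if m else None


def find_provider_constraints(hcl: str) -> Dict[str, Optional[str]]:
    """Map provider local name -> version constraint (None when absent)."""
    body = _block_body(hcl, "required_providers")
    if body is None:
        return {}
    constraints: Dict[str, Optional[str]] = {}
    for name, attrs in re.findall(r"(\w+)\s*=\s*\{([^}]*)\}", body):
        m = re.search(r'version\s*=\s*"([^"]*)"', attrs)
        constraints[name] = m.group(1) if m else None
    return constraints


def is_bounded(constraint: str) -> bool:
    """True if any clause caps the version: "~> 5.12", "= 5.12", "< 6.0" or a bare "5.12.0"."""
    for clause in constraint.split(","):
        clause = clause.strip()
        if clause and not clause.startswith(FLOOR_ONLY_OPS):
            return True
    return False


def audit(configs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, finding) pairs; an empty list means every version is pinned."""
    findings: List[Tuple[str, str]] = []
    for path, hcl in configs.items():
        required = find_required_version(hcl)
        if required is None:
            findings.append((path, "no required_version: any terraform binary (or fork) will run this"))
        elif not is_bounded(required):
            findings.append((path, f"required_version {required!r} has no upper bound"))
        for provider, constraint in find_provider_constraints(hcl).items():
            if constraint is None:
                findings.append((path, f"provider {provider!r} has no version constraint"))
            elif not is_bounded(constraint):
                findings.append((path, f"provider {provider!r} constraint {constraint!r} has no upper bound"))
    return findings


if __name__ == "__main__":
    for path, finding in audit(SAMPLE_CONFIGS):
        print(f"{path}: {finding}")
```

Run against the samples, the pinned module produces no findings and the loose module produces three (no `required_version`, an unconstrained `aws` provider, and a floor-only `google` constraint). Pair this with committing the `.terraform.lock.hcl` lock file so provider checksums are pinned as well as versions.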
Luckily, 30+ organizations and many more individuals have pledged support and resources to keep Terraform open-source via an initiative called “OpenTF”. You can learn more about the plan for keeping Terraform open-source in the OpenTF Manifesto.
White House Expedites Executive Order on AI
The White House is expediting an executive order focused on the responsible and transparent development and deployment of AI in government operations. The directive emphasizes maintaining American leadership in AI and ensuring that AI-powered systems are transparent, accountable, and respectful of civil liberties. It also calls for collaboration between federal agencies on a consistent approach to AI, setting the stage for a more unified and strategic AI adoption across government functions. It’s very rare to see this much urgency and alignment across the board on an executive action, so take this as a sign of how serious things have gotten. Source
DARPA and RTX: Aligning AI with Human Values
The Defense Advanced Research Projects Agency (DARPA) is teaming up with RTX to build AI systems that align more closely with human ethics. They're working on AI models that, in situations like large-scale emergencies or disaster relief, would make choices reflecting human moral principles. My two concerns here are that “human values” vary widely, and that there are serious risks if an attacker tampers with the ethics-based algorithm(s). Based on this and the story covered above, I expect a stronger push to ensure AI is ethical and fair. Source
Security Product Innovation
MongoDB Queryable Encryption Generally Available
MongoDB's Queryable Encryption is now generally available. At a high level, it keeps sensitive fields encrypted for their entire lifecycle: in transit, at rest, in memory on the server, and during query processing, with decryption happening only on the client side in the driver using a customer-controlled key. The database server never sees the plaintext or the keys, so a compromised server or a rogue database administrator gets ciphertext only. At GA the feature supports equality queries on encrypted fields, and the data keys can be wrapped by managed key services such as Azure Key Vault and AWS Key Management Service (KMS). By moving encryption into the application tier this way, developers can protect sensitive data without giving up the ability to query it. Source
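To make the “encrypted during query processing” claim concrete, here is an added example (mine, not MongoDB's code and not its scheme) of the client/server split that equality-queryable encryption relies on. The client holds the key, stores a randomized ciphertext plus a keyed equality token for each sensitive field, and the server matches on tokens without ever holding plaintext or keys. Everything in it is constructed: the fixed data key stands in for one wrapped by a KMS, the HMAC-SHA256 keystream is a toy stand-in for a real authenticated cipher, and the single-token design deliberately exposes the leak a naive scheme has (the server learns which documents share a value), which MongoDB's design addresses with additional encrypted metadata structures.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Set

NONCE_LEN = 16


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive a sub-key from the data key (HMAC used as a simple KDF)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256; stands in for AES, has no authentication."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Randomized encryption: a fresh nonce means equal plaintexts give different ciphertexts."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def equality_token(token_key: bytes, plaintext: bytes) -> str:
    """Deterministic keyed tag: lets the server test equality without learning the value."""
    return hmac.new(token_key, plaintext, hashlib.sha256).hexdigest()


class EncryptedStore:
    """Server side: holds ciphertext and tokens only, never plaintext or keys."""

    def __init__(self) -> None:
        self.docs: List[Dict] = []

    def insert(self, doc: Dict) -> None:
        self.docs.append(doc)

    def find(self, field: str, token: str) -> List[Dict]:
        return [d for d in self.docs if d.get(field + "_tok") == token]


class EncryptedClient:
    """Client side (the driver's role): encrypts on write, decrypts on read."""

    def __init__(self, store: EncryptedStore, data_key: bytes) -> None:
        self.store = store
        self.enc_key = _derive(data_key, b"encrypt")
        self.tok_key = _derive(data_key, b"equality-token")

    def insert(self, doc: Dict[str, str], encrypted_fields: Set[str]) -> None:
        stored: Dict = {}
        for field, value in doc.items():
            if field in encrypted_fields:
                stored[field + "_ct"] = encrypt(self.enc_key, value.encode())
                stored[field + "_tok"] = equality_token(self.tok_key, value.encode())
            else:
                stored[field] = value
        self.store.insert(stored)

    def find_equal(self, field: str, value: str) -> List[Dict[str, str]]:
        """Equality query: only the token leaves the client; matches are decrypted locally."""
        token = equality_token(self.tok_key, value.encode())
        results = []
        for stored in self.store.find(field, token):
            plain: Dict[str, str] = {}
            for key, val in stored.items():
                if key.endswith("_ct"):
                    plain[key[:-3]] = decrypt(self.enc_key, val).decode()
                elif not key.endswith("_tok"):
                    plain[key] = val
            results.append(plain)
        return results


if __name__ == "__main__":
    store = EncryptedStore()
    client = EncryptedClient(store, b"\x11" * 32)  # constructed key; a KMS would wrap this
    client.insert({"name": "alice", "ssn": "123-45-6789"}, {"ssn"})
    client.insert({"name": "bob", "ssn": "123-45-6789"}, {"ssn"})
    client.insert({"name": "carol", "ssn": "999-99-9999"}, {"ssn"})
    print(client.find_equal("ssn", "123-45-6789"))
    print(store.docs[0]["ssn_tok"] == store.docs[1]["ssn_tok"])  # the naive scheme's leak
```

The point to take away is the trust boundary: `EncryptedStore` can answer the query yet never holds anything a dump of its storage would turn into plaintext, while the identical tokens for alice and bob show why a production scheme needs more than a bare deterministic tag.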
Black Hat USA 2023: Security Vendor Announcements
This year’s Black Hat saw numerous security vendors unveil their latest products and enhancements. We covered 15+ announcements in last week’s issue but this SecurityWeek article does an amazing job of encapsulating all of the notable announcements in one roundup including:
Microsoft bolstering its coverage for GCP to include sensitive data discovery, a cloud security graph, and attack path analysis capabilities.
Adaptive Shield launches Identity Threat Detection and Response (ITDR) capabilities.
IBM and Cloudflare collaborating to mitigate bot-based threats.
Code42 enhances source code exfiltration detection.
SentinelOne and Netskope: XDR x SASE Capabilities
SentinelOne and Netskope have collaborated to deliver an integrated solution, SentinelOne Singularity App for Netskope. This partnership will allow mutual customers to receive coverage from SentinelOne’s eXtended detection and response (XDR) capabilities with Netskope’s secure access service edge (SASE) solution in a cohesive manner. This bolsters SentinelOne’s already robust Singularity Marketplace. Source
Google Enhances TLS Security for Chrome Browser
Google is hardening Transport Layer Security (TLS) in Chrome against the threat that future quantum computers pose to today's key exchange. Starting in Chrome 116 (initially behind a flag, with a gradual rollout), Chrome supports a hybrid key agreement that combines X25519 with the Kyber-768 Key Encapsulation Mechanism (KEM) to establish the symmetric secrets for TLS 1.3 connections. Because the two are combined, an attacker has to break both: if Kyber turns out to be weak, the connection is still as strong as X25519 is today, and if X25519 falls to a quantum computer, the Kyber secret still protects the session. Kyber is the KEM NIST selected for standardization in its post-quantum cryptography process. One practical caveat: the Kyber key share makes the ClientHello considerably larger, which can trip up middleboxes and TLS-terminating appliances that assume it fits in a single packet, so network teams should watch for handshake failures as the rollout reaches their users. Source
Rootly Raises $12M of Fresh Capital
Incident management platform startup Rootly has secured $12 million in funding to accelerate its product development. Rootly's platform streamlines the incident response process, integrating with tools like Slack, Jira, and PagerDuty to provide a centralized response hub. Notable Rootly customers include Nvidia, Opensea, Cisco, and Elasticsearch, so this is definitely a company to keep an eye on. Source
More Insights 🔎
And that's a wrap for this week, folks! Your feedback is the fuel that keeps this newsletter going, so don't hesitate to let me know what you loved, hated, or would like to see improved. If you found value in this issue, why not share it with a friend or consider becoming a paid subscriber? Each week, I sift through over a thousand headlines to bring you the most impactful stories that are driving innovation in cybersecurity. Your support lets me know that this work is making a difference. With that said, here’s a nice photo from DEF CON with two of my favorite people in the security community, including Ashish Rajan from Cloud Security Podcast!