The Good, the Bad, and The Ugly
🎵Now you're stuck with the theme song in your mind for the rest of the day 🎶
Tis the time o’ year when we all go enjoy a movie in the park, perhaps a drive-in, or even a fly-in (yes, they were a thing). And few movies characterize summer more than Sergio Leone’s sun-gorged and action-packed westerns. Also, nothing like an earworm to get the week going.
A fistful of dollars 💰
This week has seen quite a bit of fundraising and M&A activity. In the Venn of Authorization & AI, Protect AI just announced Salesforce and Samsung are investing $60M to help with the development of security for AI. This area is becoming increasingly vibrant.
Closer to home, AuthZed - the Authorization-as-a-Service platform - is raising a sweet $12 million Series A from General Catalyst! This is a huge vote of confidence for Zanzibar-driven approaches.
In its Series D, Cybersecurity Startup Abnormal Security Locks Up $250M At $5.1B Valuation. Abnormal looks to stop attacks and find compromised accounts across email and connected applications by using machine learning and AI to understand human behavior.
Fortinet acquires data security company Next DLP: Fortinet plans to integrate Next DLP’s cloud-native software-as-a-service (SaaS) data protection platform, along with its AI-based anomaly detection and classification capabilities, into Fortinet’s existing infrastructure.
For a few dollars more 👽
On Tuesday, August 13, Pinecone is screening a webinar on Access Control in RAG Applications. Yes, even AI needs authorization!
The Good… 💼
Generally, security is sold to CISOs as part of a FUD strategy: if you don’t do this or that, you will be hacked, you will be in breach… As such, security is seen as a necessary and costly evil. Think again! CISOs are finding new measures to quantify the business value of cybersecurity investments that can show how a security team’s work supports a company’s top and bottom lines.
We all need to make security easier to adopt from step one. This is Prisma Cloud’s goal. Find out more in their blog post: One Small Step for Developers, One Giant Leap for Security
New NSA tool aims to automate cyber-defense tests: The Autonomous Penetration Testing platform aims to replace much of the manual labor involved in searching for vulnerabilities and gauging the robustness of cyber defenses.
And speaking of the NSA, did you know it offers no-cost cybersecurity services to any company that contracts with the DoD (sub or prime) or has access to non-public DoD information?
The (not) Bad (at all) 🏖️
Let’s start with some stunning EFF artwork. BTW EFF is a non-profit and they’re always looking for new supporters. Their work is fundamental to guarantee our freedom of speech, privacy, and more.
Speaking of fine-print, there’s a new licensing model in town: fair source aka Software Sharing for Modern Companies. Check out these examples:
And the Ugly 💀…
Docker Security Advisory: AuthZ Plugin Bypass Regression in Docker Engine. Authorization plugins bypassed on top of Docker's already very coarse-grained authorization model? Well, it's hard to have access control when that happens. Luckily, "[t]he base likelihood of this being exploited is low."
AWS 'Bucket Monopoly' attacks could allow complete account takeover. What happens when non-human identities are at play?
Zenity CTO Michael Bargury revealed his Microsoft Copilot exploits at Black Hat.
"It's actually very difficult to create a [Copilot Studio] bot that is safe," Bargury told The Register in an interview ahead of conference talks, "because all of the defaults are insecure."
On July 19, 2024, as part of regular operations, CrowdStrike released a content configuration update (via channel files) for the Windows sensor that resulted in a widespread outage. Here’s the report as to what really happened: Channel File 291 Incident RCA is Available. No mention of 🛫airlines though.
The Wild Bunch 👶
There’s always room for new competition. Stack Auth and Logto are here to challenge the Auth0/Okta status quo:
https://news.ycombinator.com/item?id=41194673
https://github.com/logto-io/logto: 🧑🚀 The better identity infrastructure for developers and the open-source alternative to Auth0.
Heimdall is a cloud-native, identity-aware proxy and access control decision service inspired by the Zero Trust idea. It brings together authentication and authorization systems and can be thought of as an orchestrator for these in front of your services, letting you retain complete control without any maintenance in your own code.
And here’s some more from 🎩(yes, I know, not the right kind of hat)
Analyst & Conference Updates 🗣️
My peer from SGNL, Atul Tulshibagwale, and I attended IETF 120. Here’s a summary of what happened in his own words. And speaking of RFCs, check out RFC 9614: Partitioning as an Architecture for Privacy. It describes the principle of privacy partitioning, which selectively spreads data and communication across multiple parties as a means to improve privacy by separating user identity from user data.
Do you want to attend and speak at a conference? You have a few days left to submit a poster to the International Workshop on Security.
One of our AuthZ heroes and newest Gartner addition, Espen Bago, has just released a report on authorization: Should I Use OPA, OAuth, Zanzibar, Cedar or XACML for My Authorization Use Cases? Gartner clients can read the report here.
Further Reading 📚
Your kids are busy with their summer reading list. How about you dive in and brush up on your skills with these additional links worthy of your attention?
Kubernetes security fundamentals: Authorization | Datadog Security Labs
Every Microsoft employee is now being judged on their security work
Thanks for reading
We have fun putting these newsletters together but they’re only relevant if you give us feedback and content. So, don’t be shy, write to us! We love fan mail.