ARTICLES

Breaking Into AppSec: Hack Your Way Into Cybersecurity!

Introduction Breaking into Application Security can feel overwhelming at first. However, it's one of the most rewarding and dynamic fields in cybersecurity. You might be a newcomer to the industry, a software engineer or product manager looking to make a career pivot, or an existing AppSec engineer looking to upskill. Whatever your background, there's a lot to learn, and we're here to help you get started! In this blog post, we’ll cover what Application Security is, the skills you need to brea

Happy AppSec New Year - 2024 Recap

What a year 2024 was for Application Security! New technologies, new incidents, new attack patterns, and so much more! The landscape of Application Security has undergone significant shifts over the past year. Artificial Intelligence continues to become a larger part of the cybersecurity scene, both on offense and defense. While some vulnerabilities were novel, in other cases, old became new again, as supply chain hijacking, injection attacks, and authorization failures were featured amongst ma

The Security Benefits of Infrastructure as Code

We have developed and delivered new ways to deliver infrastructure quickly and without these misconfigurations. Prevention is the only cure; we’ll talk about how you can implement this today.

OIDC for GitHub Actions

At Cloud Security Partners, we perform a lot of code reviews and Cloud Security Assessments. During these engagements, we see many different CI/CD patterns that cause us to raise our eyebrows. One situation in particular that we encounter relatively often is the unsafe use of AWS credentials. The CIS Benchmark for AWS indicates that Access Keys must be rotated every 90 days. And generally, IAM users should be avoided, instead roles should be utilized. OpenID Connect is an authentication standard

Preventing Overreliance: Proper Ways to Use LLMs

LLMs have a very uncanny ability of being able to solve problems in a wide variety of domains. Unfortunately, they also have a tendency to fail catastrophically. While an LLM may be able to provide accurate responses 90% of the time, due to nondeterministic behavior, one must be prepared for cases when it gives blatantly wrong or malicious responses. Depending on the use case, this could result in hilarity or, in very bad cases, security compromises. In this blog post, we’ll talk about #9 on th

The Security Benefits of Infrastructure as Code

We have developed and delivered new ways to deliver infrastructure quickly and without these misconfigurations. Prevention is the only cure; we’ll talk about how you can implement this today.

The Security Absolutist

All security practitioners know the Security Absolutist. It’s the practitioner who has a plan before the context, is unapologetic in their approach to security, and is unwaveringly confident in their solution. Seemingly always frustrated with the current state of security in business and consistently angry at why “people can’t just…” the Security Absolutist is a pained and frustrated individual, but we can help. Security Absolutism is a dangerous game, constantly creating conflict and boundarie

Preventing Overreliance: Proper Ways to Use LLMs

LLMs have a very uncanny ability of being able to solve problems in a wide variety of domains. Unfortunately, they also have a tendency to fail catastrophically. While an LLM may be able to provide accurate responses 90% of the time, due to nondeterministic behavior, one must be prepared for cases when it gives blatantly wrong or malicious responses. Depending on the use case, this could result in hilarity or, in very bad cases, security compromises. In this blog post, we’ll talk about #9 on th

Preventing Overreliance: Proper Ways to Use LLMs

LLMs have a very uncanny ability of being able to solve problems in a wide variety of domains. Unfortunately, they also have a tendency to fail catastrophically. While an LLM may be able to provide accurate responses 90% of the time, due to nondeterministic behavior, one must be prepared for cases when it gives blatantly wrong or malicious responses. Depending on the use case, this could result in hilarity or, in very bad cases, security compromises. In this blog post, we’ll talk about #9 on th

Ignore Previous Instruction: The Persistent Challenge of Prompt Injection in Language Models

Prompt injections are an interesting class of emergent vulnerability in LLM systems. It arises because LLMs are unable to differentiate between system prompts, which are created by engineers to configure the LLM’s behavior, and user prompts, which are created by the user to query the LLM. Unfortunately, at the time of this writing, there are no total mitigations (though some guardrails) for Prompt Injection, and this issue must be architected around rather than fixed. In this blog post, we will

Preventing Overreliance: Proper Ways to Use LLMs

LLMs have a very uncanny ability of being able to solve problems in a wide variety of domains. Unfortunately, they also have a tendency to fail catastrophically. While an LLM may be able to provide accurate responses 90% of the time, due to nondeterministic behavior, one must be prepared for cases when it gives blatantly wrong or malicious responses. Depending on the use case, this could result in hilarity or, in very bad cases, security compromises. In this blog post, we’ll talk about #9 on th

Ignore Previous Instruction: The Persistent Challenge of Prompt Injection in Language Models

Prompt injections are an interesting class of emergent vulnerability in LLM systems. It arises because LLMs are unable to differentiate between system prompts, which are created by engineers to configure the LLM’s behavior, and user prompts, which are created by the user to query the LLM. Unfortunately, at the time of this writing, there are no total mitigations (though some guardrails) for Prompt Injection, and this issue must be architected around rather than fixed. In this blog post, we will

The Hidden Dangers of Using Terraform's Remote-Exec Provisioner

Terraform is a powerful infrastructure as code tool that can support multi-cloud deployments. Terraform provides consistent and reliable deployments for cloud infrastructure. But as with every tool there are hidden dangers built-in we need to check for! The remote-exec provisioner in Terraform can be a valuable tool, providing the ability to execute scripts and commands on remote resources. However, it can pose significant security risks to your infrastructure without proper control and awarene

The Security Benefits of Infrastructure as Code

We have developed and delivered new ways to deliver infrastructure quickly and without these misconfigurations. Prevention is the only cure; we’ll talk about how you can implement this today.

The Security Benefits of Infrastructure as Code

We have developed and delivered new ways to deliver infrastructure quickly and without these misconfigurations. Prevention is the only cure; we’ll talk about how you can implement this today.

LASCON Recap - Infrastructure as Code

Recently, we had the privilege of participating in and sponsoring the Lonestar Application Security Conference (LASCON). Our CEO, Michael McCabe, and Ken Toler delivered a training session and a talk on exploiting Terraform for remote code execution; both received a fantastic turnout. In between operating our booth, we had the opportunity to attend some insightful talks. During the event, one presentation that stood out was delivered by Bug Bounty and focused on how to manage a bug bounty progr