HACK Issue 002: Log4J, 7 stages of DevSecOps 0-day grief, and how not to announce your recent funding round

Greetings from Boise!  

Welcome to issue 002 of HACK, my newsletter where I talk about and curate news about security, marketing, community, hackers, and leadership.

I'm going to be experimenting with the format and content a bit, so do let me know any feedback you have; I would love to hear it.

What I've written this week:

It was a busier week for me life wise (started a new job!) and also on the blog. Here's what I posted this week:

From Security Twitter

Log4J is bad. Inescapably bad. Not surprisingly, most of the links this week center around that.

This made me laugh. Bug bounty is a great way to discover these issues, it's unfortunate the hacker experience is so inconsistent - something I know the HackerOne team thinks about often.

Asset management and SBOM ... you can’t protect what you don’t know you own and then you can’t improve configuration risks if you don’t see them. So attack surface management + cloud security posture management are the grail of securing the public endpoints.

Cool cool cool - Log4J is not protocol specific, says Justin Kennedy.

John Hammond has got a TryHackMe module on Log4j. Impressive, quick work John!

I tweeted a diagram about Log4J, and Rob Fuller created some great ones.

This tweet by Kevin is perfection.

Marketing and Community corner

I mentioned last week how I tweeted a simple tweet off the cuff and it was the most engaged tweet I've had. Well, I did it again, and this time it blew up even more. I didn't gain a ton of followers from it, but it's fascinating again how and why things get picked up. I loved this one, though, because it speaks to the power of a simple visual - yay designers!

Replit CEO on how to announce your funding round vs. how not to announce your funding round:

I haven't gotten into F1, but I've been considering it from a sponsorship side for Lightspin. I was fascinated to see this data: check out that growth! Huge market.

Final thoughts

Lightspin advisor and Head of Cloud Infra Security at Netflix, Srinath Kuruvadi, who I recently got to meet at a dinner in San Francisco with Lightspin CEO, Vladi Sandler, was recently on Panther security's podcast talking about Detection at Scale. The podcast is definitely worth a listen, but Srinath mentioned a Nelson Mandela quote that stuck with me:

I never lose. I either win, or I learn. - Nelson Mandela

May you never lose this week and every week.  

Subscribe to Luke Tucker
