HACK Issue 002: Log4J, 7 stages of DevSecOps 0-day grief, and how not to announce your recent funding round
Greetings from Boise!
Welcome to issue 002 of HACK, my newsletter where I talk about and curate news about security, marketing, community, hackers, and leadership.
I'm going to be experimenting with the format and content a bit, so do let me know any feedback you have, I would love to hear it.
What I've written this week:
It was a busier week for me life wise (started a new job!) and also on the blog. Here's what I posted this week:
- Why I joined Lightspin: Some big personal news! Joined an exciting young startup with a unique product. It's a multi-layered cloud native application platform with a unique graph
- The 7 stages of DevSecOps 0-day grief. Had some fun, thanks d0nut for the inspiration
- Marketing and PR Case Study: The Peleton Sex and The City PR Fiasco. I mentioned this last week and it got better/worse so I wrote about it.
- Product Led Growth Correlated Webinar Notes. Product led growth is a big rage in startupland. We at Lightspin are committed to building a product led growth engine and focus on our users (many of you readers!). I've been reading a lot on this and you'll likely hear more from me on this topic. This document was my detailed notes from a webinar talking about building a marketing tech stack for PLG companies.
From Security Twitter
Log4J is bad. Inescapably bad. Not surprisingly, most of the links this week center around that.
This made me laugh. Bug bounty is a great way to discover these issues, it's unfortunate the hacker experience is so inconsistent - something I know the HackerOne team thinks about often.
Asset management and SBOM ... you can’t protect what you don’t know you own and then you can’t improve configuration risks if you don’t see them. So attack surface management + cloud security posture management are the grail of securing the public endpoints.
Cool cool cool - Log4J is not protocol specific says Justin Kennedy.
John Hammond has got a TryHackMe module on Log4j. Impressive, quick work John!
I tweeted a diagram about Log4J, and Rob Fuller created some great ones.
This tweet by Kevin is perfection
basically the perfect ending to cybersecurity in 2021 is a 90s style Java vuln in an open source module, written by two volunteers with no funding, used by large cybersecurity vendors, undetected until Minecraft chat got pwned, where nobody knows how to respond properly.
— Kevin Beaumont (@GossiTheDog) December 14, 2021
Marketing and Community corner
I mentioned last week how I tweeted a simple tweet off the cuff and it was the most engaged tweet I've had. Well I did it again, and this time it blew up even more. Didn't gain a ton of followers from it but fascinating again how and why things get picked up. I loved this one thought because it speaks to the power of a simple visual - yay designers!
Probably the best visual I’ve seen of #log4j from https://t.co/iNcCKs9ro8 pic.twitter.com/cWUzfvYCJy
— Luke Tucker 📈 (@luketucker) December 13, 2021
Replit CEO on how to announce your funding round vs not how to announce your funding round:
Series A announcement:
— Amjad Masad ⠕ (@amasad) December 10, 2021
- $30k for PR
- weeks of “crafting the story”
- talk with disinterested reporters
Result? Sad article that 4 people read.
Series B:
- make fun art
- talk to a cool blogger
- write a blog post in the morning
Millions of views & meaningful engagement.
I haven't gotten into F1 but I've been considering it from a sponsorship side for Lightspin. Was fascinated to see this data: check out that growth! Huge market.
Final thoughts
Lightspin advisor and Head of Cloud Infra Security at Netflix, Srinath Kuruvadi, who I recently got to meet at a dinner in San Francisco with Lightspin CEO, Vladi Sandler, was recently on Panther security's podcast talking about Detection at Scale. The podcast is definitely worth a listen, but Srinath mentioned a Nelson Mandela quote that stuck with me:
I never lose. I either win, or I learn. - Nelson Mandela
May you never lose this week and every week.