
Friday, September 12, 2025 — Meeting Recap

Cloud Security Office Hours Discussion


Quick recap. The Cloud Security Office Hours meeting welcomed new participants and encouraged networking, then moved through several technical topics: threat modeling, AI security frameworks, and cloud security tooling. The group explored practical aspects of threat modeling and discussed the challenges and opportunities in developing AI security frameworks, with suggestions for standardization and open-sourcing any solutions. The conversation ended with cloud security tools and vulnerability management, including a recent npm package compromise and the case for making container image scanning automatic whenever a new image is built.

Tags: 2025-09, AI, Supply Chain, Vulnerabilities, Conferences

Cloud Security Office Hours Discussion

The meeting began with Shawn welcoming participants to the Friday Cloud Security Office Hours, emphasizing its open and inclusive nature for discussing cloud security and related topics. New participants, including jlewi from the Philippines and Latoya from Michigan, introduced themselves and shared their backgrounds and interests in cloud security. Shawn encouraged networking and highlighted the session's value for career growth through mentorship and conversation. The discussion touched on various topics, including IPv6 regex patterns, agentic AI security, and a blog article co-written by Jay, with Neil mentioning an academic paper on securing agentic AI systems.

Threat Modeling for Security Fundamentals

The group discussed the importance of threat modeling in security, with Neil emphasizing that it should be a fundamental approach rather than starting with solutions. Jay shared his experience implementing threat modeling at SAP, highlighting its role in identifying potential security issues in design rather than just code. The discussion touched on practical aspects of threat modeling, including considering the attacker's return on investment and realistic threat scenarios rather than theoretical ones.

AI Security Framework Development Discussion

The team discussed the challenges and opportunities in developing frameworks for AI security, with Milos proposing the use of ontologies, graph lookups, and guard layers to control what an AI agent can access and which actions it can take. Jay noted that while the field is still nascent, there is a need for standardization, and suggested looking at OWASP resources for guidance. The group agreed that open-sourcing any developed solutions would be beneficial, though the commercial potential of such technology was also acknowledged. Yashesh raised concerns about keeping architecture diagrams up to date, and Jay suggested generating them from infrastructure-as-code definitions such as Terraform, so the diagram is derived from the same source that builds the environment rather than maintained by hand.

Python Study Group Initiative

D announced plans to organize a Python study group for the community, aiming to create collaborative projects and inviting members to join. Shawn highlighted the large email list and website engagement, suggesting potential for broader participation. Thomas offered support to coordinate the study group, while Tim expressed interest in running a CTF event. The group discussed the benefits of Wiz's resources and the diverse interests of its members, with several expressing enthusiasm for the initiatives.

Cloud Security Tools Evaluation Discussion

The team discussed cloud security tools and vulnerability management, with Neil sharing his experience of the tradeoffs between free open source tools such as Trivy and paid platforms such as Wiz or Orca. Neil explained that while free tools work well at small scale, paid solutions offer better central management, monitoring, and policy enforcement as organizations grow. The group also discussed container image scanning practices, with Matthew emphasizing that scanning should be automated and mandatory whenever a new image is created, rather than left to an ad hoc manual step. Jay highlighted the value of the domain knowledge that companies like Wiz and Orca bring, noting that their products evolve rapidly as their research teams keep improving detection capabilities.
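Matthew's point is that a scan that has to be remembered is a scan that gets skipped; the scanner's report should be evaluated by a policy gate in the pipeline that produced the image. The following is an added example of such a gate, not code from the Office Hours page or from Trivy itself. It assumes a report produced by `trivy image --format json -o report.json <image>` (Trivy's JSON schema version 2); the embedded report is constructed for illustration and its CVE identifiers are placeholders, not real advisories.

```python
"""Policy gate over a Trivy image-scan JSON report.

Added example (not the page's or Trivy's own code). Assumes the report shape
emitted by `trivy image --format json` (SchemaVersion 2). The sample report
below is constructed; its CVE IDs are placeholders, not real advisories.
"""
import json
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report following Trivy's JSON layout (placeholder IDs).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.internal/app:1.4.2",
    "Results": [
        {
            "Target": "registry.example.internal/app:1.4.2 (debian 12.6)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.12-1",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib1g",
                 "InstalledVersion": "1:1.2.13", "FixedVersion": "",
                 "Severity": "HIGH"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "requests",
                 "InstalledVersion": "2.31.0", "FixedVersion": "2.32.0",
                 "Severity": "MEDIUM"},
            ],
        },
    ],
})


def evaluate(report_json, fail_on="HIGH", require_fix=True, allowlist=()):
    """Return (blocking_findings, severity_counts) for a Trivy JSON report.

    A finding blocks promotion when its severity is at least `fail_on`, it is
    not in the allowlist, and (when require_fix is set) a fixed version exists.
    Unfixable findings are still counted so they show up in the summary, but
    they do not stop every deploy until upstream ships a fix.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_on]
    blocking, summary = [], Counter()
    for result in report.get("Results", []):
        # Trivy omits "Vulnerabilities" entirely for clean targets.
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            summary[sev] += 1
            if vuln["VulnerabilityID"] in allowlist:
                continue
            if SEVERITY_RANK.get(sev, 0) < threshold:
                continue
            if require_fix and not vuln.get("FixedVersion"):
                continue
            blocking.append({
                "id": vuln["VulnerabilityID"],
                "target": result["Target"],
                "package": vuln["PkgName"],
                "installed": vuln["InstalledVersion"],
                "fixed": vuln["FixedVersion"],
                "severity": sev,
            })
    return blocking, dict(summary)


def gate(report_json, **policy):
    """CI-style verdict: 1 when the image must not be promoted, else 0."""
    blocking, _ = evaluate(report_json, **policy)
    return 1 if blocking else 0


if __name__ == "__main__":
    findings, counts = evaluate(SAMPLE_REPORT)
    print("severity counts:", counts)
    for f in findings:
        print(f"BLOCK {f['severity']} {f['id']} {f['package']} "
              f"{f['installed']} -> {f['fixed']} ({f['target']})")
    raise SystemExit(gate(SAMPLE_REPORT))
```

Wired into the build job right after `docker build`, the non-zero exit stops the image from being pushed. The `require_fix` and `allowlist` knobs are what keep the gate from being disabled in frustration: an unfixable HIGH is reported every run but does not block, and an accepted risk is recorded as an explicit allowlist entry rather than by turning the scan off.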

npm Supply Chain Attack Discussion

The group discussed a recent npm package compromise where attackers inserted cryptocurrency mining code, with Neil explaining it was a supply chain attack that targeted the packages of a single Node.js developer. Jay noted that while this attack was discovered quickly and had limited impact, future attacks could be far more severe if they target sensitive data instead of cryptocurrency. Dane highlighted the technical challenges in remediating the compromise, including rolling back to known-good versions and the limits of the tooling available for doing so, while Shawn emphasized the broader implication: how easily malicious code can be inserted into widely depended-upon software components.
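The rollback problem Dane raised is concrete: after a maintainer's packages are compromised, you need to find every lockfile entry resolving to a bad version (including nested copies) and force them back to a known-good release. The script below is an added example, not code from the Office Hours page or from any npm tooling. It assumes an npm lockfile with `lockfileVersion` 2 or 3 (the `packages` map keyed by `node_modules` path); the lockfile excerpt and the deny-list are constructed for illustration, and their package names and versions are placeholders, not real compromised releases.

```python
"""Audit package-lock.json against known-bad versions and emit rollback overrides.

Added example (not the page's or npm's own code). Assumes lockfileVersion 2+,
whose "packages" map is keyed by node_modules path. The lockfile and the
deny-list below are constructed; names and versions are placeholders.
"""
import json

# Constructed lockfile excerpt in lockfileVersion 3 shape (placeholder names).
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"example-color": "^5.3.0"}},
        "node_modules/example-color": {
            "version": "5.3.1",
            "resolved": "https://registry.npmjs.org/example-color/-/example-color-5.3.1.tgz",
            "integrity": "sha512-AAAA...placeholder",
        },
        # Nested copy: a different major pulled in by example-color itself.
        "node_modules/example-color/node_modules/example-ansi": {
            "version": "6.2.2",
            "resolved": "https://registry.npmjs.org/example-ansi/-/example-ansi-6.2.2.tgz",
            "integrity": "sha512-BBBB...placeholder",
        },
        "node_modules/example-safe": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/example-safe/-/example-safe-1.0.0.tgz",
            # no "integrity": npm cannot verify this tarball against the lock
        },
    },
})

# Constructed deny-list: name -> (compromised versions, last known-good version).
DENY_LIST = {
    "example-color": ({"5.3.1"}, "5.3.0"),
    "example-ansi": ({"6.2.2"}, "6.2.1"),
}


def package_name(path):
    """Map a lockfile path to its package name, e.g.
    'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_json, deny_list=DENY_LIST):
    """Walk every installed package (top-level and nested) and report:
    - compromised: entries whose version is on the deny-list
    - missing_integrity: entries npm cannot verify at install time
    - overrides: an npm "overrides" map that pins each hit to its known-good version
    """
    lock = json.loads(lock_json)
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("lockfileVersion 2+ required (no 'packages' map)")
    compromised, missing_integrity, overrides = [], [], {}
    for path, entry in lock["packages"].items():
        if path == "":  # the root project itself
            continue
        name = package_name(path)
        version = entry.get("version")
        if not entry.get("integrity"):
            missing_integrity.append({"path": path, "version": version})
        if name in deny_list:
            bad_versions, good = deny_list[name]
            if version in bad_versions:
                compromised.append({"path": path, "name": name,
                                    "version": version, "rollback_to": good})
                overrides[name] = good
    return {"compromised": compromised,
            "missing_integrity": missing_integrity,
            "overrides": overrides}


if __name__ == "__main__":
    result = audit_lockfile(SAMPLE_LOCK)
    for hit in result["compromised"]:
        print(f"COMPROMISED {hit['path']} {hit['version']} -> roll back to {hit['rollback_to']}")
    for miss in result["missing_integrity"]:
        print(f"NO INTEGRITY {miss['path']} {miss['version']}")
    print('add to package.json: "overrides":', json.dumps(result["overrides"]))
```

The `overrides` output is meant to be pasted into `package.json` (npm 8.3 and later honour that field), after which `npm install` rewrites the lockfile so every nested copy resolves to the pinned version; running `npm ci` rather than `npm install` in CI then refuses any tarball whose integrity hash does not match the lock. Walking the `packages` map rather than the top-level dependency list is what catches the nested copy that a quick `npm ls <name>` at the top level can miss.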
