tj-actions Lessons Learned, US Cyber Offense, this week’s enterprise security news – Dimitri Stiliadis – ESW #417
Interview Segment - Lessons Learned from the tj-actions GitHub Action Supply Chain Attack with Dimitri Stiliadis
Breach analysis is one of my favorite topics to dive into and I’m thrilled Dimitri is joining us today to reveal some of the insights he’s pulled out of this GitHub Actions incident. It isn’t an overstatement to say that some of the lessons to be learned from this incident represent fundamental changes to how we architect development environments.
Why are we talking about it now, 4 months after it occurred? In the case of the Equifax breach, the most useful details about the breach didn’t get released to the public until 18 months after the incident. It takes time for details to come out, but in my experience, the learning opportunities are worth the wait.
Topic Segment - Should the US Go on the Cyber Offensive?
Triggered by an op-ed from Dave Kennedy, the discussion of whether the US should launch more visible offensive cyber operations starts up again. There are a lot of factors and nuances to discuss here, and a lot of us have opinions here. We'll see if we can do any of it justice in 15 minutes.
News Segment
Finally, in the enterprise security news,
- We discuss the latest fundings
- a few acquisitions
- a vibe coding campfire story
- how to hack AI agents
- zero-days in AI coding apps
- more AI zero days
- why Ivanti vulns are still alive and well in Japan
- how wiper commands made their way into Amazon’s AI coding agent
- it seems like vulnerabilities and AI are pairing up in this week’s news stories!
All that and more, on this episode of Enterprise Security Weekly.
Dr. Dimitri Stiliadis is the Co-Founder and Chief Technology Officer of Endor Labs. He brings a deep background in distributed systems, security, and networking. Before Endor Labs, he co-founded and served as CTO of Aporeto and Nuage Networks. He also led cloud and NFV strategy as CTO of Alcatel-Lucent Ventures and played a key role in developing security solutions like the OmniAccess Nonstop Laptop Guardian.
Earlier in his career, Dimitri held research and leadership roles at Bell Labs, contributing to advancements in traffic management, router architectures, and packet classification. He holds a PhD in computer engineering from UC Santa Cruz, has authored over 50 research papers, and holds more than 20 patents. He was also co-recipient of the IEEE Fred W. Ellersick Prize.
Adrian Sanabria
- FUNDING: Courtesy of the Security, Funded newsletter, issue #203 – Porto Folio Management
Last week's vibe check asked, "which security tradeoff is most underappreciated today?
The winning answer was, "user experiences vs security", with "innovation vs control" taking a close second place.
FUNDING
- Vanta raises a $150M Series D simultaneously acquire Riskey, a company in the real-time third-party risk monitoring market. This Series D, led by Wellington Management, values them at $4.15B and brings total funding to just over $500M. Almost exactly a year ago, Vanta's Series C, led by Sequoia, also raised $150M for the company, but at a lower $2.45B valuation.
- Crash Override, a United States-based application security platform, raised a $28.0M Seed from Google Ventures and SYN Ventures.
- Zip Security, a United States-based security and compliance automation platform for small businesses, raised a $13.5M Series A from Ballistic Ventures.
- Empirical Security, a United States-based platform offering AI models for threat and vulnerability management programs, raised a $12.0M Seed from Costanoa Ventures.
ACQUISITIONS
- Riskey, an Israel-based third-party vendor risk management platform, was acquired by Vanta for an undisclosed amount. Riskey has not previously disclosed any funding events.
- Redjack, a United States-based cyber attack surface management platform, was acquired by Lansweeper for an undisclosed amount. Redjack has not previously disclosed any funding events.
- NEW SERVICES: Vulnerability announce service
- TUTORIALS: How to Hack AI Agents and Applications
- BREACHES: Lawsuit says Clorox hackers got passwords simply by asking
- AI TRENDS: A vibe coding campfire story from Jason Lemkin, CEO of SaaStr.ai
I'm 50% feeling like the tech just isn't ready yet, or ever going to get there
and 50% feeling like maybe some folks are using it wrong, assuming it can do things GenAI just can't do
- VULNERABILITIES: The zero-day that could’ve compromised every Cursor and Windsurf user
- VULNERABILITIES: Google says ‘Big Sleep’ AI tool found bug hackers planned to use
- VULNERABILITIES: Fixed Ivanti Bugs Still Haunt Japan Orgs 6 Months Later
- SUPPLY CHAIN: Hacker Plants Computer ‘Wiping’ Commands in Amazon’s AI Coding Agent
