SIN-06 Security and Innovation Newsletter May 4th 2025

Hello my fellow security enthusiasts! Welcome back to another edition of the 'Security and Innovation' Newsletter. Get ready to continue diving into the world of AI security in this issue. It is packed with research and fresh material you won't want to miss. Please share it with colleagues and friends to help our community grow. Happy reading!

🤖 🛡️ Vibe-Securing: 4+1 Pillars of AppSec for Vibe Coding - Backslash: This article argues that the rise of "vibe coding" – a fast, AI-assisted development style – demands a fundamental shift in how Application Security (AppSec) operates. Traditional methods cannot keep up with the speed and volume of generated code, so security has to move from reactive scanning to proactive, contextual controls embedded directly in the developer workflow. The author proposes a new foundation for AppSec built on four pillars: secure-by-default GenAI IDEs, scalable management of security debt, real-time actionable visibility, and a unified AppSec modeling engine that understands code context. The core idea is "vibe-securing": embedding security into the development process as code is created, rather than finding issues later. This involves guiding LLMs to generate secure code, giving developers immediate feedback and fixes inside their IDE, and automating remediation where possible. Visibility is crucial, moving beyond dashboards to understanding developer behavior and prioritizing risks by actual impact. Article

🤖 System prompts from most used AI IDEs: If you have ever wondered what the system prompts of the most-used AI tools look like, the GitHub project by x1xhlol is for you. The repo collects system prompts and tool definitions from a range of sources, giving insight into their structure and functionality. It includes over 6,500 lines of material on products such as Cursor, Manus, and others. The creator also stresses the importance of securing AI systems against data leaks and offers a service to help startups harden theirs. Github

🤖 🛡️ Are you ready for more complexity? According to Anthropic’s chief information security officer, Jason Clinton, fully AI-powered “virtual employees” are expected to begin operating within corporate networks within the next year. This is a significant leap beyond current AI agents: these virtual employees will have autonomy, “memories”, dedicated roles, and even their own corporate accounts. That advancement brings substantial cybersecurity challenges, including securing AI accounts, managing network access, and determining responsibility for rogue actions. The core concern is that existing security infrastructure is not equipped to handle these non-human identities.

Anthropic highlights the risk of AI employees compromising systems – such as a continuous integration system – while performing their tasks, which raises questions of accountability. Article

Cloud Snitch is an open-source project (with a SaaS option) for visualizing and monitoring AWS activity, inspired by the macOS firewall application Little Snitch. It provides a clean interface for exploring what is happening in your AWS accounts, summarizing activity by region, principal, IP address, and more, and highlighting errors so potential issues stand out quickly.

Users can share activity links, document AWS principals, and even generate and apply service control policies to enforce least-privilege access.

The project offers flexibility: you can self-host the open-source version or get started quickly with a paid individual/team plan via cloudsnitch.io. Github
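The summaries Cloud Snitch shows (activity per region, principal and source IP, with errors surfaced) and its SCP generation can be approximated from raw CloudTrail records. The Python below is an added example written for this newsletter, not Cloud Snitch's code: it counts constructed CloudTrail-shaped events, flags failed calls, and emits a Deny SCP keyed on aws:RequestedRegion for regions the account never used. The list of global services exempted via NotAction is an assumption to review before applying anything.

```python
"""Summarize CloudTrail records and derive a region-restricting SCP.

Added example, not Cloud Snitch's code. SAMPLE_EVENTS are constructed records
carrying a subset of real CloudTrail fields. The NotAction list of global
services is an assumption; review it before applying a generated policy.
"""
import json
from collections import Counter

# Constructed sample records (subset of real CloudTrail fields).
SAMPLE_EVENTS = [
    {"awsRegion": "eu-west-1", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"}},
    {"awsRegion": "eu-west-1", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"}},
    {"awsRegion": "us-east-1", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "errorCode": "AccessDenied"},
    {"awsRegion": "ap-southeast-2", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]

# Global services are logged under us-east-1 regardless of where the caller sits.
GLOBAL_SERVICE_PREFIXES = ("iam.", "sts.", "organizations.", "cloudfront.", "route53.", "support.")
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*", "support:*"]


def summarize(events):
    """Count activity by region, principal and source IP; collect failed calls."""
    by_region, by_principal, by_ip = Counter(), Counter(), Counter()
    errors = []
    for e in events:
        arn = e["userIdentity"]["arn"]
        by_region[e["awsRegion"]] += 1
        by_principal[arn] += 1
        by_ip[e["sourceIPAddress"]] += 1
        if "errorCode" in e:
            errors.append((arn, e["eventName"], e["errorCode"]))
    return {"region": by_region, "principal": by_principal, "ip": by_ip, "errors": errors}


def regions_in_use(events):
    """Regions where a regional service was actually called. Global services are
    skipped: otherwise an IAM call would make us-east-1 look required."""
    used = {e["awsRegion"] for e in events
            if not e["eventSource"].startswith(GLOBAL_SERVICE_PREFIXES)}
    return sorted(used)


def region_deny_scp(allowed_regions):
    """SCP denying any request outside allowed_regions, except global services."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnusedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}},
        }],
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    print("by region:", dict(summary["region"]))
    print("errors:", summary["errors"])
    print(json.dumps(region_deny_scp(regions_in_use(SAMPLE_EVENTS)), indent=2))
```

Note the pitfall `regions_in_use` handles: IAM, STS and other global services are recorded under us-east-1, so counting them naively makes that region look in use and hides the fact that nothing regional runs there. The SCP exempts those services so a region deny does not lock the account out of identity operations.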

🤖 Agent2Agent and MCP: An End-to-End Tutorial for a complete Agentic Pipeline: This tutorial details building an agentic pipeline using two open-source protocols: Agent2Agent (A2A) for inter-agent communication and Model Context Protocol (MCP) for accessing tools and data. The guide walks through creating MCP servers for specific tasks – a web crawler and a stock price retriever – and then shows how to integrate these servers into a larger agentic system. The core idea is to create small, focused agents that coordinate effectively and access external resources reliably. The tutorial provides practical code examples in Python using libraries such as finnhub, requests, and Google’s Agent Development Kit (ADK). It takes a hands-on approach, encouraging readers to clone the provided GitHub repository, experiment with the code, and adapt it to their needs. The author highlights challenges encountered with the initial Google A2A repository and details the modifications made to get it working.

Ultimately, the tutorial showcases a complete agentic pipeline, from setting up individual MCP servers to coordinating multiple agents with A2A, all while drawing on external data sources. It positions A2A and MCP as key components for building robust and scalable agentic systems, moving beyond ad-hoc scripting towards a more cooperative and structured architecture. Article
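MCP tools reach the model over JSON-RPC 2.0: the client sends tools/list to discover tools and their input schemas, then tools/call with a tool name and arguments; the server answers with a result carrying content and an isError flag, or with a JSON-RPC error. The Python below is an added example, not the tutorial's code: it hand-rolls that exchange for the two tools the tutorial builds, without the MCP SDK, swaps the finnhub lookup for a constructed quote table so it runs offline, and gates the crawler tool behind a URL policy. That policy only inspects literal IP hosts and a few well-known names and does not resolve DNS, which a real server must do before fetching.

```python
"""Toy MCP-style tool server: JSON-RPC 2.0 dispatch for tools/list and tools/call.

Added example, not the tutorial's code. It mirrors MCP's message shapes without
the SDK; QUOTES is constructed data standing in for finnhub; the URL policy checks
only literal IP hosts and a few names, not DNS results (a stated simplification).
"""
import ipaddress
import json
import re
from urllib.parse import urlsplit

QUOTES = {"AAPL": 172.35, "MSFT": 411.20}  # constructed sample data
TICKER_RE = re.compile(r"^[A-Z][A-Z.]{0,9}$")
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}

TOOLS = [
    {"name": "stock_price", "description": "Latest price for a ticker",
     "inputSchema": {"type": "object", "required": ["ticker"],
                     "properties": {"ticker": {"type": "string"}}}},
    {"name": "crawl_page", "description": "Fetch a public http(s) page",
     "inputSchema": {"type": "object", "required": ["url"],
                     "properties": {"url": {"type": "string"}}}},
]


def url_is_public_http(url: str) -> bool:
    """Allow only http(s) URLs whose host is not a blocked name and, when the
    host is a literal IP, is not loopback/private/link-local (cloud metadata)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host in BLOCKED_HOSTS:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # hostname: a real server resolves it and re-checks the IP
    return not (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved)


def _tool_result(text: str, is_error: bool = False) -> dict:
    """Shape of an MCP CallToolResult."""
    return {"content": [{"type": "text", "text": text}], "isError": is_error}


def call_tool(name: str, args: dict) -> dict:
    """Validate arguments and run one tool; tool-level failures use isError."""
    if name == "stock_price":
        ticker = args.get("ticker")
        if not isinstance(ticker, str) or not TICKER_RE.match(ticker):
            return _tool_result("invalid ticker", is_error=True)
        if ticker not in QUOTES:
            return _tool_result(f"unknown ticker {ticker}", is_error=True)
        return _tool_result(json.dumps({"ticker": ticker, "price": QUOTES[ticker]}))
    url = args.get("url")  # name == "crawl_page", guaranteed by handle()
    if not isinstance(url, str) or not url_is_public_http(url):
        return _tool_result("url refused by policy", is_error=True)
    # Network access deliberately omitted here; report the URL that passed policy.
    return _tool_result(json.dumps({"would_fetch": url}))


def handle(request: dict) -> dict:
    """Dispatch one JSON-RPC 2.0 request and return the response object."""
    rid, method = request.get("id"), request.get("method")
    params = request.get("params") or {}
    if method == "tools/list":
        return {"jsonrpc": "2.0", "id": rid, "result": {"tools": TOOLS}}
    if method == "tools/call":
        name = params.get("name")
        if not any(t["name"] == name for t in TOOLS):
            return {"jsonrpc": "2.0", "id": rid,
                    "error": {"code": -32602, "message": f"unknown tool {name!r}"}}
        return {"jsonrpc": "2.0", "id": rid,
                "result": call_tool(name, params.get("arguments") or {})}
    return {"jsonrpc": "2.0", "id": rid,
            "error": {"code": -32601, "message": "method not found"}}


if __name__ == "__main__":
    # Client side of the exchange: discover tools, then call each one.
    for req in (
        {"jsonrpc": "2.0", "id": 1, "method": "tools/list"},
        {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
         "params": {"name": "stock_price", "arguments": {"ticker": "AAPL"}}},
        {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
         "params": {"name": "crawl_page", "arguments": {"url": "http://169.254.169.254/latest/"}}},
    ):
        print(json.dumps(handle(req)))
```

The split between the two error channels is deliberate: an unknown tool or method is a protocol error (JSON-RPC `error`), while a bad ticker or a refused URL is a tool result with `isError` set, which is what the model sees and can reason about. Because the model, not a human, supplies the arguments, the validation in `call_tool` is the server's only line of defence against a prompt-injected request for an internal address.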

🤖 🛡️ aws-security-mcp is a Model Context Protocol (MCP) server designed to connect AI assistants like Claude to AWS security services. This lets an AI autonomously query, inspect, and analyze AWS infrastructure for security vulnerabilities and misconfigurations, essentially enabling AI-powered cloud security assessments. The server supports a wide range of AWS services including IAM, EC2, S3, GuardDuty, SecurityHub, and more, offering features like security finding queries, misconfiguration listing, IAM analysis, and even threat modeling and blast radius analysis. It is designed to be flexible, allowing it to be coupled with other MCPs for enhanced functionality. As with any MCP server that holds cloud credentials, the IAM principal it runs as should be scoped to the read-only actions the assessment actually needs. Github

I found this infographic by Igor Buinevici about Strategy that looks pretty cool, and has an interesting division between Purpose, Strategy and Execution.

"What you find interesting is a better predictor of success than what you're good at. Curiosity isn't random; it's a compass." Shane Parrish
"The most valuable skill isn't inspiration but the ability to work without it." Shane Parrish

Thank you for reading,

Chris