
IMO knowledge graphs are a must have for security use-cases because of how well they handle many-to-many relationships. Who has access to read each storage bucket? Via which IAM policies? Who owns each bucket? What is the shortest possible role-assumption path available from internet-exposed compute instances to read this bucket? What is the effective blast radius from a vulnerability that allows remote code execution on an internet exposed compute instance?

Or, I have a docker container image that is built from multiple base images owned by different teams in my organization. Who is responsible for fixing security vulnerabilities introduced by each layer?

We really could model these as tables but getting into all those joins makes things so cumbersome. Plus visualizing these things in a graph map is very compelling for presentation and persuading stakeholders to make security decisions.


Are there existing tools that model security stuff like this? For a few years I've wanted to build a model like this and search for vulnerabilities using something like GOAP (Goal-Oriented Action Planning)

I built an open source one (https://github.com/cartography-cncf/cartography) and am building commercial support around it (https://subimage.io)

PyPI is such an important service and as a Python user it's easy to take for granted that it just works. I recently had to make a config update from my project's GitHub repo to PyPI and lost the password and had to do account recovery, and then suddenly realized "wow, they take care of a lot of other orgs", and "wow, this is a TON of ops work" -- see the issues _just_ on account recovery: https://github.com/pypi/support/issues.

Yeah, in the recent Lightcone Podcast episode, Varun was talking about how they have a lean eng team but large sales org. I thought that was super interesting for a dev tool since I was expecting a dev tool to involve bottom-up sales to the dev instead of top-down sales to a leader like a CTO or VP of Eng


It will be super interesting to see how they do against the inverse: an engineering-focused company that wants to win devs from the bottom up


100%. You're referring to Cursor?


That's how you spend a lot of time making something great that no one pays for, and everyone demonizes you if you even try.


I actually think the humanities become more relevant than before in tech with AI. For example, good prompts for image generation remind me of authors setting the scene for their novels, so being trained to do this well is an advantage.


There are companies like https://www.keycard.sh/ taking this on. There are other competitors too but I can't think of them atm


Been using this for https://github.com/cartography-cncf/cartography and am very happy, thanks for building this.

Automated review tools like this are especially important for an open source project because you have to maintain a quality bar to keep yourself sane but if you're too picky then no one from the community will want to contribute. AI tools are like linters and have no feelings, so they will give the feedback that you as a reviewer may have been hesitant to give, and that's awesome.

Oh, and on the product itself, I think it's super cool that it comes up with rules on its own to check for based on conventions and patterns that you've enforced over time. E.g. we use it to make sure that all function calls that pull from an upstream API are decorated with our standard error handler.


Thanks for sharing that Alex! Definitely love having an AI be the strict reviewer so that the human doesn't have to


Being able to save the emotional budget over into the creative bucket is the most god damn win-win corporate speak I accidentally ever typed on hn. This is a wonderful strategy.


Haha yeah this is cool but the days of watching Twitch Plays Pokemon or RNG Plays Pokemon or things like that were much more entertaining


> I understand that you are very early in boot-strapping, but what I was missing while skimming over the videos and links and webpage is a better high-bird view or contextualization of the approach.

For a higher level view and contextualization, can you share more on what you mean? This would help give us a better idea on what to build.

> I was considering a demo, but the two options (chat and quick chat) were a bit unclear to me what they would achieve / how they are structured.

Ah, you're referring to our cal link (https://cal.com/team/subimage)? It's basically up to you -- we can show you something in 15 minutes or 30 minutes based on your availability and based on what you're interested in -- would love to hear feedback in call!


Thank you! Our business model is B2B software as a service. We're offering a fully-hosted offering around Cartography where we add useful features that enterprises want like automatic fix actions, recommendations, a natural language interface, and others.


How about your go-to-market and pricing?


We're looking for customers who find value in Cartography but don't have the resources to self-host. Open source is big in helping us meet people and learn the needs of teams who would be interested in commercial support. For pricing, it varies because we can take on very different infra requirements depending on the size of the customer's environment or their data freshness needs.


Makes sense -- we're focused on fixing problems over just being yet another Jira ticket generator.

> Found Splunk creds in a log? Awesome, start using them. Syslog in an S3 bucket... boom. You are now hitting the stuff that every other ASM/visualization tool has missed.

This is my dream :). This past weekend I was playing around with something where if I clicked on a SecretsManagerSecret node then it'd give me the CLI commands to assume the roles and then retrieve the secret. It'd be neat to take it a step further and be able to click here and get a shell -- I don't think we're _that_ far off from that (but for now to be very clear we're focusing on read-only actions only since a security tool with permissions to do scary things in your environment kinda defeats the purpose).
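A worked illustration of two ideas from this thread: the "shortest role-assumption path from an internet-exposed instance" and "effective blast radius" questions in the knowledge-graph comment above, and the "click a SecretsManagerSecret node, get the CLI commands to assume the roles and read it" idea here. This is an added example, not Cartography's or subimage's code. The graph, account IDs, instance IDs, role names, bucket and secret names, the `graph-readonly` session name and the relationship labels are all constructed for this example; the real tool stores this in a graph database, whereas here a plain Python adjacency map stands in so the script runs offline.

```python
"""Added example (not Cartography code): model a few AWS principals, role
trust relationships and readable resources as a small directed graph, then
answer two questions from the thread: the shortest role-assumption path from
an internet-exposed instance to a resource, and that instance's effective
blast radius. Finally render a path as read-only CLI commands. Every
identifier below is constructed for illustration."""
from collections import deque

# Constructed sample graph. Edges are (source, relationship, target).
# STS_ASSUMEROLE_ALLOW: the target role's trust policy lets the source assume
#   it (for an instance, this is the instance profile's role being picked up).
# CAN_READ: an effective IAM policy on the role grants read access to the target.
EDGES = [
    ("i-0abc123", "STS_ASSUMEROLE_ALLOW", "arn:aws:iam::111122223333:role/WebServer"),
    ("i-0def456", "STS_ASSUMEROLE_ALLOW", "arn:aws:iam::111122223333:role/Batch"),
    ("arn:aws:iam::111122223333:role/WebServer", "STS_ASSUMEROLE_ALLOW",
     "arn:aws:iam::111122223333:role/Deploy"),
    ("arn:aws:iam::111122223333:role/Deploy", "STS_ASSUMEROLE_ALLOW",
     "arn:aws:iam::444455556666:role/DataReader"),
    ("arn:aws:iam::111122223333:role/Batch", "STS_ASSUMEROLE_ALLOW",
     "arn:aws:iam::444455556666:role/DataReader"),
    ("arn:aws:iam::111122223333:role/Deploy", "CAN_READ", "s3://build-artifacts"),
    ("arn:aws:iam::444455556666:role/DataReader", "CAN_READ", "secret:prod/db-password"),
    ("arn:aws:iam::444455556666:role/DataReader", "CAN_READ", "s3://customer-exports"),
]
INTERNET_EXPOSED = {"i-0abc123"}  # i-0def456 sits in a private subnet (constructed)


def build_adjacency(edges):
    """node -> list of (relationship, neighbour)."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj


def shortest_path(adj, start, target):
    """BFS; returns [(node, relationship used to reach it)] or None.
    Unweighted BFS gives the fewest hops, i.e. the fewest assume-role calls."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if target not in parent:
        return None
    path, cur = [], target
    while cur is not None:
        prev = parent[cur]  # (previous node, relationship) or None at the start
        path.append((cur, prev[1] if prev else None))
        cur = prev[0] if prev else None
    return path[::-1]


def shortest_exposed_path(adj, exposed, target):
    """Shortest path to `target` starting from any internet-exposed node."""
    paths = [p for p in (shortest_path(adj, e, target) for e in exposed) if p]
    return min(paths, key=len) if paths else None


def blast_radius(adj, start):
    """Every resource readable from `start` through any chain of role assumptions:
    what an attacker with code execution on that node could eventually read."""
    seen, stack, resources = {start}, [start], set()
    while stack:
        node = stack.pop()
        for rel, nxt in adj.get(node, []):
            if rel == "CAN_READ":
                resources.add(nxt)
            elif nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return resources


# Read-only renderings per resource kind. Anything not in this table is refused,
# so the rendering step cannot produce a mutating command.
READ_ONLY_COMMANDS = {
    "secret:": "aws secretsmanager get-secret-value --secret-id {name}",
    "s3://": "aws s3 ls s3://{name}",
}


def to_readonly_cli(path):
    """Turn a path into the commands an operator would type. In a real shell the
    Credentials returned by each assume-role call must be exported before the
    next command runs; that plumbing is deliberately left out here."""
    cmds = []
    for node, rel in path[1:]:
        if rel == "STS_ASSUMEROLE_ALLOW":
            cmds.append(f"aws sts assume-role --role-arn {node} "
                        "--role-session-name graph-readonly")
        elif rel == "CAN_READ":
            for prefix, tmpl in READ_ONLY_COMMANDS.items():
                if node.startswith(prefix):
                    cmds.append(tmpl.format(name=node[len(prefix):]))
                    break
            else:
                raise ValueError(f"no read-only command known for {node}")
        else:
            raise ValueError(f"refusing to render relationship {rel}")
    return cmds


ADJ = build_adjacency(EDGES)

if __name__ == "__main__":
    path = shortest_exposed_path(ADJ, INTERNET_EXPOSED, "secret:prod/db-password")
    print(" -> ".join(n for n, _ in path))
    print("\n".join(to_readonly_cli(path)))
    print(sorted(blast_radius(ADJ, "i-0abc123")))
```

In this constructed graph the public instance needs three assume-role hops to reach the secret while the private batch instance needs two, which is exactly the kind of many-to-many reasoning that becomes painful as joins over flat IAM tables. The command renderer only knows how to emit read operations, matching the read-only constraint stated above.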

