Hey there!

I hope you’ve been doing well. Before we get into it, a few upcoming events!


Bay Area OWASP

Detect complex code patterns using semantic grep
Today, May 21, 5:30pm PDT.

We’ll discuss a program analysis tool we’re developing called semgrep. It’s a multilingual semantic tool for writing security and correctness queries on source code (for Python, Java, Go, C, and JS) with a simple “grep-like” interface. The original author, Yoann Padioleau, worked on sgrep’s predecessor, Coccinelle, for Linux kernel refactoring, and later developed sgrep while at Facebook. He’s now full time with us at r2c.

semgrep is a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. semgrep is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.

For example, find subprocess calls with shell=True in Python using the query:

subprocess.open(..., shell=True)

This will even find snippets like:

import subprocess as s
s.open(f'rm {args}', shell=True)

Or find hardcoded credentials using the query:

  aws_access_key_id=... )
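To show what the "semantic" part of the query above has to do, here is an added example (not semgrep's code, and not from the event description): a small ast-based checker that flags calls into subprocess passing shell=True, including the aliased-import case the text mentions. The sample source it scans is constructed.

```python
import ast

# Constructed sample source: three ways the subprocess module can be reached.
SAMPLE = '''
import subprocess
import subprocess as s
from subprocess import Popen as run_it
subprocess.open("ls", shell=True)      # should be flagged
s.open(f"rm {args}", shell=True)      # flagged through the module alias
run_it(cmd, shell=True)               # flagged through the from-import alias
subprocess.run(["ls"])                # not flagged: no shell=True
s.open("ls", shell=False)             # not flagged
'''


def find_shell_true_calls(source: str) -> list:
    """Return line numbers of calls into subprocess that pass shell=True.

    Mirrors what the query `subprocess.open(..., shell=True)` must resolve: the
    module may be imported under another name, or a function imported directly.
    """
    tree = ast.parse(source)
    module_names = set()   # local names bound to the subprocess module
    func_names = set()     # local names bound to functions imported from it
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "subprocess":
                    module_names.add(alias.asname or alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module == "subprocess":
            for alias in node.names:
                func_names.add(alias.asname or alias.name)

    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        via_module = (isinstance(func, ast.Attribute)
                      and isinstance(func.value, ast.Name)
                      and func.value.id in module_names)
        via_func = isinstance(func, ast.Name) and func.id in func_names
        if not (via_module or via_func):
            continue
        # The `...` in the query stands for any other arguments; only the keyword matters.
        for kw in node.keywords:
            if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                hits.append(node.lineno)
    return sorted(hits)
```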

Virtual AppSec Days Training Submissions

Submit your training proposal, deadline: May 22.

Coccinelle, Prequel, and Spinfer: Automating Summarization and Application of Code Evolutions in the Linux Kernel.

If program analysis is also your jam, you might enjoy this upcoming presentation by INRIA research scientist Julia Lawall on May 27th:

In a large software system such as the Linux kernel, there is a continual need for large-scale changes across many source files, triggered by new needs or refined design decisions. Over the past 15 years, we have developed tools:

  1. to automate such changes (Coccinelle)
  2. to extract information about such changes from git histories (Prequel)
  3. to automatically infer relevant transformation rules (Spinfer)

In this talk, we will present the design of these tools and review their use and potential use in the development of the Linux kernel and other large code bases.


On June 15-16, DevSecCon goes virtual, with talks from APAC, EU, and the Americas.

📜 In this newsletter...

🔗 Links:
  • AppSec: Secure by default crypto library by Google, threat modelling resources collection, finding secrets in .pyc files, labeling criticality of bugs via ML, searchable list of tools, understanding underhanded code
  • OAuth: Several articles on testing OAuth from a bug bounty or pen tester's perspective
  • Web Security: Burp plugin for helping with session management, list of Burp extensions, breaking CAPTCHAs at scale with ML
  • Cloud Security: Automated security controls from the AWS Foundational Security Best Practices standard, build attack graphs for Azure
  • Container Security: Automating TLS cert lifecycle for a Kubernetes cluster using Vault and cert-manager, GCP container threat detection product
  • Red Team: Obfuscator for code using GCC, breaking typical Windows hardening implementations, decompile targets right from VS Code
  • Blue Team: Elastic Stack gets a new alerting framework
  • Politics / Privacy: FBI can look at your web browsing history without a warrant, reflections on the media trying to cover Trump
  • Network Security: Scapy-based network analyzer
  • Linux: Hardware and firmware security resources, Linux utils intro, SSH tips
  • Misc: Google's fuzzing dictionaries, learn about other careers, securing your home network, Solidity has a built-in model checker, prioritizing and opportunity cost, optimising for optionality
  • Coronavirus: Jurassic Park coronavirus allegory, Nigerian crime ring committing large-scale unemployment insurance program fraud, predictions on coronavirus' impact on higher education
📚 Building Your Career in Security, Specializing, and More

Some interesting reflections by Scott Piper.

AppSec
🔥 google/tink
“A multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.” Imho, building libraries that make it a) easy to do things securely and b) hard to do them wrong is one of the highest ROI things we can do to push security forward. Love this.

“A curated list of threat modeling resources (books, courses - free and paid, videos, tools, tutorials and workshops to practice on) for learning threat modeling and the initial phases of security review” by Practical DevSecOps.

Finding secrets by decompiling Python bytecode in public repositories
Python projects commonly store secrets like configuration, keys, and passwords in a gitignored Python file named something like secrets.py, config.py, or settings.py, which other parts of the project import. These secrets are cached in .pyc files and can be recovered using tools like uncompyle6. Jesse Li found thousands of GitHub repos with secrets in checked-in Python bytecode. He created a small CTF-style lab to try it yourself.
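An added example (not from the post or from uncompyle6) of why the bytecode leaks: it builds a .pyc from a constructed secrets.py-style module, then walks the marshalled code object's constants to list the strings it carries, the check you would run over committed .pyc files in your own repos. The placeholder key and password values are constructed.

```python
import importlib.util
import marshal
import struct
import types

# Constructed stand-in for a gitignored secrets.py; the values are placeholders.
SECRETS_PY = '''
AWS_ACCESS_KEY_ID = "AKIA-CONSTRUCTED-PLACEHOLDER"
DB_PASSWORD = "hunter2-constructed-sample"

def get_token():
    return "tok_" + "constructed_inner_secret"
'''


def build_pyc(source: str, filename: str = "secrets.py") -> bytes:
    """Assemble a .pyc as CPython 3.7+ does: a 16-byte header, then the marshalled code."""
    code = compile(source, filename, "exec")
    # header = magic (4) + flags (4) + source mtime (4) + source size (4)
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(source))
    return header + marshal.dumps(code)


def strings_in_code(code: types.CodeType) -> list:
    """Collect every string constant, descending into nested function/class code objects."""
    found = []
    for const in code.co_consts:
        if isinstance(const, str):
            found.append(const)
        elif isinstance(const, types.CodeType):
            found.extend(strings_in_code(const))
    return found


def scan_pyc(data: bytes) -> list:
    """Return the string constants embedded in a .pyc written by this interpreter version."""
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic number does not match this interpreter; use the matching Python")
    return strings_in_code(marshal.loads(data[16:]))


if __name__ == "__main__":
    for s in scan_pyc(build_pyc(SECRETS_PY)):
        print(repr(s))
```

No decompiler is needed for the strings themselves; uncompyle6 only becomes necessary when you also want the surrounding source.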

Secure the software development lifecycle with machine learning
“At Microsoft, 47,000 developers generate nearly 30 thousand bugs a month. These items get stored across over 100 AzureDevOps and GitHub repositories.” The Microsoft team built an ML model that “correctly distinguishes between security and non-security bugs 99 percent of the time and accurately identifies the critical, high priority security bugs, 97 percent of the time.” They classify using only the bug title; see the whitepaper for more details.

“Curated list of security tools for Hackers & Builders!” Allows searching by tags, OS, license, etc. Super useful tools, this is a great resource 👌

Initial Analysis of Underhanded Source Code
Whitepaper studying common techniques in writing seemingly benign code that’s actually malicious + potential mechanisms for countering it.

OAuth
The Wonderful World of OAuth: Bug Bounty Edition
A brief overview of OAuth 2.0 and how it can be implemented incorrectly from a security perspective, with a focus on the authorization code grant type. Common bug categories include: weak redirect_uri configuration, improper handling of state parameter, assignments of accounts based on email address, and disclosure of secrets (client_secret).

Mix-Up, Revisited
Daniel Fett “A Mix-Up Attack on OAuth is an attack wherein the attacker manages to convince the client to send credentials (authorization code or access token) obtained from an “honest” authorization server to a server under the attacker’s control. I revisit simple mix-up attacks and mix-up attacks with OAuth Metadata and try to find out what happens if we put Pushed Authorization Requests (PAR) into the mix.”

OAuth Mixup Attack

Penetration Tester’s Guide to Evaluating OAuth 2.0 — Authorization Code Grants
“I’ll explain everything you need to know about OAuth from a security standpoint and provide a clear list of test cases so you can report high severity issues on your next engagement. This guide will cover the Authorization Code Grant flow.”
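Two of the bug categories listed above, weak redirect_uri matching and missing state checks, side by side with their hardened forms, as an added example that is not from any of the linked articles. The client registration and URIs are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed client registration: one client, one exact callback URI.
REGISTERED_REDIRECTS = {"client-123": {"https://app.example/cb"}}


def weak_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Weak configuration: prefix matching, a common source of redirect_uri bugs.

    Any URI that merely starts with the registered value is accepted, so path
    and query variations of the callback go through unchecked.
    """
    return any(redirect_uri.startswith(r) for r in REGISTERED_REDIRECTS[client_id])


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Hardened: exact string match against the registered URI, https only, no fragment."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS[client_id]


def new_state() -> str:
    """Unguessable per-request state, stored in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def state_ok(stored, received) -> bool:
    """Client-side check on the callback: reject a missing state or one not matching the session."""
    if not stored or not received:
        return False
    # Constant-time compare; encode so a non-ASCII value cannot raise instead of failing closed.
    return hmac.compare_digest(str(stored).encode(), str(received).encode())
```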

Web Security

Authentication Token Obtain and Replace (ATOR) Burp Plugin: Fast and Reliable plugin to handle Complex Login Sequences
Seems like a super useful Burp plugin for handling session management (CSRF tokens, APIs using auth tokens, JWTs in headers, etc.). source code


BurpSuite Extensions: Some Favorites
A list of useful Burp extensions.

Releasing the CAPTCHA Cracken
F-Secure Labs on cracking CAPTCHAs at scale, including those that have heavy anti-automation defenses.

Cloud Security

AWS Foundational Security Best Practices standard now available in Security Hub
“The AWS Foundational Security Best Practices standard implements security controls that detect when your AWS accounts and deployed resources do not align with the security best practices defined by AWS security experts. In the initial release, this standard consists of 31 fully-automated security controls in supported AWS Regions, and 27 controls in AWS GovCloud (US-West) and AWS GovCloud (US-East).” docs

“Stormspotter creates an “attack graph” of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and supercharges your defenders to quickly orient and prioritize incident response work.”

Stormspotter Screenshot

Container Security

Securing K8s Ingress Traffic with HashiCorp Vault PKIaaS and JetStack Cert-Manager
“In this article, we will see how to automate the creation and management of the lifecycle of TLS certificates in a Kubernetes environment with HashiCorp Vault and its PKI secret engine as well as JetStack cert-manager.”

Container Threat Detection conceptual overview
Pre-release GCP product. Container Threat Detection's instrumentation collects low-level behavior in the guest kernel to detect potentially malicious behavior like a binary that was not part of the original container image being executed, a library that was not part of the original container image being loaded, or a process being started with stream redirection to a remote connected socket (reverse shell).

Red Team

GIMPLE (a family of intermediate representations for GCC) obfuscator for C, C++, Go, … all supported GCC targets and front-ends that use GIMPLE.

Breaking Typical Windows Hardening Implementations
Some hardening configurations that are typically set in Group Policy settings and ways to bypass them.

VS Code Decompiler Extension
Decompile right from your IDE. Leverages Ghidra, IDA Pro, JadX/JD-CLI/dex2jar for Java and Android.

Blue Team

Introducing the new alerting framework for Elastic Observability, Elastic Security, and the Elastic Stack
“We’re excited to announce a new alerting framework that delivers a first-class alerting experience natively within the SIEM, Uptime, APM, and Metrics applications as part of the Kibana 7.7 release.”

Politics / Privacy

Senate Votes to Allow FBI to Look at Your Web Browsing History Without a Warrant
As part of a reauthorization of the Patriot Act. Cool, thanks.

What I’ve learned by watching the American press try to cover Trump
Tweet thread by NYU professor Jay Rosen on how the way the media has historically worked was (and is) fundamentally unprepared and ill-suited for covering Trump.

Network Security

A Scapy-based network analyzer that can read/write .pcap files, monitor ARP requests/responses, sniff on multiple interfaces, monitor HTTP requests, sniff in asynchronous mode, and more.

Linux
A list of tools, posts, and other resources about hardware and firmware security.

Linux Productivity Tools
Nice slides overview of shell basics like streams, pipes, find, awk, sed, etc.

SSH Tips & Tricks
Add a second factor, use agent forwarding safely, exit stuck sessions, keep a persistent terminal open on the remote host, share a remote terminal session with a friend.

Misc
Google’s list of fuzzing dictionaries

Learn what different jobs are like from people who’ve done them.

Exploring Solidity’s Model Checker
Apparently they’re developing a model checker within the Solidity compiler itself. Specifications are written inline using the Solidity language.

A 3-tiered Approach to Securing Your Home Network
By Daniel Miessler:


Never attribute to stupidity that which is adequately explained by opportunity cost

What I have come to believe is that: prioritization is the most value creating activity in any company. Generating ideas and executing things is of course also important! But what I’ve seen to set apart great teams from good is a brutal focus on prioritization. This means generating an absurd amount of ideas and throwing 99% of them out of the window, to focus on the 1% that have the highest impact.

Optimising for optionality
Some thoughts from my bud Jon Hawes:

  1. Optimise for time to be creative vs doing repetitive tasks; care how we use our brainpower; never be in a position where we can’t innovate because we must do the mundane
  2. Optimise to be able to discard parts of our tech stack; we should make architecture work for us with that intent; that’s where our emotional investment and political capital should be spent
  3. Optimise to continually lower the cost of rapid and deep exploration for value creation / delivery at all levels of a value chain; avoid multi layer, tangled complexities (even if they’re clear to everyone and easy to understand), as well as shallow and obvious ones


How Silicon Valley tries to solve everything

Coronavirus
Sure, The Velociraptors are Still On The Loose, But That’s No Reason Not to Reopen Jurassic Park
An amusing skewering of the decision to remove shelter-in-place too early.

U.S. Secret Service: “Massive Fraud” Against State Unemployment Insurance Programs
Krebs on Security: “A well-organized Nigerian crime ring is exploiting the COVID-19 crisis by committing large-scale fraud against multiple state unemployment insurance programs, with potential losses in the hundreds of millions of dollars, according to a new alert issued by the U.S. Secret Service.”

The Coming Disruption
Another article by Scott Galloway on how he predicts coronavirus will cause many tier 2 universities to go under and the top ones (e.g. MIT, Stanford, Harvard) will partner with tech companies (e.g. Google, Microsoft, Apple) to create a hybrid education for a more massive audience.

At universities, we’re having constant meetings, and we’ve all adopted this narrative of “This is unprecedented, and we’re in this together,” which is Latin for “We’re not lowering our prices, bitches.” Universities are still in a period of consensual hallucination with each saying, “We’re going to maintain these prices for what has become, overnight, a dramatically less compelling product offering.”

📚 Building Your Career in Security, Specializing, and More

Some snippets from a great Twitter thread by Scott Piper:

Happy anniversary to Summit Route! 3 years ago today I started my AWS security consulting business.

With recent tech layoffs happening, perhaps I can offer some advice as I’ve had some success with this life path and believe there are similar consulting opportunities.

I had been the sole security person at a company before this wearing too many hats. I wanted to focus and be an expert in something. I was doing our surveillance cameras, badge readers, appsec, corpsec, cloudsec, etc. I didn’t know much about AWS security.

I created http://flaws.cloud to teach myself and my team about AWS security issues. I tried finding someone to assess our AWS environment, and couldn’t find anyone. I knew there was demand (I wanted it) and lack of supply. The same is true in other areas today.

CloudMapper is open-source and can generate an assessment report, but companies will still bring me in to run that. Same as running burp or nmap, because you can add value to the process, interpretation of results, perform additional manual checks, integrate it to be automated.

They say it takes 10,000 hours to become an expert in something, but you can cheat by narrowly focusing your niche and finding one without existing experts. Knowledge is fractal. There is no top “science expert”, or “computer science expert”, or even “infosec expert”. Too broad.

As you narrowly focus, you’ll realize there are even narrower niches to focus on. The subject + task can further refine the niche. (Security assessment with internal access, blackbox pentest externally, setting up monitoring & alerting, incident response, etc).

No company is perfect at everything. Just as your last/current company had blind spots, so do others. Those blind spots are different.

The things you did well at, you can sell as an engagement to help improve another company. Spend some time building tooling for it (maybe even have a company pay for that time) and open-source it. It won’t destroy your business to make that public. It’ll actually help market it.

Some companies will just use your tools, but they would not have been clients anyway. Some of those might improve your tools in some ways though, maybe via PRs but possibly just private DMs about issues. Same with blog posts or publicly offering advice.

The rising tide will raise all ships. You’ll feel good, the world will have become a better place, and you’ll make some money along the way.

There is still more to do, and importantly there are many other areas outside of AWS that can be improved by having someone focusing on them publicly, outside the walls of a single company.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

@clintgibler @tldrsec