Hey there,

I hope you’ve been well!

Academic #truth

Academia can be tough. Thanks @yin_psyched for helping me laugh about it though.

Your Novel Research Idea

🎉 New Job!

I’ve accepted a new role!

A few months ago I became Head of Security Research at r2c, a hip San Francisco-based start-up building Semgrep, an open source, lightweight static analysis tool.

To be honest, it was really tough leaving NCC Group- my colleagues were brilliant, the work was challenging and interesting, and I got to personally help dozens of companies a year improve their security posture.

NCC Group was a career making experience for me. Like a blade tested in a forge, I rapidly improved my security expertise, built a valuable network of security professionals and friends, and had the opportunity to speak at conferences around the world.

I will forever be grateful to NCC Group and my colleagues there, who helped set me up for a successful career and made me the security professional I am today. Thank you 🙏

But when a uniquely exciting opportunity came my way, I had to take it. I wrote a post about my decision, see below.


📢 Sqreen: The Essential Guide to RASP

The new NIST 5 has just been released and now recognizes RASP (Runtime Application Self-Protection) as critical to reducing risk from software vulnerabilities. RASP uses instrumentation to detect and block the exploit of vulnerabilities by taking advantage of the app's runtime. Read the essential guide to RASP to learn more.

Get the Guide

📜 In this newsletter...

🔗 Links:
  • AppSec: Three GitHub-themed CTF challenges, best practices for hardening GitHub Actions
  • Fuzzing: Two epic lists of fuzzing papers
  • Web Security: Tool to sync Burp HTTP traffic, comments and highlights in realtime, tool for reversing Google Web Toolkit apps
  • Container Security: Dockerfile security best practices + OPA rules to enforce them, a Kubernetes add-on that injects TLS certs into your containers, Kubernetes security demos, restricting a container's syscalls with seccomp
  • Blue Team: APT tactics in an open source adversary emulation repo, LD_AUDIT runs before LD_PRELOAD, block some forms of malware by setting up LD_PRELOAD whitelisting
  • Red Team: Collaborative reverse engineering with Ghidra Server
  • Politics / Privacy: FAQ to combat election-related disinformation, Iran behind fake voter intimidation emails, massive US voters and consumer databases circulate on hacker forums
  • Misc: A political + tech pun, 27 pages on benchmarking "hello world," free book on Chaos Engineering, Daniel Miessler on writing well, quantum random number generator as a service
📚 The future of AppSec and why I joined r2c

My reasoning behind joining r2c and my views on where the future of application security is headed, based my experiences speaking and working with dozens of companies.


Hack this repository: The EkoParty 2020 GitHub CTF challenges
Neat write-up by Bas Alberts on their GitHub CTF challenges: use SSH key from git history to clone a private repo, a GitHub Action vulnerable to command injection that can be exploited by a maliciously crafted GitHub Issue, and then use that vulnerability to exfiltrate a secret from the private Action environment.

Security hardening for GitHub Actions
GitHub’s best practice docs for securing GitHub Actions.


Two epic lists of fuzzing papers, H/T Richard Johnson:

Web Security

Hack with friends! Syncs in-scope requests/responses, comments, and highlights across multiple Burp Suite instances in realtime, by Bishop Fox’s Joe DeMesy.

GWTMap - Reverse Engineering Google Web Toolkit Applications F-Secure’s Oliver Simonnet describes GWTMap, “a new tool to help map the attack surface of Google Web Toolkit (GWT) based applications. The purpose of this tool is to facilitate the extraction of any service method endpoints buried within a modern GWT application’s obfuscated client-side code, and attempt to generate example GWT-RPC requests payloads to interact with them.”

Container Security

Dockerfile Security Best Practices
Spotify’s Gianluca Brindisi discusses a number of Dockerfile security best practices and shares corresponding OPA rules you can use to scan your Dockerfiles with using conftest. Practices include: don’t store secrets in environment variables, only use trusted base images, don’t use the latest tag for base images, avoid curl | bash-ing, don’t apt-get upgrade, don’t use ADD if possible, and don’t use root or sudo.

“A Kubernetes add-on that automatically injects TLS/HTTPS certificates into your containers” by smallstep.

Demos of various Kubernetes security features, including Network Policies, Security Context, and Pod Security Policies, by Cloudogu.

Restrict a Container’s Syscalls with Seccomp

Seccomp stands for secure computing mode and has been a feature of the Linux kernel since version 2.6.12. It can be used to sandbox the privileges of a process, restricting the calls it is able to make from userspace into the kernel. Kubernetes lets you automatically apply seccomp profiles loaded onto a Node to your Pods and containers.

Identifying the privileges required for your workloads can be difficult. In this tutorial, you will go through how to load seccomp profiles into a local Kubernetes cluster, how to apply them to a Pod, and how you can begin to craft profiles that give only the necessary privileges to your container processes.

Blue Team

Emulate various APT threat actors using the threats enumerated in this adversary emulation repo, which supports SCYTHE threats and MITRE ATT&CK Navigator (both use JSON). Another example of the “detection-as-code” theme (see also tl;dr sec 55), in which defenders are codifying adversary behavior to ensure detections are repeatable and work as expected.

Leveraging LD_AUDIT to Beat the Traditional Linux Library Preloading Technique
In Linux, LD_PRELOAD is often used by threat actors to intercept library calls (for process hiding and rootkit implementation in user space) and to inject code in general. SentinelOne’s Lior Ribak describes how LD_AUDIT runs before LD_PRELOAD, which can be used by defenders to prevent this malicious behavior, or by attackers to write more stealthy malware.

Whitelisting LD_PRELOAD for Fun and (No) Profit
Linked by the above article, Tony Lambert wrote libpreloadvaccine, which enables you to whitelist what libraries you expect to use LD_PRELOAD, making it harder for malware to abuse this functionality.

Red Team

Collaborative Reverse Engineering with Ghidra Server
Given that the NSA has teams of people hunting for bugs, it’s not surprising that Ghidra has built-in functionality for “shared projects,” enabling reversers to easily share progress, annotations, and more. This post by Omar Darwish has a nice intro and overview of Ghidra’s collaboration features.

Politics / Privacy

Rumor Control | CISA
Nice short write-ups on rumor vs reality to combat election-related disinformation, by the Cybersecurity & Infrastructure Security Agency.

US govt: Iran behind fake Proud Boys voter intimidation emails
“The US govt has stated that Iran is behind threatening emails sent to Democratic voters warning that they must vote for Trump or face consequences.”

Massive US Voters and Consumers Databases Circulate Among Hackers
Trustwave’s Ziv Mador reports on multiple instances of U.S. voter databases being sold on hacker forums, ranging from 186 - 245 million records. Depending on the dump, this data includes full name, physical address, phone number, ethnic group, political affiliation, and more. This info can be used for more effective social engineering scams and to spread disinformation about the election. According to Bitcoin transactions the researchers obtained, the cybercriminal group made $100 million USD in the last five months alone.


Politics + Tech Pun

Brexit Free Up

Benchmarking “Hello, World!”
It’s Friday night, you’ve just poured yourself a tall glass of red wine, and you’re looking to relax after a tough week. Enter this 27 page PDF by Dr. Richard L. Sites on the difficulties of truly evaluating performance, distributed systems challenges, etc. H/T Collen Dai.

Programmers have pictures in their heads of what their programs are doing. Those pictures are too simplistic and essentially always wrong. Sometimes the performance problem they are looking for is in the missing parts, or in the not-visible dynamics of “event A causes event B”, with time sequencing and cause and effect not observed at all.

The Chaos Engineering Book
Casey Rosenthal chartered the Chaos Engineering Team at Netflix, and you can now download the book on chaos engineering he and Nora Jones wrote for free! Topics include: where Chaos Engineering came from, mental models to challenge mainstream thinking on system reliability, and contributed chapters from people at Slack, Google, Microsoft, LinkedIn, and CapitalOne.

How to Write Well
Advice from the impressively prolific Daniel Miessler:

  1. Clear writing is only possible with clear thinking, so start with an outline.
  2. Fancy language communicates deception, so write like you’re talking to someone.
  3. Wandering sentences lose the reader, so be clear and direct.
  4. Flow creates impact, so alternate between short and long sentences.

QuantumRNG-aaS - Making use of Quantum Algorithms
A proof of concept implementation by Mark Cardinal of using IBM’s Quantum Experience platform to generate the entropy pool for a cryptographically secure pseudorandom number generator (CSPRNG). Because lol, why not?! 🤘 Friendly reminder: friends don’t let friends buy products with “quantum computing” in their name.

Quantum State Meme

📚 The future of AppSec and why I joined r2c

During my final few years at NCC Group, I spent thousands of hours watching security conference talks, reading technical blog posts, and having frank conversations with security engineers at many forward-thinking tech companies. This lead to me giving a number of talks in which I collected the best tips and tactics into one tome of a slide deck (latest slides).

I began to find that there were some initially surprising, but consistent trends. Things that were a bit different than what was commonly discussed publicy.

In short, I found that many AppSec teams were deprioritizing finding vulnerabilities, and instead building secure defaults and then using lightweight tools to enforce their use. When done properly, this can eliminate certain vulnerability classes from ever occuring in the first place.

Google, Microsoft, Facebook, Netflix, Dropbox, DocuSign, and many other companies have written about this, and I think it’s a key shift in the industry.

And as with all big shifts (for example, the adoption of Agile/DevOps, cloud infrastructure, and containers), it requires a shift in our tooling and approach.

If this sounds interesting, check out my blog post for more details.

Bonus The post includes anecdotes like:

  • The rude awakening I faced as an academic, seeing how security works in the Real World™
  • What happens when you smack talk an entire Gartner quadrant in an off-the-record session at AppSec USA, when people in sales at the relevant companies are there 😅
  • Why I should have been a bit cheekier and requested $150,000 for 2 weeks of work
  • What happened when I gave critical feedback to r2c’s CEO on my first day
  • How r2c’s CTO built a proof-of-concept of an idea I mentioned in passing, in two days 🚀

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!