Hey there,
I hope you've been doing well!
How It Actually Works
I wanted to give a shout out to this newsletter by Trevor McKendrick.
It's a weekly, nicely curated list of links on writing, productivity, inspiration, tech, Twitter, and more.
This week I came across the Section 230 and First Amendment links (below) from his newsletter, so thanks!
News
A few cool things have happened recently.
I was invited to reflect on security trends in Portswigger's Swig Security Review 2020 along with a number of great people.
On the work front:
- r2c was called out as the "Disruptive Innovator" in the 2020 Forbes Cybersecurity Awards.
- Semgrep was included in The Daily Swig's latest web hacking tools roundup of Q4 2020.
- Trail of Bits used Semgrep to assess the backend code of The Markup's Facebook Inspector.
- And Semgrep was even referenced as a "nice to have" in a job description on Hacker News.
I'm pretty sure the next step is to be covered in a drama by David Fincher. I call dibs on being played by Justin Timberlake. Or Keanu, but like, Keanu as John Wick as me.
Sponsor
Codify your cloud security with Bridgecrew
Bridgecrew embeds security directly into developer workflows. By leveraging automation and delivering security-as-code, our platform empowers teams to find, fix, and prevent misconfigurations in deployed cloud resources and in infrastructure as code without slowing them down. Streamline your infrastructure security from commit to cloud with Bridgecrew.
Get started for free!
In this newsletter...
Links:
- AppSec: CLI tool to search Rego policies, four levels of maturity in how AppSec and Eng teams can work together re: automation
- Web Security: Browser extension to edit/replay HTTP traffic without a separate proxy, NoSQL injection tool
- Cloud Security: Updated AWS Security Maturity Roadmap, Serverless framework will gobble your AWS creds, automate existing AWS infra -> infra as code
- Container Security: Netflix on using user namespaces for container security defense-in-depth
- Blue Team: Resources on defending against Cobalt Strike, Linux hardening guide
- Politics / Privacy: WhatsApp will share your info with creepy-uncle parent company Facebook, Section 230 FAQ, First Amendment FAQ
- Bro, Do You Even Rust?: Memes, when to use C, Flash emulator in Rust, experimental OS written in Rust
- Capitol Reflections: As much as I'd prefer to avoid it, I feel compelled to share at least a few relevant links
AppSec
policy-hub/policy-hub-cli
The Open Policy Agent (OPA) project provides a policy language, Rego, that can be used to automate policy enforcement (e.g. for compliance, security, Kubernetes, microservice authorization, policies that define organisational best practices, etc.). This is a CLI tool that makes Rego policies searchable.
Four levels of maturity that bridge the AppSec / engineering divide
Django co-creator Jacob Kaplan-Moss describes four levels of maturity in how AppSec teams and engineering can work together productively as they build a continuous integration and automation pipeline:
- Security finds problems; Engineering fixes them
- Security and Engineering collaborate to produce test cases and remediations
- After the issue is fixed, Security and Engineering collaborate to find systemic fixes and develop checks
- Security and Engineering now also proactively look for new classes of issues and create systemic checks before an actual problem occurs
Web Security
Tamper Dev
A browser extension that lets you edit HTTP(S) requests and responses without a proxy. So like Burp Suite/ZAP, but just your browser.
Charlie-belmer/nosqli
A CLI tool for finding sites vulnerable to NoSQL injection, with a focus on MongoDB, by Charlie Belmer. Charlie works at DuckDuckGo and has a nice blog with articles about security and privacy, and a mailing list if you want to keep up with the cool stuff he's working on.
Cloud Security
AWS Security Maturity Roadmap 2021
The third annual release of Scott Piper's excellent guide for securely running on AWS. Probably one of the best, concise, actionable guides on this I know of.
@goserverless will copy up your AWS API creds to their service and execute things on your behalf
Oof, thanks Corey Quinn for the heads up.
Accelerate infrastructure as code development with open source Former2
If you have existing AWS infrastructure that has not yet been ported to infrastructure as code, you can use Former2 (landing page, GitHub) to automatically generate CloudFormation, Terraform, or Troposphere templates from your existing AWS resources.
Container Security
Evolving Container Security With Linux User Namespaces
Nicely detailed blog post by Fabio Kung and the Netflix container team on the challenges of securing containers in multi-tenant systems and how adopting user namespaces ("rootless containers") helps them embrace defense-in-depth. Great overview of the problem space, and a discussion of how their architecture has changed over time.


Blue Team
MichaelKoczwara/Awesome-CobaltStrike-Defence
Repo by Michael Koczwara collecting hunting and detection tools, YARA rules, indicators of compromise, research articles and more re: detecting the use of Cobalt Strike.
Linux Hardening Guide
Pretty massive hardening guide covering a range of topics including kernel hardening, mandatory access control, sandboxing, hardened memory allocator and compilation flags, memory safe languages, the root account, firewalls, identifiers, file permissions, core dumps, entropy, physical security, and more.
Politics / Privacy
WhatsApp gives users an ultimatum: Share data with Facebook or stop using the app
Wait whaaat, Facebook wants access to your private data?! No one could have seen this coming.
Hello! You've Been Referred Here Because You're Wrong About Section 230 Of The Communications Decency Act
Great TechDirt article by Mike Masnick if you're curious about how or when Section 230 applies, or if you're tired of explaining it and just want to link people to something.
Hello! You've Been Referred Here Because You're Wrong About The First Amendment
Same as above, but for the First Amendment.
Bro, Do You Even Rust?
"Have you considered rewriting in Rust?" has been said so many times that it's become a meme.
But I think there's something to it. For one example: Microsoft: Rust Is the Industry's "Best Chance" at Safe Systems Programming. I came across a few Rust-related links this week so I decided to group them.
I also wrote up a handy cheatsheet in case you're considering using C:

Like smoking or eating Big Macs for every meal, while it's not illegal to use C in 2021, it should be discouraged.
Ruffle
Sad that Flash is going away? Then check out this Flash Player emulator written in Rust. Because - why not?
theseus-os/Theseus
"A new OS written from scratch in Rust to experiment with novel OS structure, better state management, and how to shift OS responsibilities like resource management into the compiler."
Capitol Reflections
Hey friend. It's a stressful time right now. I know I feel it. So I put this in its own section at the end so you can skip it if you'd like.
I generally don't write about politics, as I'd rather not, but I think this is too momentous a point in history to not at least mention.
I'm proud of America and being an American. We're in a tough spot, but we'll pull through. The key is being kind to each other, embracing listening over shouting, and taking threats against democracy seriously.
US allies say Trump attempted coup with help from federal law enforcement
A French police official responsible for public security in a key section of central Paris and two intelligence officials from NATO countries who directly work in counterterrorism and counterintelligence operations involving the US, terrorism, and Russia said the circumstantial evidence available pointed to what would be openly called a coup attempt in any other nation.
… they believed that an investigation would find that someone interfered with the deployment of additional federal law-enforcement officials on the perimeter of the Capitol complex; the official has direct knowledge of the proper procedures for security of the facility.
"The broader damage around the world will be extensive in terms of reputation, and that's why Putin doesn't mind at all that Trump lost. He's got to be happy to take his chips and count his winnings, which from the Trump era will be a shockingly quick decline in American prestige and moral high ground.
"Every moment the Americans spend on their own self-inflicted chaos helps China, it helps Putin, and, to a lesser extent, it helps the mini-dictators like Erdogan and Orban, who breathe cynicism about politics, human rights, and democracy as their air," the official said.
Here are some recent things I find especially concerning:
- A number of outside groups were given a tour of the Capitol complex on January 5th (the day before), which would only have been permitted entry by a member of Congress or a staffer. Capitol tours have been prohibited since March due to COVID-19.
- Looters found their way to Congressman Clyburn's unmarked, third floor office instead of his clearly marked ceremonial office in Statuary Hall, and one of the rioters told The New York Times that a Capitol Police officer directed them to Senate Democratic Leader Chuck Schumer's office.
- Every panic button in Congresswoman Pressley's office was torn out before the rioters entered the Capitol. That implies someone with access to her office had purposefully done this beforehand.
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them.
Thanks for reading!
Cheers,
Clint
@clintgibler