Hey there,
I hope you’re doing well, and that you had a great Superb Owl last weekend.
Learning to Draw in Procreate
Speaking of owls, recently I drew this:
Drawing has been something I’ve historically found pretty frustrating (I mostly peaked with stick figures in grade school), but recently I’ve been following some Procreate tutorials on my iPad, and it’s been fun.
If you’re similarly artistically challenged, I’d recommend the Youtube channel “Art with Flo.” She has a nice “You Can Draw This” series that I’ve found almost impossible to screw up, like this sunset landscape.
Semgrep App: Now with Fix Rate, Auto-Setup, and More
My patron day job, r2c, is releasing a baker’s dozen of new features today. Here’s a few:
Fix rate: Are developers actually fixing the bugs you’re finding? If not, easily disable or tweak rules to make them higher signal.
Auto project setup: Semgrep App can now auto create PRs that will set up Semgrep scanning on all of your repos in minutes.
New languages: In the last few months, community members have contributed alpha support for 4 languages: C#, Rust, Lua, and R. They’re not quite production ready, but it’s pretty cool to see this level of community involvement.
Learn more Semgrep here.
Share the Mic in Cyber
There are never enough talented security professionals for the challenges we face as an industry, and to build secure and abuse-resistant products, we need a broad variety of perspectives. Further, it’s hard to get into a field if you’re on the outside, especially when you don’t see many people like you in it.
Which is why I think events like #ShareTheMicInCyber are great.
On March 19th they’re going to be celebrating the stories of successful African American security practitioners. Check it out!
Sponsor
📢 Protect Access to Your SaaS Data with AppOmni
SaaS applications have evolved into complex platforms that provide access not only to internal users, but also to external users, 3rd party apps, contractors, and managed service providers. In short, there are now more categories of users, and more data access points for attackers to exploit. Over 95% of enterprises we’ve analyzed have over-provisioned external users with access to sensitive data. See who has access to your business-critical data with AppOmni’s free risk assessment.
Get a free risk assessment📜 In this newsletter...
🔗 Links:- AppSec: Automating ASVS level 1 with ZAP, Kubernetes-based CTF platform, exploiting Java deserialization in 2021, automating vulnerability triage for open source
- Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies: Typosquat company internal package names ➡️ profit
- Web Security: Electron browser for finding XSS in the background
- Cloud Security: Automatically compile an AWS SCP that only allows services in line with your compliance needs, autogenerate IAM policy from AWS client-side monitoring, how to do authn/authz on Lambdas
- Container Security: A practical guide to writing secure Dockerfiles
- Politics / Privacy: Fingerprint website visitors via favicons, AI can now learn to manipulate human behavior
- Twitter: @litcapital for dank finance memes
A detailed walkthrough of how Jacob Salassi scaled threat modeling at Snowflake, including all the mistakes and lessons learned along the way.
AppSec
OWASP ASVS 4.0 Testing Guide
An unofficial guide by BlazingWindSec that
describes how to automatically test level 1 controls for much of the ASVS
standard using tools like OWASP ZAP.
kCTF: a Kubernetes-based infrastructure for CTF competitions
Open source project by Google. Each challenge gets its own node, flags stored as
k8s secrets. H/T Ishaq Mohammed for the
link.
Testing and exploiting Java Deserialization in 2021
Great overview by Lukasz Mikula of what
deserialization is, its root cause, auditing source code for deserialization
vulnerabilities, testing with Ysoserial and discussion of its payloads, and
troubleshooting exploitation attempts that aren’t quite working.
Launching OSV - Better vulnerability triage for open source
It can often be a pain to map a CVE to the vulnerable package versions, both as
a user to determine if you’re affected, as well as for the overworked package
maintainer to determine all affected versions and commits. This promising
project by Google aims to reduce this burden by attempting to automatically
determine affected package versions by, given a reproduction test case + how to
build the app, bisects to find the impacted commit ranges and version/tags.
Currently the data is mostly C/C++ data from OSS-Fuzz, but they’re working to extend it with data from language ecosystems like NPM and PyPI. They’re also providing an API (here) you can query.
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
Alex Birsan used OSINT (crawling public JavaScript on websites, searching GitHub and major package hosting services) to find leaked names of internal company packages. He then typosquatted those names on NPM, Rubygems, or PyPi with a payload that beaconed back the username, hostname, and current path of each unique installation via DNS so the connection could get out from corporate networks.
These backdoored dependencies were ran inside more than 35 organizations to date across all three tested programming languages, earning Alex a $30K bounty each from Shopify, Apple, and PayPal, and $40K from Azure. Netflix, Yelp, and Uber were also affected.
Fun fact: several package managers, when specifying an internal index (e.g. pip
install <library> --extra-index-url ...) look to see if library exists on the
specified internal package index as well as the public one, and if so,
installs whichever has a higher version. That is, an attacker’s typosquatted
package just needs to use a high version number and it will be selected. Package
managers, y u do dis 😅😅?!?!
Web Security
RenwaX23/XSSTRON
By @RenwaX23: An Electron browser that will
automatically check for reflected, stored, and DOM-based XSS vulnerabilities in
the background as you browse. Supports GET and POST requests.
Cloud Security
salesforce/aws-allowlister
By Kinnaird McQuade and Jason Dyke: “Automatically compile an
AWS Service Control Policy that ONLY allows AWS services that are compliant with
your preferred compliance frameworks.” Currently supports: PCI, SOC 1/2/3,
ISO/IEC, HIPAA BAA, and FedRAMP Moderate and High.
iann0036/iamlive
Tool by Ian Mckay that can automatically
generate a basic IAM policy from AWS client-side monitoring (CSM).
How to Use AWS Services to Secure your Endpoints Without Provisioning Infrastructure
Great post by ScaleSec’s Anthony
DiMarco on how to choose a
technology for exposing your Lambdas, how to get free TLS certs from AWS, and
how to separate authentication and authorization logic from your business logic
with custom authorizers. For the latter, the post discusses Cognito User Pools,
IAM-based authorization, Lambda Authorizers, and OpenID Connect / OAuth 2.
Container Security
A Practical Guide to Writing Secure Dockerfiles
Slides by Madhu Akula that reference many great resources and tools, including:
- The Docker docs on Dockerfile best practices
- Building images with BuildKit
- Securely passing in secrets
- hadolint for linting Dockerfiles for best practices
- dockle: a container image linter for security
- DockerSlim for minifying a Docker image and autogenerating Seccomp and AppArmor profiles
- dive for exploring a Docker image and layer contents
- conftest, docker-security-checker, and more
Politics / Privacy
jonasstrehle/supercookie
Project by Jonas Strehle that uses favicons to fingerprint website visitors.
conventional cookies |
supercookie |
|
|---|---|---|
| Identification accuracy | - | 100% |
| Incognito / Private mode detection | ❌ | ✅ |
| Persistent after flushed website cache and cookies | ❌ | ✅ |
| Identify multiple windows | ❌ | ✅ |
| Working with Anti-Tracking SW | ❌ | ✅ |
AI can now learn to manipulate human behaviour
A team of researchers at CSIRO’s Data61, the data and digital arm of Australia’s national science agency, devised a systematic method of finding and exploiting vulnerabilities in the ways people make choices, using a kind of AI system called a recurrent neural network and deep reinforcement-learning.
…in one game the AI was out to maximise how much money it ended up with, and in the other the AI aimed for a fair distribution of money between itself and the human investor. The AI was highly successful in each mode.
The research has an enormous range of possible applications, from enhancing behavioural sciences and public policy to improve social welfare, to understanding and influencing how people adopt healthy eating habits or renewable energy. AI and machine learning could be used to recognise people’s vulnerabilities in certain situations and help them to steer away from poor choices.
The method can also be used to defend against influence attacks. Machines could be taught to alert us when we are being influenced online, for example, and help us shape a behaviour to disguise our vulnerability (for example, by not clicking on some pages, or clicking on others to lay a false trail).
There’s no way this research could play out poorly 😅😅
I stumbled across the handle @litcapital, which has some on point finance memes.
🔥 Appsec Development: Keeping it all together at scale
Out of 100s of AppSec articles I’ve read over the past few years, this is easily in my top 3 for threat modeling.
My bud Jacob Salassi and I wrote about his journey scaling threat modeling in a hypergrowth start-up: Snowflake.
Tons of detailed, actionable insights and a few spot-on Arrested Development memes.
If you’re lazy (or want to help promote the post), I wrote a short Twitter thread of the key points here.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,Clint
@clintgibler