Hey there,
I hope you’re doing well, and that you got to spend some quality time with loved ones this past weekend.
The tl;dr sec branded chocolates, flower arrangements, and Valentine’s Day cards didn’t come in on time for the merch store, but hopefully next year.
Sponsor’d
Thank you so much for everyone who reached out about sponsoring tl;dr sec! I’m floored by how many people want to support these efforts 🙏
tl;dr sec is mostly sold out through the rest of the year! And it’s only *checks steam punk pocket watch* February. Phew.
Pro-tip: if you want to ensure that you continue doing something, have someone else put money down on the fact that you will. It’s a much stronger enforcement mechanism than willpower 😅
Sponsor
📢 ⚡ Register Now for ZAPCon
The first-ever user conference for OWASP ZAP is taking place March 9th! This virtual event will dig into using ZAP at scale and application security best practices. Your free ticket will let you watch sessions, chat with speakers, and connect with other ZAP users. If you are interested in AppSec and how you can use the world's most widely used web app scanner, you won't want to miss ZAPCon!
Get Your Free Ticket
📜 In this newsletter...
🔗 Links:
- AppSec: Defending against dependency confusion, tool to grok new code bases more easily
- Securing CI/CD: NCSC on protecting software build pipelines, building a secure pipeline for Infra as Code
- Electron Security: GitHub action for scanning Electron apps, Electron APIs that can be abused for high impact
- Web Security: Burp extension to easily "send to" CLI tools, CLI tool to generate temporary email addresses and read OTPs and other info from them, ffuf primer
- Cloud Security: Tool to get your assets from cloud providers, Scott Piper's up for grabs security project ideas, visual editor for learning how to create Network Policies for Kubernetes
- Misc: Tool for tracing IPC on Linux, illustrated guide to bitcoin mining and the blockchain, Slate Star Codex returns, new Bruce Lee-inspired TV show, Daniel Miessler entrepreneurial thoughts
- How we put Facebook on the path to 1 billion users: By ignoring "virality"
AppSec
visma-prodsec/confused
Last week I mentioned some work by Alex Birsan who successfully typosquatted internal package names for a number of companies. This tool by Joona Hoikkala aims to combat this attack by checking for lingering free namespaces for private package names referenced in dependency configuration for Python (PyPI, requirements.txt), JavaScript (NPM, package.json), or PHP (Composer, composer.json).
Flávio Heleno shared with me this article describing what Composer does to prevent dependency confusion. They seem to have thought through this threat scenario well and even allow you to place an exclude filter on third-party package repositories banning packages that do not start with the your-org/ prefix.
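A minimal version of the kind of check described above, written here as an added example (it is not confused's own code): it parses the three manifest formats named in the paragraph, applies an assumed naming convention for internal packages (org prefix or npm scope), and reports which internal names are still unclaimed on the public registry and which already exist there. The registry lookup is injected as a callable so the example runs offline; the manifests and package names are constructed.

```python
import json
import re

# Constructed sample manifests for this example; every package name is made up.
REQUIREMENTS_TXT = """\
requests==2.25.1
acme-billing-core>=1.2   # internal library
acme-auth-client
"""
PACKAGE_JSON = json.dumps({"dependencies": {"lodash": "^4.17.0", "@acme/ui-kit": "1.0.0"},
                           "devDependencies": {"acme-build-tools": "2.1.0"}})
COMPOSER_JSON = json.dumps({"require": {"monolog/monolog": "^2.0", "acme/payments": "^3.1"}})

def parse_requirements(text):
    """Dependency names from requirements.txt: drop comments, pip options, version specs."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank line or a pip option such as -r / --index-url
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(match.group(0).lower())
    return names

def parse_package_json(text):
    data = json.loads(text)
    return [n for key in ("dependencies", "devDependencies") for n in data.get(key, {})]

def parse_composer_json(text):
    return list(json.loads(text).get("require", {}))

def is_internal(name, org):
    """Assumed naming convention: internal packages carry the org as prefix or npm scope."""
    return name.startswith((f"@{org}/", f"{org}/", f"{org}-"))

def unclaimed_internal(names, org, registry_has):
    """Internal names nobody has published publicly yet: reserve them before someone else does."""
    return [n for n in names if is_internal(n, org) and not registry_has(n)]

def claimed_internal(names, org, registry_has):
    """Internal names that DO exist publicly: verify each one is yours, not a look-alike."""
    return [n for n in names if is_internal(n, org) and registry_has(n)]

def all_dependency_names():
    return (parse_requirements(REQUIREMENTS_TXT) + parse_package_json(PACKAGE_JSON)
            + parse_composer_json(COMPOSER_JSON))

if __name__ == "__main__":
    public = {"requests", "lodash", "monolog/monolog", "acme-build-tools"}  # stand-in registry
    names = all_dependency_names()
    print("unclaimed:", unclaimed_internal(names, "acme", public.__contains__))
    print("claimed:  ", claimed_internal(names, "acme", public.__contains__))
```

Swap the stand-in set for a real lookup (an HTTP HEAD against the package page on each registry) to turn this into a live check.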
CoatiSoftware/Sourcetrail
By Sourcetrail: A free and open-source cross-platform source explorer that helps you get productive on unfamiliar source code. It does lightweight static analysis on C, C++, Java, and Python source code to extract class and method definitions, member fields, class hierarchies, and more.

Securing CI/CD
Defending software build pipelines from malicious attack
Recommendations by the NCSC, covering topics including:
- Protect builds from each other - run them in containers/VMs instead of sharing an OS kernel, use network isolation, and prevent jobs from accessing each other’s build artifacts.
- Establish a chain of custody - ensure security checks are performed consistently and that the build isn’t modified afterwards (TLS everywhere, source code checksums).
- Consider a managed service for your build pipelines.
Pipelines need to be defended against attack at least as effectively as the environments they deploy to.
Building a secure CI/CD pipeline for Terraform Infrastructure as Code
Great blog post by OVO’s Chongyang Shi evaluating how to securely deliver infrastructure changes in CI/CD pipelines. He highlights current limitations of popular platforms, discusses what they’d like in an ideal solution, and finally presents the architecture they’ve decided on that meets those requirements. Great discussion of the team’s reasoning and thought process 👍

Electron Security
Electronegativity GitHub Action
Use this GitHub Action to easily run Electronegativity, a tool by Doyensec that identifies misconfigurations and security anti-patterns in Electron applications, in GitHub CI/CD. The Action produces a GitHub compatible SARIF file for uploading to the repository’s ‘Code scanning alerts’.
Electron APIs Misuse: An Attacker’s First Choice
Doyensec’s Luca Carettoni and Lorenzo Stella discuss a list of APIs they’ve successfully abused during past engagements for high impact, like RCE.
Web Security
bytebutcher/burp-send-to
By @bytebutcher: Burp extension that adds a customizable “Send to…” context menu, enabling you to easily pass input to arbitrary CLI tools, like sqlmap, gobuster, etc. Here’s a blog post about it by @ƒyoorer.
s0md3v/ote
A CLI tool by Somdev Sangwan that generates temporary email addresses and automatically extracts OTPs or confirmation links from the incoming mails, using 1secmail.com’s API to generate the temporary addresses.
A ffuf Primer
Nice overview and walkthrough by Daniel Miessler of the Golang CLI web fuzzing tool ffuf.
Cloud Security
projectdiscovery/cloudlist
By @projectdiscovery: “a multi-cloud tool for getting Assets (Hostnames, IP Addresses) from Cloud Providers.” Can be used by blue teams to augment Attack Surface Management efforts by maintaining a centralized list of assets across multiple clouds with little configuration effort.
AWS security project ideas
Scott Piper has decided to shut down his consulting business and join Aurora, a self-driving car company. This blog post lists some neat AWS security projects that would push the industry forward. If you’re looking for somewhere to get started, check it out!
Cilium Editor
By Cilium: A visual editor for learning how to create Network Policies for Kubernetes. The tutorial “explains basic network policy concepts and guides you through the steps needed to achieve the desired least-privilege security and zero-trust concepts.”

Misc
guardicore/IPCDump
By Guardicore: A tool for tracing interprocess communication (IPC) on Linux. Useful for debugging multi-process applications or understanding how the different moving parts in your system communicate with one another. It covers most of the common IPC mechanisms – pipes, FIFOs, signals, Unix sockets, loopback-based networking, and pseudoterminals. It collects info from BPF hooks placed on kprobes and tracepoints at key functions in the kernel, though it also fills in some bookkeeping from /proc.
An illustrated guide to bitcoin mining and the blockchain
Nice entry-level overview by The Hustle’s Zachary Crockett, told through a gold mining metaphor.

Still Alive - Astral Codex Ten
The author of Slate Star Codex reflecting on closing down his blog, and now starting things again. Funny, insightful, and reflective.
Warrior on HBO Max is a pulpy, Bruce Lee-inspired joy
Bruce Lee’s daughter, Shannon, found an 8-page manuscript her father had written that has now been made into a two-season show on HBO Max. 1870s San Francisco Chinatown, rival gangs, Western-esque, excellent martial arts sequences – I haven’t watched it yet but it sounds great.
Tech entrepreneurship thoughts from Daniel Miessler’s newsletter:
Ask yourself: “What are the awesome technologies that are hard for companies to take advantage of?”, and, “What company can I start to make that easy for them?”
Chamath Palihapitiya - how we put Facebook on the path to 1 billion users
H/T Pablo Estrada for the link.
I teased out virality and said: You cannot do it. Don’t talk about it, don’t touch it, I don’t want you to give me any product plans that revolve around this idea of virality — I don’t want to hear it.
What I want to hear about are the three most difficult and hard problems that any product has to deal with:
- How do you get people in the front door?
- How do you get them to an a-ha moment as quickly as possible?
- And how do you deliver core product value as often as possible?
After all of that is said and done, only then can you propose to me about how you are going to get people to get more people.
And that single decision about not even allowing the conversation to revolve around virality was the most important thing that we did.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler