Hey there,
I hope you've been doing well!
2020 DevSecOps Leadership Awards
DevSecCon announced the winners:
- Most effective DevSecOps team: CNCF Sig-Security
- Outstanding DevSecOps community: OWASP DevSlop
- Inspiring DevSecOps individual: Tanya Janca
A big congrats to all these great people doing great work, keep it up!
With (Mediocre) Power Comes…
One fun thing about tl;dr sec is that periodically people share neat articles with me that I wouldn't have otherwise seen, or share tools that haven't been publicly released yet.
Like endgame, if you saw that kerfuffle. And there's another tool in the works that I think will also cause a bit of splash. Keep an eye out.
Another thing I realized is that tl;dr sec in the wrong hands could be used to spoil the twist in some movie or TV show for a pretty decent number of people.
I'm not the type to do that, but it was a random shower thought I had.
Sponsor
📢 Use SpiderFoot HX for broader attack surface visibility
An attack surface is made up of more than open ports and hostnames; you need a full spectrum of OSINT. If you already know this, then you've probably hit the next hurdle: automating collection and correlation of all that data. That's where SpiderFoot HX comes in. Built on top of the popular open source version, it automates your OSINT collection and gives you the tools to find the critical needle in the stack of needles. It's also cloud-hosted, so always online and ready to go. As a tl;dr sec subscriber, you'll receive a 10% discount on any annual subscription by using the coupon TLDRSEC.
Register a free account now and take it for a spin
One of the cool things about SpiderFoot is that it started as (and still is) an open source project by Steve Micallef and team. I'm a fan of open source projects with a commercial version with enterprise-y features.
That way, businesses can get their problems solved, the open source version can be actively supported, and the maintainers can earn a good living. Check it out!
In this newsletter...
Links:
- AppSec: GitHub App to up your PR approval policy game, overview of a lightweight threat modeling approach
- Web Security: Middleware misconfigurations and potential exploits
- Spectre: Spectre demo in your browser, RFC on protecting against it, Chrome extension to find potentially vulnerable resources
- Cloud Security: Tool to balance IAM least privilege + development velocity, manage GCP secrets in your IDE, hackingthe.cloud, when to use Amazon Cognito
- Container Security: OWASP Docker security cheat sheet, PoC scripts to demonstrate Kubernetes DoS conditions
- Red Team: Bash script that automates data exfiltration over DNS
- Politics / Privacy: T-Mobile is selling your data by default now. Shame!
- Beating a grandmaster at chess: Moving quickly is a superpower
AppSec
palantir/policy-bot
A GitHub App for enforcing approval policies on pull requests that goes beyond what GitHub natively supports, including:
- Require reviews from specific users, organizations, or teams
- Apply rules based on the files, authors, or branches involved in a pull request
- Combine multiple approval rules with "and" and "or" conditions
- Automatically approve pull requests that meet specific conditions
Rapid Risk Assessments (RRA): a lightweight approach to measuring risks and modeling threats
~30min video by Julien Vehent in which he describes rapid risk assessments, a lightweight threat modeling approach that I think is quite practical and useful. (Mozilla docs).
Web Security
Middleware, middleware everywhere and lots of misconfigurations to fix
Detectify's Frans Rosén, Mathias Karlsson, and Fredrik Almroth describe some interesting middleware misconfigurations and potential exploits that, if left unchecked, leave your web applications vulnerable to attack. See also: common Nginx misconfigurations.
Spectre
🔥 Spectre Demo
"This site hosts a proof of concept for the Spectre vulnerability written in JavaScript." Really cool demo, worth checking out. Blog post with more info. Great work by Google's Artur Janc and Stephen Röttger.
Post-Spectre Web Development
W3C RFC by Google's Mike West et al that does a nice job of laying out the threat model and concrete mitigations in different scenarios. Sidenote: if you're interested in modern web and browser security features, this RFC references a number of useful topics and resources.
Spectroscope
Chrome extension by Lukas Weichselbaum et al that "identifies resources which are exempt from default protections enabled in Google Chrome (Cross-Origin Read Blocking, SameSite cookies) and which can be embedded cross-site. The results are added to Chrome's DevTools 'Spectroscope' panel and include security recommendations to help protect your resources from Spectre and other cross-site attacks."
Cloud Security
Introducing Cloud Code Secret Manager Integration
You can now create and manage secrets stored in GCP's Secret Manager right from your IDE (VS Code, IntelliJ, Cloud Shell Editor). Wow, this is some A+ developer UX work, well done.
hackingthe.cloud
"An encyclopedia of attacks/tactics/techniques that offensive security professionals can use on their next cloud exploitation adventure," by Nick Frichette. Currently covers general knowledge, enumeration, exploitation, avoiding detection, and post exploitation for AWS.
The case for and against Amazon Cognito
By Yan Cui:
- Pros: Very cost effective and plays nicely with AWS services.
- Cons: Poorly documented and some of its features feel undercooked.
🔥 ConsoleMe: A Central Control Plane for AWS Permissions and Access
This is like the security engineering equivalent of a fancy schmancy wine you'd swirl around in your glass to make sure it's properly aerated before enjoying ("Mmm, hints of least privilege with notes of cloud-native.").
Super cool work by the Netflix cloud security team, including Curtis Castrapel, Patrick Sanders, and Hee Won Kim, on how Netflix balances IAM least privilege with development velocity. Snape kills Dumbledore. Travis McPeak and Will Bengston discussed ConsoleMe in their AppSec Cali 2019 talk (summary), and what I love about it is it improves security and developer productivity.
Highly recommended reading as inspiration for your internal security engineering efforts.
Container Security
OWASP Cheat Sheet Series: Docker Security
11 rules to follow, a list of static analysis tools, and a number of useful reference articles.
uchi-mata/dostainer
By Matthias Luft: Three scripts to demonstrate resource exhaustion from within a Kubernetes cluster, including allocating all remaining RAM, allocating all remaining disk space, and fork bombing.
Red Team
vp777/procrustes
By @_vepe: A bash script that automates the exfiltration of data over DNS. Useful when you have a blind command execution on a server where all outbound connections except DNS are blocked.
Politics / Privacy
T-Mobile to Step Up Ad Targeting of Cellphone Customers
So frustrating 🤬 "T-Mobile will automatically enroll its phone subscribers in an advertising program informed by their online activity, testing businesses' appetite for information that other companies have restricted." Thankfully Drew FitzGerald with some opt-out info. H/T Zack Whittaker.

Beating a grandmaster at chess
From ConvertKit founder Nathan Barry's newsletter:
"You could beat a grandmaster at chess if you could move twice every time he moved once." – James Currier
How fast you move matters. In chess you don't get to choose your own pace. But in business, especially creator focused businesses, you do.
There are about 50 working weeks in a year. If on Monday you say, "let's decide next week" you just used up 2% of your year.
If you're anything like me, you've got massive goals for the year. Every week counts.
At ConvertKit we've formed a new habit this year: when a teammate says, "I'll have that for you next week" we ask, "could you get it for me tomorrow?"
Sometimes the answer is no: it actually takes a week. But more often we just say something like "next week" or "by the end of the week" because it sounds easy, but doesn't promise too much. Then the task just goes at the bottom of the todo list.
If you're building something you believe in don't waste a day.
Make decisions, take decisive action. Don't delay.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them.
Thanks for reading!
Cheers,
Clint
@clintgibler