I hope you’ve been doing well!
Slogans that are not Security Companies but Should Be
I was taking a walk recently and I saw some branding that made me do a double take: it was a plumbing company that had the perfect slogan for an infosec company.
I walked up, took a picture, and then scurried strutted away when I realized that there were two people still sitting inside.
“Uhh… what are you doing?” one of them asked. “Oh, I just really like the design.” And then I meandered away, full of joy.
📢 How the history of SaaS is preventing businesses from embracing modern SaaS security
Businesses are investing more heavily in SaaS, but investment in SaaS security is lagging. Why? Much of the answer lies in the history of early SaaS applications, many of which were sold to individual business units, completely bypassing IT and security teams. Today, SaaS has grown to be a major part of the legitimate tech stack, but its origin as shadow IT still haunts organizations and prevents SaaS security from being correctly prioritized. AppOmni CEO Brendan O’Connor details four ways to modernize SaaS security processes. Originally published as a feature in
📜 In this newsletter...🔗 Links:
- AppSec: How Segment is scaling threat modeling, Semgrep now has first-class YAML support
- Web Security: Automating blind SQLi over websocket
- Cloud Security: PMapper update, another IaC static analysis tool, HackerOne's first AWS CTF, attacking and auditing S3 buckets
- Red Team: Free reverse engineering course, intercepting mTLS of Java thick clients, tool for macOS persistence
- Neat CLI tools: Find files with SQL-like queries, exa, a better ls, problems you can solve with strace
- Bootstrapping vs VCs: Thinkst has bootstrapped to $11M ARR, a story of a bootstrapped company trying to compete with a VC-backed one, DHH weighs in, Hamilton parody of the situation
- Chaos Engineering: What computer security can learn from safety and complex systems research in other fields
- Security as Value Unlocker: Minimizing risk is setting your sights too low, security can unlock significant business value
Redefining Threat Modeling: Security team goes on vacation
Great post by Segment’s Jeevan Saini. Similar to what Jacob Salassi and I discussed in our blog post, Segment realized they needed developers to lead threat modeling if they were truly going to scale. This post gives a nice overview of the problem space and details on how they actually rolled out their program, and they’ve open sourced their threat modeling training slides. As the kids say these days: yeet!
How we made Semgrep rules run on Semgrep rules
By r2c’s Emma Jin: Semgrep now has first-class support for anything YAML, which includes Kubernetes configs, CircleCI workflows, and more. You can even lint Semgrep rules with… more Semgrep rules! (yo dawg, I heard you like… 🤣). The post also has some neat info about implementation details, if you’re curious to get a peek at Semgrep internals.
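To make the "anything YAML" point concrete, here is an added example rule (mine, not from Emma's post or the Semgrep registry) that uses the YAML language support to flag two dangerous Kubernetes container settings. The rule id, message, and the assumed manifest filename are my own choices.

```yaml
# Added example: a Semgrep rule targeting YAML, here Kubernetes manifests.
# Save as k8s-privileged.yml and run:
#   semgrep --config k8s-privileged.yml deployment.yml
rules:
  - id: k8s-privileged-or-root-container
    # Semgrep parses the manifest as YAML, so patterns are YAML fragments,
    # not regexes: indentation and key/value structure are matched semantically.
    languages: [yaml]
    severity: ERROR
    message: >-
      Container securityContext enables privileged mode or runs as UID 0.
      Drop the setting or document why this workload needs it.
    patterns:
      - pattern-either:
          # privileged: true gives the container the host's full capability set
          - pattern: "privileged: true"
          # runAsUser: 0 runs the entrypoint as root inside the container
          - pattern: "runAsUser: 0"
```

Because the match is structural rather than textual, a comment such as `# privileged: true` or a quoted string containing those words will not produce a finding, which is the main practical gain over grepping manifests.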
Automating Blind SQL injection over WebSocket
Blog post by Rayhan Ahmed, and he’s released a vulnerable NodeJS web app that you can practice on.
Principal Mapper v1.1.0 Update
By NCC Group’s Erik Steringer: PMapper, an IAM permission analysis tool, now supports AWS Organizations as well as other types of policies: Service Control Policies (SCPs), Session Policies, Resource Policies, and Permission Boundaries.
A static analysis tool that can find security vulnerabilities, compliance issues, and misconfigurations in infrastructure as code. Currently supports: Terraform, Kubernetes, Docker, CloudFormation, Ansible, Helm.
AWS and Hackerone CTF
“Put your cloud skills to the test and participate in HackerOne’s first-ever AWS Capture the Flag on Monday, April 5th starting at 12:00 PM PT until Monday, April 12th 12:00 PM PT.” Learn how to escalate privileges through SSRF and elevate your access by exploiting misconfigurations of AWS services.
Cloud Storage Security: Attacking &
A free comprehensive reverse engineering course covering x86, x64, 32-bit ARM & 64-bit ARM architectures by Kevin Thomas.
HowTo: intercept mutually-authenticated TLS communications of a Java thick client
Nice walkthrough by @SAERXCIT, which involves: dumping the password from the client to decrypt the private key from the ClientKeyStore and loading a fake TrustStore in place of the legitimate ClientTrustStore to bypass pinning. See also Piergiovanni Cipolloni’s SSL pinning bypass in Android using Frida.
By Cyborg Security’s Austin Jackson: A CLI tool to perform various persistence mechanism techniques on macOS, designed to be used by threat hunters for cyber threat emulation purposes. Currently includes ~16 persistence mechanisms, including
Neat CLI Tools
Find files with SQL-like queries.
$ fselect size, path from /home/user where name = '*.cfg' \
    or name = '*.tmp'
Why I use exa instead of ls on Linux
exa improves on ls with more features and better defaults. It uses colors to distinguish file types and metadata, and it knows about symlinks, extended attributes, and Git.
What problems do people solve with strace?
If you haven’t already heard of her work, Julia Evans writes great content (and fun Zines) about various tech tools and concepts, highly recommended. People use strace to answer: where’s a program’s config file, what other files does a program depend on, determining why it’s hanging, stuck, or slow, diagnosing hidden permission errors, determining what CLI arguments are being used, why network connections are failing, and more.
Bootstrapping vs VCs
We bootstrapped to $11 million in ARR
Inspiring blog post by Haroon Meer about how Thinkst grew to $11M ARR with no external funding by focusing on solving customer problems, keeping promises, and great company culture. If you’re not familiar, Thinkst is one of the few security companies that users rave about, and Haroon is such a kind, humble, A+ dude. I couldn’t be happier for their success. Check this post for some great tips on culture, values, and also some trade-offs of not raising money. See also Haroon’s response to 👇
Andrew Wilkinson on Flow’s Failure
It’s hard to draw lessons from your own failures
By @DHH: “Wilkinson was inspired by our funding model – bootstrapped from consulting – but didn’t follow any of the principles that go with that model.”
Also, Martin Jambon shared this gem:
Security Chaos Engineering: How to Security Differently
Verica’s Aaron Rinehart discusses computer security in relation to resiliency and robustness in other domains with complex systems. He includes a few references to other non-security domain work on complex systems, minimizing human error, and safety. There are a few high-level ideas that I thought were pretty interesting:
- Traditionally security focuses on counting security negatives: unpatched software, security log events, bugs, etc.
- Instead, we should focus on security positives: capabilities that help keep systems in secure states, help us understand what’s going on, and prevent bad events.
- Focus on adaptive capacity: the ability to respond, monitor, learn, and anticipate errors.
- One common fallacy is we assume that when we wrote the policy, designed the system, and implemented the relevant security measures that we had an accurate understanding of how the entire system behaved to begin with.
Security as Value Unlocker
A few weeks ago I had the privilege of presenting my colleagues’ and my work on secure defaults and eliminating vulnerability classes at the Bay Area CSO Council (thanks Flee!).
There were some other great presentations and interesting free-form discussions, but one of my favorite parts was a comment by Adrian Ludwig (currently CISO at Atlassian, formerly Director of Android Security at Google), right at the end.
The following is my paraphrased version, sharing with Adrian’s permission:
Having your security team focus on minimizing risk is setting your sights too low. The goal of a security org should be to facilitate the types of experiences that weren’t possible until we had achieved that level of risk mitigation.
When I led Android security at Google, we had an incredibly high security bar. Why? We were building an OS, a platform upon which billion-dollar companies like Uber were being built. If we built a fundamentally insecure platform, all of these companies building on top of us would fail. Framing it this way caused us to view Android security very differently internally, and helped drive conversations with development teams and product.
The security of the platform you’re building unlocks business potential. This fundamentally changes the conversation with the business: it’s not about minimizing downside, it’s about unlocking upside.
Historically, different product groups and parts of the business meet at the table and come with the promise of “unlocking upside” and “unlimited potential,” while security shows up talking about “minimizing downside.” That’s why security hasn’t had a seat at the table. But no longer - building secure platforms can unlock massive business upside.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading! Cheers,