Hey there,
I hope youâve been doing well!
Strategery and Normalcy
Last week we had a staff offsite to plan our next quarter, and it was a blast.
Since I joined my current company, itâs been fascinating to see the inner workings of the decision making process, and an honor and privilege to play a role in influencing company direction.
It also comes with a hefty feeling of responsibility, as I feel the weight of making decisions that will affect peopleâs jobs and the success of the company. The team is great though, and Iâm fully confident in what we can build together.
Spending several socially distanced days in person with my colleagues was energizing. I didnât realize how much I missed spending time with people until I had some non Zoom time.
Iâve very much looking forward to seeing people more regularly, and Iâm getting my second shot today!
After which, I plan to promptly take up squirrel suit skydiving and juggling flaming knives. Conservation of risk, after all.
Sponsor
đ˘ Try Vectrix, the new Y Combinator security platform
Vectrix.io is making cloud and SaaS security ridiculously easy.
Browse a growing library of one-click security scans that instantly identify vendor misconfigurations, suspicious activity, and best practice violations. Simply choose your scans, connect your vendors, and click ârun scanâ to receive a complete list of security issues in minutes.
Get started with 10 free scans every week. No credit card required.
Run your first scanđ In this newsletter...
- Web Security: Sending webhooks securely, using custom Python scripts with Burp, popular Burp extensions
- AppSec: Finding goroutine leaks with Semgrep
- Cloud Security: Tool to exploit Firebase datastores, cloud incident response framework, IaC scanner comparison repo,
tfsecVS Code extension - Container Security: Results from scanning many Helm charts, Google's signing their base images, Kubernetes the hard way
- Blue Team: An open source SOAR tool
- Red Team: Jenkins attack framework
- Misc: Call functions across programming languages, sustainable content creation
- Is Complexity the Enemy of Security?: Phil Venables on good design principles
Web Security
Sending webhooks securely
Trickier than it sounds. Ameya Lokare
describes: mitigating SSRF, authentication (request signing, mutual TLS, IP
allow lists), and certificate chain verification.
Overcoming Issues Using Custom Python Scripts with Burp Suite Professional
By JumpSec Labs: how to run custom Python
scripts on every request/response processed by Burp, including those from Burpâs
active scanner. Use cases include:
- Encoding / encrypting user input (where keys and algorithms are known)
- HTTP request signature algorithms
- Weak CAPTCHA implementations
- Functionality that requires a unique value per request to the server
Ben Sadeghipour Twitter thread on popular Burp extensions
Common extensions people referenced include: Logger++, Param Miner, Auto
Repeater, Autorize, Turbo Intruder, Asset History, Collaborator Everywhere,
Active Scan++, HUNT, and Backslash Powered Scanner.
AppSec
Discovering goroutine leaks with Semgrep
Trail of Bitsâ Alex Useche walks through creating a Semgrep rule to identify
goroutine leaks that found bugs in Kubernetes, Minikube,
azure-container-networking, and hcsshim. Alex does a good job discussing
Semgrepâs pros and cons and use cases in practice.
Trail of Bits has also open sourced a semgrep-rules repo that contains Python and Golang rules theyâve used on engagements.
Cloud Security
Introducing Baserunner: a tool for exploring and exploiting Firebase datastores
Baserunner eases testing for various Firebase misconfigurations, including:
unauthenticated users having read/write access to collections, trying to dump
the full datastore, testing authorization across privilege levels, exploring
data and actions not exposed through the UI, and more.
Cloud Incident Response Framework
Newly published by the Cloud Security Alliance,
covering how to effectively manage cloud incidents through the entire lifecycle
of a disruptive event, including: preparation, detection and analysis,
containment, eradication, and recovery, and post-mortem.
iacsecurity/tool-compare
Repo by Indeniâs Yoni Leitersdorf that has a
bunch of IaC scanning test cases and compares the results from Checkov, Indeni
Cloudrail, Kics, Snyk, Terrascan, and Tfsec.
tfsec VS Code Extension
Run tfsec in your IDE, by Owen Rumney.
Container Security
Part 1: Top trends from analyzing the security posture of open-source Helm charts
Bridgecrewâs Matt Johnson discusses the results
of running 103 security checks against 2,312 Helm charts across 618 repos on
Artifact Hub. Theyâve also open sourced their data
collection process, which gets a
đ from me for reproducibility. In part 2 they examine Helm dependency trees, and in part 3 they examine one of the most popularly used dependencies on Artifact Hub, bitnami/postgresql.
Making the Internet more secure one signed container at a time
Google is now signing all of their distroless base
images with their recently
released Cosign tool. These minimal base
images donât include common tools like shells or package managers, making their
attack surface (and download size) smaller than traditional base images such as
ubuntu or alpine.
Kubernetes The Hard Way
A tutorial by Kelsey Hightower that
guides you through bootstrapping a highly available Kubernetes cluster with
end-to-end encryption between components and RBAC authentication on GCP.
Blue Team
frikky/Shuffle
An open source Security Orchestration, Automation and Response (SOAR) tool by
Frikky. The
security-openapis repo
contains OpenAPI specifications for a number of security products and services, nice!
Red Team
Jenkins Attack Framework
Toolkit by Accentureâs Bryan Alexander and
Shelby Spencer with a variety of useful
offense-focused functionality, including understanding your current
privileges, dumping LDAP or domain joining credentials, and âghost jobsâ - long
running worker shells that arenât visibile within Jenkins.
Misc
𤯠metacall/core by Vicente Eduardo Ferrer Garcia
MetaCall allows calling functions, methods or procedures between programming languages. Currently supports NodeJS, Vanilla JavaScript, TypeScript, Python, Ruby, C#, Go, C, C++, Rust, D, Cobol and more.
# sum.py
def sum(a, b):
return a + b
// main.js
const { sum } = require('./sum.py');
sum(3, 4); // 7
Sustainable Content Creation by Daniel
Miessler
- Make sure you enjoy making your content separate from peoplesâ reaction to it.
- Try to make content thatâs evergreen, or as close as possible to it.
- Make sure you can happily take breaks for days, weeks, or even months at a time.
- Itâs ok to enjoy nice comments, but donât get to where you need them.
- Donât compare yourself to other creatorsâ popularity or statistics.
Is Complexity the Enemy of Security?
Complexity is not the enemy of security. Bad design is.
Great post by Phil Venables in which he outlines 13 different examples of good design principles.
Here are a few parts I especially liked, along with some brief musings:
#1 Abstraction
Abstract complexity away through hiding it behind APIs and other interfaces. Then, think about security policy objectives and see if they require you to consider and enforce controls at multiple levels of abstraction.
#3 Opinionated Defaults
How can we abstract away sharp edges so most of the time developers donât have to worry about security?
#4 Declarative Configuration
Define a configuration of the system in a declarative manner so that the actual configuration of the system can be generated and continuously compared to the specification. Treat policy/controls as a lifecycle managed part of the configuration. If you have controls as code then you need to inspect the ability of that control configuration to match intended policy, not just inspect the instantiated environment that results from the declarative configuration.
Explicit is better than implicit, and declarative configurations make it easy (/possible) to detect drift and auto-remediate.
#5 Idempotence
âŚif you push something to happen such as enforcing a particular control then no matter how many times you push it wonât have any other affect than sustaining the control. This is an important design property for applying declarative configurations in complex environments as you simply assert the outcome and let the control plane worry about state.
#7 Affordances
Look for opportunities to build in better affordances where the means of interacting with a system, element or controls intuitively conveys the capabilities it has. To quote Don Norman, âWhen affordances are taken advantage of, the user knows what to do just by looking: no picture, label, or instruction needed.â, like door handles that donât have to come with a label of âpushâ or âpullâ because the design makes that clear.
How can we make security controls and systems self-explanatory?
#8 Observability and Feedback Loops
Observability of the behavior of the system overall is critical, but it is only useful if the data from observation is put into feedback loops - either positive or negative - to correctly amplify or dampen behaviors.
#9 Reduce Error Messages and Guidance
Work to eliminate error messages, user guides and other configuration or set-up guidance for systems. Instead of creating better error messages work to reduce the scope of errors needing messaging. Similarly, if your user and configuration guides keep getting bigger and more numerous then ask yourself: are you making the right design choices on defaults, linked behaviors, and levels of abstraction?
Working to eliminate error messages and user guides is an aggressively strong position, and I love it. We owe it to our customers (developers and colleagues) to hold ourselves to this high standard.
#10 System-wide Invariants : People, Process and Technology
It is valuable to set system wide invariants - properties you want to be held true - and then build processes to enforce them. For example, if you want no single points of failure then build processes to find them and the feedback loops to eliminate them, and the design review practices to discourage the design patterns that lead to them. Additionally, work hard to not experience broken processes.
Secure guardrails and enforcing invariants are some of the highest leverage ways Iâve seen companies scale their security, and have featured prominently in talks Iâve given (BSidesSF, Global AppSec SF).
#11 Desire Lines : Principle of Least Action
One unifying theme here, borrowed from physics, is that where we see return on investment, our work aligns with the principle of least action. If our controls and approach can align with the natural âhappy pathâ for our employees and our customers then that will likely provide the maximum returns over time. Another concept, is desire lines, if you consistently see an actual or attempted engineer or end user behavior (particularly in a complex environment) then you should find that and make that a secure path.
People are going to do what it takes to get their jobs done. How can we help them do their jobs easier, faster, and more securely?
If you donât subscribe to Philâs blog, youâre seriously missing out, his posts are consistently great.
Also, Laksh Raghavan shared some thoughts on this post.
âď¸ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them đ
Thanks for reading!
Cheers,Clint
@clintgibler