[tl;dr sec] #101 - Securing Netflix at Scale, AWS PrivEsc Playground, Career Advice

Hey there,

I hope you’ve been doing well!

Feelings without a Name

Sometimes you might feel a light sadness, like something is slightly amiss, but not know how to put your feelings into words.

Enter: The Dictionary of Obscure Sorrows, full of definitions for those hyper specific feelings you may not have known how to describe.

Feel free to use one of these to impress your family over Thanksgiving, or make your date think you’re pretentious cool.

This one really resonated with me:

AppSec

Can The Real Codeowners Please Stand Up? Code Provenance at Scale
Twilio’s Laxman Eppalagudem describes how Twilio uses an about.yaml file in repos to determine which team “owns” the code (super useful when there’s an urgent vulnerability to be fixed), and they’ve released a GitHub App, Gordon, that enforces and validates about.yaml contents.

I know a handful of companies who’ve each custom built something like this. It’d be interesting to see if there gradually becomes some consensus around “this is how one should handle code ownership at scale.”

Automation assistants: GitOps tools in comparison
Cloudogu’s Johannes Schnatterer and Philipp Markiewka compare a number of GitOps tools for Kubernetes, secrets management, and more, and do a deeper dive on ArgoCD vs Flux v2.

Mobile Security

Introducing “apkeep,” EFF Threat Lab’s new APK Downloader
New CLI tool by the EFF to enable easily downloading APKs from Google Play or third party markets.

iOS Pentesting 101
Nice overview by Ninad Mathpati, covering vulnerable iOS apps to practice on, tools, methodology, bypassing SSL pinning, jailbreak detection, common issues, and more.

Cloud Security

IAM Vulnerable - An AWS IAM Privilege Escalation Playground
Bishop Fox’s Seth Art has released a playground of 30+ exercises for practicing different privilege escalation techniques, easily deployable in your AWS account via Terraform. Source code 

Mistakes I’ve Made in AWS
Performance and pricing tips from Chris Fidao: CPU credits, using cheaper servers, IO operations per second (IOPS), metrics to watch, and more.

awslabs/aws-security-hub-automated-response-and-remediation
An add-on solution that enables AWS Security Hub customers to remediate security findings with a single click using predefined response and remediation actions called “Playbooks”. Contains playbook remediations for some of the security standards defined as part of CIS AWS Foundations Benchmark v1.2.0 and for AWS Foundational Security Best Practices v1.0.0.

Career

Container Security

Managing Kubernetes seccomp profiles with security profiles operator
Seccomp allows you to limit the syscalls a process can make, limiting its attack surface. In this post, Lachlan Evenson describes how Kubernetes admins can use the security profiles operator to ease creating and managing seccomp profiles for your cluster, including how to monitor a pod and automatically create a seccomp profile for it based on its behavior. Neat!

A Kubernetes engineer’s guide to mTLS
This guide by Buoyant’s William Morgan is probably of the better overviews of mTLS in general - when it’s useful, what it gets you, why it’s hard, etc. The post concludes with how to easily add mTLS to your Kubernetes cluster in 5 minutes using Linkerd.

Blue Team

SteveD3/kit_hunter
A basic phishing kit scanner that will search directories and locate phishing kits based on established markers, by Steve Ragan.

Elastic on Elastic: Deep dive into our SIEM architecture
Elastic’s Aaron Jewitt how Elastic’s detection and analytics team uses Elastic to secure their company, including storing different types of data in different clusters, cross cluster search, and more.

Red Team

Black Hat Rust
Upcoming book by Sylvain Kerkour covering topics like reconnaissance (multi-threaded attack surface discovery), exploitation (writing shellcode in Rust), building a modern RAT in Rust, and more.

Politics / Privacy

Pfizer ‘variant hunters’ race to stay ahead of the Covid-19 pandemic
Some neat insight into the Pfizer team tracking variants and vaccine effectiveness.

Silicon Valley’s Optimization Mindset Sets Us Up for Failure
Tech companies tend to prioritize metrics that can be easily measured, like clicks, screen time, etc., while other admirable goals like increasing human flourishing or promoting freedom or equality are not.

Misc

A Good Movie to Watch
Find great movies to watch on various streaming platforms.

You Can Make a Netflix Style Doco About Literally Anything
Using a handful of the right equipment and stylistic choices.

The Rise of a Different Work-from-Home
a16z’s Jeff Jordan argues that many houses have assets that are poorly utilized, and that we’ll see more of these rented out via the sharing economy in the future.

Securing Netflix Studios At Scale

An absolutely excellent post about how the Netflix Studios team scaled security and increased developer productivity by partnering with the Cloud Gateway team to embed strong authentication and other security wins into a common gateway service.

The post contains some great discussion about the thought process and approach that went into it, and how to get widespread organic developer adoption of security tooling without being able to mandate it.

If you’re interested in being a modern security team that “builds,” empowers developers, and truly scales security, consider this post a must read.

Here are some quotes I particularly liked:

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint