[tl;dr sec] #108 - How SolarWinds is Securing their Supply Chain, Cloud Security Tooling, Risk-base

Hey there,

I hope you’ve been doing well!

You’re Enough

Happy Halloween! 🎃 I hope you had a festive and fun weekend.

I mostly just stayed in, relaxed, and watched Dune with a few friends.

I wanted to share how I spent my weekend, because TV, movies, and pop culture can set pretty high expectations.

• On your birthday, you should be surrounded by a huge crowd of friends.

• On Thanksgiving, you should have an Instagram-worthy food spread.

• And if you don’t personally trample at least 3 people trying to get a slightly bigger TV on Black Friday, then something must be wrong with you.

It can feel hard to live up to these expectations sometimes.

You might find yourself thinking, “Am I having enough fun?” Or “I only have a few friends here 😥”

But you’re doing just fine. I think you’re great 😀 You’re enough. Right now.

Alright, enough talk of emotions (ew!), gimme a high fructose crypto meme to get me back on that sweet, sweet emotional sugar high:

AppSec

Risk-Based Security Decision Making at Netflix
The video for the talk by Prashanthi Koutha and Shannon Morrison is live, thanks Sajal Verma for the heads up!

Minimum Viable Secure Product
A minimalistic security checklist for B2B software and business process outsourcing suppliers. It lists business, application design, application implementation, and operational security controls.

See also Enterprise Ready, 12 great guides for common features you need to sell as a B2B SaaS app. H/T Rami McCarthy.

‘Trojan Source’ Bug Threatens the Security of All Code
While I think this title is a bit fear mongering, Brian Krebs describes an interesting bug discussed by Nicholas Boucher and Ross Anderson in this academic paper. In short, the attack is to use control characters embedded in comments and strings to reorder source code characters in a way that changes its logic. They’ve found the attack works in C, C++, C#, JavaScript, Java, Rust, Go, and Python (PoCs). GitHub and VS Code will now warn you about it.

A Hands-On Intro to Semgrep’s Autofix
EA’s Parsia Hakimian presents hands-on examples of using Semgrep’s autofix feature to address CBC padding oracles, ensuring security-related cookie flags are set (HttpOnly and Secure) in Java and Golang, ensuring the right templating library is used so that output encoding is done in Golang, and more.

Meet Ottr: A Serverless Public Key Infrastructure Framework
Airbnb’s Kenneth Yang describes Ottr, a serverless Public Key Infrastructure framework that handles end-to-end certificate rotations without the use of an agent.

Travis McPeak on the Guiding Principle of AppSec at Databricks
This is the way ✊

Supply Chain

Project Trebuchet: How SolarWinds is Using Open Source to Secure Their Supply Chain in the Wake of the Sunburst Hack
Cloud Native Computing Foundation (CNCF) talk by Trevor Rosen on the SolarWinds hack, what they did after discovery, and an in-depth discussion of the new high assurance build system they’ve been developing that uses a number of CNCF and CDF projects.

Web Security

Improvements to Burp Suite authenticated scanning
Portswigger’s Matt Atkinson describes improvements that allow Burp Suite to better scan privileged areas of target web applications, even when a complex login sequence is required. Improvements across iframes, animated elements, DOM-based redirections, SVG elements, and multi-select.

Tortellini in Brodobuf
How to decode and deserialize Google Protobuf data and an example of exploiting SQL injection using a custom SQLmap tamper script to automate the process. By Advanced Persistent Tortellini, an Italian hacker collective, who is now one of my favoritely named security groups.

See also Blackbox Protobuf, a tool by NCC Group’s Ryan Winkelmaier, a Burp Suite extension for decoding and modifying arbitrary protobuf messages without the protobuf type definition.

Cloud Security

AWS SSO Tutorial with Google Workspace (Gsuite) as an IdP Step-by-Step
Detailed walkthrough by Cloud Query’s Mike Elsmore on how to use G Suite as an identity provider for AWS SSO. Benefits of this approach: no need to manage AWS IAM creds, 2FA is already managed by your IdP (G Suite), when users join or leave your org, you only have to make changes in one place.

Introducing Quiet Riot: A Scalable AWS Enumeration and Footprinting Tool
New tool by Wes Ladd that does unauthenticated enumeration and footprinting of AWS Account IDs, roles, users, services in use (via existing service linked role names) across AWS.

Cloud Security Tooling for the Sole Practitioner
Are you the only person doing cloud security at your company? Salesforce’s Kinnaird McQuade joins Nikki Becher and Shinesa Cambric on the OWASP DevSlop podcast to help you navigate where to start, what to prioritize, and how to build out your own “lean but mean” cloud security toolkit. Slides, useful links to learn more, and a purposefully vulnerable repo to practice on.

Container Security

APIClarity
An open source cloud native visibility tool for APIs, utilizing a Service Mesh framework to capture and analyze API traffic. APIClarity can compare OpenAPI specs to traffic observed at runtime: detect undocumented APIs and deprecated API use. For apps that don’t have an OpenAPI spec, autogenerate one based on your live environment.

Abusing Registries For Exfil And Droppers
Awesome post by Snowflake’s Mark Manning on sneakily abusing container registries. Key take-aways: registries are trusted endpoints, and thus useful for exfiltration and post-exploitation, and it’s easy to make a malicious file look like a legitimate image layer.

Hardware

2021 CWE Most Important Hardware Weaknesses
By MITRE. Top 3:

1. Improper Isolation of Shared Resources on System-on-a-Chip (SoC)

2. On-Chip Debug and Test Interface With Improper Access Control

3. Improper Prevention of Lock Bit Modification

Network Security

cilium/pwru: Packet, where are you?
By Cilium: “An eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities. It allows fine-grained introspection of kernel state to facilitate debugging network connectivity issues.”

Red Team

This bug doesn’t exist on x86: Exploiting an ARM-only race condition
By Stephen Tong: How to exploit a double free vulnerability in 2021. ‘Use After Free for Dummies.’

Politics

The Triumph and Terror of Wang Huning
Fascinating article on Wang Huning, the former academic behind many of Xi Jinping’s policies. When he was younger, Wang admired the U.S., but when he visited, he found:

Wang has observed the same individualism and erosion of cultural values in China, hence the crackdowns on celebrities living lavish lifestyles, massive fines to monopolistic tech companies, and more.

America Against America
An overview of Wang Huning’s book, with more context.

Misc

Microservices
Comedy sketch about why adding a user’s birthday on the settings page is going to take years. I actually laughed out loud.

Fundamentals of Piano Practice
“Most books list what skills are needed (scales, arpeggios, trills, etc.), but not how to acquire them. This book teaches how to solve technical problems, step by step. Learn practice methods, how to acquire technique and memorize hours of repertoire, sight reading, musical playing, relaxation, etc., and, most importantly, Mental Play in which you learn to play the piano in your mind. “

The economics of pumpkin patches
How lucrative is the pumpkin business? The Hustle’s Juliet Bennett Rylah talked to farmers, patch operators, and industry experts to find out. TL;DR: roughly $1,500 to $6,000 of profit per acre.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint