- tl;dr sec
- Posts
- [tl;dr sec] #116 - Secrets of Successful Security Programs, Supply Chain, Killing Bug Classes
[tl;dr sec] #116 - Secrets of Successful Security Programs, Supply Chain, Killing Bug Classes
A masterclass in building a modern, scalable security program by Phil Venables, GitHub Action to check your supply chain security posture, Chrome feature to protect against CSRF and DNS rebinding.
Clint Gibler
January 19, 2022
Hey there,
I hope you’ve been doing well!
There are some longer sections at the bottom of this one, but some really good stuff I couldn’t leave out.
Indentation Woes
I don’t know about you, but I’ve been writing some YAML lately.
I hope this meme by Justin Yoo also cheers you up.
Sponsor
📢 Podcast: The Value of Agility and Education for Scaling Security
In a recent episode of the Detection at Scale podcast, Panther Labs CEO and Founder Jack Naglieri sat down with Matt Jezorek, VP of Security and Abuse at Dropbox, to discuss Matt’s perspective on the decisions security teams have to make that ultimately control how fast they can detect threats.
I actually joined Jack on the Detection at Scale podcast this week, look for our episode in a bit!
📜 In this newsletter...
Conferences: Cybersecurity conferences in 2022, Global AppSec US 2021 videos
AppSec: Free book on SSH tunneling, securing GitHub organizations
Secrets: GitHub leaked secret search engine, secrets stored in environment variables, secret scanning tool by Salesforce
CI/CD and Supply Chain: OpenSSF Scorecards v4, 10 real-world stories on compromising CI/CD pipelines, linting and securing GitHub Actions
Cloud Security: SSH bastion host best practices, 2 serious vulnerabilities in AWS, free labs to learn cloud pen testing
Fuzzing: Fuzzing LoRaWAN protocol stacks
Red Team: Payload creation framework for fileless VBA scripts
Privacy: Disable 2G option on new Android phones
OSINT: 5 hour OSINT course, service to remove objects from images, lessons learned from 10 years building an open source OSINT tool
Misc: Internet meme search engine, browser extension to inject SciHub links, create an RPG game for free without coding
New Chrome security measure aims to curtail an entire class of Web attack: Protecting against CSRF and DNS rebinding
Secrets of Successful Security Programs: A masterclass in building a scalable, modern security program
Conferences
Cybersecurity conferences 2022
A rundown of ~30 online, in person, and ‘hybrid’ events, by The Daily Swig’s Adam Bannister.
Global AppSec US 2021 Virtual
YouTube playlist of the talk recordings, covering AppSec, threat modeling, cloud security, supply chain, and much more.
AppSec
The Cyber Plumber’s Handbook
Free book by Brennon Thomas: “The definitive guide to Secure Shell (SSH) tunneling, port redirection, and bending traffic like a boss.”
Securing GitHub organizations
LaunchDarkly’s Alex Smolen presents his step-by-step process for securing your GitHub organization. See also the OpenSSF’s AllStar GitHub App for continuous enforcement of security best practices.
Secrets
Introducing PinataHub: Explore the world of leaked secrets in GitHub
PinataHub is a new search engine for secrets leaked on GitHub. The post includes some interesting ideas regarding high signal secrets detection, using Algorithmically generated Domain (AGD) detection.
Awesome List Of Secrets In Environment Variables️
List of secrets, passwords, API keys, tokens stored inside a system environment variables, by Maciej Pulikowski. Useful if you have RCE or some exploit that lets you read a vulnerable app’s system environment.
salesforce/lobster-pot
DJ Khaled voice: Another one. Tool by Salesforce to scans every git push to your Github organisations to find unwanted secrets.
CI/CD and Supply Chain
Reducing Security Risks in Open Source Software at Scale: Scorecards Launches V4
The OpenSSF announces that their Scorecards project now includes new security checks and a GitHub Action you can run to easily flag potentially risky supply-chain practices. Release notes.
10 real-world stories of how we’ve compromised CI/CD pipelines
Great write-up with tons of interesting examples, including several scenarios with RCE-as-a-Service Jenkins, GitLab, Kubernetes, and what a pen tester can do with a dev’s laptop. By NCC Group’s Aaron Haymore, Iain Smart, Viktor Gazdag, Divya Natesan and Jennifer Fernick.
Linting your GitHub Actions
CipherStash’s Matt Palmer describes action-validator a new tool that lints GitHub Action and Workflow YAML files. It ensures they are well-formed by checking them against published JSON schemas and making sure that any globs used in paths / paths-ignore match at least one file in the repo.
For linting your GitHub Action YAMLs for security issues, see this post and open source Semgrep rules here.
Cloud Security
SSH Bastion host best practices: How to Build and Deploy a Security-Hardened SSH Bastion Host
Teleport’s Sakshyam Shah provides a nice overview. Build a server with minimal packages installed, limit the services actively running, lock down OS network capabilities, limit user accounts and restrict account capabilities (e.g. SELinux), implement access logging, harden OpenSSH, and more.
2 Critical Cloud Vulnerabilities to Convince You to Move to the Cloud
The Orca Security Research Team discusses multiple critical zero-day vulnerabilities discovered in AWS Glue and CloudFormation. “These vulnerabilities could’ve allowed unauthorized access to customer data and/or sensitive code and data within the public cloud.” However, there’s been some discussion that Orca’s impact claims are a bit overblown, see this Scott Piper thread for more context.
Free labs to learn cloud pentesting
Great thread by @0xAs1F.
Scott Piper: flaws.cloud and flaws2.cloud
OWASP Serverless Goat
James Wickett: lambhack, a vulnerable AWS Lambda
Bishop Fox: iam-vulnerable, a vulnerable by design AWS IAM privilege escalation playground
Rhino Security Labs: cloudgoat, a vulnerable by design AWS deployment tool
Appsecco: A step-by-step walkthrough of CloudGoat 2.0 scenarios
dvca a Damn Vulnerable Cloud Application
NCC Group: sadcloud, a tool for standing up (and tearing down!) purposefully insecure cloud infrastructure
Appsecco: Breaking and Pwning Apps and Servers on AWS and Azure free courseware and labs
Fuzzing
LoRaWAN’s Protocol Stacks: The Forgotten Targets at Risk
LoRaWAN is a low-power, wide area networking protocol often used for things like smart city security, environmental monitoring, industrial safety, and more. Trend Micro’s Sébastien Dudek discusses how to hunt for bugs in different LoRaWAN stacks, for example by fuzzing with AFL++. He explains how Qiling (based on the Unicorn Engine) can be used in fuzzing and debugging exotic architectures, and how Ghidra’s PCode emulation can be used when the architectures targeted are not supported by Unicorn or Qiling.
Fuzzing architecture design for radio protocol layer as applied to LoRaWAN
Red Team
optiv/Ivy
By Optiv’s Matt Eidelberg: A payload creation framework for the stealthy execution of arbitrary VBA (macro) source code directly in memory without dropping macro documents to disk, making it harder for EDR to detect it.
Privacy
VICTORY: Google Releases “disable 2g” Feature for New Android Smartphones
The EFF describes a new feature in Android phones that lets you disable 2G at the modem level, a legacy, insecure protocol that is leveraged by some stingray interception devices via downgrade attacks. Disable by: Settings > Network & Internet > SIMs > Allow 2G and turn that setting off.
Sponsor
📢 Slash Cloud Cyber Risk with Security-as-Code
Existing cybersecurity architectures break down in public cloud. Why? Because cloud applications are being self-serviced by developers. John Steven, Concourse Labs CTO and co-author of the BSIMM study, explains how Security-as-Code enables developers to self-service the security of their infrastructure-as-code.
OSINT
Open-Source Intelligence (OSINT) in 5 Hours - Full Course
Free course by Heath Adams (@thecybermentor) covering a wide variety of topics, including reverse image searching, viewing EXIF data, discovering email addresses, hunting breached passwords, OSINT on platforms like Twitter, Facebook, Instagram, Reddit, LinkedIn, and much more.
Cleanup.pictures
Remove objects, people, text and defects from any picture for free, which can be useful for reverse image searching. H/T Loránd Bodó .
Lessons learned from my 10 year open source project
Steve Micallef shares 10 lessons from developing his widely popular SpiderFoot OSINT tool for over a decade.
Misc
Memegine - The Internet Meme Search Engine
A full-text search engine across the text in memes by Théo Champion. Hundreds of thousands of memes indexed, approximately 10,000 new memes added per day.
rickwierenga/sci-hub-injector
A browser extension that adds SciHub links to popular publisher websites, to make accessing science even easier, by Rick Wierenga. Seems like it’s been taken down, perhaps because it became too popular. Rick’s thread about it.
RPG Playground
Make an RPG game without coding for free. tl;dr sec sends its apologies to your employer and spouse (hopefully separate parties) for your future lower productivity and attentiveness.
Starting in Chrome 98, website requests to internal network resources (e.g. 192.168.1.1) will trigger a CORS preflight request (Access-Control-Request-Private-Network). This will be a massive step forward in eliminating classes of vulnerabilities like CSRF and DNS rebinding. Google blog
Searching for vulnerabilities manually or with automated tools has value, and so does secure code training, but in my (and many people’s) opinion, secure defaults that prevent those classes of vulnerabilities from occuring in the first place is higher leverage.
And building protections into the platform (e.g. web browsers) can be even higher leverage, as that secures everything on the platform (there are only a handful of browsers vs billions of websites).
What security wins can you build into the platforms you control?
This post by Google Cloud CISO Phil Venables is probably one of the most useful and value-dense posts on lessons learned, best practices, and how to build a modern security program I’ve ever seen.
Here’s my attempt at not quoting the entire post:
A successful security program is made up of two distinct elements:
1. A series of episodic big bets that yield transformational improvements.
2. A set of management practices and approaches applied relentlessly, iteratively and subject to constant incremental improvement.
If you just do the first then the success that those improvements bring taper off or are a just a patch-work of bright spots amid a back drop of issues and instability. If you just do the second then you are condemned to operate in reactive catch-up mode in the face of events.
Aim for projects that:
• Mitigate whole classes of attacks. Not just picking off new tactics but dealing with whole sets of attack techniques.
• Eliminate sets of pain. Look for significant areas of pervasive toil for customers, end users or developers/engineers.
More-
Security is an Endless Program not a Project
Secure Products not [just] Security Products
While developer education on security is important, even more important is reducing the extent of knowledge required by encapsulating security capabilities in highly assured tooling that all can use. This is an ongoing investment, not just in the tool variety, capability and assurance level but also in continued integration with other frameworks so that the secure path is always the easiest path. Every time application security or other teams find a vulnerability then, think, what can we do to reduce the potential for further instances of the vulnerability through the provision of good tooling.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint