Hey there,
I hope you’ve been doing well!
Screenwriting Follow-up
Last week I shared some potential pitches for what I believe could be the plot for “Through My Window,” an upcoming “steamy romance” movie on Netflix, whose tagline is: “It all started with the Wi-Fi password…”
The pitches were artisanally crafted for believability, technical accuracy, educational content (why not teach computer security in a narrative form?), and fiery romance. After all, a long-haired man on a horse is an icon for many a romance novel, and many hackers have long hair. Coincidence? I think not.
Anywho, I offered my screenwriting services to help on the film, and I received this response from Patrick Thomas:
Your move Apple TV, Disney+, Amazon Prime, etc.
In good faith, I’d like to offer a line my bud Adam Berman came up with:
“I’ll have whatever Wi-Fi she’s having.”
Sponsor
📢 Make software security a priority in 2022
With the increasing rise of security breaches that exploit software vulnerabilities, 2022 is the year to invest in releasing quality software - that is also secure - faster, regardless of the language or framework it is built on. To do that, you need security-aware and enabled developers who code securely as applications are being created. Let Secure Code Warrior show you how >>
📜 In this newsletter...
- AppSec: Examples of how not to use secrets, automating your web scanning and vulnerability management, using types to prevent authorization bugs
- Mobile Security: Intentionally vulnerable Android app written in Kotlin
- Web Security: Automated authorization test tool, tool to validate your API specs
- Security Program Building: Secrets of successful security programs part 2, CISO's guide to a modern AppSec program
- Security Newsletters: This section is so Meta (but not the type that polarizes society)
- Cloud Security: Collection of publicly disclosed AWS customer security incidents, cloud red team tool to test your detections, autoremediate CloudFormation drift
- Container Security: Kubernetes admission controller that verifies the subject and issuer of images
- Network Security: NCSC will start releasing nmap scripts fingerprinting high risk vulns
- Reverse Engineering: Debugging a Java app with decompiled source code, Frida Handbook
- Politics / Privacy: A disgruntled hacker took down North Korea's Internet
- Misc: Academic computer science papers people love, get personal recommendations for streaming platforms, how to look your best on a video call, a CISO is briefed on a red team engagement
AppSec
OWASP WrongSecrets
12 challenges consisting of examples of how not to use secrets, by Xebia’s Jeroen Willemsen, ENACT-IT’s Ben de Haan, et al. Find the different secrets with various tools and techniques, and learn if you’re doing secret management correctly.
Improving Web Vulnerability Management through Automation
Lyft’s Nicolas Flacco describes how they automated the process of scanning various endpoints via headless Burp, exporting the results, and auto-creating Jira tickets for identified issues. There are some implementation challenges here, for example, detecting duplicate issues, items marked as “won’t fix”, recurring issues, etc.

Eliminating Authorization Vulnerabilities with Dacquiri
As mentioned last week, Nathanial Lattimer’s Rust library Dacquiri “turns authorization vulnerabilities into compile-time errors.” This post walks through an example of using Dacquiri to help secure a hypothetical send money feature for a bank. Using secure-by-default frameworks and leveraging type systems for security guarantees is 🔥
By gating privileged actions in your application behind Dacquiri’s entitlement system, it will ensure that every single codepath that interacts with the protected function has performed the required authorization checks ahead of time.
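As an added illustration (not from the newsletter and not Dacquiri’s own API), here is the same entitlement-as-a-type idea in plain Rust: the privileged function takes a proof token that only the authorization check can mint, with a hypothetical rule (only the account owner may send) and constructed sample accounts.

```rust
// Added example, not Dacquiri's API: an "entitlement" proof token in plain Rust.
// A privileged function takes a token that only the authorization check can
// construct, so a code path that skips the check fails to compile.
use std::marker::PhantomData;

#[derive(Debug, PartialEq)]
pub struct Account { pub id: u32, pub owner: u32, pub balance: i64 }

pub struct User { pub id: u32 }

/// Marker: "this user may move money out of this account".
pub struct CanSendMoney;

/// Proof token. Its fields are private and the only constructor is
/// `check_can_send`, so holding one means the rule below was evaluated.
pub struct Entitlement<T> { user_id: u32, account_id: u32, _grant: PhantomData<T> }

/// The single place the authorization rule lives (hypothetical rule:
/// only the account owner may send from it).
pub fn check_can_send(user: &User, account: &Account) -> Result<Entitlement<CanSendMoney>, &'static str> {
    if user.id != account.owner {
        return Err("user is not the account owner");
    }
    Ok(Entitlement { user_id: user.id, account_id: account.id, _grant: PhantomData })
}

/// Privileged action. Calling it without an `Entitlement<CanSendMoney>` is a
/// type error, which is the compile-time guarantee the post describes.
pub fn send_money(grant: &Entitlement<CanSendMoney>, from: &mut Account, to: &mut Account, amount: i64) -> Result<(), &'static str> {
    // Runtime belt-and-braces: the token is bound to one account, so a grant
    // minted for account A cannot be replayed against account B.
    if grant.account_id != from.id {
        return Err("entitlement was issued for a different account");
    }
    if amount <= 0 || from.balance < amount {
        return Err("invalid amount or insufficient funds");
    }
    from.balance -= amount;
    to.balance += amount;
    Ok(())
}

fn main() {
    // Constructed sample: Alice owns account 10 and sends 40 to account 20.
    let alice = User { id: 1 };
    let mut from = Account { id: 10, owner: 1, balance: 100 };
    let mut to = Account { id: 20, owner: 2, balance: 0 };
    let grant = check_can_send(&alice, &from).expect("owner is authorized");
    send_money(&grant, &mut from, &mut to, 40).expect("transfer succeeds");
    println!("user {} sent 40; balances now {} / {}", grant.user_id, from.balance, to.balance);
}
```

Try deleting the `grant` parameter from a call to `send_money`: the program no longer compiles, which is the property the post is after.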
Mobile Security
optiv/InsecureShop
An intentionally vulnerable Android application built in Kotlin, by Optiv’s Gaurang Bhatnagar and Matt Eidelberg. Over 19 vulnerabilities, most based on real vulnerabilities found in an actual pen test.
Web Security
hahwul/authz0
An automated authorization test tool by Hahwul. URLs and roles are managed as YAML-based templates, you can leverage ZAP and Burp history, and more.
blst-security/cherrybomb
A CLI tool that helps you avoid undefined user behavior by validating your API specifications. It takes in a Swagger file, runs a series of checks on it to make sure everything is on par with the OAS, and outputs a detailed table with any alerts found. Cherrybomb can also take in your logs and check them for business logic flaws.
Security Program Building
Secrets of Successful Security Programs - Part 2
The second part of Phil Venables’s guide (my notes on part 1 here) covers overall program management and practices that are necessary for ongoing and effective risk mitigation. Topics include: establishing sources of funding, building and maintaining an effective team, establishing a strong security baseline with The Essential 20, and more.
This post neatly summarizes and weaves through, in a very satisfying way, 10+ other posts Phil has written that go into each aspect in more detail. Another must read.
CISO’s Guide to a Modern AppSec Program
James Chiappetta on cybersecurity’s influence on organizational culture (be an enabler, not a blocker), a getting started AppSec program checklist, building out AppSec focus areas, and various useful pro-tips and takeaways.


Security Newsletters
This section brought to you by Xzibit.
TalEliyahu/awesome-security-newsletters
List by Tal Eliyahu.
The High-quality Security Newsletters Rami McCarthy reads and why
Great thread by Rami McCarthy, which introduced me to a few I’ve now joined.
Cloud Security
ramimac/aws-customer-security-incidents
A repo by Rami McCarthy aiming to index all publicly disclosed AWS customer security incidents with a known root cause, so they can be learned from.
Stratus Red Team
Very cool new tool by Christophe Tafani-Dereeper (GitHub): an open-source adversary emulation tool for the cloud. A standalone Golang binary that comes with a catalog of cloud-native attack techniques that you can easily detonate to test your threat detection. See the Datadog blog post announcement, and Christophe’s behind-the-scenes “making of” post, which includes details about the process of creating it, design decisions, and more.
WeAreCloudar/cfn-drift-remediation
Tool by Cloudar that uses the Cloud Control API to remediate drift that was detected on a CloudFormation stack. It reads the existing drift of a stack, iterates through the drifted resources, and constructs a patch document to change the actual (detected) property values to the expected (stack) values.
Container Security
appvia/cosign-keyless-admission-webhook
Kubernetes admission webhook that uses cosign verify to check that the subject and issuer of the image match what you expect, by Appvia.
Sponsor
📢 Releasing Freemium Rapticore to make your cloud a little less cloudy.
Rapticore secures your Cloud Applications, Infrastructure & Code Repositories. Inventory, Architecture Diagrams, Automated Threat Modeling, Security Requirements, CIS and AWS Configuration Checks, IAM & Security Groups, & more to manage your Cloud Application lifecycle and program.
I met Ahsan Mir, one of the founders of Rapticore, when he was the CISO at Autodesk. Super nice and sharp guy. I like how they’re focusing on observability, and breaking down what can be siloed views in many companies.
Network Security
Introducing Scanning Made Easy
The NCSC will be releasing a collection of Nmap scripts to help identify systems with certain high risk vulnerabilities. The first is for Exim message transfer agent (MTA) RCEs, by NCC Group’s Ollie Whitehouse.
Reverse Engineering
Debugging a Java application with decompiled source code
dozer describes how to decompile Java targets and connect them to an IntelliJ IDEA project for live debugging, which is very useful for tracking values passed to interesting or dangerous functions at runtime (e.g. Runtime.exec()).
Frida HandBook
Virus Total’s @entdark_ describes how to use the binary instrumentation tool Frida, covering Frida internals, how (not) to approach common tasks, and advanced topics.
Politics / Privacy
North Korea Hacked Him. So He Took Down Its Internet
A year after the North Korean campaign to target Western security researchers, one targeted researcher, P4x, was annoyed at the lack of U.S. government response. So he found a number of North Korean systems running software with unpatched vulnerabilities (e.g. nginx, Apache), and has been using those flaws to DoS their websites, routers, etc.
Misc
papers-we-love/papers-we-love
“A community built around reading, discussing and learning more about academic computer science papers. This repository serves as a directory of some of the best papers the community can find, bringing together documents scattered across the web.”
JustWatch - The Streaming Guide
Get personal recommendations for movies and TV shows available on Netflix, Amazon Prime Video, Disney Plus and many more.
How to look your best on a video call
Light your face, raise your camera, test your video before the call, find a quiet place and use your best headphones, and get comfortable.
CISO is briefed on Red Team engagement
A new take on the classic Hitler getting angry video 🤣
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler @tldrsec