• tl;dr sec
  • Posts
  • [tl;dr sec] #118 - Atomic Red Team for Cloud, Security Program Building, How Not to Do Secrets

[tl;dr sec] #118 - Atomic Red Team for Cloud, Security Program Building, How Not to Do Secrets

Tool to test your cloud detections, how to build and scale a security program, OWASP project to teach you how not to manage secrets.

Author

Clint Gibler
February 02, 2022

Hey there,

I hope you’ve been doing well!

Screenwriting Follow-up

Last week I shared some potential pitches for what I believe could be the plot for “Through My Window,” an upcoming “steamy romance” movie on Netflix, whose tagline is: “It all started with the Wi-Fi password…”

The pitches were artisanally crafted for believability, technical accuracy, educational content (why not teach computer security in a narrative form?), and fiery romance. After all, a long-haired man on a horse is an icon for many a romance novel, and many hackers have long hair. Coincidence? I think not.

Anywho, I offered my screenwriting services to help on the film, and I received this response from Patrick Thomas:

Your move Apple TV, Disney+, Amazon Prime, etc.

In good faith, I’d like to offer a line my bud Adam Berman came up with:

“I’ll have whatever Wi-Fi she’s having.”

Sponsor

📢 Make software security a priority in 2022

With the increasing rise of security breaches that exploit software vulnerabilities, 2022 is the year to invest in releasing quality software - that is also secure - faster, regardless of the language:framework it is built on. To do that, you need security aware and enabled developers that code securely as applications are being created. Let Secure Code Warrior show you how >>

📜 In this newsletter...

  • AppSec: Examples of how not to use secrets, automating your web scanning and vulnerability management, using types to prevent authorization bugs

  • Mobile Security: Intentionally vulnerable Android app written in Kotlin

  • Web Security: Automated authorization test tool, tool to validate your API specs

  • Security Program Building: Secrets of successful security programs part 2, CISO's guide to a modern AppSec program

  • Security Newsletters: This section is so Meta (but not the type that polarizes society)

  • Cloud Security: Collection of publicly disclosed AWS customer security incidents, cloud red team tool to test your detections, autoremediate CloudFormation drift

  • Container Security: Kubernetes admission controller that verifies the subject and issuer of images

  • Network Security: NCSC will start releasing nmap scripts fingerprinting high risk vulns

  • Reverse Engineering: Debugging a Java app with decompiled source code, Frida Handbook

  • Politics / Privacy: A disgruntled hacker took down North Korea's Internet

  • Misc: Academic computer science papers people love, get personal recommendations for streaming platforms, how to look your best on a video call, a CISO is briefed on a red team engagement

AppSec

OWASP WrongSecrets
12 challenges consisting of examples of how not to use secrets, by Xebia’s Jeroen Willemsen, ENACT-IT’s Ben de Haan, et al. Find the different secrets with various tools and techniques, and learn if you’re doing secret management correctly.

Improving Web Vulnerability Management through Automation
Lyft’s Nicolas Flacco describes how they automated the process of scanning various endpoints via headless Burp, exporting the results, and auto-creating Jira tickets for identified issues. There are some implementation challenges here, for example, detecting duplicate issues, items marked as “won’t fix”, reoccuring issues, etc.

Eliminating Authorization Vulnerabilities with Dacquiri
As mentioned last week, Nathanial Lattimer’s Rust library Dacquiri “turns authorization vulnerabilities into compile-time errors.” This post walks through an example of using Dacquiri to help secure a hypothetical send money feature for a bank. Using secure-by-default frameworks and leveraging type systems for security guarantees is 🔥

By gating privileged actions in your application behind Dacquiri’s entitlement system, it will ensure that every single codepath that interacts with the protected function has performed the required authorization checks ahead of time.

Mobile Security

optiv/InsecureShop
An intentionally vulnerable Android application built in Kotlin, by Optiv’s Gaurang Bhatnagar and Matt Eidelberg. Over 19 vulnerabilities, most based on real vulnerabilities found in an actual pen test.

Web Security

hahwul/authz0
An automated authorization test tool by Hahwul. URLs and roles are managed as YAML-based templates, you can leverage ZAP and Burp history, and more.

blst-security/cherrybomb
A CLI tool that helps you avoid undefined user behavior by validating your API specifications. It takes in a Swagger file, runs a series of checks on it to make sure everything is on par with the OAS, and outputs a detailed table with any alerts found. Cherrybomb can also take in your logs and check them for business logic flaws.

Security Program Building

Secrets of Successful Security Programs - Part 2
The second part of Phil Venables’s guide (my notes on part 1 here) covers overall program management and practices that are necessary for ongoing and effective risk mitigation. Topics include: establishing sources of funding, building and maintaining an effective team, establishing a strong security baseline with The Essential 20, and more.

This post neatly summarizes and weaves through, in a very satisfying way, 10+ other posts Phil has written that go into each aspect in more detail. Another must read.

CISO’s Guide to a Modern AppSec Program
James Chiappetta on cybersecurity’s influence on organizational culture (be an enabler, not a blocker), a getting started AppSec program checklist, building out AppSec focus areas, and various useful pro-tips and takeaways.

Security Newsletters

This section brought to you by Xzibit.

The High-quality Security Newsletters Rami McCarthy reads and why
Great thread by Rami McCarthy, which introduced me to a few I’ve now joined.

Cloud Security

ramimac/aws-customer-security-incidents
A repo by Rami McCarthy aiming to index all publicly disclosed AWS customer security incidents with a known root cause, so they can be learned from.

Stratus Red Team
Very cool new tool by Christophe Tafani-Dereeper (GitHub), an open-source adversary emulation tool for the cloud. A standalone Golang binary that comes with a catalog of cloud-native attack techniques that you can easily detonate to test your threat detection. Datadog blog post announcement, Christophe’s behind the scenes making of post that includes details about the process of creating it, design decisions, and more.

WeAreCloudar/cfn-drift-remediation
Tool by Cloudar that uses the Cloud Control API to remediate drift that was detected on a CloudFormation stack. Reads the existing drift of a stack, iterate through the drifted resources and construct a patch document to change the actual (detected) property values to the expected (stack) values.

Container Security

appvia/cosign-keyless-admission-webhook
Kubernetes admission webhook that uses cosign verify to check the subject and issuer of the image matches what you expect, by Appvia.

Sponsor

📢 Releasing Freemium Rapticore to make your cloud a little less cloudy.

Rapticore secures your Cloud Applications, Infrastructure & Code Repositories. Inventory, Architecture Diagrams, Automated Threat Modeling, Security Requirements, CIS and AWS Configuration Checks, IAM & Security Groups, & more to manage your Cloud Application lifecycle and program.

I met Ahsan Mir, one of the founders of Rapticore, when he was the CISO at Autodesk. Super nice and sharp guy. I like how they’re focusing on observability, and breaking down what can be siloed views in many companies.

Network Security

Introducing Scanning Made EasyThe NCSC will be releasing a collection of Nmap scripts to help identify systems with certain high risk vulnerabilities. The first is for Exim message transfer agent (MTA) RCEs, by NCC Group’s Ollie Whitehouse.

Reverse Engineering

Debugging a Java application with decompiled source
codedozer describes how to decompile Java targets and connect them to an IntelliJ IDEA project for live debugging, which is very useful to tracking values passed to interesting or dangerous functions at runtime (e.g. Runtime.exec()).

Frida HandBook
Virus Total’s @entdark_ describes how to use the binary instrumentation tool Frida, covering Frida internals, how (not) to approach common tasks, and advanced topics.

Politics / Privacy

North Korea Hacked Him. So He Took Down Its Internet
A year after the North Korean campaign to target Western security researchers, one targeted researcher, P4x, was annoyed at the lack of U.S. government response. So he found a number of North Korean systems running software with unpatched vulnerabilities (e.g. nginx, Apache), and has been using those flaws to DoS their websites, routers, etc.

Misc

papers-we-love/papers-we-love
“A community built around reading, discussing and learning more about academic computer science papers. This repository serves as a directory of some of the best papers the community can find, bringing together documents scattered across the web.”

JustWatch - The Streaming Guide
Get personal recommendations for movies and TV shows available on Netflix, Amazon Prime Video, Disney Plus and many more.

How to look your best on a video call
Light your face, raise your camera, test your video before the call, find a quiet place and use your best headphones, and get comfortable.

CISO is briefed on Red Team engagement
A new take on the classic Hitler getting angry video 🤣

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint