Hey there,
I hope you've been doing well!
The Future is Bright
A few of my friends have recently gotten the new M1 Macs, and they've been raving about the speed and battery life.
It's vision like this that pushes our industry forward.
That's one thing I like about tech: there's this undefeatable optimism and hope for a better tomorrow.
Even when times are tough, it's that hope that can still get you out of bed in the morning, because you know you're working towards something that matters.
H/T Mike Privette for the image.
Podcast
I recently joined Panther founder Jack Naglieri on the Detection at Scale podcast.
It was a fun chat about the origins of Semgrep and how it differs from other static analysis tools, how AppSec and detection and response teams can collaborate, and tips on succeeding in AppSec at scale.
Check it out here: Ep15: r2c's Clint Gibler: How To Succeed in AppSec at Scale.
Sponsor
Security and Compliance at the Pace of DevOps
Cloud Optix DevSecOps tools work seamlessly with existing DevOps processes to help prevent security breaches pre-deployment. Cloud Optix ensures container images and Infrastructure-as-Code (IaC) templates containing insecure configurations as well as embedded secrets and keys never make it to a test or live production environment.
Free Trial
In this newsletter...
- Conferences: Black Hat EU 2021 videos posted
- AppSec: Stop storing secrets in environment variables, non-security things that can sink a security program
- Web Security: A Burp Suite extension useful when testing apps using OAUTHv2 and OpenID
- Infrastructure as Code: Private Terraform Module and Terraform Provider registry, purposefully vulnerable Kustomize.io Kubernetes templates, testing IaC using dynamic cloud security tools, a Terraform security scanner bake-off, get cloud cost estimates for Terraform changes on PRs
- Cloud Security: Identify privilege escalation paths in cloud environments, Terraform module to automate setup of OIDC between AWS and GitHub Actions/GitLab CI, a safety net for AWS canarytokens, security practices in AWS multi-tenant SaaS environments
- Blue Team: Malware simulation harness for evaluating security controls, awesome-security-hardening collection, anti-phishing using perceptual hashing algorithms
- Politics / Privacy: NSO offered US mobile security firm "bags of cash"
- Misc: Tool to encode/decode 120+ formats, write cross-platform native apps in Python, how to pick a good monitor for software development, inside one of India's biggest influencer families, the economics of Spotify
Conferences
Black Hat Europe 2021 Videos
Abstracts and slides on the main conference page here.
AppSec
Stop Storing Secrets In Environment Variables!
Forces Unseen's Matt Hamilton argues that you
should instead use ephemeral filesystem mounts.
Non-Security Things That Can Sink A Security Program
Helen Patton describes a number of important
company aspects that impact the effectiveness of your security program,
including asset management, identity strategy, technology stack, and
inter-department governance.
Web Security
akabe1/OAUTHScan
A Burp Suite extension useful when testing applications implementing OAUTHv2 and
OpenID standards. It contains 10+ security checks for OAUTHv2/OpenID
vulnerabilities and common misconfigurations.
Infrastructure as Code
outsideris/citizen
A Private Terraform Module and Terraform Provider registry, by
@Outsideris.
bridgecrewio/kustomizegoat
Purposefully vulnerable Kustomize.io Kubernetes templates for training and
education purposes, by Bridgecrew.
Testing Infrastructure-as-Code Using Dynamic Tooling
NCC Group's Erik Steringer describes how to shift
left with dynamic cloud security tools. Rather than testing against a live
development or production environment, you can deploy your Terraform into a
local LocalStack environment and then run tools like Scout Suite and PMapper
against it. Neat! Tool release: Aerides.

Complete guide for picking the right tool for Terraform Security Code Analysis
Revolgy's Marko Fábry and Marek
Šottl discuss evaluating Checkov,
Snyk, terrascan and tfsec for finding security vulnerabilities and
misconfigurations in AWS and GCP Terraform files. The post includes a nice
feature set comparison table, sections on each tool, and comparing the results
of each tool on terragoat.

infracost/infracost
Tool by Infracost that shows cloud cost
estimates for Terraform changes on pull requests. This enables DevOps, SRE and
engineers to see a cost breakdown and understand costs before making changes.

Cloud Security
carlospolop/PurplePanda
Like BloodHound but for cloud: identify privilege escalation paths within and
across different clouds, by Carlos Polop.
Currently supports GCP, GitHub, and Kubernetes.
Identity Federation for CI on AWS
Small Terraform module that automates the setup of OIDC federation between AWS
and GitHub Actions/GitLab CI, by Marco
Lancini.
A "Safety Net" for AWS Canarytokens
In an ideal world, you could use CloudTrail to monitor the use of AWS API
tokens. However, some AWS APIs don't log to CloudTrail (this is why we can't
have nice things). Thinkst Canary describes
how you can use IAM credential reports as a safety net to determine when API
keys have been used more recently than has been seen in CloudTrail, covering
this blind spot, and they've recently rolled this out to free users on
Canarytokens.org
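As an added example (not code from the Thinkst post or Canarytokens), here is that reconciliation in Python: it reads a trimmed IAM credential report and flags active access keys whose last-used time is newer than, or missing from, what CloudTrail recorded for that user. The CSV rows, account id and CloudTrail timestamps are constructed sample data; the column names are the real report's.

```python
"""Flag AWS access-key use that CloudTrail never recorded, using the IAM
credential report as a safety net. Sample data below is constructed."""
import csv
import io
from datetime import datetime, timezone

# Trimmed credential report: only the columns this check needs (real names).
CREDENTIAL_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_used_date,access_key_1_last_used_service
canary-s3-token,arn:aws:iam::123456789012:user/canary-s3-token,true,2022-02-02T09:15:00+00:00,s3
canary-unused,arn:aws:iam::123456789012:user/canary-unused,true,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,true,2022-02-01T18:00:00+00:00,ecr
"""

# Most recent API call per IAM user as observed in CloudTrail (constructed).
CLOUDTRAIL_LAST_SEEN = {
    "canary-s3-token": None,  # canary key: CloudTrail has never seen it used
    "deploy-bot": datetime(2022, 2, 1, 18, 0, tzinfo=timezone.utc),
}


def parse_report_time(value):
    """IAM writes 'N/A' (or 'no_information') for keys never used."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def find_unlogged_key_use(report_csv, cloudtrail_last_seen):
    """Return (user, last_used, service) for every active key whose IAM
    last-used time is later than, or absent from, CloudTrail's record."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["access_key_1_active"] != "true":
            continue  # inactive keys cannot have been used
        used = parse_report_time(row["access_key_1_last_used_date"])
        if used is None:
            continue  # never used: nothing to reconcile
        seen = cloudtrail_last_seen.get(row["user"])
        if seen is None or used > seen:
            findings.append((row["user"], used, row["access_key_1_last_used_service"]))
    return findings


if __name__ == "__main__":
    for user, when, svc in find_unlogged_key_use(CREDENTIAL_REPORT, CLOUDTRAIL_LAST_SEEN):
        print(f"ALERT {user}: key used via {svc} at {when.isoformat()}, no CloudTrail event")
```

IAM updates the last-used fields with some delay, so run this on a schedule rather than expecting it to catch a key within minutes of use.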
Security practices in AWS multi-tenant SaaS environments
Challenges, opportunities and best practices covering identity, tenant
isolation, and how isolation enforcement depends on the service involved.
Blue Team
FourCoreLabs/firedrill
A malware simulation harness for evaluating your security controls, by FourCore
Labs. Includes a set of four different attack
simulations for you to use and build on top of: Ransomware Simulation, Discovery
Simulation, a UAC Bypass and a Persistence Simulation.
decalage2/awesome-security-hardening
"A collection of awesome security hardening guides, best practices, checklists,
benchmarks, tools and other resources" by Philippe
Lagadec, covering major operating systems,
network devices, containers, SSH, web servers, and more.
Silly proof of concept: Anti-phishing using perceptual hashing algorithms
Anvil Secure's Diego Freijo proposes a way to
detect phishing websites without a centralized repository of malicious sites.
Basically, it's a browser extension that computes a fingerprint of screenshots
of sites you visit, and then if you visit a site that visually looks similar but
is from a different domain, it warns you.
Sort of like SSH's trust on first use (TOFU) approach for keys but for the visual
appearance of websites. Neat idea. Source
code.
Also, I love this and want to do it at my work:
Welcome to the first dispatch coming out of the Ministry of Silly Ideas! It's a space we've got inside Anvil where we encourage ourselves to come up with interesting-even-if-sounding-silly-at-first-glance ideas around security or IT in general. We then filter out those ideas that might even work in real life and implement a proof-of-concept to see if they pass the reality check. And, who knows? Some of those ideas might even be not-so-silly after all!
Sponsor
State of Modern Application Security: Insights From 400+ AppSec Practitioners
What would make AppSec programs more effective? What's the relationship like between developers and security? To answer these questions and more, Tromzo commissioned a survey of over 400 AppSec professionals for their first annual State of Modern Application Security Report.
Read the Report Now! [No email required]
Politics / Privacy
NSO offered US mobile security firm "bags of cash", whistleblower claims
A whistleblower has alleged that an executive at NSO Group offered a US-based mobile security company "bags of cash" in exchange for access to a global signalling network used to track individuals through their mobile phone, according to a complaint that was made to the US Department of Justice.
Misc
dhondta/python-codext
A Python library and CLI tool that can encode/decode 120+ formats, along with a guess mode for decoding multiple layers of encoding, by Alexandre D'Hondt. Seems potentially useful for CTFs.
BeeWare
"Write your apps in Python and release them on iOS, Android, Windows, MacOS, Linux, Web, and tvOS using rich, native user interfaces. Multiple apps, one codebase, with a fully native user experience on every platform."
How to Pick a Good Monitor for Software Development
Nick Janetakis covers when to buy a new
monitor, understanding physical size vs resolution, pixels per inch, scaling,
picture quality and color accuracy, refresh rates and input lag, and more.
"Everything is content": Inside the daily grind of one of India's biggest influencer families
An interesting peek inside a family that has oriented itself around regularly
creating social media content, and the impact it can have on the family.
"When spending time with the children becomes the job, the family fails to create memories that go beyond 'content,' and the children grow up to feel more alienated," Laskari said.
The Economics of Spotify
Spotify makes a lot of money, but relatively little of that makes it back to the artists.
The total sum that goes back to rights holders each month is based on the proportion of overall streams the rights holders' streams represent that month and the cut of music revenues the rights holders have negotiated with Spotify.
"...a midsized independent label's payout rates for the last several years, finding its average per-stream payout has declined to just $0.00348 as the service has expanded into more countries and extended more subscription discounts and bundles, and as users streamed more and more songs."
Also, some pretty brutal feedback for a company whose sole purpose is, you know, serving what artists create:
"I don't know any artists who feel their career has been made better by Spotify," said Dupuis, who has accumulated more than 15m Spotify streams as solo act Sad13 and as a singer and guitarist in Speedy Ortiz.

Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them.
Thanks for reading!
Cheers,
Clint
@clintgibler