• tl;dr sec
  • Posts
  • [tl;dr sec] #121 - Container Security Checklist, DevSecOps & Automating Compliance, Proactive Subdomain Takeovers

[tl;dr sec] #121 - Container Security Checklist, DevSecOps & Automating Compliance, Proactive Subdomain Takeovers

A dense checklist of container hardening steps, Cloud Security Alliance whitepaper on automating compliance and better relating it to security requirements, tool to preemptively take over your subdomains before attackers can.

Author

Clint Gibler
February 23, 2022

Hey there,

I hope you’ve been doing well!

The Superb Owl

Every year, growing up in Cincinnati, there was a constant refrain: “The Bengals are going to be good this year.”

A bold claim, given they’ve never won a Super Bowl, and in ~10 years of my living in Cincinnati, they rarely even got to the playoffs.

But this year the Bengals made it to the Super Bowl, and some people were so excited they painted their house orange and black.

Unfortunately the Bengals didn’t win, but at least they had a taste of success. Well done!

Sidenote: I wonder what the above paint job did for their property value 🤔

Sponsors Getting Acquired

Congrats to Vectrix, the 4th and counting tl;dr sec sponsor that has been acquired. And I think they’ve found a good home in Cloudflare (announcement post).

Hm, maybe I need to start a fund or something, as I wonder if my (accidental) success rate is higher than some VC firms. I’d need to invest in some Patagonia vests and nice shoes first though.

Brb, adding an “Acquired Sponsors” section to the tl;dr sec sales page 😎

Sponsor

📢 It's time to tackle client-side security, no really, the time is now!

Get the information you need about client-side security in order to protect your JavaScript web applications and customer data. Discover the attacks targeting businesses that deliver products and services through the client-side. Understand how to operationalize JavaScript security, how to recover from client-side breaches, and how to optimize your security for success in today’s digital economy.

📜 In this newsletter...

  • Machine Learning: AI trained on programming competition code does as well as median human competitor

  • AppSec: Finding secrets in git --mirror, automatically merging Dependabot PRs, automating compliance and connecting it to security requirements

  • Web Security: Tool to ease testing race conditions, automatically discovering vulnerabilities in WordPress plugins

  • Supply Chain: Collection of tools to audit NPM dependencies, a prototype implementation of the CNCF's Secure Software Factory, example malicious Terraform that leaks secrets

  • Cloud Security: Proactively take over your own vulnerable subdomains, IaC tool comparison + integrating into GitLab, VS Code extension with AWS IAM autocomplete, Amazon API Gateway CORS configurator

  • Container Security: Serverless reverse proxy for exposing container registries, container security checklist

  • Misc: How Apple could get to $1T in revenue, eBPF for Windows, No Starch author interview with lcamtuf on his new Practical Doomsday book, baby shark dance

  • Six things I've learned from 15 years at ZDNet: Larry Dignan on hiring, culture, careers, and more

Machine Learning

DeepMind has made software-writing AI that rivals average human coder
Note that DeepMind was trained on code from programming competitions, and doesn’t seem to do as well on simpler tasks. Still, progress is being made.

The tool was entered into 10 rounds on the programming competition website Codeforces, where human entrants test their coding skills. In these 10 rounds, AlphaCode placed at about the level of the median competitor.

AppSec

nightwatchcybersecurity/gitbleed_tools
Tool by Nightwatch Cybersecurity for calculating the delta between a regular cloned repo and a mirrored (--mirror) one, and scanning the parts only available in the mirror for secrets using gitleaks. Blog post with more info, including how --mirror mode can include additional repo content that isn’t present in normal clones.

Git is like a helpful but at times inscrutable long term partner– even interacting with them every day for years, there’s always more to learn.

How to keep your repo package dependencies up to date automatically
OpenPix’s Danilo Assis describes how to configure repos so that when Dependabot opens a PR that updates a dependency, tests are automatically ran in that PR, and the PR is auto-merged if the tests pass. Of course, be careful this doesn’t still break things, potential supply chain risk re: automatically updating dependencies, etc.

DevSecOps - Pillar 4 Bridging Compliance and Development
The third in a series of reports by the Cloud Security Alliance, this one lead by Deloitte’s Roupe Sahans et al. The document focuses on automating compliance and having compliance better relate to security requirements. Some recommendations mentioned:

  • Define and create security guardrails to monitor deployments and find deviations from desired baselines autonomously.

  • Leverage the use of patterns and templates to scale security consistently.

Web Security

Cache-Money/chronorace
A tool to accurately perform timed race conditions to circumvent application business logic, by @itscachemoney.

🔥 A technique to semi-automatically discover new vulnerabilities in WordPress plugins
Awesome work by Krzysztof Zając. WordPress plugins expose a number of standard routes, and these interfaces have a consistent trust boundary. Kryzysztof wrote a tool that executes each AJAX endpoint, menu page, REST route, or file multiple times with a variety of payloads, and analyzes the responses to detect XSS, SQL injection, CSRF, arbitrary file read and more.

One particularly neat aspect is that he mocks certain variables (like $_GET, $_REQUEST, etc.) and instruments a number of WordPress functions to determine what can be user-controlled. In total, he found over 120 CVEs in various WordPress plugins.

Supply Chain

jfrog/jfrog-npm-tools
A collection of tools to help audit your NPM dependencies for suspicious packages or continuously monitor dependencies for future security events, by JFrog.

The Secure Software Factory
A prototype implementation of the CNCF’s Secure Software Factory Reference Architecture which is based on the CNCF’s Software Supply Chain Best Practices White Paper. SLSA ready.

Supply Chain Attack as Code
@xssfox gives an example of how to leak secrets via a malicious Terraform module.

Cloud Security

OVO vs. Bug Bounty researchers - round 2
OVO’s Paul Schwarzenberger describes improvements they made to their open source tool Domain Protect that can now proactively take over your own vulnerable subdomains (usually within a few minutes), before attackers or bug bounty researchers can.

Fantastic Infrastructure as Code security attacks and how to find them
GitLab’s Michael Friedrich describes several infrastructure as code and Kubernetes scanning tools (tfsec, kics, terrascan, Semgrep, tflint) and how to integrate them into continuous GitLab code scanning. See also GitLab’s purposefully vulnerable IaC repo.

IAM Legend
A VS Code extension by Sebastian Bille that provides AWS IAM actions autocomplete, documentation and wildcard resolution. Supports Serverless Framework, AWS SAM, CloudFormation and Terraform.

If the bully who beat you up and stole your lunch money in middle school were a technology, they would undoubtedly be CORS. The Amazon API Gateway CORS Configurator helps you make it work with API Gateway.

Container Security

ahmetb/serverless-registry-proxy
A serverless reverse proxy for exposing container registries (GCR, Docker Hub, Artifact Registry, etc.) as a public registry on your own domain name, by Twitter’s Ahmet Balkan.

Container Security Checklist: From the image to the workload
Great overview and distillation by Aqua Security’s Carol Valencia with actionable steps, links, and commands covering securing the build, container registry, container runtime, infrastructure, data, and workloads.

Sponsor

📢 Register for ZAPCon 2022 ⚡️

ZAPCon 2022 is a free virtual event for ZAP users and those looking to level-up their automated application security testing game.

The ZAPCon schedule is now available. See the full speaker lineup and save your spot for free.

Misc

Apple: Thief
Fascinating thought experiment by Prof Galloway on the various verticals Apple could snatch up to become the first company with $1 trillion in revenue.

The End Is (Not) Nigh: Disaster Prepping with Michal Zalewski
No Starch Author interview with Michal Zalewski (aka lcamtuf) on his new book: Practical Doomsday: A User’s Guide to the End of the World. Michael has had quite the career: creating AFL, building Google’s product security team, authoring Silence on the Wire and The Tangled Web, and more.

Use coupon code SPOTLIGHT30 to get 30% off your order of Practical Doomsday through March 9, 2022.

A comprehensive security program starts with minimizing the risk of such mistakes in the first place: building automation that makes it easy to do the right thing and difficult for humans to mess up. 

Baby Shark Dance
TIL the jingle for Jamie Tartt on the TV show Ted Lasso (“Jamie Tartte do do do do”) seems to be directly taken from this Baby Shark Dance song by South Korean children’s education megabrand Pinkfong.

Larry Dignan shares some interesting perspective on hiring, culture, careers, and more. Some snippets:

Collect characters. ZDNet is an eclectic group that has mid-air collisions, a bit of squabbling and a lot of opinions. But the brainpower you can harness is amazing and you have a built-in defense to groupthink. It’s not easy to collect characters because you have to hold on loosely.

Technology and careers are about the middle of the Venn diagram. The next big thing usually isn’t, but what’s clear is that intersections matter. Technologies may have been early but often pave the way for something else as an enabler. Thanks to computing gains, AI and machine learning has become operationalized.

Careers are often about the intersections too. The tech leaders of today also are well versed in business. Pick two themes, find the middle ground between two sides that don’t understand each other and you have a career.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint