Hey there,
I hope you've been doing well!
The Superb Owl
Every year, growing up in Cincinnati, there was a constant refrain: "The Bengals are going to be good this year."
A bold claim, given they've never won a Super Bowl, and in ~10 years of my living in Cincinnati, they rarely even got to the playoffs.
But this year the Bengals made it to the Super Bowl, and some people were so excited they painted their house orange and black.
Unfortunately the Bengals didn't win, but at least they had a taste of success. Well done!
Sidenote: I wonder what the above paint job did for their property value 🤔
Sponsors Getting Acquired
Congrats to Vectrix, the 4th and counting tl;dr sec sponsor that has been acquired. And I think they've found a good home in Cloudflare (announcement post).
Hm, maybe I need to start a fund or something, as I wonder if my (accidental) success rate is higher than some VC firms. I'd need to invest in some Patagonia vests and nice shoes first though.
Brb, adding an "Acquired Sponsors" section to the tl;dr sec sales page
Sponsor
📢 It's time to tackle client-side security, no really, the time is now!
Get the information you need about client-side security in order to protect your JavaScript web applications and customer data. Discover the attacks targeting businesses that deliver products and services through the client-side. Understand how to operationalize JavaScript security, how to recover from client-side breaches, and how to optimize your security for success in today's digital economy.
Get Feroot's latest ebook on client-side security
In this newsletter...
- Machine Learning: AI trained on programming competition code does as well as median human competitor
- AppSec: Finding secrets in git --mirror, automatically merging Dependabot PRs, automating compliance and connecting it to security requirements
- Web Security: Tool to ease testing race conditions, automatically discovering vulnerabilities in WordPress plugins
- Supply Chain: Collection of tools to audit NPM dependencies, a prototype implementation of the CNCF's Secure Software Factory, example malicious Terraform that leaks secrets
- Cloud Security: Proactively take over your own vulnerable subdomains, IaC tool comparison + integrating into GitLab, VS Code extension with AWS IAM autocomplete, Amazon API Gateway CORS configurator
- Container Security: Serverless reverse proxy for exposing container registries, container security checklist
- Misc: How Apple could get to $1T in revenue, eBPF for Windows, No Starch author interview with lcamtuf on his new Practical Doomsday book, baby shark dance
- Six things I've learned from 15 years at ZDNet: Larry Dignan on hiring, culture, careers, and more
Machine Learning
DeepMind has made software-writing AI that rivals average human coder
Note that AlphaCode was trained on code from programming competitions, and doesn't seem to do as well on simpler tasks. Still, progress is being made.
The tool was entered into 10 rounds on the programming competition website Codeforces, where human entrants test their coding skills. In these 10 rounds, AlphaCode placed at about the level of the median competitor.
AppSec
nightwatchcybersecurity/gitbleed_tools
Tool by Nightwatch Cybersecurity for calculating the delta between a regular cloned repo and a mirrored (--mirror) one, and scanning the parts only available in the mirror for secrets using gitleaks. Blog post with more info, including how --mirror mode can include additional repo content that isn't present in normal clones.
Git is like a helpful but at times inscrutable long-term partner: even interacting with them every day for years, there's always more to learn.
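To make the mirror/regular delta concrete, here is an added example (my own script, not code from gitbleed_tools or the Nightwatch post). It builds a constructed repo in which one commit is reachable only through a `refs/pull/1/head` ref (the kind of ref hosting platforms keep for closed PRs), clones it both ways, lists the refs and commits only the mirror received, and scans just that delta. The ref name, the commit contents and the grep patterns are constructed; gitbleed itself hands the delta to gitleaks rather than grep.

```shell
#!/usr/bin/env bash
# Added example, not code from gitbleed_tools: show why `git clone --mirror`
# can contain history a regular clone never receives, and scan only that delta.
# The sample repo, the refs/pull/1/head ref and the "secret" are constructed.
set -eu

# Clone the same source twice. --no-local makes the regular clone behave like
# a network clone (objects are fetched, not hard-linked from the source).
clone_both() {            # clone_both <source> <workdir>
  git clone --quiet --no-local "$1" "$2/regular"
  git clone --quiet --mirror "$1" "$2/mirror.git"
}

# Refs present in the mirror but not in the regular clone. A regular clone
# fetches only refs/heads/* (kept under refs/remotes/origin/*) and tags; a
# mirror fetches refs/*, so refs/pull/*, refs/notes/* and the like are mirror-only.
mirror_only_refs() {      # mirror_only_refs <workdir>
  git -C "$1/regular" for-each-ref --format='%(refname)' refs/remotes/origin refs/tags \
    | sed 's#^refs/remotes/origin/#refs/heads/#' | grep -v '^refs/heads/HEAD$' \
    | sort > "$1/regular.refs"
  git -C "$1/mirror.git" for-each-ref --format='%(refname)' | sort > "$1/mirror.refs"
  comm -13 "$1/regular.refs" "$1/mirror.refs"
}

# Commits reachable from mirror-only refs but from no branch or tag: the only
# history a scan of the regular clone could not have covered.
mirror_only_commits() {   # mirror_only_commits <workdir>
  local refs; refs=$(mirror_only_refs "$1")
  [ -n "$refs" ] || return 0
  # shellcheck disable=SC2086
  git -C "$1/mirror.git" rev-list $refs --not --branches --tags
}

# Scan the delta. gitbleed hands this to gitleaks; here a grep over each
# mirror-only commit's diff stands in so the example runs offline.
scan_delta() {            # scan_delta <workdir>
  local commit
  for commit in $(mirror_only_commits "$1"); do
    git -C "$1/mirror.git" show --format='commit %H' "$commit" \
      | grep -E -i 'commit [0-9a-f]{40}|password *=|PRIVATE KEY' || true
  done
}

# Constructed repo: one commit on main, a tag, and a second commit reachable
# only through refs/pull/1/head (as hosting platforms keep closed PR heads).
make_demo_repo() {        # make_demo_repo <path>
  export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
  export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
  git init --quiet "$1"
  git -C "$1" symbolic-ref HEAD refs/heads/main
  echo "hello" > "$1/README"
  git -C "$1" add README && git -C "$1" commit --quiet -m "initial"
  git -C "$1" tag v1
  git -C "$1" checkout --quiet -b feature
  echo 'db_password = "placeholder-not-a-real-secret"' > "$1/config.ini"
  git -C "$1" add config.ini && git -C "$1" commit --quiet -m "wip config"
  git -C "$1" update-ref refs/pull/1/head "$(git -C "$1" rev-parse feature)"
  git -C "$1" checkout --quiet main
  git -C "$1" branch --quiet -D feature
}

main() {
  local work; work=$(mktemp -d)
  make_demo_repo "$work/src"
  clone_both "$work/src" "$work"
  echo "mirror-only refs:";      mirror_only_refs "$work"
  echo "mirror-only commits:";   mirror_only_commits "$work"
  echo "findings in the delta:"; scan_delta "$work"
  rm -rf "$work"
}
main
```

Running it prints `refs/pull/1/head` as the only mirror-only ref, one commit hash, and the `db_password` line from that commit's diff; the regular clone, and any secret scan run against it, never sees that commit. Point `clone_both` at a real remote URL to get the same delta for a repo you own.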
How to keep your repo package dependencies up to date automatically
OpenPix's Danilo Assis describes how to configure repos so that when Dependabot opens a PR that updates a dependency, tests are automatically run in that PR, and the PR is auto-merged if the tests pass. Of course, be careful this doesn't still break things; there is a potential supply chain risk in automatically updating dependencies, etc.
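One way to keep the supply chain risk in check while still auto-merging, as an added example that is not the post's own setup: a small GitHub CLI script that parses Dependabot's PR titles, classifies each bump as patch, minor or major, and queues only patch and minor bumps for auto-merge. GitHub then merges a queued PR only once the branch's required status checks (your test workflow) pass, so a failing test still blocks the merge. The title format `Bump <pkg> from <old> to <new>`, the `--author app/dependabot` filter and the "patch and minor only" policy are my assumptions, not something the post prescribes.

```shell
#!/usr/bin/env bash
# Added example (not from the OpenPix post): a policy gate for Dependabot PRs
# driven by `gh`. Only patch/minor bumps are queued for auto-merge; GitHub
# performs the merge after required status checks pass. Title format and
# policy are assumptions.
set -eu

# Classify a semver bump as major, minor or patch. Versions are assumed to be
# dotted numerics (1.2.3); anything else (pre-releases, ranges) is "unknown".
bump_kind() {           # bump_kind <old> <new>
  local o="$1" n="$2" o1 o2 n1 n2
  case "$o$n" in *[!0-9.]*) echo unknown; return;; esac
  o1=${o%%.*}; n1=${n%%.*}
  o2=$(printf '%s' "$o" | cut -s -d. -f2); n2=$(printf '%s' "$n" | cut -s -d. -f2)
  if [ "$o1" != "$n1" ]; then echo major
  elif [ "${o2:-0}" != "${n2:-0}" ]; then echo minor
  else echo patch; fi
}

# Extract "<old> <new>" from a Dependabot title such as
# "Bump lodash from 4.17.20 to 4.17.21 in /app"; prints nothing otherwise
# (grouped updates, renamed titles), which the policy treats as "needs a human".
title_versions() {      # title_versions <title>
  printf '%s\n' "$1" | sed -n -E 's/^Bump .* from ([^ ]+) to ([^ ]+)( in .*)?$/\1 \2/p'
}

# Assumed policy: patch and minor bumps may auto-merge; major bumps and
# anything unparsable wait for review.
automerge_allowed() {   # automerge_allowed <title>
  local v; v=$(title_versions "$1")
  [ -n "$v" ] || return 1
  # shellcheck disable=SC2086
  case "$(bump_kind $v)" in patch|minor) return 0;; *) return 1;; esac
}

# Queue every qualifying open Dependabot PR for auto-merge. Needs `gh`
# authenticated for the repo, auto-merge enabled in repo settings, and branch
# protection with required checks (otherwise --auto merges immediately).
enable_automerge() {    # enable_automerge [owner/repo]
  gh pr list ${1:+--repo "$1"} --author 'app/dependabot' --state open \
     --json number,title --jq '.[] | "\(.number)\t\(.title)"' \
  | while IFS="$(printf '\t')" read -r number title; do
      if automerge_allowed "$title"; then
        echo "queueing #$number: $title"
        gh pr merge "$number" ${1:+--repo "$1"} --auto --squash
      else
        echo "needs review #$number: $title"
      fi
    done
}

# Run against GitHub only when asked: ./dependabot-gate.sh --run owner/repo
if [ "${1:-}" = "--run" ]; then
  enable_automerge "${2:-}"
fi
```

Without `--run` the script only defines the functions, so the classification logic can be exercised locally (for instance `automerge_allowed 'Bump react from 17.0.2 to 18.2.0'` returns non-zero because it is a major bump). Restricting auto-merge to patch and minor bumps does not remove the risk of a compromised upstream release, so the tests that gate the merge should cover the code paths that touch the dependency.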
DevSecOps - Pillar 4 Bridging Compliance and Development
The third in a series of reports by the Cloud Security Alliance, this one led by Deloitte's Roupe Sahans et al. The document focuses on automating compliance and having compliance better relate to security requirements. Some recommendations mentioned:
- Define and create security guardrails to monitor deployments and find deviations from desired baselines autonomously.
- Leverage the use of patterns and templates to scale security consistently.
Web Security
Cache-Money/chronorace
A tool to accurately perform timed race conditions to circumvent application
business logic, by @itscachemoney.
🔥 A technique to semi-automatically discover new vulnerabilities in WordPress plugins
Awesome work by Krzysztof Zając. WordPress plugins expose a number of standard routes, and these interfaces have a consistent trust boundary. Krzysztof wrote a tool that executes each AJAX endpoint, menu page, REST route, or file multiple times with a variety of payloads, and analyzes the responses to detect XSS, SQL injection, CSRF, arbitrary file read and more.
One particularly neat aspect is that he mocks certain variables (like $_GET, $_REQUEST, etc.) and instruments a number of WordPress functions to determine what can be user-controlled. In total, he found over 120 CVEs in various WordPress plugins.
Supply Chain
jfrog/jfrog-npm-tools
A collection of tools to help audit your NPM dependencies for suspicious
packages or continuously monitor dependencies for future security events, by
JFrog.
The Secure Software Factory
A prototype implementation of the CNCF's Secure Software Factory Reference Architecture, which is based on the CNCF's Software Supply Chain Best Practices White Paper. SLSA ready.
Supply Chain Attack as Code
@xssfox gives an example of how to leak secrets
via a malicious Terraform module.
Cloud Security
OVO vs. Bug Bounty researchers - round 2
OVO's Paul Schwarzenberger describes improvements they made to their open source tool Domain Protect, which can now proactively take over your own vulnerable subdomains (usually within a few minutes), before attackers or bug bounty researchers can.
Fantastic Infrastructure as Code security attacks and how to find them
GitLab's Michael Friedrich describes several infrastructure as code and Kubernetes scanning tools (tfsec, kics, terrascan, Semgrep, tflint) and how to integrate them into continuous GitLab code scanning. See also GitLab's purposefully vulnerable IaC repo.
IAM Legend
A VS Code extension by Sebastian Bille that
provides AWS IAM actions autocomplete, documentation and wildcard resolution.
Supports Serverless Framework, AWS SAM, CloudFormation and Terraform.
Corey Quinn's Last Week in AWS Security
If the bully who beat you up and stole your lunch money in middle school were a technology, they would undoubtedly be CORS. The Amazon API Gateway CORS Configurator helps you make it work with API Gateway.
Container Security
ahmetb/serverless-registry-proxy
A serverless reverse proxy for exposing container registries (GCR, Docker Hub, Artifact Registry, etc.) as a public registry on your own domain name, by Twitter's Ahmet Balkan.
Container Security Checklist: From the image to the workload
Great overview and distillation by Aqua Security's Carol Valencia with actionable steps, links, and commands covering securing the build, container registry, container runtime, infrastructure, data, and workloads.
Sponsor
📢 Register for ZAPCon 2022 ➡️
ZAPCon 2022 is a free virtual event for ZAP users and those looking to level-up their automated application security testing game.
The ZAPCon schedule is now available. See the full speaker lineup and save your spot for free.
Save My Spot
Misc
Apple: Thief
Fascinating thought experiment by Prof
Galloway on the various verticals Apple could
snatch up to become the first company with $1 trillion in revenue.
Microsoft Brings eBPF to Windows
Nice overview and context by Mary Branscombe.
The End Is (Not) Nigh: Disaster Prepping with Michal Zalewski
No Starch author interview with Michal Zalewski (aka lcamtuf) on his new book: Practical Doomsday: A User's Guide to the End of the World. Michal has had quite the career: creating AFL, building Google's product security team, authoring Silence on the Wire and The Tangled Web, and more.
Use coupon code SPOTLIGHT30 to get 30% off your order of Practical Doomsday through March 9, 2022.
A comprehensive security program starts with minimizing the risk of such mistakes in the first place: building automation that makes it easy to do the right thing and difficult for humans to mess up.
Baby Shark Dance
TIL the jingle for Jamie Tartt on the TV show Ted Lasso ("Jamie Tartt, do do do do") seems to be directly taken from this Baby Shark Dance song by South Korean children's education megabrand Pinkfong.
Six things I've learned from 15 years at ZDNet
Larry Dignan shares some interesting perspective on hiring, culture, careers, and more. Some snippets:
Collect characters. ZDNet is an eclectic group that has mid-air collisions, a bit of squabbling and a lot of opinions. But the brainpower you can harness is amazing and you have a built-in defense to groupthink. It's not easy to collect characters because you have to hold on loosely.
Technology and careers are about the middle of the Venn diagram. The next big thing usually isn't, but what's clear is that intersections matter. Technologies may have been early but often pave the way for something else as an enabler. Thanks to computing gains, AI and machine learning have become operationalized.
Careers are often about the intersections too. The tech leaders of today also are well versed in business. Pick two themes, find the middle ground between two sides that don't understand each other and you have a career.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them.
Thanks for reading!
Cheers,
Clint
@clintgibler