
[tl;dr sec] #122 - Developer Experience is Security, Everything as Code Survey, Graph-based Asset Management

Why DevX is so important for security, 50+ examples of Foo as Code, ingest all of your assets and query them in Neo4J.

Hey there,

I hope you’ve been doing well!

The Conflict

My heart goes out to the people of Ukraine, and all of the Russians against the violence.

Nothing I say can do justice to what’s happening, but know my thoughts are with you ✊💙

Feel Good Memes

It’s a stressful time right now, so here are a few images from tl;dr sec’s ye olde meme bank, FDIC-insured* to put a smile on your face.

Dagobert Renouf has some amusing start-up related memes and GIFs:

*No these memes are not insured, they’re provided AS IS with no warranty. This was said in jest, and I’m not a lawyer nor your accountant, nor do I play one on TV (yet).

Sponsor

📢 Prevent Security Breaches Pre-Deployment

Sophos Cloud Optix DevSecOps tools work seamlessly with existing DevOps processes to help prevent security breaches pre-deployment. Cloud Optix ensures container images and Infrastructure-as-Code (IaC) templates containing insecure configurations as well as embedded secrets and keys never make it to a test or live production environment.

📜 In this newsletter...

  • AppSec: Exploiting Jenkins build authorization, easily ingest your assets into Neo4J, Manicode 2022 secure coding catalog, Foo as Code survey

  • Web Security: Burp plugin to easily create nuclei templates

  • Cloud Security: AWS security fundamentals, simplify accessing multiple cloud accounts in your browser, tool to test your AWS security controls

  • Container Security: Run Kubernetes in airgapped environments, a Checkov-powered Kubernetes Admission controller

  • Developer Experience: Developer Experience is Security, a roundup of DevX resources, building for the 99% developers, autofix your slow Jupyter notebook code

  • Blue Team: Free tools recommended by CISA, IR framework focused on remote live forensics

  • Network Security: Tool to generate network traffic to test your security controls

  • Politics: A Ukrainian hacker to follow, Russia and the 4 Internets, tracking the economic fallout of Russia sanctions, history of information warfare in Ukraine, modern tactics in defending in urban warfare

  • Misc: Zane Lackey joins the dark side a16z, some Depressing Math, how Ikea tricks you into buying more stuff

AppSec

Exploiting Jenkins build authorization
Cider Security’s Asi Greenholts describes how the default build authorization configuration in Jenkins — controlling the permissions allocated to pipelines — is insecure and often left unmodified in production environments. He recommends using the “Authorize Project” and “Role-Based Authorization Strategy” plugins to define secure build authorization configurations.

Democratizing Graph-Based Security: Introducing Starbase
JupiterOne’s Austin Kelleher announces Starbase, an open source tool that enables collecting assets from 70+ systems, including cloud service providers, source control providers, IdPs, vulnerability management platforms, and more, and storing them in Neo4J. Starbase also interops with Lyft’s Cartography tool.

This lets you ask interesting questions like:

  • Which users have MFA disabled?

  • Which of my source code repos are accessible to outside contributors?

  • and much more
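Two Cypher queries that answer those questions, as an added illustration rather than code from the Starbase project. The node labels (User, CodeRepo, Person), the properties and the relationship types ALLOWS and IS are assumed for illustration and will differ from Starbase's real graph schema.

```cypher
// Added illustration: labels, properties and relationship types are ASSUMED,
// not Starbase's real schema. Adjust them to what your ingest produced.

// 1. Which users have MFA disabled?
//    Treat a missing property the same as "disabled": an integration that
//    never reported MFA state should not silently pass this check.
MATCH (u:User)
WHERE u.mfaEnabled IS NULL OR u.mfaEnabled = false
RETURN u.username AS user, u.source AS source
ORDER BY source, user;

// 2. Which source code repos are accessible to outside contributors?
//    "Outside" here means a repo collaborator with no link to a Person
//    record ingested from the IdP. The cross-source join (source control
//    user joined to IdP identity) is the reason to put everything in one graph.
MATCH (r:CodeRepo)-[:ALLOWS]->(u:User)
WHERE NOT (u)<-[:IS]-(:Person)
RETURN r.fullName AS repo, collect(u.username) AS outsideCollaborators
ORDER BY size(outsideCollaborators) DESC;
```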

Manicode Secure Coding Education Catalog 2022
My bud Jim Manico has updated the courses he and his artisanally sourced team of expert trainers offer, all focusing on teaching your developers to write secure code and maintain secure software.

For a taste of how Jim is like a shot of knowledge and positivity straight into your heart, see his AppSec Cali 2019 keynote, The Unabridged History of Application Security. Reach out to jim AT manicode.com for more info.

In depth research and trends analyzed from 50+ different concepts as code
Very cool overview by Patrick Debois covering various “Foo as Code” trends with supporting resources. Some trends:

  • Constructs are getting bigger: we are combining multiple parts into bigger concepts

  • DevSecOps as code explosion: security is working its way into the code constructs

  • Capturing process workflow: not just the infrastructure but also how we act/react to situations

  • Shift “regular” code to declarative code: some aspects can better be defined instead of being coded

  • Data as code: with the advent of MLOps, DataOps, the lines between code and data are blurring

  • Capturing knowledge as code: documentation, architecture and other aspects are becoming part of coding

  • Closer to the business: service levels, business experiments are increasingly getting defined as code

Web Security

projectdiscovery/nuclei-burp-plugin
New Burp Suite extension by ProjectDiscovery’s @forgedhallpass that makes it easy to generate nuclei templates from HTTP requests/responses.

Cloud Security

AWS Security Fundamentals (Second edition)
Self-paced course by Amazon covering fundamental AWS cloud security concepts, including AWS access control, data encryption methods, and how network access to your AWS infrastructure can be secured. It discusses the user’s security responsibility in AWS and the different security-oriented services available.

Granted.dev
A CLI tool by Common Fate that simplifies access to cloud roles and allows multiple cloud accounts to be opened in your web browser simultaneously. It’s designed for AWS SSO and encrypts cached credentials to avoid plaintext SSO tokens being saved on disk.

awslabs/aws-cloudsaga
Tool to test security controls and alerts within your AWS environment, using generated alerts based on security events seen by the AWS Customer Incident Response Team (CIRT).

Container Security

defenseunicorns/zarf
A tool to simplify the setup and administration of Kubernetes clusters in airgapped environments.

Introducing Whorf: The Checkov-powered Kubernetes Admission Controller
Bridgecrew’s Steve Giguere describes Whorf, a new Kubernetes Validating Admission Controller that uses Checkov as the core validator for Kubernetes manifests.

Developer Experience

Why is there a Developer Experience section in this security newsletter?

Because it’s critical to being a modern, effective security team.

If we are asking developers to be increasingly responsible for building secure apps, we have to make it as frictionless as possible for them to do so. We need platforms and software with baked in security defaults. We need to embed principles of least privilege. We need guardrails not gates. We need a focus on usability and speed. We need reduced configuration areas exposed to developers. We need automation. We need developer experience.

Security at the expense of usability comes at the expense of security. - Avi Douglen

A great developer experience gets out of the way, leaving the developer in a flow state. DX allows developers to be more effective, by making the good thing the easy thing – in areas such as testing, security and observability this is increasingly important.

Building for the 99% Developers
Akita Software’s Jean Yang argues that most conference talks and FAANG companies portray an idealized form of software development that isn’t representative of real world development environments. We should instead focus on what helps the 99% of developers, not just those with massive teams of experts dedicated to observability, testing, developer productivity, etc. Some truths:

  • “Trickle-down” tooling is aspirational

  • There is no gold standard development environment

  • The goal is progress, not perfection

  • A good demo doesn’t show the Day 2 snags

  • Heterogeneity is here to stay

WhyProfiler - the world’s first hybrid profiler, now for Jupyter notebook and Python
What if you could automatically find and fix slow code in your Jupyter notebooks? Robusta’s Natan Yellin shows you can, in a pretty neat way. Basically, WhyProfiler uses a dynamic profiler (yappi) to observe which lines of code are slow and runs Python performance-focused Semgrep rules to find and recommend code fixes for those slow lines.

WhyProfiler is easily extendable: just write a Semgrep rule for any code pattern you’d like to flag and/or fix. And with Semgrep App (free, but not open source) you can enforce coding standards specific to your org (performance, security, whatever) across teams of data scientists, all in one place.
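An added example of the kind of performance-focused Semgrep rule WhyProfiler can run against the lines its profiler flagged; this rule set is written for this newsletter and is not from the WhyProfiler or Robusta projects. The rule ids and messages are made up here.

```yaml
# Added example rule set (not from WhyProfiler): two auto-fixable rules and one
# flag-only rule, all targeting common slow patterns in notebook code.
rules:
  - id: python-sorted-first-to-min
    languages: [python]
    severity: WARNING
    message: >-
      sorted(...)[0] sorts the whole sequence (O(n log n)) just to take the
      smallest element; min() is a single O(n) pass.
    # Matches only the one-argument form on purpose: sorted(xs, key=..., reverse=...)
    # would need a different replacement, so it is left to a human.
    pattern: sorted($XS)[0]
    fix: min($XS)
    metadata:
      category: performance

  - id: python-sorted-last-to-max
    languages: [python]
    severity: WARNING
    message: >-
      sorted(...)[-1] sorts the whole sequence just to take the largest
      element; max() is a single O(n) pass.
    pattern: sorted($XS)[-1]
    fix: max($XS)
    metadata:
      category: performance

  - id: pandas-iterrows-loop
    languages: [python]
    severity: INFO
    message: >-
      Looping over a DataFrame with iterrows() builds a Series per row and is
      orders of magnitude slower than a vectorized column operation (or, if a
      loop is unavoidable, itertuples()). No automatic fix: the vectorized form
      depends on what the loop body does.
    # The "..." matches any loop body, so every iterrows() loop is reported.
    pattern: |
      for $IDX, $ROW in $DF.iterrows():
        ...
    metadata:
      category: performance
```

Run with `semgrep --config rules.yml --autofix notebook.py` to apply the two fixes in place (export the notebook to a .py file first, or point WhyProfiler at the rules).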

Blue Team

Free Cybersecurity Services and Tools
A curated list by CISA covering: reducing the likelihood of a damaging cyber incident, detecting malicious activity quickly, responding effectively to confirmed incidents, and maximizing resilience.

google/grr
An incident response framework focused on remote live forensics.

Network Security

alphasoc/flightsim
By AlphaSOC: A utility to safely generate malicious network traffic patterns and help security teams to evaluate security controls and network visibility. The tool performs tests to simulate DNS tunneling, DGA traffic, requests to known active C2 destinations, and other suspicious traffic patterns.

Sponsor

📢 State of Modern Application Security: Insights From 400+ AppSec Practitioners

What would make AppSec programs more effective? What’s the relationship like between developers and security? To answer these questions and more, Tromzo commissioned a survey of over 400 AppSec professionals for their first annual State of Modern Application Security Report.

Politics

@vixentael
An awesome hacker friend of mine based out of Kyiv. Follow her for updates and perspective.

Information Warfare Is Without Limits and So Are Its Consequences
Some history of Russian information warfare in Ukraine from 2014 onwards.

Defending the City: An Overview of Defensive Tactics from the Modern History of Urban Warfare
Article from West Point on a number of tactics and strategic advantages defenders have in modern urban warfare, including concrete examples from prior battles.

Misc

Zane Lackey joins a16z
Over the past few years, I’ve had a blast doing a number of DevSecOps panels with Zane Lackey and friends. Zane is one of the nicest, sharpest people I’ve met in infosec, and has helped me with a number of personal and career matters. If you’re doing a security start-up, I highly recommend chatting with Zane. Congrats, and all the best in this next chapter!

How Covid Stole Our Time and How We Can Get It Back
Wait but Why’s Tim Urban presents some Depressing Math. For example, if you’re an adult, based on your life expectancy, if you spend say, 1 week with your family a year, you’ve likely already spent over 95% of the time you’ll ever spend with them in person. Same with friends, movies you’ll watch, etc. But the important thing is we can reprioritize our time and change our future.

How Ikea tricks you into buying more stuff
A dive into store architecture, decoy pricing, packing choices, the psychological impact of building your own furniture, food courts, and more.

Ikea has mastered the use of a psychological principle called the Gruen effect — when the layout of a store is so bewildering that it makes you forget the original reason you came there, leading to impulse buys.

If you were to look at Ikea’s food operation as a stand-alone entity, it would rank as one of the 50 highest-grossing food chains in the world, right above IHOP.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint