[tl;dr sec] #122 - Developer Experience is Security, Everything as Code Survey, Graph-based Asset Management
Why DevX is so important for security, 50+ examples of Foo as Code, ingest all of your assets and query them in Neo4J.
Hey there,
I hope you’ve been doing well!
The Conflict
My heart goes out to the people of Ukraine, and all of the Russians against the violence.
Nothing I say can do justice to what’s happening, but know my thoughts are with you ✊💙
Feel Good Memes
It’s a stressful time right now, so here are a few images from tl;dr sec’s ye olde meme bank, FDIC-insured* to put a smile on your face.
Dagobert Renouf has some amusing start-up related memes and GIFs:
*No these memes are not insured, they’re provided AS IS with no warranty. This was said in jest, and I’m not a lawyer nor your accountant, nor do I play one on TV (yet).
Sponsor
📢 Prevent Security Breaches Pre-Deployment
Sophos Cloud Optix DevSecOps tools work seamlessly with existing DevOps processes to help prevent security breaches pre-deployment. Cloud Optix ensures container images and Infrastructure-as-Code (IaC) templates containing insecure configurations as well as embedded secrets and keys never make it to a test or live production environment.
📜 In this newsletter...
AppSec: Exploiting Jenkins build authorization, easily ingest your assets into Neo4J, Manicode 2022 secure coding catalog, Foo as Code survey
Web Security: Burp plugin to easily create nuclei templates
Cloud Security: AWS security fundamentals, simplify accessing multiple cloud accounts in your browser, tool to test your AWS security controls
Container Security: Run Kubernetes in airgapped environments, a Checkov-powered Kubernetes Admission controller
Developer Experience: Developer Experience is Security, a roundup of DevX resources, building for the 99% developers, autofix your slow Jupyter notebook code
Blue Team: Free tools recommended by CISA, IR framework focused on remote live forensics
Network Security: Tool to generate network traffic to test your security controls
Politics: A Ukrainian hacker to follow, Russia and the 4 Internets, tracking the economic fallout of Russia sanctions, history of information warfare in Ukraine, modern tactics in defending in urban warfare
Misc: Zane Lackey joins the dark side a16z, some Depressing Math, how Ikea tricks you into buying more stuff
AppSec
Exploiting Jenkins build authorization
Cider Security’s Asi Greenholts describes how the default build authorization configuration in Jenkins, which controls the permissions a running pipeline gets, is insecure and often left unmodified in production environments: out of the box, builds run as the SYSTEM account, so any pipeline executes with full controller permissions. He recommends using the “Authorize Project” and “Role-Based Authorization Strategy” plugins to define secure build authorization configurations, for example running each build as the user who triggered it.
Democratizing Graph-Based Security: Introducing Starbase
JupiterOne’s Austin Kelleher announces Starbase, an open source tool that enables collecting assets from 70+ systems, including cloud service providers, source control providers, IdPs, vulnerability management platforms, and more, and storing them in Neo4J. Starbase also interops with Lyft’s Cartography tool.
This lets you ask interesting questions like:
Which users have MFA disabled?
Which of my source code repos are accessible to outside contributors?
and much more
Manicode Secure Coding Education Catalog 2022
My bud Jim Manico has updated the courses he and his artisanally sourced team of expert trainers offer, all focusing on teaching your developers to write secure code and maintain secure software.
For a taste of how Jim is like a shot of knowledge and positivity straight into your heart, see his AppSec Cali 2019 keynote, The Unabridged History of Application Security. Reach out to jim AT manicode.com for more info.
In depth research and trends analyzed from 50+ different concepts as code
Very cool overview by Patrick Debois covering various “Foo as Code” trends with supporting resources. Some trends:
• Constructs are getting bigger: we are combining multiple parts into bigger concepts
• DevSecOps as code explosion: security is working its way into the code constructs
• Capturing process workflow: not just the infrastructure but also how we act/react to situations
• Shift “regular” code to declarative code: some aspects can better be defined instead of being coded
• Data as code: with the advent of MLOps, DataOps, the lines between code and data are blurring
• Capturing knowledge as code: documentation, architecture and other aspects are becoming part of coding
• Closer to the business: service levels, business experiments are increasingly getting defined as code
Web Security
projectdiscovery/nuclei-burp-plugin
New Burp Suite extension by ProjectDiscovery’s @forgedhallpass that makes it easy to generate nuclei templates from HTTP requests/responses.
Cloud Security
AWS Security Fundamentals (Second edition)
Self-paced course by Amazon covering fundamental AWS cloud security concepts, including AWS access control, data encryption methods, and how network access to your AWS infrastructure can be secured. It discusses the user’s security responsibility in AWS and the different security-oriented services available.
Granted.dev
A CLI tool by Common Fate that simplifies access to cloud roles and allows multiple cloud accounts to be opened in your web browser simultaneously. It’s designed for AWS SSO and encrypts cached credentials to avoid plaintext SSO tokens being saved on disk.
awslabs/aws-cloudsaga
Tool to test security controls and alerts within your AWS environment, using generated alerts based on security events seen by the AWS Customer Incident Response Team (CIRT).
Container Security
defenseunicorns/zarf
A tool to simplify the setup and administration of Kubernetes clusters in airgapped environments.
Introducing Whorf: The Checkov-powered Kubernetes Admission Controller
Bridgecrew’s Steve Giguere describes Whorf, a new Kubernetes Validating Admission Controller that uses Checkov as the core validator for Kubernetes manifests.
Developer Experience
Why is there a Developer Experience section in this security newsletter?
Because it’s critical to being a modern, effective security team.
Developer Experience Is Security
By RedMonk’s Rachel Stephens.
If we are asking developers to be increasingly responsible for building secure apps, we have to make it as frictionless as possible for them to do so. We need platforms and software with baked in security defaults. We need to embed principles of least privilege. We need guardrails not gates. We need a focus on usability and speed. We need reduced configuration areas exposed to developers. We need automation. We need developer experience.
Security at the expense of usability comes at the expense of security. - Avi Douglen
What is Developer Experience? a roundup of links and goodness
Great round up of resources by RedMonk’s James Governor.
A great developer experience gets out of the way, leaving the developer in a flow state. DX allows developers to be more effective, by making the good thing the easy thing – in areas such as testing, security and observability this is increasingly important.
Building for the 99% Developers
Akita Software’s Jean Yang argues that most conference talks and FAANG companies portray an idealized form of software development that isn’t representative of real world development environments. We should instead focus on what helps the 99% of developers, not just those with massive teams of experts dedicated to observability, testing, developer productivity, etc. Some truths:
“Trickle-down” tooling is aspirational
There is no gold standard development environment
The goal is progress, not perfection
A good demo doesn’t show the Day 2 snags
Heterogeneity is here to stay
WhyProfiler - the world’s first hybrid profiler, now for Jupyter notebook and Python
What if you could automatically find and fix slow code in your Jupyter notebooks? Robusta’s Natan Yellin shows you can, in a pretty neat way. Basically, WhyProfiler uses a dynamic profiler (yappi) to observe which lines of code are slow and runs Python performance-focused Semgrep rules to find and recommend code fixes for those slow lines.
WhyProfiler is easily extendable: just write a Semgrep rule for any code pattern you’d like to flag and/or fix. And with Semgrep App (free, but not open source) you can enforce coding standards specific to your org (performance, security, whatever) across teams of data scientists, all in one place.
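To make the “hybrid profiler” idea concrete, here is an added example that is not WhyProfiler’s own code: it swaps the standard library’s cProfile in for yappi and two hand-written ast rules in for Semgrep rules, so it runs offline with no dependencies. The dynamic half measures where a workload actually spends its time; the static half runs pattern rules only over the functions that turned out to be hot and reports line numbers plus a suggested fix. The “cells” (slow_cell, fast_cell), the rule set and the sample records are all constructed for the illustration.

```python
"""Hybrid profiler sketch: dynamic timing + static pattern rules (added example)."""
import ast
import cProfile
import inspect
import textwrap
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Finding:
    rule_id: str
    function: str
    lineno: int      # absolute line in the defining file
    advice: str


# ---- static half: each rule maps an AST node to the node to report, or None.

def _range_len_loop(node: ast.AST) -> Optional[ast.AST]:
    """``for i in range(len(xs)):`` -> ``for i, x in enumerate(xs):``"""
    if not isinstance(node, ast.For):
        return None
    it = node.iter
    if (isinstance(it, ast.Call) and isinstance(it.func, ast.Name)
            and it.func.id == "range" and len(it.args) == 1):
        inner = it.args[0]
        if (isinstance(inner, ast.Call) and isinstance(inner.func, ast.Name)
                and inner.func.id == "len"):
            return node
    return None


def _str_concat_in_loop(node: ast.AST) -> Optional[ast.AST]:
    """``acc += <str literal or f-string>`` directly in a loop body."""
    if not isinstance(node, (ast.For, ast.While)):
        return None
    for stmt in node.body:
        if isinstance(stmt, ast.AugAssign) and isinstance(stmt.op, ast.Add):
            rhs = stmt.value
            if isinstance(rhs, ast.JoinedStr) or (
                    isinstance(rhs, ast.Constant) and isinstance(rhs.value, str)):
                return stmt
    return None


RULES = [  # constructed stand-ins for performance-focused Semgrep rules
    ("range-len-loop", _range_len_loop,
     "iterate with enumerate(xs) instead of indexing in range(len(xs))"),
    ("str-concat-in-loop", _str_concat_in_loop,
     "append parts to a list and ''.join(parts) once after the loop"),
]


def scan_function(fn: Callable) -> list:
    """Run every rule over the function's AST; line numbers are made absolute."""
    src = textwrap.dedent(inspect.getsource(fn))
    base = fn.__code__.co_firstlineno
    findings = []
    for node in ast.walk(ast.parse(src)):
        for rule_id, match, advice in RULES:
            hit = match(node)
            if hit is not None:
                findings.append(Finding(rule_id, fn.__name__, base + hit.lineno - 1, advice))
    return findings


# ---- dynamic half: where does the workload actually spend its time?

def time_per_function(workload: Callable[[], object], cells) -> dict:
    """Profile ``workload``; return {cell name: seconds spent in the cell's own body}."""
    prof = cProfile.Profile()
    prof.runcall(workload)
    prof.create_stats()  # stats keys are (co_filename, co_firstlineno, co_name)
    times = {}
    for fn in cells:
        code = fn.__code__
        key = (code.co_filename, code.co_firstlineno, code.co_name)
        times[fn.__name__] = prof.stats[key][2] if key in prof.stats else 0.0  # [2] = tottime
    return times


def analyze(workload, cells) -> list:
    """Rank cells by measured time, then attach static findings to each one."""
    times = time_per_function(workload, cells)
    ranked = sorted(cells, key=lambda f: times[f.__name__], reverse=True)
    return [{"function": f.__name__, "seconds": times[f.__name__],
             "findings": scan_function(f)} for f in ranked]


# ---- constructed sample "notebook cells" and workload

def slow_cell(records):
    """Builds a report the slow way (triggers both rules)."""
    report = ""
    for i in range(len(records)):
        report += f"{i}:{records[i]}\n"
    return report


def fast_cell(records):
    """Same output as slow_cell, written the way the rules suggest."""
    return "".join(f"{i}:{r}\n" for i, r in enumerate(records))


SAMPLE_RECORDS = [f"row-{n}" for n in range(2000)]  # constructed input


def demo_workload():
    slow_cell(SAMPLE_RECORDS)
    fast_cell(SAMPLE_RECORDS)


if __name__ == "__main__":
    for entry in analyze(demo_workload, [slow_cell, fast_cell]):
        print(f"{entry['function']}: {entry['seconds']:.4f}s")
        for f in entry["findings"]:
            print(f"  line {f.lineno} [{f.rule_id}] {f.advice}")
```

The split mirrors the page’s description: profiling alone tells you a cell is slow but not why, and pattern rules alone would flag every `range(len(...))` in the notebook whether or not it matters. Running the rules only over the hot functions keeps the recommendations actionable, and `fast_cell` shows that the suggested rewrite preserves the output byte for byte.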
Blue Team
Free Cybersecurity Services and Tools
A curated list by CISA covering: reducing the likelihood of a damaging cyber incident, detecting malicious activity quickly, responding effectively to confirmed incidents, and maximizing resilience.
google/grr
An incident response framework focused on remote live forensics.
Network Security
alphasoc/flightsim
By AlphaSOC: A utility to safely generate malicious network traffic patterns and help security teams to evaluate security controls and network visibility. The tool performs tests to simulate DNS tunneling, DGA traffic, requests to known active C2 destinations, and other suspicious traffic patterns.
Sponsor
📢 State of Modern Application Security: Insights From 400+ AppSec Practitioners
What would make AppSec programs more effective? What’s the relationship like between developers and security? To answer these questions and more, Tromzo commissioned a survey of over 400 AppSec professionals for their first annual State of Modern Application Security Report.
Politics
@vixentael
An awesome hacker friend of mine based out of Kyiv. Follow her for updates and perspective.
Russia and the Four Internets, Shifts and Social Media, Gelsinger Interview Follow-Up
By Stratechery’s Ben Thompson.
Derek Thompson’s thread to track economic fallout from Russia sanctions
Ties together a number of links and resources.
Information Warfare Is Without Limits and So Are Its Consequences
Some history of Russian information warfare in Ukraine from 2014 onwards.
Defending the City: An Overview of Defensive Tactics from the Modern History of Urban Warfare
Article from West Point on a number of tactics and strategic advantages defenders have in modern urban warfare, including concrete examples from prior battles.
Misc
Zane Lackey joins a16z
Over the past few years, I’ve had a blast doing a number of DevSecOps panels with Zane Lackey and friends. Zane is one of the nicest, sharpest people I’ve met in infosec, and has helped me with a number of personal and career matters. If you’re doing a security start-up, I highly recommend chatting with Zane. Congrats, and all the best in this next chapter!
How Covid Stole Our Time and How We Can Get It Back
Wait but Why’s Tim Urban presents some Depressing Math. For example, if you’re an adult, based on your life expectancy, if you spend say, 1 week with your family a year, you’ve likely already spent over 95% of the time you’ll ever spend with them in person. Same with friends, movies you’ll watch, etc. But the important thing is we can reprioritize our time and change our future.
How Ikea tricks you into buying more stuff
A dive into store architecture, decoy pricing, packing choices, the psychological impact of building your own furniture, food courts, and more.
Ikea has mastered the use of a psychological principle called the Gruen effect — when the layout of a store is so bewildering that it makes you forget the original reason you came there, leading to impulse buys.
If you were to look at Ikea’s food operation as a stand-alone entity, it would rank as one of the 50 highest-grossing food chains in the world, right above IHOP.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint