[tl;dr sec] #124 - GraphQL Cop, GitLab CI/CD CTF, NSA's Network Infrastructure Security Guidance

Hey there,

I hope you’ve been doing well!

Pitch Deck

Last week I shared a link to a hilarious card game about pitching ridiculous, fabricated start-ups.

Apparently, it’s not the only one such game, as my friend Maya Kaczorowski pointed out: Pitch Deck also exists.

An example from their home page:

What a time to be alive 🤣

Conferences

LocoMocoSec 2022 CFP is Open!
A great single track conference in Hawaii 🏖️ CFP closes April 3rd.

CI/CD

CI/CDon’t
An AWS and GitLab CI/CD themed CTF that you can run in your own AWS account, by Nick Frichette.

Top 10 CI/CD Security Risks
By Cider Security, including an overview, the impact, and recommendations for each.

1. Insufficient Flow Control Mechanisms

2. Inadequate Identity and Access Management

3. Dependency Chain Abuse

4. Poisoned Pipeline Execution (PPE)

5. Insufficient PBAC (Pipeline-Based Access Controls)

6. Insufficient Credential Hygiene

7. Insecure System Configuration

8. Ungoverned Usage of 3rd Party Services

9. Improper Artifact Integrity Validation

AppSec

Security for package maintainers
Guide by Seth Larson on how open source package maintainers can secure their accounts, the platforms and roles for various package repositories, securing your package repository, and more.

Scaling Semgrep rule coverage by spidering language documentation
Many languages and frameworks have extensive docs, and somewhere in them, there are periodic Warning call-out blocks that say something like, “Make sure not to do this, it’s dangerous.” But who has time to read and remember hundreds of pages of docs?

Neat post by r2c’s Kurt Boberg on writing a scraper to extract all of these Warnings from the MSDN docs, so now you can get programmatically warned about dangerous C# code using open source Semgrep rules. And there’s a bunch of other new C# rules for all major OWASP vulnerability classes.

Web Security

dolevf/graphql-cop
Tool by Dolev Farhi to run common security tests against GraphQL APIs. ~10 detections for DoS, CSRF, and info leaks.

How to Burp Good
Great walkthrough by @n00py1 of how to do useful things in Burp, like: password brute forcing, password spraying, handling CSRF tokens, re-validating sessions, targeted scanning, finding hidden pages, SSL stripping, and more.

Padding Oracle Hunter
New Burp Extension by the Singapore government that helps penetration testers quickly identify and exploit the PKCS#7 and PKCS#1 v1.5 padding oracle vulnerability. More context by Eugene Lim.

Cloud Security

ClickOops
A simple Lambda that monitors your CloudTrail log files to find manual actions taken in your accounts, by Paul Zietsman. Valuable intel for when your cloud state is getting out of sync with your infrastructure as code.

Idem Project
A collaboration from VMWare and SaltStack that aims to simplify cloud configuration from Infrastructure as Code to Infrastructure as Data. It can scan your current cloud deployments and generate all the data needed to manage them. Idem can manage not just cloud providers, but any API driven system, such as GitLab.com.

Why Step Functions is the Best AWS Service You Are Not Using
stackArmor’s Matthew Venne describes the power of using AWS Step Functions to implement continuous security monitoring, such as tracking SSL configuration status to meet FedRAMP requirements.

Recent changes make this much easier:

• You can now call AWS API calls directly from State Machines instead of stitching together simple Lambdas for every action.

• Workflow Studio is a slick browser-based wizard where you can drag and drop to to define your flow.

Dashboards as Code with HCL + SQL
Steampipe now supports defining various Dashboards as Code, giving you real-time insight into your cloud environment, compliance posture, and more. They’ve released 79 AWS Insights dashboards that include security reports and visualizations of VPC & IAM entity relationships.

Network Security

Debugging Certificate Errors
Great walkthrough by Jan Schaumann on various debugging techniques to better make sense of errors: cert expired, wrong name on the cert, incomplete cert chain, unknown root, and more.

Network Infrastructure Security Guidance
~60 page PDF by NSA covering topics including:

• Network architecture and design

• Security maintenance

• Authentication, authorization, and accounting

• Logging and monitoring

• Routing

Exploitation

nccgroup/exploit_mitigations
By NCC Group: A knowledge base of exploit mitigations available across numerous operating systems (Windows, Linux, Android, iOS, and more), architectures and applications (Firefox, Edge, Chrome, Office) and versions.

Why is memory safety still a concern?
PhD candidacy exam write-up by Columbia’s Mohamed Hassan. ~200 slides here.

Whoa, ☝️ is pretty cool.

Misc

Magic Eraser - Remove unwanted things from images in seconds
Upload an image, mark the bit you need removed, download the fixed up image.

Piskel
A free online editor for animated sprites & pixel art. Create animations in your browser.

Simple Wikipedia
Wikipedia, but using basic English words and shorter sentences, making it easier to read for children and people learning English.

Tip of My Tongue
Find that word that you’ve been thinking about all day but just can’t seem to remember. Search and filter by partial word, letters, word meaning, length.

Flush - Toilet Finder & Map
iOS app to help you find public restrooms.

Humor

A walk sign continually repeating “CHANGE PASSWORD”
Nothing to see here, everything is fine.

CNCF Puzzle of Doom

Naomi Buckwalter speaking hard truths

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint