
[tl;dr sec] #127 - Trufflehog V3, The Future of InfoSec, IaC Scanning

The revamped secret scanner is now faster and finds more secrets, projecting where the industry is headed, and security scanning infrastructure as code.

Hey there,

I hope you’ve been doing well!

Eccentric Billionaires

The world is replete with TV shows and movies about eccentric rich people.

The Wolf of Wall Street, Bruce Wayne, Tony Stark, Christian Grey, Richie… Rich. (Sidenote: I really liked that movie with Macaulay Culkin growing up, but the title is a bit lazy.)

I find Elon Musk to be an interesting person, because he’s kind of like a movie character: a brilliant nerd gets rich then builds a rocket company to bring humanity to Mars and starts an (autonomous) electric vehicle company to save the environment on Earth.

I don’t agree with his views on a number of things, but I admire his fearlessness in tackling ambitious problem spaces and trying to drag humanity into the future. While tweeting memes and doing things just for the lulz 🤷

If you haven’t heard, Elon Musk is now Twitter’s largest shareholder at 9.2% and was given a board seat. The next highest shareholders are Vanguard at 8.8% and Jack Dorsey at 2.25%. Also Elon:

Sponsor

📢 Datadog Cloud Security On-Demand Webinar: Real-Time Threat Detection and Configuration Audits

In this webinar, you’ll learn how to best utilize the suite of Datadog Cloud Security products to identify the root cause of an attack and how a unified platform provides real-time threat-detection and continuous configuration audits across applications, hosts, containers and cloud infrastructure. Built on top of the observability platform, Datadog brings unprecedented integration between security and devops aligned to shared organizational goals.

Watch the on-demand webinar now to learn how to get full-stack security for your production environment.

📜 In this newsletter...

  • AppSec: A new composable way to build CI pipelines, new version of the Trufflehog secret scanner

  • OAuth: New service like VirusTotal but for OAuth apps

  • Authorization: Two guides on authorization in microservices

  • Supply Chain: How Go mitigates supply chain attacks, finding bugs in package managers

  • Cloud Security: SCP guide, malware in the cloud

  • Infrastructure as Code: GitHub Action for tfsec PR comments, how Square does IaC scanning, scanning AWS CDK code with Semgrep

  • Container Security: StackRox Kubernetes Security Platform is now open source

  • Blue Team: Generate MermaidJS Markdown charts for CVEs, red team MFA bypass techniques

  • Politics / Privacy: The ultimate personal security checklist; Stalkers, Sock Puppets, and Security

  • Humor: SF and Patagonia vests

  • Misc: Pen testing contract templates, the depths of Wikipedia, find where your images are used online, easily convert HEIC to JPG

  • Thinking About the Future of InfoSec: Daniel Miessler theorizes about where we're headed

AppSec

Introducing Dagger: a new way to create CI/CD pipelines
A portable devkit for CI/CD pipelines that allows you to unify dev and CI environments, test and debug pipelines locally, and avoid CI lock-in. Instead of gluing pipelines together with throwaway scripts, Dagger supports composing reusable actions, which can be shared and reused thanks to a complete package management system.

Trufflehog V3
Epic new release by the Truffle Security team. See Dylan Ayrey’s video overview for more details, but in short:

  • It’s a complete rewrite in Golang with other speed improvements

  • Now contains over 600 credential detectors that support active verification against their respective APIs.

    • Verifying if the keys still work => no false positives or alert fatigue.

  • Native support for scanning GitHub, GitLab, filesystems, and S3.

OAuth

Introducing AppTotal: Democratizing third-party apps security
Itay Kruk announces AppTotal, a new service like VirusTotal but for OAuth apps. It dynamically scans SaaS add-ons for vulnerabilities and suspicious or malicious behavior, enabling you to profile third-party apps’ permissions and access, posture, and behavior before connecting them to IT-approved applications.

Authorization

Authorization in Microservices
A new chapter in Oso’s Authorization Academy covering how to share data between services and various trade-offs: decentralizing or centralizing your authorization model, centralizing data, distributing data with existing infrastructure, Authorization-as-a-Service.

Authorization in a microservices world
RapidDot’s Alexander Lolis describes authorization approaches and their trade-offs, and moving from a simple flag to Role Based Access Control (RBAC) to Attribute Based Access Control (ABAC), as well as architectures with an authz service, an authz and data service, and an authz middleware and library per service.

Supply Chain

How Go Mitigates Supply Chain Attacks
Go team security lead Filippo Valsorda describes some language choices that provide nice security properties.

  • All builds are “locked”

  • Version contents never change

  • VCS is the source of truth

  • Building code doesn’t execute it

  • A little copying is better than a little dependency

Securing Developer Tools: Package Managers
SonarSource’s Paul Gerste describes vulnerabilities they found in several package managers, including Composer, Bundler, Bower, Yarn, and others. Some bugs are due to interesting nuances in how Windows vs. other OSes handle PATH or variable quoting, git argument injection, and more.

Cloud Security

Codify your best practices using service control policies
Overview post on what SCPs are, why you should create SCPs, and the strategy you can use to implement SCPs, as well as how to continue iterating and improving SCPs as your workloads and business needs change. Part 2 discusses how you can create SCPs using constructs from AWS Well-Architected.

The Expansion of Malware to the Cloud
Orca Security’s Bar Kaduri describes the main malware types you may encounter in your cloud with examples and ways to detect and protect yourself from them.

Infrastructure as Code

aquasecurity/tfsec-pr-commenter-action
GitHub Action by Aqua Security that comments on Pull Requests where tfsec checks have failed.

Standardizing Terraform Linting
Square’s Adam Cotenoff describes their rollout strategy, approaches to enforcement, and other lessons learned along the way in minimizing developer friction and maximizing fix rate.

Using SemGrep to find security issues and misconfigurations in AWS Cloud Development Kit projects
Aquia’s Dakota Riley walks through how to write Semgrep rules to find issues directly in AWS CDK code, using some open source rules he’s contributed as examples. Most IaC tools scan the generated CloudFormation output, which can make it harder to trace issues back to the originating CDK code, making it less likely devs will fix the issue.

Dakota shows how Semgrep can enforce usage of company-specific custom constructs, enabling cloud security teams to define secure by default primitives that developers can use. *me: waves secure guardrails flag vehemently*
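An added example of the custom-construct enforcement Dakota describes (my own illustration, not rules from his post or the Semgrep registry): it assumes a hypothetical internal `SecureBucket` construct that lives under `infra/constructs/` and flags any direct `Bucket` instantiation elsewhere in a CDK project, for both Python and TypeScript CDK code.

```yaml
rules:
  - id: cdk-s3-use-secure-bucket-construct-py
    languages: [python]
    severity: WARNING
    message: >-
      aws_s3.Bucket instantiated directly. Use the internal SecureBucket
      construct (hypothetical) so encryption, public access blocking and
      access logging are configured in one reviewed place.
    # Matches s3.Bucket(...) under any import alias, e.g.
    # "from aws_cdk import aws_s3 as s3"; Semgrep resolves the alias
    # to the fully qualified name for Python.
    pattern: aws_cdk.aws_s3.Bucket(...)
    paths:
      # Assumption: the wrapper construct lives here and legitimately
      # calls Bucket itself, so it is excluded from the check.
      exclude:
        - "infra/constructs/**"

  - id: cdk-s3-use-secure-bucket-construct-ts
    languages: [typescript, javascript]
    severity: WARNING
    message: >-
      new s3.Bucket(...) used directly. Use the internal SecureBucket
      construct (hypothetical) instead.
    patterns:
      # $S3 is whatever the file imported aws-cdk-lib/aws-s3 as;
      # this is deliberately broad and also matches other ".Bucket" ctors.
      - pattern: new $S3.Bucket(...)
      # Don't flag the wrapper's own class body.
      - pattern-not-inside: |
          class SecureBucket extends $BASE { ... }
    paths:
      exclude:
        - "infra/constructs/**"
```

Run it from the project root with `semgrep --config cdk-secure-bucket.yml .`; a finding points at the CDK source line, not at the synthesized CloudFormation template.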

Container Security

stackrox/stackrox
The StackRox Kubernetes Security Platform is now open source. StackRox performs a risk analysis of the container environment (build, deploy, runtime), delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment.

Blue Team

Introducing CVE Markdown Charts
@clearbluejar describes cve-markdown-charts, a simple tool to generate MermaidJS Markdown charts from CVE IDs and CVE keyword searches.

Want some techniques that many Red Teams have been using to circumvent MFA protections on accounts? Yeah, even “unphishable” versions.

I’m sharing so that you can think about what’s coming, how you’ll do mitigations, etc. It’s being seen in the wild more these days.

Politics / Privacy

The Ultimate Personal Security Checklist
A curated checklist of 300+ tips for protecting digital security and privacy in 2021, by Alicia Sykes.

Stalkers, Sock Puppets, and Security
A chapter from an unpublished book by Cassie Cage covering InfoSec best practices and techniques that can help protect against online threat actors and stalkers.

FYI Cassie is also looking for jobs in the GRC space, 100% remote or with an office in Austin, TX.

Sponsor

📢 The 2022 State of Cyber Assets Report - Now Available from JupiterOne!

This analysis of over 370 million cyber assets, findings, and policies across almost 1,300 organizations helps security operations, engineers, practitioners and leaders understand cyber assets, liabilities, attack surfaces, and their relationships in the modern enterprise.

Humor

Despite Ridicule, the Patagonia Vest Endures in San Francisco Tech
This KQED article was posted on April 1st, but to be honest I can’t tell if it’s a joke.

“The kind of people who wear Patagonia are maybe raising rents and maybe are the kind of people that these other groups are trying to push back on,” he said on a recent afternoon as he played fetch with his golden retriever, with a lacrosse stick and ball, in a grassy field overlooking the San Francisco Bay. “But there’s another cohort of people who do wear Patagonia who are not at all part of that.”

Misc

cure53/Contracts
Potentially useful contract templates for code auditors, IT security specialists & penetration testers by Cure53. Includes a DPA, MSA, and NDA.

Want to See the Weirdest of Wikipedia? Look No Further
On @depthsofwikipedia, Annie Rauwerda is compiling some of the crowdsourced site’s most bizarre pages.

Pixsy: Image Theft Protection
Find where your images are being used online.

Quick Action to Convert an Image to JPG
A Shortcut to convert an HEIC (or any other formatted image) to JPG and strip all metadata.

Thinking About the Future of InfoSec

Great post by my bud Daniel Miessler on what InfoSec will look like in the distant future, from organizational structure to technology.

I need to think about it more to have a more nuanced opinion, but a few things I strongly agree with off the bat:

  • Security becoming more mundane as we mature as an industry: less l33t h4x0rs and more “Oh you used a modern framework and didn’t turn any security controls off? Cool, you’ve got XSS, CSRF, SQL injection and … handled.” #SecureDefaultsLyfe

  • More security mechanisms and primitives built into platforms (like AWS, Salesforce, etc.).

  • The strong importance of continuous monitoring, detecting drift, and auto-remediation.

I think much of the current security market is based on how poorly the industry does the basics. AWS exists because local IT within companies was a dumpster full of burning tires. Asset management companies exist because nobody knows what they have, and therefore what to defend. Endpoint companies exist because OS’s haven’t been great at identity, access control, and allow-listing applications and content. As those basics improve, that functionality moves back into the core products.

Two points from Daniel’s summary at the bottom of the post:

  • Security will increasingly blend into engineering, both at the technical level and within organizational charts.

  • The mid-game (who knows what endgame is) involves a massive operations team monitoring centralized dashboards and responding when things go out of tolerance. Not security dashboards. Company dashboards. Which include security and lots of other types of metrics and risk-levels that need to be kept within tolerances.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate it if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint