Hey there,
I hope you've been doing well!
History Memes
This issue is a bit longer so I'll be brief: Janna Haider allowing her students to submit U.S. History memes for extra credit is excellent, and I love it.
Here are a few:
Feedback wanted: Have you bought or sold security assessments?
One of my favorite things with tl;dr sec is collaborating with super smart people on epic guides. And boy, is this one shaping up nicely.
My bud Rami McCarthy is working on a definitive "Client's Guide to Security Assessments," that will be available on tl;dr sec and as a conference talk at BSidesSF in June.
But we need your help!
Please take 5 minutes to fill out a survey, so we can help everyone learn from your experiences and insights.
Hopefully we can then avoid what Haroon Meer has called a market for lemons.
Thanks so much in advance, you can fill out the 5min survey here.
Sponsor
StackHawk and Snyk Join Forces
StackHawk and Snyk have partnered up to provide a complete modern application security testing package.
Learn how these tools can help your teams implement dev-friendly DAST, SAST, and SCA to fix vulnerabilities faster.
In this newsletter...
- Machine Learning: DALL·E 2 creates amazing images based on English descriptions
- AppSec: CI/CD Goat, C/C++ Semgrep rules for vulnerability research
- Secret Management: Git credential manager, CLI tool to manage secrets in SSM Parameter Store
- SBOM: Docker now has an sbom command, Software alone is insufficient
- Mobile Security: Bypassing SSL pinning on Android Flutter apps with Ghidra
- Web Security: Tool to find broken social media links that can be hijacked, Shubham Shah on offensive code review, list of open source web security scanners
- Cloud Security: AWS Lambda Function URLs, SCP to prevent open Lambda URLs, chasing an attacker in AWS
- Container Security: Bundle Kubernetes app into a single static OCI archive, container tool aimed at running untrusted code
- Blue Team: RSS feeds for government CERTs, hosting FleetDM on AWS EKS
- Network Security: Docker security playground, distributed packet capture tool for cloud-native platforms
- Misc: Awesome Go education, Semgrep Spring 2022 meetup recap, how to answer questions, FAA memes
- Monocle: How Chime creates a proactive security & engineering culture: Read it, great insights
- Errata: Elon was born rich, Pixsy is shady AF
Machine Learning
DALL·E 2
Sam Altman announces the new release of DALL·E, an AI that can create and edit images based on natural language instructions. What it can do is, frankly, amazing. Check out this 3min explainer video, this Twitter thread, or this Less Wrong post for examples.
AppSec
cider-security-research/cicd-goat
By Cider Security: A deliberately vulnerable CI/CD environment. Learn and practice CI/CD security through a set of 10 challenges, enacted against a real, full-blown CI/CD environment.
Semgrep ruleset for C/C++ vulnerability research
HN Security's Marco Ivaldi describes using Semgrep for C/C++ vulnerability research, and has released 36 new rules.
Secret Management
GitCredentialManager/git-credential-manager
Secure, cross-platform Git credential storage with authentication to GitHub, Azure Repos, and other popular Git hosting services. Also supports MFA.
segmentio/chamber
By Segment: A CLI for managing secrets that stores secrets in SSM Parameter Store, an AWS service for storing secrets.
SBOM
Announcing Docker SBOM: A step towards more visibility into Docker images
There's now an experimental docker sbom CLI command that displays the SBOM of any Docker image (it uses Syft), and they're working on making it easy for partners and the community to add SBOM functionality to docker build using BuildKit's extensibility.
"SBOM" should not exist! Long live the SBOM
Steve Springett argues that a Software Bill of Materials (SBOM) is insufficient: we should also be including services, hardware, and other traditionally non-software inventory, and communicating lifecycle to the target audience.
Mobile Security
Bypassing SSL pinning on Android Flutter Apps with Ghidra
Android Flutter apps don't honor Android's proxy settings, nor do they trust Android's TrustManager. Raphael Denipotti describes how to patch the libflutter.so binary so you can effectively intercept TLS traffic.
Web Security
utkusen/socialhunter
By Utku Şen: Tool that crawls a given URL and finds broken social media links that can be hijacked, which may allow an attacker to conduct phishing attacks. Currently supports Twitter, Facebook, Instagram and TikTok without any API keys.
Shubham Shah on offensive source code review
Great thread with some useful tips.
psiinon/open-source-web-scanners
A list of open source web security scanners by StackHawk's Simon Bennetts, covering general purpose web scanners, infrastructure scanners, fuzzers / brute forcers, CMS web scanners, API scanners, and specialized scanners.
Cloud Security
AWS Lambda: function URL is live!
AWS has announced AWS Lambda Function URLs, which basically lets you use Lambdas as a public HTTPS endpoint without using an API Gateway or Application Load Balancer. Lumigo's Yan Cui provides more context about what Function URLs are, how they work, and how to take advantage of them.
Ben Kehoe's SCP to prevent people from creating open Lambda URLs
Incident report: From CLI to console, chasing an attacker in AWS
Walkthrough by Expel's Brian Bahtiarian, David Blanton, Britton Manahan, and Kyle Pellett on how they spotted unauthorized access (a login by a long-lived IAM account without MFA from an unusual location), the investigative steps they took to understand what the attacker did (reviewing all IAM API calls from the suspect account), remediation steps, and lessons learned.
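A sketch of the two steps described above (flagging the no-MFA IAM-user login from an unknown location, then pulling every IAM API call by that user), as an added example that is not Expel's code: the field names follow the CloudTrail record format, while the sample events and the "known network" range are constructed.

```python
import ipaddress

# Constructed sample CloudTrail records, trimmed to the fields used below.
SAMPLE_EVENTS = [
    {"eventTime": "2022-04-10T02:13:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2022-04-10T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2022-04-10T02:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventTime": "2022-04-10T02:16:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
]

# Egress ranges the org normally logs in from (constructed placeholder).
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def from_known_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def suspicious_logins(events):
    """Successful console logins by long-lived IAM users, no MFA, unknown source."""
    hits = []
    for e in events:
        ident = e.get("userIdentity", {})
        if (e.get("eventName") == "ConsoleLogin"
                and ident.get("type") == "IAMUser"  # not a role/federated session
                and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and e.get("additionalEventData", {}).get("MFAUsed") == "No"
                and not from_known_network(e["sourceIPAddress"])):
            hits.append((ident["userName"], e["sourceIPAddress"], e["eventTime"]))
    return hits


def iam_calls_by_user(events, user_name):
    """Every IAM API call by the suspect user: the scoping step from the write-up."""
    return sorted((e["eventTime"], e["eventName"]) for e in events
                  if e.get("eventSource") == "iam.amazonaws.com"
                  and e.get("userIdentity", {}).get("userName") == user_name)
```

In practice the same filters run over CloudTrail delivered to S3 or Athena rather than an in-memory list; the point is which fields distinguish a risky login from a normal one.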
Container Security
kris-nova/kaar
Bundle up a Kubernetes application into a single static OCI-compliant archive, by Kris Nóva.
containers/bubblewrap
A container runtime tool aimed at providing unprivileged sandboxes. Unlike most existing approaches (e.g. systemd-nspawn, docker), bubblewrap is intended for running untrusted code.
Blue Team
pulsedive/certrss
A list of RSS feeds for government CERTs, by Pulsedive.
Hosting FleetDM on AWS EKS
Segment's Prima Virani describes how to host FleetDM on an EKS cluster and send scheduled query logs to an AWS Opensource destination entirely created and managed as code.

Network Security
DockerSecurityPlayground/DSP
A microservices-based framework for the study of network security and penetration testing techniques.
Introducing PacketStreamer: distributed packet capture for cloud-native platforms
Deepfence's Owen Garrett describes PacketStreamer, an open-source tool that captures network traffic from multiple remote sources concurrently and aggregates the data into a single pcap log file. It is written in Go and supports network capture from Kubernetes nodes, Docker hosts and bare-metal / virtual-machine servers.

Sponsor
It's CFP season!
Need a hand to get your team's submissions in on time? Let Discernible's team of security communication experts help you create clear, unique, and compelling submissions to win over even the most stubborn program committee. We'll also help with content development and speaker prep!
Contact us today! By the way, Melanie Ensign, the Founder & CEO of Discernible, is pretty legit: she's a steering committee member and PR lead for DEF CON, program committee co-chair for Enigma, was the Global Head of Security, Privacy, and Engineering Communications at Uber, and more.
Misc
Awesome Go Education
A curated list of awesome articles and resources for learning and practicing Golang and its related technologies, by Mehdi Hadeli.
Semgrep Spring 2022 meetup recap
r2c's Emily Fortuna provides an overview and recap of the most recent Semgrep meetup, including my discussion of security trends (shift to security engineering, secure defaults, developer experience), new Semgrep features, community members sharing their work (Lewis Ardern's VS Code extension that provides Semgrep rule templates, Robusta's Natan Yellin's WhyProfiler), and Semgrep's upcoming roadmap. Watch the recording here.
Wes Kao: How to Answer Questions
Awesome thread. A few tidbits: make sure to understand the "question behind the question," tailor your answer to the asker (e.g. if they're a numbers person), and aim for getting to an "eyes light up" moment.
Unruly Behavior Digital Signage
The FAA has created memes to discourage misbehavior against flight crew. Because this is the world we live in, sigh.

Monocle: How Chime creates a proactive security & engineering culture (Part 1)
I loved this example of great security engineering by Chime's David Trejo.
David describes building Monocle, an internal dashboard that educates service and code owners on their security posture, and provides simple, actionable guidance on how to improve it.
Assigning a letter grade encourages developers to raise it (who wants to be at a C?), proactively address issues when the letter goes down, and provides visibility to leadership.
And everything works within existing developer workflows, like a GitHub badge, Slack notifications, and more. Tons of good ideas in this post, highly recommend reading.


See also Laksh Raghavan's thoughts on this post here, and the excellent Netflix talk, A Pragmatic Approach for Internal Security Partnerships, which has similarly interesting security engineering and internal dashboard examples.
Errata
One of the great things about having a newsletter is that people quickly point out when you're wrong or are missing important context. Here are two things from last week:
From Riches to... Riches
Not knowing anything about Elon Musk's past, I had assumed he grew up poor or middle class. However, according to Wikipedia, his family was quite wealthy.
Shady Services
I referenced Pixsy, a service nominally about helping creatives prevent others from misusing their work. However, Pixsy has actually been abusing a loophole in old Creative Commons licenses to extort and copyright-troll people who misattribute CC-licensed works (or are even using them correctly).
Read Cory Doctorow's thoughts on it here and here. Big thanks to Erika for the heads up on this!
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them.
Thanks for reading!
Cheers,
Clint
@clintgibler @tldrsec