
[tl;dr sec] #128 - Security Engineering, CI/CD Goat, Docker Security Playground

How Chime empowers developers to own security via internal tools, purposefully vulnerable CI/CD exercises, a microservices-based framework for learning network security.

Hey there,

I hope you’ve been doing well!

History Memes

This issue is a bit longer so I’ll be brief: Janna Haider allowing her students to submit U.S. History memes for extra credit is excellent, and I love it.

Here are a few:

Feedback wanted: Have you bought or sold security assessments?

One of my favorite things with tl;dr sec is collaborating with super smart people on epic guides. And boy, is this one shaping up nicely.

My bud Rami McCarthy is working on a definitive “Client’s Guide to Security Assessments,” that will be available on tl;dr sec and as a conference talk at BSidesSF in June.

But we need your help!

Please take 5 minutes to fill out a survey, so we can help everyone learn from your experiences and insights.

Hopefully we can then avoid what Haroon Meer has called a market for lemons.

Thanks so much in advance, you can fill out the 5min survey here.

Sponsor

📢 StackHawk and Snyk Join Forces

StackHawk and Snyk have partnered up to provide a complete modern application security testing package.

Learn how these tools can help your teams implement dev-friendly DAST, SAST, and SCA to fix vulnerabilities faster.

📜 In this newsletter...

  • Machine Learning: DALL•E 2 creates amazing images based on English descriptions

  • AppSec: CI/CD Goat, C/C++ Semgrep rules for vulnerability research

  • Secret Management: Git credential manager, CLI tool to manage secrets in SSM Parameter Store

  • SBOM: Docker now has an sbom command, Software alone is insufficient

  • Mobile Security: Bypassing SSL pinning on Android Flutter apps with Ghidra

  • Web Security: Tool to find broken social media links that can be hijacked, Shubham Shah on offensive code review, list of open source web security scanners

  • Cloud Security: AWS Lambda Function URLs, SCP to prevent open Lambda URLs, chasing an attacker in AWS

  • Container Security: Bundle a Kubernetes app into a single static OCI archive, container tool aimed at running untrusted code

  • Blue Team: RSS feeds for government CERTs, hosting FleetDM on AWS EKS

  • Network Security: Docker security playground, distributed packet capture tool for cloud-native platforms

  • Misc: Awesome Go education, Semgrep Spring 2022 meetup recap, how to answer questions, FAA memes

  • Monocle: How Chime creates a proactive security & engineering culture: Read it, great insights

  • Errata: Elon was born rich, Pixsy is shady AF

Machine Learning

DALL•E 2
Sam Altman announces the new release of DALL-E, an AI that can create and edit images based on natural language instructions. What it can do is, frankly, amazing. Check out this 3min explainer video, this Twitter thread, or this Less Wrong post for examples.

AppSec

cider-security-research/cicd-goat
By Cider Security: A deliberately vulnerable CI/CD environment. Learn and practice CI/CD security through a set of 10 challenges, enacted against a real, full-blown CI/CD environment.

Semgrep ruleset for C/C++ vulnerability research
HN Security’s Marco Ivaldi describes using Semgrep for C/C++ vulnerability research, and has released 36 new rules.

Secret Management

GitCredentialManager/git-credential-manager
Secure, cross-platform Git credential storage with authentication to GitHub, Azure Repos, and other popular Git hosting services. Also supports MFA.

segmentio/chamber
By Segment: A CLI for managing secrets, backed by AWS SSM Parameter Store.

SBOM

Announcing Docker SBOM: A step towards more visibility into Docker images
There’s now an experimental docker sbom CLI command that displays the SBOM of any Docker image (uses Syft), and they’re working on making it easy for partners and the community to add SBOM functionality to docker build using BuildKit’s extensibility.

“SBOM” should not exist! Long live the SBOM
Steve Springett argues that a Software Bill of Materials (SBOM) is insufficient on its own: we should also be inventorying services, hardware, and other traditionally non-software components, and communicating lifecycle information to the target audience.

Mobile Security

Bypassing SSL pinning on Android Flutter Apps with Ghidra
Android Flutter apps neither honor Android’s proxy settings nor trust Android’s TrustManager. Raphael Denipotti describes how to patch the libflutter.so binary so you can effectively intercept TLS traffic.

Web Security

utkusen/socialhunter
By Utku Şen: Tool that crawls a given URL and finds broken social media links that can be hijacked, which may allow an attacker to conduct phishing attacks. Currently supports Twitter, Facebook, Instagram and Tiktok without any API keys.

Shubham Shah on offensive source code review
Great thread with some useful tips.

psiinon/open-source-web-scanners
A list of open source web security scanners by Stackhawk’s Simon Bennetts, covering general purpose web scanners, infrastructure scanners, fuzzers / brute forcers, CMS web scanners, API scanners, and specialized scanners.

Cloud Security

AWS Lambda: function URL is live!
AWS has announced AWS Lambda Function URLs, which let you expose a Lambda function as a public HTTPS endpoint without an API Gateway or Application Load Balancer in front of it. Lumigo’s Yan Cui provides more context about what Function URLs are, how they work, and how to take advantage of them.

Incident report: From CLI to console, chasing an attacker in AWS
Walkthrough by Expel’s Brian Bahtiarian, David Blanton, Britton Manahan, and Kyle Pellett on how they spotted unauthorized access (a login by a long-lived IAM user without MFA from an unusual location), the investigative steps they took to understand what the attacker did (reviewing all IAM API calls made by the suspect account), remediation steps, and lessons learned.
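The two investigative steps described above (flag a console login by a long-lived IAM user without MFA from an unfamiliar address, then pull every API call that principal made afterwards) translate directly into a small detection over CloudTrail records. The following is an added example, not code from the Expel write-up: the events are constructed in CloudTrail's shape, the "known" source addresses and the shortlist of persistence-style IAM actions are assumptions a team would replace with its own.

```python
"""
Added example (not from the Expel incident report): a CloudTrail-style
triage that mirrors the two steps the write-up describes. All records below
are constructed; the known-IP set and the persistence shortlist are assumptions.
"""
import json
from datetime import datetime, timezone

# Constructed CloudTrail-shaped records (not real log data).
SAMPLE_EVENTS = [
    {"eventTime": "2022-04-01T09:12:03Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2022-04-01T22:40:15Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "198.51.100.77",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2022-04-01T22:41:02Z", "eventName": "ListUsers",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "198.51.100.77"},
    {"eventTime": "2022-04-01T22:43:30Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"userName": "deploy-bot"}},
    {"eventTime": "2022-04-01T10:05:00Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"},
     "sourceIPAddress": "203.0.113.10"},
]

# Assumption: addresses the organisation's people normally log in from.
KNOWN_SOURCE_IPS = {"203.0.113.10", "203.0.113.11"}

# Assumption: a reviewer's shortlist of IAM mutations that commonly indicate
# an attacker establishing persistence. Not an AWS-provided list.
PERSISTENCE_ACTIONS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
                       "AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy"}


def parse_time(stamp):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def suspicious_console_logins(events, known_ips):
    """Successful ConsoleLogin events by IAM users (long-lived credentials,
    not role sessions) that did not use MFA and came from an unknown address."""
    hits = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        if ev.get("userIdentity", {}).get("type") != "IAMUser":
            continue
        # Treat a missing MFAUsed field as "No": absence of evidence is not MFA.
        if ev.get("additionalEventData", {}).get("MFAUsed", "No") == "Yes":
            continue
        if ev.get("sourceIPAddress") in known_ips:
            continue
        hits.append(ev)
    return hits


def api_calls_after(events, arn, since):
    """Every call by the given principal ARN at or after `since`, in time order."""
    calls = [ev for ev in events
             if ev.get("userIdentity", {}).get("arn") == arn
             and parse_time(ev["eventTime"]) >= since]
    calls.sort(key=lambda ev: parse_time(ev["eventTime"]))
    return [(ev["eventTime"], ev["eventSource"], ev["eventName"]) for ev in calls]


def triage(events, known_ips):
    """For each suspicious login: the principal, its follow-on API calls,
    and which of those calls look like persistence and should be escalated."""
    report = []
    for login in suspicious_console_logins(events, known_ips):
        arn = login["userIdentity"]["arn"]
        calls = api_calls_after(events, arn, parse_time(login["eventTime"]))
        flagged = [c for c in calls if c[2] in PERSISTENCE_ACTIONS]
        report.append({"principal": arn, "source_ip": login["sourceIPAddress"],
                       "calls": calls, "persistence": flagged})
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS, KNOWN_SOURCE_IPS), indent=2))
```

Run against the constructed events, only the `deploy-bot` login is flagged: alice used MFA, and the role session is excluded because the point is long-lived credentials, not STS sessions. The follow-on list then surfaces the `CreateAccessKey` call, which is exactly the kind of thing a remediation step (rotate and revoke) needs to know about.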

Container Security

kris-nova/kaar
Bundle up a Kubernetes application into a single static OCI compliant archive, by Kris Nóva.

containers/bubblewrap
A container runtime tool aimed at providing unprivileged sandboxes. Unlike most existing approaches (e.g. systemd-nspawn, docker), bubblewrap is intended for running untrusted code.

Blue Team

pulsedive/certrss
A list of RSS feeds for government CERTs, by Pulsedive.

Hosting FleetDM on AWS EKS
Segment’s Prima Virani describes how to host FleetDM on an EKS cluster and send scheduled query logs to an AWS Opensource destination entirely created and managed as code.

Network Security

DockerSecurityPlayground/DSP
A microservices-based framework for the study of network security and penetration testing techniques.

Introducing PacketStreamer: distributed packet capture for cloud-native platforms
Deepfence’s Owen Garrett describes PacketStreamer, an open-source tool that captures network traffic from multiple remote sources concurrently and aggregates the data into a single pcap log file. It is written in Go and supports capture from Kubernetes nodes, Docker hosts, and bare-metal / virtual-machine servers.

Sponsor

📢 It’s CFP season! 🥳🤨😰

Need a hand to get your team’s submissions in on time? Let Discernible’s team of security communication experts help you create clear, unique, and compelling submissions to win over even the most stubborn program committee. We’ll also help with content development and speaker prep!

By the way, Melanie Ensign, the Founder & CEO of Discernible is pretty legit - she’s a steering committee member and PR lead for DEF CON, program committee co-chair for Enigma, was the Global Head of Security, Privacy, and Engineering Communications at Uber, and more 🤯

Misc

Awesome Go Education
A curated list of awesome articles and resources for learning and practicing Golang and its related technologies, by Mehdi Hadeli.

Semgrep Spring 2022 meetup recap
r2c’s Emily Fortuna provides an overview and recap of the most recent Semgrep meetup, including my discussion of security trends (shift to security engineering, secure defaults, developer experience), new Semgrep features, community members sharing their work (Lewis Ardern’s VS Code extension that provides Semgrep rule templates, Robusta’s Natan Yellin’s WhyProfiler), and Semgrep’s upcoming roadmap. Watch the recording here.

Wes Kao: How to Answer Questions
Awesome thread. A few tidbits: make sure to understand the “question behind the question,” tailor your answer to the asker (e.g. if they’re a numbers person), and aim for getting to an “eyes light up” moment.

Unruly Behavior Digital Signage
The FAA has created memes to discourage misbehavior against flight crew. Because this is the world we live in, sigh.

Monocle

I loved this example of great security engineering by Chime’s David Trejo.

David describes building Monocle, an internal dashboard that educates service and code owners on their security posture, and provides simple, actionable guidance on how to improve it.

Assigning a letter grade encourages developers to raise it (who wants to be at a C?), nudges them to proactively address issues when the grade drops, and gives leadership visibility.

And everything works within existing developer workflows, like a GitHub badge, Slack notifications, and more. Tons of good ideas in this post, highly recommend reading.

See also Laksh Raghavan’s thoughts on this post, and the excellent Netflix talk, A Pragmatic Approach for Internal Security Partnerships, which has similarly interesting security engineering and internal dashboard examples.

Errata

One of the great things about having a newsletter is that people quickly point out when you’re wrong or are missing important context. Here are two things from last week:

From Riches to… Riches
Not knowing anything about Elon Musk’s past, I had assumed he grew up poor or middle class. However, according to Wikipedia, his family was quite wealthy.

Shady Services
I referenced Pixsy, a service nominally about helping creatives prevent others from misusing their work. However, Pixsy has actually been abusing a loophole in old Creative Commons licenses to extort and copyright-troll people who misattribute CC-licensed works (or are even using them correctly).

Read Cory Doctorow’s thoughts on it here and here. Big thanks to Erika for the heads up on this!

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint