I hope you’ve been doing well!
This issue is a bit longer so I’ll be brief: Janna Haider allowing her students to submit U.S. History memes for extra credit is excellent, and I love it.
Here are a few:
Feedback wanted: Have you bought or sold security assessments?
One of my favorite things with tl;dr sec is collaborating with super smart people on epic guides. And boy, is this one shaping up nicely.
But we need your help!
Please take 5 minutes to fill out a survey, so we can help everyone learn from your experiences and insights.
Hopefully we can then avoid what Haroon Meer has called a market for lemons.
Thanks so much in advance, you can fill out the 5min survey here.
📢 StackHawk and Snyk Join Forces
StackHawk and Snyk have partnered up to provide a complete modern application security testing package.
Learn how these tools can help your teams implement dev-friendly DAST, SAST, and SCA to fix vulnerabilities faster.Learn More
📜 In this newsletter...
- Machine Learning: DALL•E 2 creates amazing images based on English descriptions
- AppSec: CI/CD Goat, C/C++ Semgrep rules for vulnerability research
- Secret Management: Git credential manager, CLI tool to manage secrets in SSM Parameter Store
- SBOM: Docker now has an sbom command,
Softwarealone is insufficient
- Mobile Security: Bypassing SSL pinning on Android Flutter apps with Ghidra
- Web Security: Tool to find broken social media links that can be hijacked, Shubham Shah on offensive code review, list of open source web security scanners
- Cloud Security: AWS Lambda Function URLs, SCP to prevent open Lambda URLs, chasing an attacker in AWS
- Container Security: Bundle Kubernetes app into a single static OCI archive, container tool aimed running untrusted code
- Blue Team: RSS feeds for government CERTs, hosting FleetDM on AWS EKS
- Network Security: Docker security playground, distributed package capture tool for cloud-native platforms
- Misc: Awesome Go education, Semgrep Spring 2022 meetup recap, how to answer questions, FAA memes
- Monocle: How Chime creates a proactive security & engineering culture: Read it, great insights
- Errata: Elon was born rich, Pixsy is shady AF
Sam Altman announces the new release of DALL-E, an AI that can create and edit images based on natural language instructions. What it can do is, frankly, amazing. Check out this 3min explainer video, this Twitter thread, or this Less Wrong post for examples.
By Cider Security: A deliberately vulnerable CI/CD environment. Learn and practice CI/CD security through a set of 10 challenges, enacted against a real, full blown CI/CD environment.
Secure, cross-platform Git credential storage with authentication to GitHub, Azure Repos, and other popular Git hosting services. Also supports MFA.
By Segment: A CLI for managing secrets that stores secrets in SSM Parameter Store, an AWS service for storing secrets.
Announcing Docker SBOM: A step towards more visibility into Docker images
There’s now an experimental
docker sbom CLI command that displays the SBOM of any Docker image (uses Syft), and they’re working on making it easy for partners and the community to add SBOM functionality to
docker build using BuildKit’s extensibility.
“SBOM” should not exist! Long live the SBOM
Steve Springett argues that a Software Bill of Materials (SBOM) is insufficient, we should really be including services, hardware, and other traditional non-software inventory also, as well as communicating lifecycle to the target audience.
Bypassing SSL pinning on Android Flutter Apps with Ghidra
Android Flutter apps don’t honor Android’s proxy settings nor trust Android’s TrustManager. Raphael Denipotti describes how to patch the
libflutter.so binary so you can effectively intercept TLS
By Utku Şen: Tool that crawls a given URL and finds broken social media links that can be hijacked, which may allow an attacker to conduct phishing attacks. Currently supports Twitter, Facebook, Instagram and Tiktok without any API keys.
Shubham Shah on offensive source code review
Great thread with some useful tips.
A list of open source web security scanners by Stackhawk’s Simon Bennetts, covering general purpose web scanners, infrastructure scanners, fuzzers / brute forcers, CMS web scanners, API scanners, and specialized scanners.
AWS Lambda: function URL is live!
AWS has announced AWS Lambda Function URLs, which basically lets you use Lambdas as a public HTTPS endpoint without using an API Gateway or Application Load Balancer. Lumigo’s Yan Cui provides more context about what Function URLs are, how they work, and how to take advantage of them.
Incident report: From CLI to console, chasing an attacker in AWS
Walkthrough by Expel’s Brian Bahtiarian, David Blanton, Britton Manahan, and Kyle Pellett on how they spotted unauthorized access (log in by long-lived IAM account without MFA from unusual location), the investigative steps they took to understand what the attacker did (review all IAM API calls from the suspect account), remediation steps and lessons learned.
A container runtime tool aimed at providing unprivileged sandboxes. Unlike most existing approaches (e.g.
docker), bubblewrap is
intended for running untrusted code.
A microservices-based framework for the study of network security and penetration testing techniques.
Introducing PacketStreamer: distributed packet capture for cloud-native platforms
Deepfence’s Owen Garrett describes PacketStreamer, an open-source tool that captures network traffic from multiple remote sources concurrently and aggregates the data into a single pcap log file. Written in Golang and supports network capture from Kubernetes nodes, Docker hosts and bare-metal / virtual-machine servers.
📢 It’s CFP season! 🥳🤨😰
Need a hand to get your team’s submissions in on time? Let Discernible’s team of security communication experts help you create clear, unique, and compelling submissions to win over even the most stubborn program committee. We’ll also help with content development and speaker prep!Contact us today!
By the way, Melanie Ensign, the Founder & CEO of Discernible is pretty legit - she’s a steering committee member and PR lead for DEF CON, program committee co-chair for Enigma, was the Global Head of Security, Privacy, and Engineering Communications at Uber, and more 🤯
Semgrep Spring 2022 meetup recap
r2c’s Emily Fortuna provides an overview and recap of the most recent Semgrep meetup, including my discussion of security trends (shift to security engineering, secure defaults, developer experience), new Semgrep features, community members sharing their work (Lewis Ardern’s VS Code extension that provides Semgrep rule templates, Robusta’s Natan Yellin’s WhyProfiler), and Semgrep’s upcoming roadmap. Watch the recording here.
Wes Kao: How to Answer Questions
Awesome thread. A few tidbits: make sure to understand the “question behind the question,” tailor your answer to the asker (e.g. if they’re a numbers person), and aim for getting to an “eyes light up” moment.
Unruly Behavior Digital Signage
The FAA has created memes to discourage misbehavior against flight crew. Because this is the world we live in, sigh.
I loved this example of great security engineering by Chime’s David Trejo.
David describes building Monocle, an internal dashboard that educates service and code owners on their security posture, and provides simple, actionable guidance on how to improve it.
Assigning a letter grade encourages developers to raise it (who wants to be at a C?), proactively address issues when the letter goes down, and provides visibility to leadership.
And everything works within existing developer workflows, like a GitHub badge, Slack notifications, and more. Tons of good ideas in this post, highly recommend reading.
See also Laksh Raghavan’s thoughts on this post here, and the excellent Netflix talk, A Pragmatic Approach for Internal Security Partnerships, which has similarly interesting security engineering and internal dashboard examples.
One of the great things about having a newsletter is that people quickly point out when you’re wrong or are missing important context. Here are two things from last week:
From Riches to… Riches
Not knowing anything about Elon Musk’s past, I had assumed he grew up poor or middle class. However, according to Wikipedia, his family was quite wealthy.
I referenced Pixsy, a service in name about helping creatives prevent others from misusing their work. However, Pixsy has actually been abusing a loophole in old Creative Commons licenses to extort and copyright-troll people who misattribute CC-licensed works (or are even using them correctly).
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!Cheers,