
[tl;dr sec] #134 - DevSecOps, Scalable Canary Tokens, Learning from AWS Customer Security Breaches

Useful ways to think about modern security teams, how to scale honeytokens while maintaining server level attribution, and how to harden your AWS environment based on public breaches.

Hey there,

I hope you’ve been doing well!

Being a Hot Dog

Last week at my team’s offsite, we were talking about different types of skillsets on the team.

A common term thrown around in tech is T-shaped people, who have some level of familiarity across a number of areas (the top of the T), and significant expertise in one thing (the body of the T).

My bud Grayson Hardaway was saying that as an eng manager now he feels like he’s more just… a line. Like, the top of the T. Still comfortable in a number of areas, but it’s hard to keep the depth.

Trying to cheer him up, another team member said, “Well, you’re not just a line, because that conveys no depth in anything. You do know more than that about some things. You’re more like… a hot dog, which is not necessarily deep, but somewhat wider.” 🤣

I laughed, said I felt the same way, and now I am forever referred to as a hot dog by the rest of the team, heh.

This also reminds me of that app on Silicon Valley:

Feel free to convey your value add to your team or company as also being a hot dog 🤣.

Sponsor

📢 Introducing the DevSecGuide to Kubernetes 🐳

As the de facto container orchestrator, Kubernetes has undeniable benefits when it comes to building performant and scalable applications. Its complexity and flexibility can create security challenges, but when approached with DevSecOps, can provide an opportunity to automate security from the start.

Download this free guide to explore the unique considerations Kubernetes presents for cloud-native application security. Learn how to build on top of its built-in security foundation for improved automation and DevSecOps collaboration.

📜 In this newsletter...

  • Navigating the Downturn: Resources on navigating the current economy

  • Web Security: Portswigger's vulnerable app for testing web scanners, a grammar-based HTTP fuzzer

  • Cloud Security: GCP resource scanner to determine level of access certain creds have, AWS canary tokens that scale, using stolen IAM creds, learning from AWS customer security breaches

  • Container Security: eBPF-based security observability and runtime enforcement tool, whitepaper on excessive Kubernetes permissions in popular platforms, tool to identify risky permissions and privilege escalation paths in k8s clusters

  • Politics / Privacy: How to enable HTTPS-only mode in mainstream browsers

  • OSINT / Recon: Machine learning-based scanner for PII in images

  • Misc: Mega list of open source games, list of open source security tools, why you shouldn't ransomware the Bank of Zambia, you can order 8 more free COVID tests from the US government, invisibility cloaks are coming

  • DevSecOps: How DevSecOps differs from DevOps, the security culture change required to truly embrace DevSecOps

  • Quote: Carl Jung on making the unconscious conscious

Navigating the Downturn

Many people are talking about the economy and how it affects tech companies, especially tech start-ups. I am not a finance professional, and I’m especially not your finance person, but here are some resources I’ve seen shared:

Web Security

Gin and Juice Shop: put your scanner to the test
Portswigger has released a new purposefully vulnerable web app designed to test the chops of modern web scanners.

bahruzjabiyev/T-Reqs-HTTP-Fuzzer
A grammar-based HTTP fuzzer written as a part of the ACM CCS 2021 paper: T-Reqs: HTTP Request Smuggling with Differential Fuzzing, by Northeastern University’s Bahruz Jabiyev, Steve Sprecher, Kaan Onarlioglu, and Engin Kirda.

Cloud Security

google/gcp_scanner
A GCP resource scanner that can help determine what level of access a given set of credentials has on GCP. It’s designed to help security engineers evaluate the impact of a VM/container compromise, or of a leaked GCP service account key or OAuth2 token.

🔥 Zero Maintenance AWS Canary Tokens That Scale
HashiCorp’s Will Bengtson describes an approach for scaling honeytokens in AWS while maintaining server level attribution no matter the cluster size or number of applications.

By utilizing temporary credentials (credentials returned as the result of the AssumeRole operation) as honeytokens, we can deploy a honeytoken approach that scales with our environment, utilize existing detection mechanisms (CloudTrail alerting), and remove the need to run a set of infrastructure dedicated to managing IAM Users.
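The detection side of this approach, as an added example that is not Will Bengtson’s code: it walks CloudTrail records and attributes any use of a honeytoken session back to the server the token was planted on. It assumes (not stated in the post) that the honeytokens were minted with sts:AssumeRole on a dedicated role with no permissions, that the RoleSessionName was set to the planting server’s hostname, and that the role ARN and the sample records below are constructed placeholders.

```python
"""
Attribute AWS honeytoken use in CloudTrail to the server the token was planted on.

Added example; not code from the post it illustrates. Assumptions (mine, not
the author's): honeytokens are temporary credentials from sts:AssumeRole on a
permissionless role whose ARN is the placeholder below, and the RoleSessionName
is the hostname of the server that received the token. CloudTrail records each
call under assumed-role/<role-name>/<session-name>, so the session name gives
per-server attribution without a per-server IAM user.
"""
import json
from dataclasses import dataclass

HONEYTOKEN_ROLE_ARN = "arn:aws:iam::123456789012:role/honeytoken-role"  # placeholder


@dataclass(frozen=True)
class HoneytokenHit:
    server: str          # RoleSessionName, i.e. where the token was planted
    event_name: str
    source_ip: str
    event_time: str
    access_key_id: str
    error_code: str      # "AccessDenied" is the expected outcome for a permissionless role


def session_name(assumed_role_arn: str) -> str:
    """arn:aws:sts::<acct>:assumed-role/<role>/<session> -> <session>"""
    return assumed_role_arn.rsplit("/", 1)[-1]


def is_honeytoken_record(record: dict, role_arn: str = HONEYTOKEN_ROLE_ARN) -> bool:
    """True when the call used a session issued by the honeytoken role."""
    identity = record.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return False
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") == role_arn


def find_honeytoken_hits(records: list, role_arn: str = HONEYTOKEN_ROLE_ARN) -> list:
    """Every honeytoken use, with the planted server recovered from the session name."""
    hits = []
    for rec in records:
        if not is_honeytoken_record(rec, role_arn):
            continue
        identity = rec["userIdentity"]
        hits.append(HoneytokenHit(
            server=session_name(identity["arn"]),
            event_name=rec.get("eventName", ""),
            source_ip=rec.get("sourceIPAddress", ""),
            event_time=rec.get("eventTime", ""),
            access_key_id=identity.get("accessKeyId", ""),
            error_code=rec.get("errorCode", ""),
        ))
    return hits


def parse_cloudtrail_log(text: str) -> list:
    """CloudTrail log files are a JSON object with a top-level "Records" array."""
    return json.loads(text)["Records"]


def _record(role: str, session: str, event: str, ip: str, key: str, **extra) -> dict:
    """Build a minimal constructed CloudTrail record for the samples below."""
    acct = "123456789012"
    rec = {
        "eventTime": "2022-05-20T01:02:03Z",
        "eventName": event,
        "sourceIPAddress": ip,
        "userIdentity": {
            "type": "AssumedRole",
            "accessKeyId": key,
            "arn": f"arn:aws:sts::{acct}:assumed-role/{role}/{session}",
            "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{acct}:role/{role}"}},
        },
    }
    rec.update(extra)
    return rec


# Constructed sample log: one ordinary workload call, then two honeytoken uses
# from an unfamiliar address, one token planted on web-01 and one on db-02.
SAMPLE_LOG = json.dumps({"Records": [
    _record("app-role", "i-0abc123", "GetObject", "10.0.1.5", "ASIAEXAMPLE000000000"),
    _record("honeytoken-role", "web-01", "GetCallerIdentity", "203.0.113.7", "ASIAEXAMPLE000000001"),
    _record("honeytoken-role", "db-02", "ListBuckets", "203.0.113.7", "ASIAEXAMPLE000000002",
            errorCode="AccessDenied"),
]})

if __name__ == "__main__":
    for hit in find_honeytoken_hits(parse_cloudtrail_log(SAMPLE_LOG)):
        print(f"honeytoken from {hit.server} used: {hit.event_name} from {hit.source_ip} "
              f"({hit.error_code or 'succeeded'})")
```

The match is on `sessionContext.sessionIssuer.arn`, not on the access key ID, so the alert keeps working after the tokens are rotated; the role itself needs no policy at all, since denied calls are still written to CloudTrail and sts:GetCallerIdentity succeeds without any permissions.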

Using Stolen IAM Credentials
Nick Frichette provides tips for pen testers and red teamers on how you can use AWS IAM creds you find on an engagement, determine their validity, avoid detection, and gain situational awareness.

Learning from AWS (Customer) Security Breaches
Cedar’s Rami McCarthy joins the OWASP DevSlop podcast (slides) to discuss over 20 different public breaches, covering the technical details of these attacks, establishing the common root causes, looking at lessons learned, and showing how you can proactively secure your environment against these real world risks.

See also these 2 tools to identify and remediate the use of AWS IMDSv1:

Container Security

cilium/tetragon
eBPF-based security observability and runtime enforcement by Cilium. Tetragon detects and is able to react to security-significant events, such as process execution events, system call activity, and I/O activity including network & file access. When used in Kubernetes, it understands namespaces, pods, etc. so that security event detection can be configured in relation to individual workloads.

To understand the real-world impact of excessive permissions, Prisma Cloud researchers analyzed popular Kubernetes platforms (e.g. AKS, EKS, GKE, OpenShift) - distributions, managed services, and common add-ons - to identify widespread infrastructure components that run with powerful permissions. In 62.5% of the Kubernetes platforms reviewed, privileged credentials were distributed across every node in the cluster. As a result, in half of the platforms examined, a single container escape was enough to take over the entire cluster.

PaloAltoNetworks/rbac-police
Accompanying tool to the above whitepaper. rbac-police helps you identify risky permissions and privilege escalation paths in Kubernetes clusters by evaluating the RBAC permissions of serviceaccounts, pods and nodes through policies written in Rego.
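A small version of the kind of check the whitepaper and rbac-police describe, as an added example written here in Python rather than Rego and not code from either project: it joins Role/ClusterRole objects to their bindings and reports ServiceAccounts holding grants that commonly lead to privilege escalation (secret reads, pod creation, exec, binding-creation and escalate/bind verbs). The sample objects are constructed; the cluster-wide secrets grant to a node-level add-on mirrors the “privileged credentials on every node” pattern the research describes.

```python
"""
Flag risky Kubernetes RBAC grants held by ServiceAccounts.

Added example; not code from rbac-police, which expresses checks like these as
Rego policies. Input is a list of Role/ClusterRole/RoleBinding/ClusterRoleBinding
objects in the shape `kubectl get ... -o json` returns (constructed below).
"""

# (apiGroup, resource, verb) triples that give a subject a path to more
# privilege; "*" in a rule matches any value in that position.
RISKY_GRANTS = {
    ("", "secrets", "get"): "read secrets (credential and token theft)",
    ("", "secrets", "list"): "list secrets (credential and token theft)",
    ("", "pods", "create"): "create pods (run workloads under other serviceaccounts)",
    ("", "pods/exec", "create"): "exec into pods (run commands in existing workloads)",
    ("", "nodes/proxy", "get"): "reach the kubelet API through nodes/proxy",
    ("", "serviceaccounts/token", "create"): "mint tokens for other serviceaccounts",
    ("rbac.authorization.k8s.io", "clusterrolebindings", "create"): "create clusterrolebindings",
    ("rbac.authorization.k8s.io", "clusterroles", "escalate"): "escalate verb on clusterroles",
    ("rbac.authorization.k8s.io", "clusterroles", "bind"): "bind verb on clusterroles",
}


def _matches(values, wanted: str) -> bool:
    """A rule list element matches if it names the value or is the wildcard."""
    return any(v in ("*", wanted) for v in values)


def risks_in_rules(rules: list) -> list:
    """Descriptions of every risky grant covered by a list of PolicyRules."""
    found = []
    for rule in rules:
        groups = rule.get("apiGroups", [""])
        for (group, resource, verb), why in RISKY_GRANTS.items():
            if (_matches(groups, group)
                    and _matches(rule.get("resources", []), resource)
                    and _matches(rule.get("verbs", []), verb)):
                found.append(why)
    return found


def find_risky_grants(objects: list) -> list:
    """Join bindings to roles and report risky grants per ServiceAccount."""
    roles = {}      # (kind, namespace, name) -> rules; ClusterRoles use namespace ""
    bindings = []
    for obj in objects:
        kind, meta = obj["kind"], obj["metadata"]
        if kind in ("Role", "ClusterRole"):
            roles[(kind, meta.get("namespace", ""), meta["name"])] = obj.get("rules", [])
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            bindings.append(obj)

    findings = []
    for binding in bindings:
        ref = binding["roleRef"]
        ns = binding["metadata"].get("namespace", "")
        # A RoleBinding scopes whatever it references, even a ClusterRole, to its namespace.
        scope = "cluster-wide" if binding["kind"] == "ClusterRoleBinding" else f"namespace {ns}"
        role_ns = "" if ref["kind"] == "ClusterRole" else ns
        rules = roles.get((ref["kind"], role_ns, ref["name"]), [])
        for subject in binding.get("subjects", []):
            if subject.get("kind") != "ServiceAccount":
                continue
            sa = f"{subject.get('namespace', ns)}/{subject['name']}"
            for why in risks_in_rules(rules):
                findings.append({"serviceaccount": sa, "scope": scope, "risk": why})
    return sorted(findings, key=lambda f: (f["serviceaccount"], f["risk"]))


def _meta(name: str, namespace: str = None) -> dict:
    return {"name": name, **({"namespace": namespace} if namespace else {})}


# Constructed sample: a node add-on that can read every secret in the cluster,
# a CI runner that can create pods in its namespace, and a harmless reader.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": _meta("csi-node"),
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": _meta("csi-node"),
     "roleRef": {"kind": "ClusterRole", "name": "csi-node"},
     "subjects": [{"kind": "ServiceAccount", "name": "csi-node-sa", "namespace": "kube-system"}]},
    {"kind": "Role", "metadata": _meta("ci-runner", "ci"),
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "get"]}]},
    {"kind": "RoleBinding", "metadata": _meta("ci-runner", "ci"),
     "roleRef": {"kind": "Role", "name": "ci-runner"},
     "subjects": [{"kind": "ServiceAccount", "name": "runner"}]},
    {"kind": "Role", "metadata": _meta("reader", "app"),
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
    {"kind": "RoleBinding", "metadata": _meta("reader", "app"),
     "roleRef": {"kind": "Role", "name": "reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "web"}]},
]

if __name__ == "__main__":
    for f in find_risky_grants(SAMPLE_OBJECTS):
        print(f"{f['serviceaccount']} ({f['scope']}): {f['risk']}")
```

The scope column is what separates a noisy finding from a serious one: the same secrets grant is far worse cluster-wide on a DaemonSet’s ServiceAccount, where one container escape exposes it on every node, than inside a single namespace.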

Politics / Privacy

HTTPS Is Actually Everywhere
Mainstream browsers now offer native support for an HTTPS-only mode, no browser extensions needed. The EFF’s Alexis Hancock walks through the relevant settings in Firefox, Chrome, Edge, and Safari.

Sponsor

📢 AppOmni's SaaS Security Checklist outlines the 7 key components of SaaS security

Whether you’re creating a new SaaS security program or want to improve, AppOmni's SaaS Security Checklist can help. It outlines 7 key components of SaaS security, including configuration management and always-on monitoring, based on AppOmni’s experience working with hundreds of security teams.

OSINT / Recon

Octopii - An Open-source, PII (Personally Identifiable Information) Scanner For Images
RedHunt Labs announces Octopii, which can look for image assets such as government IDs, passports, photos, and signatures in a directory. It uses Tesseract’s Optical Character Recognition (OCR) and Keras’ Convolutional Neural Network (CNN) models.

Misc

Open Source Game List
Aggregation of information about 1368 open source video games and 310 game engines/tools.

CaledoniaProject/awesome-opensource-security
A list of interesting open source security tools across a broad variety of topics: mobile security, cloud, CTF, forensics, reverse engineering, code analysis, containers, firmware, fuzzing, and more.

National bank hit by ransomware trolls hackers with dick pics
The Bank of Zambia got hit by HIVE ransomware, and responded to the attackers by… sending dick pics. This post’s title will live forever in my heart, giving me joy in times of tribulation or sorrow.

You can, and should, order more free COVID tests from the US government
Every US household can now request eight rapid antigen tests. You can order them on the USPS website no matter how many tests you’ve received previously.

Invisibility cloaks are not just possible, but are becoming reality
Science isn’t quite there yet, but some of the requisite primitives seem to be falling into place.

The invisibility to radar, which is microwave-to-radio wavelength electromagnetic radiation, might have been the first step, but recent developments in metamaterials have extended this even further, bending light around an object and rendering it truly undetectable. Perhaps the critical advance that could finally bring an invisibility cloak to reality occurred in 2018, in a novel material called a broadband achromatic metalens. For the first time, it rendered an object undetectable across the entire visible light spectrum. The fusion of this technology with metamaterial cloaking — another recent nanotechnology advance — could finally enable the first visible-light cloaking device.

DevSecOps

DevSecOps vs. DevOps
VMware Tanzu’s Michael Coté provides a nice overview of DevSecOps, with three things that make it different and additive to DevOps: a secure software supply chain, improved culture and collaboration between security and development, and automation and guardrails. Emphasis mine:

DevSecOps staff think of developers as their customers and the security process as a product they’re creating and delivering for developer use. This is a product management approach to security.

Applying product management thinking to security shifts security’s focus from enforcing compliance to making the right thing the easiest thing for developers to do.

DevSecOps: beyond security, a cultural change
Deloitte’s Giles Houghton shares some perspective on how they’re addressing DevSecOps in the UK Government sector (emphasis mine).

Security must be not only integrated into the imagine, deliver and operate teams, but security team members must adopt the same delivery culture.

Everyone needs to be focused on value delivery to end users. The subconscious question changes from ‘is this too risky to go live with?’ to ‘given what we know about the risk, how can we still go live?’.

All security requirements must be described in terms of the business impact of not delivering the requirement, not just the security risk they mitigate. Too often we have seen requirements struggle to be addressed because they don’t mean anything to business stakeholders, and security specialists getting frustrated because their argument that “it’s important because it’s a security requirement” isn’t landing.

Security stakeholders must play an active role in requirements prioritisation… With a single shared backlog, all requirement owners must work in concert, considering the current security risk alongside the business value that needs to be released…

Quote

“Until you make the unconscious conscious, it will direct your life and you will call it fate.”

— Carl Jung

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint