Hey there,
I hope you’ve been doing well!
BSidesSF this Weekend!
BSidesSF is a great conference. If you don’t already have tickets, you can get them here.
The organizers kindly opened up some additional slots in my previously sold out Semgrep workshop! So if you’d like, try registering now and/or stop by in person.
There are countless interesting BSidesSF talks, but I’ll shamelessly plug:
- My colleagues’ talk on The power of guardrails and
- Buying Security: A Client’s Guide by my bud Rami McCarthy.
Also, if you find me around the con, I’ll give you some elusive tl;dr sec stickers!
(Oh hey, didn’t see you there #wokeuplikethis)
Regardless of if we hang out at the workshop, I hope we cross paths at BSidesSF or at RSA parties srs bizness events.
P.S. You can see a list of public RSA parties here.
Sponsor
📢 StackHawk’s New Integration with Snyk Code is Now Live!
With StackHawk’s new Snyk integration, teams can correlate security issues between dynamic security testing (DAST) and static security testing (SAST) to find and fix the most important application and API vulnerabilities before production.
Check out the StackHawk and Snyk in Action webinar to see how your team can automate security testing in CI/CD using these integrated tools.
Watch on Demand
📜 In this newsletter...
- Conferences: Pwn crypto to keep it competition, LocoMocoSec registration rates increase soon, ROOTCON CFP is open
- AppSec: Getting RCE on Rails apps
- Web Security: Damn vulnerable web sockets walkthrough, exploiting Swagger-UI
- Cloud Security: Bring Azure resources under Terraform management, Google's library to carry out DFIR in the cloud, AWS startup security baseline, thinking about threat detection in the cloud
- Container Security: How to use Atomic Red Team to test Falco rules in Kubernetes
- Blue Team: A binary authorization system for macOS, open source tool to auto-enrich alerts
- Supply Chain: Software supply chain security reading list
- Running Bug Bounty Programs: Eight years of the GitHub bug bounty program, learning experiences going from hacker to bug bounty program owner
- Network Security: A network traffic analysis tool suite by CISA, Tailscale tricks for security testers
- Scraping: CLI tool for automated web page screenshots, how to effectively scrape using Python
- Misc: An analysis of the structure and contents of top newsletters, how to professionally say what you want in a work setting, Rego style guide, learn to tie 150 knots, Org mode that's not dependent on Emacs, the curse of strong typing
- Quote: Your life is your message. So what are you saying?
Conferences
PWN2BTC
A smart contract & crypto hardware exploitation competition on June 7th, as a
part of Off The Chain. If you pwn it, you keep the crypto.
LocoMocoSec
Registration costs increase after June 7th, so get your tickets soon! If you do,
I’ll see you June 27-30 in Honolulu 😎.
ROOTCON
CFP open until July 25, conference September 28-30 in Manila.
AppSec
Ruby Vulnerabilities: Exploiting Dangerous Open, Send and Deserialization Operations
Bishop Fox’s Ben Lincoln walks through a
number of ways to get sweet, sweet remote code execution when testing Rails
apps, as well as a sample vulnerable app and example exploit code.
Vulnerabilities: Kernel-level open function, insecure send, binary deserialization, YAML deserialization, and Oj JSON deserialization.
Web Security
Damn Vulnerable Web Sockets Walkthrough
A walkthrough of the Damn Vulnerable Web
Sockets app, including brute
forcing the login, CSRF, file inclusion, error and blind SQL injection, and
stored XSS.
Hacking Swagger-UI - from XSS to account takeovers
Vidoc Security Lab’s Dawid Moczadło found a DOM
XSS in Swagger UI, which he was able to successfully report across 60 different
bug bounty programs. Swagger UI had an outdated version of DomPurify, and Dawid
found a new way to exploit a known DomPurify bypass.
I think this post is a good example of finding and building on related work to achieve a goal, and maximizing impact.
GitLab had CSP that did not allow me to use event handlers - <img onerror=alert(window.origin) src=1> was blocked. The good thing with GitLab is that they disclose all of their security issues, so I just searched for XSS and copied the CSP bypass from there ;) (remember to work smart not hard)
Cloud Security
Azure/aztfy
A tool to bring existing Azure resources under Terraform’s management.
google/cloud-forensics-utils
A Python library to carry out DFIR analysis on the cloud. Currently supports
GCP, Azure, and AWS.
AWS Startup Security Baseline
Guidance by AWS’ Jay Michael on a
set of controls that create a minimum foundation for businesses to build
securely on AWS without decreasing their agility.
How to Think about Threat Detection in the Cloud
Google’s Anton Chuvakin and Tim
Peacock share their views on a foundational
framework for thinking about threat detection in public cloud computing.
Container Security
How to use Atomic Red Team to test Falco rules in K8s
It’s important to test that your security controls and tools actually work!
Sysdig’s Jason Avery
describes how to use Red Canary’s Atomic Red
Team in a Kubernetes
environment to confirm that Falco’s rules flag the malicious behavior.
Blue Team
google/santa
A binary authorization system for macOS.
Avoiding Security Alert Hell: Introducing Squyre
Bill Mahony announces
Squyre, a new open source tool aimed at
reducing analyst fatigue by automatically enriching alerts with helpful
context. It uses Lambdas and Step Functions to extract IP addresses, domains,
hashes etc. from an alert body, looks them up on various services, and then adds
the results to the alert in your ticketing system (e.g. Jira).
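The extract, look up, attach flow described above, as an added Python example that is not Squyre's own code: the Lambda and Step Functions plumbing is replaced by plain functions, and the external reputation services by a constructed lookup table, so it runs offline. The alert text, the indicator values and the verdicts are all constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample alert body; a real one would arrive from the SIEM or ticket.
SAMPLE_ALERT = """Suspicious outbound connection from host ws-42.
dst=198.51.100.23 (also seen as 198[.]51[.]100[.]23) via hxxp://evil-updates[.]example
process sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
local helper 10.0.0.5 contacted"""
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # skip RFC1918
def refang(text: str) -> str:
    # Undo common defanging (hxxp, [.]) so indicators match PATTERNS.
    return text.replace("[.]", ".").replace("hxxp", "http")

def extract_iocs(body: str) -> dict:
    """Return {type: [unique lowercase values]} found in the alert body."""
    body = refang(body)
    found = {}
    for kind, pat in PATTERNS.items():
        values = []
        for m in pat.findall(body):
            if kind == "ipv4":
                try:
                    if any(ip_address(m) in net for net in INTERNAL):
                        continue
                except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
                    continue
            if m.lower() not in values:
                values.append(m.lower())
        found[kind] = values
    return found

# Constructed reputation data standing in for calls to external lookup services.
REPUTATION = {
    "198.51.100.23": "malicious (constructed feed)",
    "evil-updates.example": "malicious (constructed feed)",
}

def enrich(iocs: dict) -> list:
    """Attach a verdict to every indicator; unknown ones are still listed for the analyst."""
    return [{"type": k, "value": v, "verdict": REPUTATION.get(v, "unknown")}
            for k, vals in iocs.items() for v in vals]

def render_comment(rows: list) -> str:
    """Text to append to the ticket (e.g. as a Jira comment)."""
    return "\n".join(["Automated enrichment:"]
                     + [f"- {r['type']} {r['value']}: {r['verdict']}" for r in rows])
```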
Supply Chain
Software Supply-Chain Security Reading List
A list of resources by Chainguard covering
policy, incidents/threats, solutions, organizations, background, and reports and
summaries.
Running Bug Bounty Programs
Eight years of the GitHub Security Bug Bounty program
By GitHub’s Jill Moné-Corallo. GitHub awarded
$803,769 in bounties for 235 vulnerabilities in 2021, bringing them to ~$2.4M in
total rewards via HackerOne since 2016. Npm has also been added to GitHub’s bug
bounty scope.
From Hacker to Bug Bounty Program Owner: A Learning Experience
Braze’s Tommy DeVoss describes the lessons he’s
learned in going from a top bug bounty researcher to building Braze’s program.
Four big learnings:
- Launching a Bug Bounty Program Takes Cross-Team Collaboration
- Never Lose Sight of Your Relationship With Hackers and Researchers
- Bug Bounties Look Different From the Company Side
- The Work Doesn’t End When a Bug is Identified
Network Security
cisagov/Malcolm
A powerful, easily deployable network traffic analysis tool suite for full
packet capture artifacts (PCAP files) and Zeek logs, by
CISA.
A few Tailscale tricks for Security Testers
Pulse Security NZ’s Michael Fincham shares some
interesting details about how Tailscale works, including that Tailscale
currently only supports ingress access control rules: all outbound network
traffic leaving a host is allowed. So if you’ve compromised a machine, you could
re-install a modified version of Tailscale to allow any traffic to the device.
Also:
As a tailnet administrator you still have to make sure your containers are running with tags rather than a human user if you want to avoid containers being able to leak each other’s environment variables.
See also Tailscale’s Hardening Guide. I feel like I’ve been hearing a lot of good things about Tailscale recently, I’ve been meaning to play with it when I have time.
Sponsor
📢 Developing Security Products that Can Scale.
In a recent episode of the Detection at Scale podcast, Panther Labs CEO and Founder Jack Naglieri sat down with Joren McReynolds, VP of Engineering, IT and Security at Panther Labs, to discuss Joren’s experiences and lessons at Facebook and Airbnb, and how they shaped his understanding of what building a great product takes.
Listen Now
I first met Joren when he was leading Detection and Response at Airbnb. Super smart dude. It was neat hearing in this podcast about Joren’s experiences in the creation of osquery at Facebook, StreamAlert at Airbnb, and navigating inter-organization dynamics as a security team. Would recommend a listen 👌
Scraping
shot-scraper: automated screenshots for documentation, built on Playwright
A CLI tool for automating screenshots of web pages, by Simon
Willison. You can also have it screenshot just a
subsection of the page using CSS selectors.
Web scraping with Python open knowledge
Re Analytics shares best practices for scalable, easy-to-maintain web
scraping in Python. See also
advanced-scrapy-proxies,
a Scrapy rotation proxy package with advanced functions.
Misc
Newsletter Analysis: What My Favorite Newsletters Have in Common
Super cool analysis by my friend Daniel Miessler on the structure and contents of his top 10+ favorite newsletters. Honored that tl;dr sec was one of them 😍. If you run a newsletter, Daniel recommends:
- Unless you’re over a million subscribers, include a value proposition
- Consider opening with a brief, personal intro
- Use a custom email subject that describes the episode
- Consider getting a referral program to jumpstart growth
How to professionally say
Some professional sounding wording for things you might really want to say at
work, like: “That meeting sounds like a waste of my time” or “I’m not doing your
job for you.”
StyraInc/rego-style-guide
A collection of recommendations and best practices for authoring Rego from
Styra, the founders of Open Policy Agent (OPA).
Knots 3D
Learn how to tie over 150 useful knots. If you’ve ever had challenges in this
domain, it should be knot a problem after this app.
200ok-ch/organice
An implementation of Org mode without the dependency of Emacs - built for mobile
and desktop browsers.
The curse of strong typing
A fun and playful, very detailed article by
@fasterthanlime.
Someone, somewhere (above me, presumably) made a decision. “From now on”, they declared, “all our new stuff must be written in Rust”.
I don’t know what they see in it, to be honest. It’s like I always say: it’s not a data race, it’s a data marathon.
At any rate, I now find myself in a beautiful house, with a beautiful wife, and a lot of compile errors.
Quote
“My life is my message.” -Gandhi
So is yours. So what are you saying?
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler