[tl;dr sec] #143 - Career Advice, SBOM, Attack Surface Monitoring

Hey there,

I hope you’ve been doing well!

A Safe Investment

In an uncertain economy, the only safe investment:

Interestingly, The Hustle actually did a mini piece on it:

❤️ Secure Guardrails <> Cloud

tl;dr sec has been a consistent predictor of exits (with 5 sponsors acquired and counting), but this time I got in at the beginning…

One of the recurring themes of this newsletter, and what I personally believe to be the future of security, is: secure guardrails (“secure defaults,” “paved road,” etc.) that make the secure thing the easiest thing for developers to do.

I have many people to thank for shaping my views on this, including: Dev Akhawe, Zane Lackey, John Heasman, Doug DePerry, and many friends from Netflix, including Scott Behrens, Astha Singhal, and Patrick Thomas.

So I’m stoked that my (former) Netflix friends Travis McPeak and Aladdin Almubayed have decided to take their experience building tooling and systems that enable developers to move quickly and securely, and decided to found a company: Resourcely (TechCrunch announcement).

The initial pain point they’re aiming to solve is to enable developers to provision and use cloud resources securely without being experts in IAM and all the ways that can go wrong. Nice!

I believe in this team and the future of security tools empowering developers so much that I decided to do my first angel investment in Resourcely 🎉

Congrats to the team on the $8M seed from a16z (Zane Lackey!) and Felicis Ventures, I’m looking forward to seeing what you build!

Wow, this is a super detailed post, nice 👍

Attack Surface Monitoring

Hacking Together an ASM Platform Using ProjectDiscovery Tools
Ben Bidmead describes putting together a simple attack surface monitoring platform (source) using ProjectDiscovery tools, bash, and flask.

Guide to Picking an Attack Surface Management Solution
Hakluke describes how to choose a high quality attack surface management solution. Consider:

• Breadth: How many of the 4 core phases (discovery, assessment, prioritization, remediation) of ASM does the tool cover?

• Depth: How well are each of the phases performed?

AppSec

Get Your Kicks on Route Sixty-Sink: Identifying Vulnerabilities Using Automated Static Analysis
Mandiant’s Dillon Franke and Michael Maturi released Route Sixty-Sink, a tool that can find vulnerabilities in any .NET assembly using automated source-to-sink analysis. Route Sixty-Sink has already been used to find and exploit dozens of critical security issues.

Hunting For Mass Assignment Vulnerabilities Using GitHub CodeSearch and grep.app
Include Security’s Laurence Tennant describes finding a mass assignment in freeCodeCamp, a widely popular repo, using grep.app. He describes the challenges and frustrations of trying to use GitHub’s default search, as well as the new cs.github.com. My colleagues and I have struggled with these as well.

Using Semgrep to keep track of your communities style
Steve Jones describes how Semgrep can be used not just for security, but also for developer use cases like enforcing style or contribution guides. Style guides can get long, so to save time from contributors having to re-read it, and to save maintainers time during code reviews, they automate a number of checks using Semgrep, including:

• All Terraform aws_iam_roles should have a description

• Descriptions of variables should be at least 20 characters

• Ensure Terraform Modules are pinned to a specific version

• Ensure certain heading are present in all modules

One consistent thread I see in security teams getting widespread (and enthusiastic) developer adoption of security tooling, services, or libraries, is to also simultaneously address a developer pain point or provide some benefit.

• When introducing new tools, ask yourself, “What non-security wins can this provide for my developer customers?”

• When building some secure-by-default libraries, infrastructure, or services, ask yourself, “How will this support developers in shipping code faster, or with greater quality/robustness/observability, etc.?”

Cloud Security

Security best practices in IAM
An updated list of 14 IAM best practices by AWS.

AWS Lambda announces support for Attribute-Based Access Control (ABAC)
You can now define access permissions based on tags, which can be attached to IAM resources (e.g. IAM users and roles), and to AWS resources, like Lambda functions.

Best Practices for AWS Organizations Service Control Policies in a Multi-Account Environment
AWS’s Rajeswari Malladi and People’s United Bank’s Jim Kozlowski provide a representative organization unit (OU) structure for a financial services industry customer, and also best practice guidance and starter service control policies (SCPs) to consider in a multi-account AWS environment to establish governance and control.

Abusing the Replicator: Silently Exfiltrating Data
The S3 Replication service can quickly and effectively data cross S3 buckets. However, Vectra AI’s Kat Traxler describes how an attacker can exfiltrate data, even if they don’t have access to the S3 objects, if they can update replication rules.

Further, if Replication Time Control (RTC) is enabled, the Replication Service will only log the first putObject event in CloudTrail, meaning a malicious destination, if not the first location, won’t be logged. Solution: monitor for Replication rule changes and alert when the destination is unusual.

Container Security

innobead/kubefire
KubeFire creates and manages Kubernetes Clusters running on Firecracker microVMs, by SUSE’s David Ko.

Minimal Container Images: Towards a More Secure Future
Common approaches for slimming down a base image are using Debian Slim or Alpine, but these still contain a full Linux distribution, which is not what you need in production.

Chainguard’s Adrian Mouat describes a distroless container philosophy, of stripping out as much as possible except for the root certificates, language runtimes, and minimal requirements, etc. Chainguard is building the next generation of distroless images centered around apk. Try their images at github.com/distroless.

Container Security Considerations: Security Best Practices and Common Threats
Mike Privette provides an overview of what containers are, their security benefits, their security risks, briefly discusses defense-in-depth, and maps some container threats to STRIDE.

Software Bill of Materials (SBOM)

marco-lancini/utils/ci/github/docker-build-sign-sbom
A reusable GitHub Action by Marco Lancini to build, sign, and compute the SBOM of a container image.

1. Builds a container image

2. Scans it with Trivy

3. Pushes it to ECR

4. Signs it with cosign

5. Computes its SBOM with Syft

6. Attaches the SBOM to it via cosign

Microsoft open sources Salus software bill of materials (SBOM) generation tool
Microsoft’s Danesh Kumar Badlani and Adrian Diglio announce the release of sbom-tool, which works across Windows, Linux and Mac, and uses the standard Software Package Data Exchange (SPDX) format.

• It can be easily integrated into and auto-detects NPM, NuGet, PyPI, CocoaPods, Maven, Golang, Rust Crates, RubyGems, Linux packages within containers, Gradle, Ivy, GitHub public repositories, and more.

• It can also reference other SBOM documents for capturing a full dependency tree.

SBOM + SLSA: Accelerating SBOM success with the help of SLSA
Google’s Brandon Lum, Isaac Hepworth, and Meder Kydyraliev explain the strengths of SBOMs and SLSA and how they fundamentally differ, and shows how SLSA principles can both support the generation of high-quality SBOMs and help consumers respond to supply chain attacks.

Career

Your Guide to Starting an Application Security Career
James Chiappetta shares an overview of basic knowledge & resources that will help you get started with an Application Security (AppSec) career. Including: prerequisite knowledge base, tools and live testing resources, blogs and online resources, book list, certifications, and community involvement. Honored to have tl;dr sec called out as one of the resources 🙏 

The Great Tech Salary Crash
By Andre Nader: “2022 is bringing us one of the largest declines in tech compensation in decades.” A significant amount of total compensation across most FAANGs is equity. As their stocks have taken a hit, thus so has employee compensation. Andre shares some interesting stats and figures.

Compensation report: The state of startup compensation, H1 2022
Carta shares some interesting trends on headcount by valuation, head count (and cost) by department, payroll by valuation and size, and more. Key trends:

• Remote hiring soars: In 2019, about 35% of new hires were based in a different state than the primary company headquarters. So far this year it’s 62%.

• Geo-adjusting is the norm: The vast majority of companies (84%) take employee location into account when deciding on compensation packages.

• Engineering is a key hire: Engineering accounts for nearly half of payroll spend in companies valued between $1 and 10 million.

• Terminations rise: Across all of Carta’s platform, involuntary terminations made up 29% of departures in May 2022, almost double the 15% termination share recorded in August of 2021.

A few great tweets and threads:

ElleArmageddon on not pre-rejecting yourself from applying for jobs
Don’t filter yourself out before giving it a chance. Give the hiring teams and panels the opportunity to evaluate you. That’s their job. Even if you think you’re not senior enough, or if you’d have to learn a few things based on the posting, you should still apply.

Misc

How to tie a tie in 10 seconds
Wow, this is pretty neat.

A Bourgeoisie PrimerI
f you like to throw around the terms “bourgeoisie” and “bougie” but aren’t sure exactly what they mean or their history, this primer by Daniel Miessler is quite helpful.

Mathway: Algebra
Solve algebra problems in your browser.

Long thread of DALL-E 2 pictures by Shashank Joshi
I like “Stained glass window of Alan Turing smashing a German Enigma machine with a hammer at Bletchley Park” and “Medieval illuminated manuscript of hackers explaining the Internet to a sceptical crowd in 1969.”

Aphorism

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint