[tl;dr sec] #149 - Incident Response in AWS, CISA's Supply Chain Security Guidance, Recon

How to prep for and handle an incident in AWS well, detailed PDF guide by NSA and CISA on software supply chain security, various OSINT and recon tools.

Hey there,

I hope you’ve been doing well!

Vienna 2022

This week has been a continuous montage, between giving a two day Semgrep training with my bud Claudio Merloni, to a talk at sec4dev, to finishing this newsletter right after 😅

Here’s Claudio and I, ten hours in to continuously prepping for the workshop:

I did manage to take at least one quick break though to get some delicious wiener schnitzel:

I don’t know how they do it, but it’s so crispy and fairly light actually. Would recommend 😍

Sponsor

📢 The Software Supply Chain Security Checklist

Learn 7 best practices for protecting your components and pipelines from attack in this step-by-step guide. You’ll get research on common security risks at each layer of your software supply chain and security best practices so you can quickly identify, prioritize, and address risks to prevent supply chain breaches.

If you want to better understand how to secure your software supply chain components such as open source packages, IaC templates, and the underlying delivery pipelines, this checklist is for you!

📜 In this newsletter...

  • AppSec: SPF deep dive and unexpected behavior, Elixir secure coding training

  • Web Security: Burp extension for AWS SigV4 signing, an intro to SAML and SAML security

  • Supply Chain: GitHub Action that can generate provenance documents for projects in any programming language, software supply chain guidance for developers from NSA and CISA, reflections on that doc

  • Cloud Security: Honest recap and summary of fwd:cloudsec and re:Inforce, incident response in AWS, interview with AWS CISO

  • Container Security: A blind spot many scanners have with popular Docker images, an interactive debugger for Dockerfiles, Dockerfile security best practices with Semgrep, implementing a quarantine pattern for container images

  • OSINT / Recon: Recon and vulnerability scanning automation with Trickest and GitHub, the ultimate wordlist tool, building your own historical DNS solution with DNSx, Golang implementation of Wappalyzer technology detection, tool to gather info about a domain or FQDN

  • Misc: Zelda Breath of the Wild Street View, time till open source alternative, announcing the Trail of Bits podcast

AppSec

The Sender Policy Framework (SPF)
Jan Schaumann does a deep dive on SPF, and how it doesn’t work how you’d expect.

podium/elixir-secure-coding
An interactive cybersecurity curriculum designed for enterprise use at software companies using Elixir, by Podium’s Holden Oullette. The curriculum is broken into the following 8 primary topics: OWASP Top 10, secure SDLC, GraphQL security, Elixir security, cookie security, security anti-patterns, CI/CD tooling, the secure road.

Web Security

NetSPI/AWSSigner
A Burp extension for AWS SigV4 signing, by NetSPI.

SAML: An Introduction to SAML and its security
Ruxmon 2022 talk by PentesterLab’s Louis Nyffenegger covering how SAML works and various attacks, including XXE, XML signature shenanigans, malicious identity providers, etc.

Supply Chain

General availability of SLSA3 Generic Generator for GitHub Actions
There is now a SLSA3 Generic Generator that can generate provenance documents for projects developed in any programming language, while keeping your existing build workflows.

A number of popular projects are always using it, meaning you can download artifacts (zip, binaries, etc.) from these projects and verify that the expected workflow was used to build the source code, without any modifications.

NSA, CISA, ODNI Release Software Supply Chain Guidance for Developers
New 64 page PDF covering developing secure code, verifying third-party components, hardening build environments, and delivering code securely.

Securing the Software Supply Chain
Chris Hughes discusses the above software supply chain security guidance from NSA and CISA, its various sections, and its overarching takeaways.

Cloud Security

An honest recap of fwd:cloudsec and AWS re:Inforce 2022
Resmo’s Mustafa Akın provides a nice summary of several fwd:cloudsec talks as well as a number of re:Inforce announcements.

Incident Response in AWS
Post and slides by Chris Farris on prep to do before an incident so you can respond well, building detections, investigations, containment, and eradication.

CJ Moses might be the CISO of AWS, but service leaders own their own security
Interesting interview with AWS’s CJ Moses covering topics including:

  • What are your duties as CISO?

  • What is AWS’ security strategy?

  • What’s the biggest threat to cloud security right now and how do you stay ahead of all these bad actors?

  • What are the biggest security mistakes that you see enterprise customers repeating?

“Service leaders are responsible for the profit/loss, success/failure and, most of all, the security,” said CJ Moses, AWS’ chief information security officer (CISO) since January. “There are no excuses or finger pointing, so leaders don’t leave security success to chance, but rather actively own it.”

The focus going forward is to be able to establish more and more guardrails. The ability to block all your S3 buckets from not being able to be accessed from the internet is a good example of one of those controls. And as we go forward, you’ll see more and more capabilities like that that you can add from an executive governance level that’ll allow those guardrails to be in place to allow customers to be able to have their developers have that ability to be free and do the innovation that they need to do while also putting the controls in place across the board.

Sponsor

📢 How to slash the time of mobile app penetration testing by up to 50%!

Mobile pentesting, emulators and clouds don’t mix. You need the fidelity and environment that only a physical phone can provide. Until now. Only Corellium offers an Arm-native virtual device platform for iOS and Android that enables powerful pentesting in half the time - in the cloud or fully onsite.

With Corellium, you can spin-up near limitless device and OS combinations, with full root access, even the latest iOS, with no jailbreak required. And you can save more time by automating file, app, and script installation and execution through a powerful API.

Container Security

Dan Lorenc on a blind spot many scanners have with popular Docker images
tl;dr: Many Docker images manually install a specific version of a language like NodeJS using a custom script instead of an official Debian NodeJS package. This could lead to failing to report many open CVEs.

ktock/buildg
An interactive debugger for Dockerfiles, with support for IDEs (VS Code, Emacs, Neovim, etc.), by Kohei Tokunaga. Source-level inspection, breakpoints and step execution, interactive shell, supports rootless containers.

Dockerfile Security Best Practices with Semgrep
Kondukto’s Cenk Kalpakoğlu describes how to customize and use Dockerfile best practices for your organization using Semgrep. Practices covered include:

  • Enforcing a “custom” distroless image.

  • Using rootless containers.

  • App user control (last user must be the “app” user).

  • Check health check instructions.

  • Using a multistage build.

Implementing Quarantine Pattern for Container Images
Agitare Tech’s Toddy Mladenov describes a “quarantine pattern” for container images that prevents an image from being used unless certain conditions are met.

OSINT / Recon

Recon and Vulnerability Scanner via Trickest and GitHub
Trickest’s Mohammed Diaa describes how to structure a GitHub repo and set up a GitHub Action so you can push nuclei templates and root domains to the repository and have it automatically kick off recon and vulnerability scanning.

d4rckh/gorilla
A tool for generating wordlists or extending an existing one using mutations, by @d4rckh. It can build wordlists based on: patterns, common password or username formats, words from scraping a web page, or extending existing wordlists using mutations.

Building Your Own Historical DNS Solution with DNSx
Ben Bidmead describes how to modify the pdiscovery-bot to build an efficient and simple-to-modify DNS tracking system that will continuously enumerate domains and then alert you on the existence of new domains, using all Project Discovery tools.

projectdiscovery/wappalyzergo
A high performance Golang implementation of the Wappalyzer Technology Detection Library, by ProjectDiscovery.

pirxthepilot/wtfis
A passive host and domain name lookup tool by Joon that gathers info about a domain or FQDN using various OSINT services and outputs it in a human-friendly, readable way. Leverages VirusTotal, PassiveTotal, IPWhois, and Shodan.

Misc

Zelda Breath of The Wild Street View
Google maps’ street view meets Zelda Breath of The Wild.

Time Till Open Source Alternative
An informal look at the length of time between a proprietary piece of software being released in an area and an open source alternative.

Announcing the new Trail of Bits podcast
The first five-episode season of the new Trail of Bits podcast is out, by Trail of Bits’s Dan Guido, Nick Selby, and many more. Episodes on: Zero Knowledge Proofs, are blockchains really decentralized?, intern spotlight, third-party dependency security (it-depends), and what we can learn about the future of security from companies building high assurance software that the rest of the industry may see in 18 to 24 months.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint