[tl;dr sec] #152 - Infra as Code Security, Linux Distro for Supply Chain Security, CI/CD Security

Hey there,

I hope you’ve been doing well!

Peer Review

Code reviews are an important part of software development.

They’re a great way to learn, improve your code, and reduce single points of failure by spreading context across the team.

But sometimes they can be frustrating.

I hope you’ve been having a smooth and productive week, and that this bumper sticker doesn’t resonate with you.

Conferences

USENIX Best Papers
List of USENIX best papers across security, SOUPS, OSDI, NSDI, and more.

Hitcon 2022 Videos
Taiwan’s leading cybersecurity conference. Some talks that sound interesting:

• Taming the Chaos of Supply Chain Security Risks with MITRE’s System of Trust™

• A New Trend for the Blue Team - Using a Practical Symbolic Engine to Detect Evasive Forms of Malware/Ransomware

• CRAX++: Modular Exploit Generator using Dynamic Symbolic Execution

• Pain Pickle: Systemically bypassing restricted unpickle

• Every authorization has its black: tackling privilege escalation in macOS

Web Security

stark0de/nginxpwner
Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities, by Daniel Peso.

How to secure against Forced Browsing
Information disclosure via forced browsing is when you can find sensitive data (such as credentials or secret keys) in a file not referenced by the application. These are generally found using content discovery tools like fuzzers. rez0 describes a process of enumerating files and routes on the web server and then automatically, continuously testing if they’re externally visible.

YubiKey

bulwarkid/virtual-fido
A virtual USB device that implements the FIDO2/U2F protocol (like a YubiKey) to support 2FA and WebAuthN.

Relaying YubiKeys
By @Cube0x0.

CI/CD

rhysd/actionlint
Static checker for GitHub Actions workflow files, by @Linda_pp.

Analyzing the GitHub marketplace - Dependency security is a big issue
Rob Bos crawled ~10.5K GitHub Actions from the official marketplace, shares some overall composition stats, and as you’d expect, Dependabot reports a number of High and Critical issues from NPM packages alone in about 1/3 of the Actions. It’s unclear how much any of these are actually exploitable though.

How we Abused Repository Webhooks to Access Internal CI Systems at Scale
Some clever work by Cider Security’s Omer Gil and Asi Greenholts. In short: organizations take multiple measures to protect and limit access to self-hosted CI systems (like Jenkins), including restricting inbound IPs to SaaS SCM vendors’ (e.g. GitHub, GitLab) webhook services. However, this is a false sense of security, as any attacker can leverage SCM webhook infrastructure to send traffic to internal CI systems and conduct malicious activities which range from obtaining valid CI credentials to running exploits (e.g. using known Jenkins CVEs).

Vulnerable GitHub Actions Workflows Part 1: Privilege Escalation Inside Your CI/CD Pipeline
Legit Security’s (epic name) Noam Dotan walks through the risks of using the workflow_run GitHub trigger with concrete examples, and in part 2 Noam demonstrates how a minor bug in a custom popular GitHub action could potentially lead to privilege escalation inside your CI/CD pipeline.

Supply Chain

There is no “software supply chain”
iliana etaoin argues that third party dependencies are not in fact a “software supply chain,” because no money is exchanging hands.

Introducing Wolfi – the first Linux (Un)distro designed for securing the software supply chain
Chainguard’s Dan Lorenc describes Wolfi, the first community Linux (un)distribution built with default security measures for the software supply chain. Key features: a high-quality, build-time SBOM for all packages, packages are designed to be granular and independent to support minimal images, uses apk, fully declarative and reproducible build system, designed to support glibc and musl.

Also, Chainguard Images, now powered by Wolfi, are a suite of distroless images that provide support for both musl and glibc. By distroless, they mean they are minimal to the point of not even having a package manager (such as apt or apk)– simplifies auditing and updating images, and reduces attack surface.

Cloud Security

The Many Ways to Manage Access to an EC2 Instance
By Sym’s Mathew Pregasen. Options: EC2 key pairs, SSH access via 3rd-party tools, SSH access via IAM policies, eliminate direct access via GitOps (SSM’s Run Command), and temporary or JIT access.

zoph-io/aws-security-survival-kit
Victor Grenu helps you set up minimal alerting on typical suspicious activities on your AWS Account. Using this kit, you will deploy CloudWatch EventRules and CW alarms on:

1. Root User activities

2. CloudTrail changes

3. AWS Personal Health Events

4. IAM Users changes

5. MFA updates

6. Unauthorized Operations

7. Failed AWS Console login authentication

AWS services, explained in Victorian English
By GPT-3 and @thesephist. How all companies should describe their products 🤣

Six years of giving Black Hat trainings?! Nice. #goalz

Infrastructure as Code

How DoorDash Ensures Velocity and Reliability through Policy Automation
How DoorDash leverages OPA to build policy-based guardrails with codified rules that ensure velocity and reliability for cloud infrastructure automated deployments.

When a GitHub pull request is created, Atlantis runs a Terraform plan and passes the plan file to Conftest, which then pulls custom policies written in Rego from an AWS S3 bucket, evaluates the OPA policy based on the Terraform plan, then comments the output to the PR — all in a single action.

A Guide to Improving Security Through Infrastructure-as-Code
Epic post by NCC Group’s Viktor Gazdag with almost 90 references. Viktor shares a guide on how to integrate security into infrastructure as a code and shows how these security checks and gates, tools and procedures secure the infrastructure by mentioning free and/or open-source tools.

Container Security

edgelesssys/constellation
By Edgeless Systems: A Kubernetes engine that aims to provide the best possible data security by wrapping your K8s cluster into a single confidential context that is shielded from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory.

What’s Inside Of a Distroless Container Image: Taking a Deeper Look
Ivan Velichko walks through the challenges in building a minimal container image from scratch, the difference between a container built from a distroless base and a container built from scratch, and more.

Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite
By NCC Group’s Liyun Li: Scout Suite can now scan Kubernetes clusters in addition to cloud environments. It currently has a base subset of rules, including CIS Benchmarks rules, and core integrations for building out futher Kubernetes security analyses.

Politics / Privacy

Serverless Ad Blocking with Cloudflare Gateway
Super cool 👍 Marco Lancini describes a serverless approach to Pi-hole like ad blocking using Cloudflare’s Gateway and WARP. Benefits: no server to maintain, no performance impact, and ad blocking is not tied to a single network: he can switch to a mobile network on his phone and still maintain the protection of the filters enforced by Cloudflare Gateway.

Misc

5f0ne/pdf-examiner
Provides an overview of the inner file structure of a PDF and extracts /URI and /JS data.

araekiel/jot
A feature-stripped version of Obsidian focused on rapid note management through the terminal. It uses the same format of storage as Obsidian, i.e. markdown files for notes, and local folders for vaults (and sub-folders).

10 things Matt Yanchyshyn learned from 10 years at AWS

Rachel Syme on staying curious

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint