[tl;dr sec] #166 - 2023 Security Predictions, Vuln Hunting with App Server Logs, Enforcing Device AuthN

Predictions for offense, from security leaders, and AWS, high signal vuln finding from application runtime exceptions, how Pinterest enforces managed and compliant devices in their Okta flow.

Hey there,

I hope you’ve been doing well!

The Economy 😅

Oof, a number of companies are continuing to lay off significant numbers of people.

My thoughts are with everyone who has been affected. Keep your head up, you’re going to land on your feet somewhere awesome, I believe in you.

I’m going to update my open jobs page in the near future, apologies to everyone who sent me new jobs for being a bit slow.

But it’s not just employees who are getting affected, even VCs are:

Fortunately, VCs all have unique insights and value adds, and don’t just happen to have a money gun that they can swing around and be “successful” when they’re right 10% of the time.

Sponsor

 📢 Moving from Spreadsheets to Modern GRC Platforms: What to Know

Using spreadsheets to manage your IT risk or compliance programs? From clunky and disorganized workflows to manual evidence collection and control monitoring, it's time to stop spending hours of time on menial tasks instead of strategic initiatives.

But how does one best prepare for the move to a modern GRC tool? What can be expected in the transition? How long will it take?

Join experts in the security compliance industry as they discuss:

  • 3 important things to understand about the transition

  • How you can best prepare for a smooth transition with your team

  • Why the move is worth it

📜 In this newsletter...

  • Threat Modeling: Open Threat Model, integrating threat modeling with DevOps

  • Web Security: new web proxy tool, give Burp a REST API, blind SQLi tool, GraphQL scraper/extractor

  • AppSec: How Palantir handles FIDO2 with New Hires & Lost Keys, enforcing device AuthN & compliance at Pinterest, threat and vulnerability hunting with application server error logs, scaling continuous security at Revolut

  • Cloud Security: Create refreshable boto3 sessions with Roles Anywhere, Lambda risks, using AWS SCPs for governance at the org level, take automated actions based on GCP Security Command Center findings

  • Container Security: Debug common issues that arise when moving to containers, tool to help secure Knative services

  • Blue Team: Credit card canary tokens

  • Politics / Privacy: TikTok confirms that its own employees can decide what goes viral

  • Predictions for Security in 2023: 3 predictions for offense in 2023, predictions from a security leader panel, predictions from AWS security heads

  • Misc: Tool to ensure source code files have copyright license headers, replace Slack file uploads with Google Drive uploads, just how does Kidz Bop censor songs?

  • Machine Learning: Google plans to demo AI chatbot search, ChatGPT in an iOS Shortcut, CNET sneakily using AI for content creation and it has errors, edit photos via text description

Threat Modeling

iriusrisk/OpenThreatModel
The Open Threat Modeling Format (OTM) defines a platform independent way to define the threat model of any system, by IriusRisk.

Integrating threat modeling with DevOps
Paper by Microsoft with some reflections on how to adopt threat modeling more effectively and efficiently, integrating it with modern DevOps methodologies and tools, and focusing on the value provided to all the various actors involved in the Software Development Lifecycle.

Sponsor

📢 Tailscale, a frustratingly simple VPN

Tailscale is the simple and secure way to build and manage your team’s network.

We handle network configurations on your behalf to navigate firewalls and routers, so you don’t need to hassle with manual configuration or port forwarding. Authenticating is effortless with your current SSO provider, and Tailscale enables roaming so teammates stay connected wherever they go, even if they switch between Wi-Fi and cell networks.

Plus, you can get started in minutes. Just install and authenticate Tailscale on two or more devices, and you’re ready to roll.

Web Security

Caido
A lightweight web security auditing toolkit. Like ZAP or Burp, but written in Rust.

vmware/burp-rest-api
A REST/JSON API for Burp Suite.

CiscoCXSecurity/bbqsql
A blind SQL Injection exploitation tool.

cybervelia/graphicator
By Cybervelia’s Theodoros Danos: A GraphQL “scraper” / extractor. The tool iterates over the introspection document returned by the targeted GraphQL endpoint, and then re-structures the schema in an internal form so it can re-create the supported queries.

AppSec

FIDO2, New Hires & Lost Keys
Palantir’s Chris Dunn and Kimmy Richardson describe how Palantir handles the “chicken and egg” new FIDO2 user problem (Azure TAP codes) and when users lose keys.

Enforcing Device AuthN & Compliance at Pinterest
Pinterest’s Armen Tashjian describes how they’ve enforced the use of managed and compliant devices in their Okta authentication flow, using a passwordless implementation, so that access to their tools always requires a healthy Pinterest device.

Threat and Vulnerability Hunting with Application Server Error Logs
Wix’s Moti Harmats shares a clever approach: monitor specific application runtime exceptions to find exploitable vulnerabilities. For example, “SQL syntax error” means an improperly structured SQL query, which could be caused by an unparameterized SQL query + runtime data affecting it.

Wix applied this approach to several vulnerability classes and found it to be high signal: 100% true positives for XXE and SSTI, and 26% for SQL injection. They set up the monitoring out-of-band to avoid adding runtime overhead (as you would have with a RASP).
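
The approach described above, as an added example (not Wix's code and not from the linked post): an out-of-band pass over application error logs that maps exception text to a vulnerability class per endpoint. The log format, service names and sample lines are constructed, and the signature strings are assumed examples of common driver, XML parser and template engine errors.

```python
import re
from collections import defaultdict

# Assumed signatures: well-known error strings from common drivers, XML parsers
# and template engines. Replace with the exceptions your own stack raises.
SIGNATURES = {
    "sqli": [r"You have an error in your SQL syntax",        # MySQL
             r"syntax error at or near"],                    # PostgreSQL
    "xxe":  [r"was referenced, but not declared"],           # Xerces entity error
    "ssti": [r"jinja2\.exceptions\.TemplateSyntaxError", r"freemarker\.core\.ParseException"],
}
COMPILED = {cls: re.compile("|".join(pats), re.I) for cls, pats in SIGNATURES.items()}

# Triage hint based on the hit rates quoted above (XXE/SSTI 100%, SQLi 26%).
CONFIDENCE = {"xxe": "high", "ssti": "high", "sqli": "needs-triage"}

# Constructed log format: key=value fields followed by a quoted message.
LINE_RE = re.compile(r'^(?P<ts>\S+) svc=(?P<svc>\S+) path=(?P<path>\S+) '
                     r'level=(?P<level>\w+) msg="(?P<msg>.*)"$')

SAMPLE_LOG = """\
2023-01-20T10:00:01Z svc=orders path=/api/orders level=ERROR msg="java.sql.SQLSyntaxErrorException: You have an error in your SQL syntax; check the manual near ''' at line 1"
2023-01-20T10:00:05Z svc=orders path=/api/orders level=ERROR msg="java.sql.SQLSyntaxErrorException: You have an error in your SQL syntax; check the manual near 'OR' at line 1"
2023-01-20T10:01:12Z svc=import path=/api/upload level=ERROR msg="org.xml.sax.SAXParseException: The entity "xxe" was referenced, but not declared."
2023-01-20T10:02:30Z svc=mailer path=/preview level=ERROR msg="jinja2.exceptions.TemplateSyntaxError: unexpected '}'"
2023-01-20T10:03:00Z svc=orders path=/api/orders level=INFO msg="order created"
2023-01-20T10:03:09Z svc=orders path=/api/cart level=ERROR msg="java.net.SocketTimeoutException: Read timed out"
"""

def hunt(log_text):
    """Group matching ERROR lines by (service, path, class) so triage starts at an endpoint."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "ERROR":
            continue  # unparseable or non-error lines are not signals
        for cls, rx in COMPILED.items():
            if rx.search(m["msg"]):
                hits[(m["svc"], m["path"], cls)].append(m["ts"])
                break
    return [{"service": s, "path": p, "class": c, "confidence": CONFIDENCE[c],
             "count": len(ts), "first_seen": min(ts)}
            for (s, p, c), ts in sorted(hits.items())]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```
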

Security Drone: Scaling Continuous Security at Revolut
Revolut’s Krzysztof Pranczk describes how Revolut’s continuous scanning approach evolved to be more effective. They scan every PR, put Security Drone in a Kubernetes cluster to scan code independently of CI/CD pipelines, and use Semgrep for SAST, Snyk for software composition analysis, and Checkov for IaC.

Initially, we used 19 SAST and 63 IaC rules. Only high and critical SCA issues were directly reported to our developers.

We lowered the false positive rate by carefully choosing the SAST solution and continual tuning of rules. We were able to achieve ~3.8% FP rate!

Cloud Security

awslabs/iam-roles-anywhere-session
This package provides an easy way to create a refreshable boto3 Session with AWS Roles Anywhere.

Lambda risks
Rami McCarthy’s notes on the risks and threat model of AWS Lambda, focusing on attack vectors, and not CI/CD concerns like the risks of Lambda Layers.

AWS SCPs - Governance: Setting security controls at the organizational level
2nd Sight Lab’s Teri Radichel walks through how SCPs can help you follow the Don’t Repeat Yourself (DRY) principle, with example policies such as limiting the principals who can deploy/modify SCPs, preventing removal of an account from an organization, and other useful hardening measures.

GoogleCloudPlatform/security-response-automation
Take automated actions on your GCP Security Command Center findings, like:

  • Automatically create disk snapshots to enable forensic investigations.

  • Revoke IAM grants that violate your desired policy.

  • Notify other systems such as PagerDuty, Slack or email.

Container Security

google/containerdbg
An all-in-one CLI tool to help debug Kubernetes containers with common issues that arise when moving to containers as part of legacy application modernization.

Kubernetes Security-Guard
A tool focused on assisting Knative users in securing their deployed services, for example, by monitoring and potentially blocking requests and/or responses to Knative services based on a per-service security configuration.

Blue Team

Swipe right on our new credit card tokens!
Thinkst Canary has released a new canary token type: credit cards. They’ll create a valid credit card (number, expiration, and CVC) for you, and you’ll get notified if it ever gets used.

Politics / Privacy

That the company promotes certain videos, sometimes to enhance relationships with creators and businesses, is no longer just an open secret.

Good thing this Chinese-owned company would never promote or demote videos to advance China’s political agenda, as Chinese companies are totally independent from the Chinese government, and there’d never be US user data accessed from China, and they’d never use the platform to spy on Forbes journalists.

Predictions for Security in 2023

Top 3 Cyber Predictions in 2023 and How You Can Prepare
ForAllSecure’s David Brumley shares his predictions for offense in 2023.

  1. Hackers are going to ransom our cars

  2. Attackers will start creating zero day exploit farms

  3. The OSS “tragedy of the commons” will continue

  1. Cloud security will move beyond CSPM

  2. CI/CD and IaC tools for audit trails and solving other security problems

  3. Attacker monetization strategies will evolve

  4. Radical data breach transparency from CISOs

  5. Security will give up on the user as a line of defense

  • MFA will become pervasive, including increased use of biometrics

  • Increasingly inclusive workforce will address talent gap

  • Collaboration across companies will improve preparedness and incident response

  • Training best practices will inspire action and improve security

    • Individualized, multimodal learning plans that contain a mix of presentations, discussions and hands-on labs

  • Embedded security will become more tangible with IaC

  • Orgs will increase investment and focus on business resiliency

  • Better visibility will improve with purpose-built tools (e.g. data lakes)

  • Cloud security will increase with automated reasoning

  • Security teams will get more serious about quantum-resistant cryptography

Misc

google/addlicense
A program which ensures source code files have copyright license headers by scanning directory patterns recursively.

kpolley/slackurity
By Kyle Polley: When a user is uploading a document to Slack, this Slack bot will ask if they want to upload to Google Drive instead, and do it for them if they say yes.

Just how does Kidz Bop censor songs?
Pudding.cool asking the important questions.

Machine Learning

Google plans to demo AI chatbot search as it panics about ChatGPT
Article title is a bit alarmist, but Google founders Larry Page and Sergey Brin have gotten a bit more involved, and Google plans to launch over 20 AI products this year, including a demo of its own search chatbot.

In the past, Google has said it’s avoided launching certain AI products because of the potential “reputational damage.”

An interesting example of the relative advantages/disadvantages of being a start-up (e.g. OpenAI) and being OK with being wrong.

ChatGPT in an iOS Shortcut — Worlds Smartest HomeKit Voice Assistant
How to create an iOS shortcut that uses GPT-3 to interpret your voice command and then send intelligent commands to your smart home devices. Nice example of a detailed prompt that returns output as structured JSON. It can do smart things like, turn on the lights when you say:

Just noticed that I’m recording this video in the dark in the office. Can you do something about that?

CNET’s Article-Writing AI Is Already Publishing Very Dumb Errors
CNET had been quietly publishing articles generated by an unspecified “AI engine.” The fact that CNET never publicly announced the program, and that the disclosure that the posts were bot-written was hidden away behind a human-sounding byline — “CNET Money Staff” — made it feel as though the outlet was trying to camouflage the provocative initiative from scrutiny.

It’s worth pointing out, as Platformer’s Casey Newton did this week, that CNET’s AI-generated finance articles arguably only exist in the first place because they’re trying to manipulate Google’s algorithm for profit. Countless better explanations of compound interest already exist; CNET’s strategy is simply to publish large volumes of cheaply produced text, carefully optimized to float to the top of search results, in a bid to capture the monetizable eyeballs of the financially curious.

“Over time, we should expect more consumer websites to feature this kind of ‘gray’ material: good-enough AI writing, lightly reviewed (but not always) by human editors, will take over as much of digital publishing as readers will tolerate,” Newton wrote. “The quiet spread of AI kudzu vines across CNET is a grim development for journalism, as more of the work once reserved for entry-level writers building their resumes is swiftly automated away.”

brycedrennan/imaginAIry
Tell AI how to update photos via a text description. Make a “photo of a fruit bowl” and “portrait photo of a freckled woman,” now “replace the fruit with strawberries” and “make her a cyborg.”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint