• tl;dr sec
  • Posts
  • [tl;dr sec] #101 - Securing Netflix at Scale, AWS PrivEsc Playground, Career Advice

[tl;dr sec] #101 - Securing Netflix at Scale, AWS PrivEsc Playground, Career Advice

How to build security tooling developers love, a playground to practice privilege escalation in AWS, career advice from @lcamtuf and Corey Quinn.

Hey there,

I hope you’ve been doing well!

Feelings without a Name

Sometimes you might feel a light sadness, like something is slightly amiss, but not know how to put your feelings into words.

Enter: The Dictionary of Obscure Sorrows, full of definitions for those hyper specific feelings you may not have known how to describe.

Feel free to use one of these to impress your family over Thanksgiving, or make your date think you’re pretentious cool.

This one really resonated with me:

Sponsor

📢 Top 4 Cloud Security Pitfalls

As teams move to the cloud and adopt managed services, it's important to consider the security implications so cloud native architectures adhere to best practices and minimize risks. This free report identifies the four most common critical misconfigurations in cloud native architectures and steps you can take to programmatically mitigate these risks without disrupting development.

📜 In this newsletter...

  • AppSec: Determining code owners at scale, comparing GitOps tools

  • Mobile Security: CLI tool to download Android apps, iOS pentesting 101

  • Cloud Security: AWS IAM privilege escalation playground, mistakes I've made in AWS, Security Hub automated response and remediation playbooks

  • Career: @lcamtuf on building a career in infosec, Corey Quinn on switching jobs

  • Container Security: Managing Kubernetes seccomp profiles, a k8s engineer's guide to mTLS

  • Blue Team: Phishing kit scanner, how Elastic uses Elastic for detection and response

  • Red Team: Black Hat Rust book

  • Politics / Privacy: Pfizer's 'variant hunters,' the downsides of Silicon Valley's optimization mindset

  • Misc: Good movies to watch on streaming platforms, how to make a Netflix documentary, renting various parts of your house-as-a-Service, process vs risk people

  • Securing Netflix Studios At Scale: How to scale security and increase developer productivity via a common gateway service

AppSec

Can The Real Codeowners Please Stand Up? Code Provenance at Scale
Twilio’s Laxman Eppalagudem describes how Twilio uses an about.yaml file in repos to determine which team “owns” the code (super useful when there’s an urgent vulnerability to be fixed), and they’ve released a GitHub App, Gordon, that enforces and validates about.yaml contents.

I know a handful of companies who’ve each custom built something like this. It’d be interesting to see if there gradually becomes some consensus around “this is how one should handle code ownership at scale.”

Automation assistants: GitOps tools in comparison
Cloudogu’s Johannes Schnatterer and Philipp Markiewka compare a number of GitOps tools for Kubernetes, secrets management, and more, and do a deeper dive on ArgoCD vs Flux v2.

Mobile Security

Introducing “apkeep,” EFF Threat Lab’s new APK Downloader
New CLI tool by the EFF to enable easily downloading APKs from Google Play or third party markets.

iOS Pentesting 101
Nice overview by Ninad Mathpati, covering vulnerable iOS apps to practice on, tools, methodology, bypassing SSL pinning, jailbreak detection, common issues, and more.

Cloud Security

IAM Vulnerable - An AWS IAM Privilege Escalation Playground
Bishop Fox’s Seth Art has released a playground of 30+ exercises for practicing different privilege escalation techniques, easily deployable in your AWS account via Terraform. Source code 

Mistakes I’ve Made in AWS
Performance and pricing tips from Chris Fidao: CPU credits, using cheaper servers, IO operations per second (IOPS), metrics to watch, and more.

awslabs/aws-security-hub-automated-response-and-remediation
An add-on solution that enables AWS Security Hub customers to remediate security findings with a single click using predefined response and remediation actions called “Playbooks”. Contains playbook remediations for some of the security standards defined as part of CIS AWS Foundations Benchmark v1.2.0 and for AWS Foundational Security Best Practices v1.0.0.

Career

Container Security

Managing Kubernetes seccomp profiles with security profiles operator
Seccomp allows you to limit the syscalls a process can make, limiting its attack surface. In this post, Lachlan Evenson describes how Kubernetes admins can use the security profiles operator to ease creating and managing seccomp profiles for your cluster, including how to monitor a pod and automatically create a seccomp profile for it based on its behavior. Neat!

A Kubernetes engineer’s guide to mTLS
This guide by Buoyant’s William Morgan is probably of the better overviews of mTLS in general - when it’s useful, what it gets you, why it’s hard, etc. The post concludes with how to easily add mTLS to your Kubernetes cluster in 5 minutes using Linkerd.

Blue Team

SteveD3/kit_hunter
A basic phishing kit scanner that will search directories and locate phishing kits based on established markers, by Steve Ragan.

Elastic on Elastic: Deep dive into our SIEM architecture
Elastic’s Aaron Jewitt how Elastic’s detection and analytics team uses Elastic to secure their company, including storing different types of data in different clusters, cross cluster search, and more.

Red Team

Black Hat Rust
Upcoming book by Sylvain Kerkour covering topics like reconnaissance (multi-threaded attack surface discovery), exploitation (writing shellcode in Rust), building a modern RAT in Rust, and more.

Politics / Privacy

Pfizer ‘variant hunters’ race to stay ahead of the Covid-19 pandemic
Some neat insight into the Pfizer team tracking variants and vaccine effectiveness.

Silicon Valley’s Optimization Mindset Sets Us Up for Failure
Tech companies tend to prioritize metrics that can be easily measured, like clicks, screen time, etc., while other admirable goals like increasing human flourishing or promoting freedom or equality are not.

The desire to optimize can favor some values over others. And the choice of which values to favor, and which to sacrifice, are made by the optimizers who then impose those values on the rest of us when their creations reach great scale.

For example, consider that Facebook’s decisions about how content gets moderated or who loses their accounts are the rules of expression for more than three billion people on the platform.

The small and anomalous group of human beings at these companies create, tweak, and optimize technology based on their notions of how it ought to be better. Their vision and their values about technology are remaking our individual lives and societies. As a result, the problems with the optimization mindset have become our problems, too.

Misc

A Good Movie to Watch
Find great movies to watch on various streaming platforms.

You Can Make a Netflix Style Doco About Literally Anything
Using a handful of the right equipment and stylistic choices.

The Rise of a Different Work-from-Home
a16z’s Jeff Jordan argues that many houses have assets that are poorly utilized, and that we’ll see more of these rented out via the sharing economy in the future.

An absolutely excellent post about how the Netflix Studios team scaled security and increased developer productivity by partnering with the Cloud Gateway team to embed strong authentication and other security wins into a common gateway service.

The post contains some great discussion about the thought process and approach that went into it, and how to get widespread organic developer adoption of security tooling without being able to mandate it.

If you’re interested in being a modern security team that “builds,” empowers developers, and truly scales security, consider this post a must read.

Here are some quotes I particularly liked:

Overall, we cannot overstate the value of organizationally committing to a single paved road product to handle these kinds of concerns.

The difference between 2–4 “right-ish” ways and a single paved road one is powerful.

If you can do one thing to manage a large product security portfolio, do bulletproof authentication; preferably as a property of the architecture.

“Productizing” a capability (eg: clearly articulated; defined value proposition; branded; measured), even for internal tools, is useful to drive adoption and find further value.

Hitch the security wagon to developer productivity.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint