[tl;dr sec] #101 - Securing Netflix at Scale, AWS PrivEsc Playground, Career Advice
How to build security tooling developers love, a playground to practice privilege escalation in AWS, career advice from @lcamtuf and Corey Quinn.
I hope you’ve been doing well!
Feelings without a Name
Sometimes you might feel a light sadness, like something is slightly amiss, but not know how to put your feelings into words.
Enter: The Dictionary of Obscure Sorrows, full of definitions for those hyper specific feelings you may not have known how to describe.
Feel free to use one of these to impress your family over Thanksgiving, or make your date think you’re pretentious cool.
This one really resonated with me:
📢 Top 4 Cloud Security Pitfalls
As teams move to the cloud and adopt managed services, it's important to consider the security implications so cloud native architectures adhere to best practices and minimize risks. This free report identifies the four most common critical misconfigurations in cloud native architectures and steps you can take to programmatically mitigate these risks without disrupting development.
📜 In this newsletter...
AppSec: Determining code owners at scale, comparing GitOps tools
Mobile Security: CLI tool to download Android apps, iOS pentesting 101
Cloud Security: AWS IAM privilege escalation playground, mistakes I've made in AWS, Security Hub automated response and remediation playbooks
Career: @lcamtuf on building a career in infosec, Corey Quinn on switching jobs
Container Security: Managing Kubernetes seccomp profiles, a k8s engineer's guide to mTLS
Blue Team: Phishing kit scanner, how Elastic uses Elastic for detection and response
Red Team: Black Hat Rust book
Politics / Privacy: Pfizer's 'variant hunters,' the downsides of Silicon Valley's optimization mindset
Misc: Good movies to watch on streaming platforms, how to make a Netflix documentary, renting various parts of your house-as-a-Service, process vs risk people
Securing Netflix Studios At Scale: How to scale security and increase developer productivity via a common gateway service
Can The Real Codeowners Please Stand Up? Code Provenance at Scale
Twilio’s Laxman Eppalagudem describes how Twilio uses an about.yaml file in repos to determine which team “owns” the code (super useful when there’s an urgent vulnerability to be fixed), and they’ve released a GitHub App, Gordon, that enforces and validates about.yaml contents.
I know a handful of companies who’ve each custom built something like this. It’d be interesting to see whether some consensus gradually emerges around “this is how one should handle code ownership at scale.”
Automation assistants: GitOps tools in comparison
Cloudogu’s Johannes Schnatterer and Philipp Markiewka compare a number of GitOps tools for Kubernetes, secrets management, and more, and do a deeper dive on ArgoCD vs Flux v2.
Introducing “apkeep,” EFF Threat Lab’s new APK Downloader
New CLI tool by the EFF to enable easily downloading APKs from Google Play or third party markets.
IAM Vulnerable - An AWS IAM Privilege Escalation Playground
Bishop Fox’s Seth Art has released a playground of 30+ exercises for practicing different privilege escalation techniques, easily deployable in your AWS account via Terraform.
An add-on solution that enables AWS Security Hub customers to remediate security findings with a single click using predefined response and remediation actions called “Playbooks”. Contains playbook remediations for some of the security standards defined as part of CIS AWS Foundations Benchmark v1.2.0 and for AWS Foundational Security Best Practices v1.0.0.
Managing Kubernetes seccomp profiles with security profiles operator
Seccomp allows you to limit the syscalls a process can make, reducing its attack surface. In this post, Lachlan Evenson describes how Kubernetes admins can use the security profiles operator to ease creating and managing seccomp profiles for their cluster, including how to monitor a pod and automatically create a seccomp profile for it based on its behavior. Neat!
A Kubernetes engineer’s guide to mTLS
This guide by Buoyant’s William Morgan is probably one of the better overviews of mTLS in general - when it’s useful, what it gets you, why it’s hard, etc. The post concludes with how to easily add mTLS to your Kubernetes cluster in 5 minutes using Linkerd.
Elastic on Elastic: Deep dive into our SIEM architecture
Elastic’s Aaron Jewitt describes how Elastic’s detection and analytics team uses Elastic to secure their company, including storing different types of data in different clusters, cross cluster search, and more.
Black Hat Rust
Upcoming book by Sylvain Kerkour covering topics like reconnaissance (multi-threaded attack surface discovery), exploitation (writing shellcode in Rust), building a modern RAT in Rust, and more.
Politics / Privacy
Pfizer ‘variant hunters’ race to stay ahead of the Covid-19 pandemic
Some neat insight into the Pfizer team tracking variants and vaccine effectiveness.
Silicon Valley’s Optimization Mindset Sets Us Up for Failure
Tech companies tend to prioritize metrics that can be easily measured, like clicks, screen time, etc., while other admirable goals, like increasing human flourishing or promoting freedom or equality, are not easily measured.
A Good Movie to Watch
Find great movies to watch on various streaming platforms.
You Can Make a Netflix Style Doco About Literally Anything
Using a handful of the right equipment and stylistic choices.
The Rise of a Different Work-from-Home
a16z’s Jeff Jordan argues that many houses have assets that are poorly utilized, and that we’ll see more of these rented out via the sharing economy in the future.
An absolutely excellent post about how the Netflix Studios team scaled security and increased developer productivity by partnering with the Cloud Gateway team to embed strong authentication and other security wins into a common gateway service.
The post contains some great discussion about the thought process and approach that went into it, and how to get widespread organic developer adoption of security tooling without being able to mandate it.
If you’re interested in being a modern security team that “builds,” empowers developers, and truly scales security, consider this post a must read.
Here are some quotes I particularly liked:
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate it if you'd forward it to them 🙏
Thanks for reading!