- tl;dr sec
- Posts
- [tl;dr sec] #105 - DevSecOps, Ransomware & S3, Falco Labs
[tl;dr sec] #105 - DevSecOps, Ransomware & S3, Falco Labs
Effectively shifting left, protecting your S3 buckets from ransomware, exercises to learn Falco in your browser.
Hey there,
I hope you’ve been doing well!
Notre Dame
Last weekend I attended a superspreader event my cousin’s wedding at the University of Notre Dame, which is where they met.
My parents also met at Notre Dame, and it was fun going around campus seeing the dorms they used to live in, the pond they used to walk around, and hear stories of the bitter winters. Here’s me in front of the Golden Dome:
Fun fact: Notre Dame has a giant mural called Touchdown Jesus, so called because Jesus is raising his arms in the air and is visible from the football stadium. America!
Work with Me? 🙌
One of my favorite things about tl;dr sec is all of the things I’ve learned from you, dear reader. The posts you’ve written and tools you’ve made have inspired me and make me smarter, so I’d love to work with people from this community.
My security research team at r2c is looking for people passionate about codifying the world’s security domain knowledge into Semgrep rules that can help companies raise their security bar and eliminate classes of vulnerabilities. If you love digging into new technologies, languages and frameworks, grokking the security risks, and then sharing your knowledge via blog posts, talks, and open source contributions, we’d love to chat with you!
What is Semgrep? It’s the open source static analysis tool Snowflake, Slack, Figma, and Dropbox are standardizing their code scanning on. Or as AppSec educator and long time OWASP member Jim Manico described it, “The future of static analysis.”
You can apply here, or respond directly to me, happy to answer questions!
Sponsor
📢 5 Benefits of Detection-as-Code
The “Everything-as-Code” evolution is changing how security teams write, test and harden detections. By adopting universal coding languages like Python, and managing detections through standard CI/CD workflows, security teams can produce high-fidelity alerts tuned to their specific environment. Learn how Panther integrates this approach into a scalable platform for threat detection and response.
We actually use Panther at my company and we’ve enjoyed it so far. It’s nice to be able to easily tune detections and create new ones as they’re in Python, ensure the detections work via unit tests, and not have to manage the infrastructure.
📜 In this newsletter...
AppSec: Risk-based security decision making at Netflix, tool to detect default creds, bypassing required reviews using GitHub Actions
DevSecOps: NIST on microservices with a service mesh, building an end-to-end DevSecOps pipeline on AWS, how to effectively shift left
Web Security: Easily integrate CLI tools with Burp via the Piper extension, XSS challenges
Cloud Security: Analyzing the Twitch leak from a security consultant POV, what to do with an inherited AWS account, visualize CloudFormation stacks, the threat of ransomware to S3 buckets, inside an AWS pricing meeting
Container Security: Context discovery tool for Kubernetes, hands-on Falco labs, k8s RBAC tool, k8s security checklist
Blue Team: osquery 5, now with EndpointSecurity on macOS
Misc: Logging best practices, search open tabs in Chrome, Super Mario 64 on iOS, why airlines need business travel to return
AppSec
Risk-Based Security Decision Making at Netflix
A lot of the cool kids these days are talking about maturing risk discussions from handwavy “I feel like this is probably bad” to more quantitative measures. This talk by Netflix’s Prashanthi Koutha and Shannon Morrison will be FAIRly interesting. H/T Travis McPeak.
ztgrace/changeme
By LARES’s Zach Grace: A tool for detecting default and backdoor credentials. By default scans for HTTP(S) default credentials, but also supports the MSSQL, MySQL, Postgres, SSH, SNMP, MongoDB, and FTP protocols.
Bypassing required reviews using GitHub Actions
Cider Security’s Omer Gil found that a user with write permissions on a repo can create a GitHub Action that uses the GitHub API to approve their own pull request, bypassing required reviewer settings. Because Actions are enabled by default, even if your repo isn’t currently using GitHub Actions, a malicious user could still do this attack.
The caveat here is that the malicious user needs to have write permissions on the repo, which should be a highly trusted user, though they could be compromised.
DevSecOps
DevSecOps for Microservices-based App with Service Mesh
NIST whitepaper discussing 1) a reference platform (e.g. Kubernetes) for implementing DevSecOps primitives, 2) organizational preparedness and key primitives, and 3) implementing the DevSecOps primitives.
Building an end-to-end Kubernetes-based DevSecOps software factory on AWS
AWS’s Srinivas Manepalli describes an architecture using AWS services and mostly open source tools to build a secure software development pipeline that includes finding secrets, SCA, SAST, DAST, RASP, and aggregates vulnerability findings into a single pane of glass.
I see AppSec resumés list accomplishments like:
• Integrated SAST and DAST tools with CI
That’s like, the ultimate DevOpsSec win, right?
No!
Throwing a bunch of tools in CI and generating a bunch of security findings isn’t valuable by itself.
If I see this, I’ll dig in with some questions to see if “shifting left” solved real problems:
• What types of vulnerabilities were you trying to identify?
• How did you deal with false positives?
• How did you help the development team learn how to use the new tools?
• How did you measure and manage how these tools affected development metrics like Commit to Deploy time?
• What was the vulnerability management process to ensure issues got fixed?
• How did you address the backlog of issues from existing code?
In summary - buying and using security products is easy. Identifying and solving security problems is hard. Show you can do the latter.
Web Security
righettod/burp-piper-custom-scripts
Piper is a Burp Suite extension that makes it easy to “pipe” CLI tool functionality into Burp. This repo by Dominique Righetto contains a number of his useful Piper scripts, like extracting web API endpoints, pretty printing JWTs, extracting single page app unsafe patterns, and more.
Training XSS Muscles
33 XSS challenges by Brute Logic, so you can get #XSSwole.
Cloud Security
Victor Grenu analyzes the Twitch leak from an AWS Security Consultant perspective
1442 unique AWS AccountIDs, a lot of in-house security tooling, tech stack used, IAM, InfoSec security maturity, and more.
Inherited AWS Account
Concise, actionable notes by Marco Lancini on Matt Fuller’s excellent post: So You Inherited an AWS Account.
mhlabs/cfn-diagram
CLI tool to visualise CloudFormation/SAM/CDK stacks as visjs networks, draw.io or ascii-art diagrams.
The Threat of Ransomware to S3 Buckets
Ermetic’s Lior Zatlavi describes research they did into the susceptibility of various AWS environments to S3 ransomware. The post does a nice job listing risk factors (risky permission combinations), mitigations (e.g. MFA delete, object locking, bucket versioning), and key findings. Yikes:
In over 45% of environments, we found IAM roles available for third-party use that were allowed to elevate their privileges to admin.
Container Security
kdigger: a Context Discovery Tool for Kubernetes
Quarkslab’s Mahé Tardy has open sourced kdigger, a tool that automates many standard steps when pentesting Kubernetes from inside a pod. He’s also released minik8s-ctf, a beginner-friendly CTF about Kubernetes security.
Falco Hands-on Labs
Learn to use Falco, the runtime container security monitoring tool, via several labs, all in your browser! Labs include: detecting threats such as a container running an interactive shell or an unauthorized process, defining custom rules, and taking automated actions when threats are detected.
alcideio/rbac-tool
A collection of Kubernetes RBAC tools to sugar coat Kubernetes RBAC complexity. Examples include:
Create a RBAC graph of the actively running workload on all namespaces
Analyze RBAC permissions and highlight overly permissive principals, risky permissions
Generate RBAC policy from Kubernetes audit events
Kubernetes Security Checklist and Requirements
A checklist by Vinum Security covering authentication and authorization, secrets, cluster config, auditing and logging, OS config, network security, secure configuration of workloads, and securely building images.
Blue Team
Announcing osquery 5: Now with EndpointSecurity on macOS
Trail of Bits’ Sharvil Shah describes the new osquery release, including the EndpointSecurity process event capturing on macOS they added. When combined with the required entitlements, the EndpointSecurity framework enables user-mode processes to subscribe to events of interest from the macOS kernel in real time, replacing the need for kernel extensions.
Misc
Log after, not before
Separate parameters and messages
Distinguish between WARNING and ERROR
INFO is for business, DEBUG for technology
How to Search Open Tabs on Google Chrome
⌘+shift+A on Chrome lets you not only search open tabs and jump to them, it will also search recently closed tabs. Thanks Isaac Evans for the tip!
Super Mario 64 has been ported to iOS
Christian Kosman is a hero, gentleman, and scholar.
Why airlines need business travel to return
In short, business travelers heavily subsidize economy class travelers. Some groups estimate that somewhere between 19% and 36% of business trips will never return, leading airlines to cut flights, ground more of their fleets, and buy fewer new planes.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint