[tl;dr sec] #108 - How SolarWinds is Securing their Supply Chain, Cloud Security Tooling, Risk-base
What SolarWinds did after the attack their new high assurance build system, how to succeed as the only cloud security practitioner in your company, how Netflix uses risk to make informed decisions.
I hope you’ve been doing well!
Happy Halloween! 🎃 I hope you had a festive and fun weekend.
I mostly just stayed in, relaxed, and watched Dune with a few friends.
I wanted to share how I spent my weekend, because TV, movies, and pop culture can set pretty high expectations.
On your birthday, you should be surrounded by a huge crowd of friends.
On Thanksgiving, you should have an Instagram-worthy food spread.
And if you don’t personally trample at least 3 people trying to get a slightly bigger TV on Black Friday, then something must be wrong with you.
It can feel hard to live up to these expectations sometimes.
You might find yourself thinking, “Am I having enough fun?” Or “I only have a few friends here 😥”
But you’re doing just fine. I think you’re great 😀 You’re enough. Right now.
Alright, enough talk of emotions (ew!), gimme a high fructose crypto meme to get me back on that sweet, sweet emotional sugar high:
📢 Simplify complex security analysis with graph data modeling
Similar to security, the mind is like a web of complex connections and classifications.
So why do 73% of organizations still rely on spreadsheets as a tool for their security hygiene and posture? That doesn't scale.
There’s a better way.
Listen to this talk on how data modeling like a mind map - a graph model - helps teams simplify complex security analysis and answer questions with rich visibility.
📜 In this newsletter...
AppSec: Risk-based security decision making, minimum viable secure product, changing source code logic via subtle control characters, hands-on intro to Semgrep's autofix, a serverless PKI framework, guiding AppSec principles
Supply Chain: How SolarWinds is hardening their supply chain
Web Security: Improvements to Burp's authenticated scanning, testing apps that use protobuf
Cloud Security: Using AWS SSO with GSuite as an IdP, an AWS enumeration and footprinting tool, cloud security tooling for the sole practitioner
Container Security: Service mesh for API visibility, abusing registries for exfil and droppers
Hardware: MITRE's 2021 most important hardware weaknesses
Network Security: eBPF-based tool for tracing network packets in the Linux kernel
Red Team: Exploiting an ARM-only race condition
Politics: Perspectives form Wang Huning, the man behind many of Xi Jinping's policies
Misc: Microservices comedy sketch, the fundamentals of piano practice, the economics of pumpkin patches
Minimum Viable Secure Product
A minimalistic security checklist for B2B software and business process outsourcing suppliers. It lists business, application design, application implementation, and operational security controls.
‘Trojan Source’ Bug Threatens the Security of All Code
A Hands-On Intro to Semgrep’s Autofix
EA’s Parsia Hakimian presents hands-on examples of using Semgrep’s autofix feature to address CBC padding oracles, ensuring security-related cookie flags are set (HttpOnly and Secure) in Java and Golang, ensuring the right templating library is used so that output encoding is done in Golang, and more.
Meet Ottr: A Serverless Public Key Infrastructure Framework
Airbnb’s Kenneth Yang describes Ottr, a serverless Public Key Infrastructure framework that handles end-to-end certificate rotations without the use of an agent.
Travis McPeak on the Guiding Principle of AppSec at Databricks
This is the way ✊
Project Trebuchet: How SolarWinds is Using Open Source to Secure Their Supply Chain in the Wake of the Sunburst Hack
Cloud Native Computing Foundation (CNCF) talk by Trevor Rosen on the SolarWinds hack, what they did after discovery, and an in-depth discussion of the new high assurance build system they’ve been developing that uses a number of CNCF and CDF projects.
Improvements to Burp Suite authenticated scanning
Portswigger’s Matt Atkinson describes improvements that allow Burp Suite to better scan privileged areas of target web applications, even when a complex login sequence is required. Improvements across iframes, animated elements, DOM-based redirections, SVG elements, and multi-select.
Tortellini in Brodobuf
How to decode and deserialize Google Protobuf data and an example of exploiting SQL injection using a custom SQLmap tamper script to automate the process. By Advanced Persistent Tortellini, an Italian hacker collective, who is now one of my favoritely named security groups.
AWS SSO Tutorial with Google Workspace (Gsuite) as an IdP Step-by-Step
Detailed walkthrough by Cloud Query’s Mike Elsmore on how to use G Suite as an identity provider for AWS SSO. Benefits of this approach: no need to manage AWS IAM creds, 2FA is already managed by your IdP (G Suite), when users join or leave your org, you only have to make changes in one place.
Introducing Quiet Riot: A Scalable AWS Enumeration and Footprinting Tool
New tool by Wes Ladd that does unauthenticated enumeration and footprinting of AWS Account IDs, roles, users, services in use (via existing service linked role names) across AWS.
Cloud Security Tooling for the Sole Practitioner
Are you the only person doing cloud security at your company? Salesforce’s Kinnaird McQuade joins Nikki Becher and Shinesa Cambric on the OWASP DevSlop podcast to help you navigate where to start, what to prioritize, and how to build out your own “lean but mean” cloud security toolkit. Slides, useful links to learn more, and a purposefully vulnerable repo to practice on.
An open source cloud native visibility tool for APIs, utilizing a Service Mesh framework to capture and analyze API traffic. APIClarity can compare OpenAPI specs to traffic observed at runtime: detect undocumented APIs and deprecated API use. For apps that don’t have an OpenAPI spec, autogenerate one based on your live environment.
Abusing Registries For Exfil And Droppers
Awesome post by Snowflake’s Mark Manning on sneakily abusing container registries. Key take-aways: registries are trusted endpoints, and thus useful for exfiltration and post-exploitation, and it’s easy to make a malicious file look like a legitimate image layer.
Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
On-Chip Debug and Test Interface With Improper Access Control
Improper Prevention of Lock Bit Modification
cilium/pwru: Packet, where are you?
By Cilium: “An eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities. It allows fine-grained introspection of kernel state to facilitate debugging network connectivity issues.”
This bug doesn’t exist on x86: Exploiting an ARM-only race condition
By Stephen Tong: How to exploit a double free vulnerability in 2021. ‘Use After Free for Dummies.’
The Triumph and Terror of Wang Huning
Fascinating article on Wang Huning, the former academic behind many of Xi Jinping’s policies. When he was younger, Wang admired the U.S., but when he visited, he found:
Wang has observed the same individualism and erosion of cultural values in China, hence the crackdowns on celebrities living lavish lifestyles, massive fines to monopolistic tech companies, and more.
America Against America
An overview of Wang Huning’s book, with more context.
Comedy sketch about why adding a user’s birthday on the settings page is going to take years. I actually laughed out loud.
Fundamentals of Piano Practice
“Most books list what skills are needed (scales, arpeggios, trills, etc.), but not how to acquire them. This book teaches how to solve technical problems, step by step. Learn practice methods, how to acquire technique and memorize hours of repertoire, sight reading, musical playing, relaxation, etc., and, most importantly, Mental Play in which you learn to play the piano in your mind. “
The economics of pumpkin patches
How lucrative is the pumpkin business? The Hustle’s Juliet Bennett Rylah talked to farmers, patch operators, and industry experts to find out. TL;DR: roughly $1,500 to $6,000 of profit per acre.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!