
[tl;dr sec] #108 - How SolarWinds is Securing their Supply Chain, Cloud Security Tooling, Risk-base

What SolarWinds did after the attack and their new high assurance build system, how to succeed as the only cloud security practitioner in your company, and how Netflix uses risk to make informed decisions.

Hey there,

I hope you’ve been doing well!

You’re Enough

Happy Halloween! 🎃 I hope you had a festive and fun weekend.

I mostly just stayed in, relaxed, and watched Dune with a few friends.

I wanted to share how I spent my weekend, because TV, movies, and pop culture can set pretty high expectations.

  • On your birthday, you should be surrounded by a huge crowd of friends.

  • On Thanksgiving, you should have an Instagram-worthy food spread.

  • And if you don’t personally trample at least 3 people trying to get a slightly bigger TV on Black Friday, then something must be wrong with you.

It can feel hard to live up to these expectations sometimes.

You might find yourself thinking, “Am I having enough fun?” Or “I only have a few friends here 😥”

But you’re doing just fine. I think you’re great 😀 You’re enough. Right now.

Alright, enough talk of emotions (ew!), gimme a high fructose crypto meme to get me back on that sweet, sweet emotional sugar high:

Sponsor

📢 Simplify complex security analysis with graph data modeling

Similar to security, the mind is like a web of complex connections and classifications.

So why do 73% of organizations still rely on spreadsheets as a tool for their security hygiene and posture? That doesn't scale.

There’s a better way.

Listen to this talk on how data modeling like a mind map - a graph model - helps teams simplify complex security analysis and answer questions with rich visibility.

📜 In this newsletter...

  • AppSec: Risk-based security decision making, minimum viable secure product, changing source code logic via subtle control characters, hands-on intro to Semgrep's autofix, a serverless PKI framework, guiding AppSec principles

  • Supply Chain: How SolarWinds is hardening their supply chain

  • Web Security: Improvements to Burp's authenticated scanning, testing apps that use protobuf

  • Cloud Security: Using AWS SSO with GSuite as an IdP, an AWS enumeration and footprinting tool, cloud security tooling for the sole practitioner

  • Container Security: Service mesh for API visibility, abusing registries for exfil and droppers

  • Hardware: MITRE's 2021 most important hardware weaknesses

  • Network Security: eBPF-based tool for tracing network packets in the Linux kernel

  • Red Team: Exploiting an ARM-only race condition

  • Politics: Perspectives from Wang Huning, the man behind many of Xi Jinping's policies

  • Misc: Microservices comedy sketch, the fundamentals of piano practice, the economics of pumpkin patches

AppSec

Risk-Based Security Decision Making at Netflix
The video for the talk by Prashanthi Koutha and Shannon Morrison is live, thanks Sajal Verma for the heads up!

Minimum Viable Secure Product
A minimalistic security checklist for B2B software and business process outsourcing suppliers. It lists business, application design, application implementation, and operational security controls.

See also Enterprise Ready, 12 great guides for common features you need to sell as a B2B SaaS app. H/T Rami McCarthy.

‘Trojan Source’ Bug Threatens the Security of All Code
While I think this title is a bit fear mongering, Brian Krebs describes an interesting bug discussed by Nicholas Boucher and Ross Anderson in this academic paper. In short, the attack embeds Unicode bidirectional (Bidi) control characters in comments and string literals so that the order of characters a reviewer sees rendered differs from the order the compiler parses, which changes the program's logic. They found the attack works in C, C++, C#, JavaScript, Java, Rust, Go, and Python (PoCs). GitHub and VS Code will now warn you about it.
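If you want a check you can run over your own repos today, here is an added example (mine, not code from the Krebs article or the Boucher/Anderson paper): a scanner that flags the Bidi embedding, override and isolate controls the attack relies on, renders them visibly so the order the compiler sees is obvious, and reports lines that leave a control open past the end of the line. The sample source is constructed; real payloads use the same characters.

```python
# Added example: scan source text for the Unicode Bidi control characters
# behind Trojan Source. Not from the paper or from GitHub/VS Code's checks.
import sys
import unicodedata

# Bidi classes of the embedding/override/isolate controls
# (U+202A..U+202E and U+2066..U+2069). unicodedata reports these class
# names directly, so no hard-coded code point table is needed.
EMBEDDING_OPEN = {"LRE", "RLE", "LRO", "RLO"}   # closed by PDF
ISOLATE_OPEN = {"LRI", "RLI", "FSI"}            # closed by PDI
BIDI_CONTROL_CLASSES = EMBEDDING_OPEN | ISOLATE_OPEN | {"PDF", "PDI"}


def find_bidi_controls(source: str):
    """Return (line_no, col, bidi_class, code_point) for every Bidi control."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line):
            cls = unicodedata.bidirectional(ch)
            if cls in BIDI_CONTROL_CLASSES:
                hits.append((line_no, col, cls, f"U+{ord(ch):04X}"))
    return hits


def render_visible(source: str) -> str:
    """Replace each Bidi control with a visible <CLASS> token."""
    out = []
    for ch in source:
        cls = unicodedata.bidirectional(ch)
        out.append(f"<{cls}>" if cls in BIDI_CONTROL_CLASSES else ch)
    return "".join(out)


def unbalanced_controls(source: str):
    """Map line_no -> (open embeddings, open isolates) still unterminated at
    end of line. Bidi state resets at a newline, which is why Trojan Source
    payloads live on a single line and usually leave an override open."""
    result = {}
    for line_no, line in enumerate(source.splitlines(), start=1):
        emb = iso = 0
        for ch in line:
            cls = unicodedata.bidirectional(ch)
            if cls in EMBEDDING_OPEN:
                emb += 1
            elif cls == "PDF":
                emb = max(0, emb - 1)
            elif cls in ISOLATE_OPEN:
                iso += 1
            elif cls == "PDI":
                iso = max(0, iso - 1)
        if emb or iso:
            result[line_no] = (emb, iso)
    return result


# Constructed sample: an RLO inside a comment, followed by an isolate pair.
# A code viewer would display the rest of the line right-to-left.
SAMPLE = (
    "def is_admin(user):\n"
    "    # \u202ereviewer sees this reversed \u2066\u2069\n"
    "    return False\n"
)


def scan_file(path: str) -> int:
    """Print findings for one file; return the number of controls found."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = find_bidi_controls(text)
    for line_no, col, cls, cp in hits:
        print(f"{path}:{line_no}:{col}: {cls} ({cp})")
    for line_no, (emb, iso) in unbalanced_controls(text).items():
        print(f"{path}:{line_no}: unterminated controls (emb={emb}, iso={iso})")
    return len(hits)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(1 if any(scan_file(p) for p in sys.argv[1:]) else 0)
    print(render_visible(SAMPLE))
```

Run it as `python scan_bidi.py $(git ls-files)` in a pre-commit hook or CI job; a nonzero exit means at least one control was found. Legitimate uses of these characters in source are rare enough that every hit deserves a human look.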

A Hands-On Intro to Semgrep’s Autofix
EA’s Parsia Hakimian presents hands-on examples of using Semgrep’s autofix feature to address CBC padding oracles, ensuring security-related cookie flags are set (HttpOnly and Secure) in Java and Golang, ensuring the right templating library is used so that output encoding is done in Golang, and more.

Meet Ottr: A Serverless Public Key Infrastructure Framework
Airbnb’s Kenneth Yang describes Ottr, a serverless Public Key Infrastructure framework that handles end-to-end certificate rotations without the use of an agent.

Security’s job is to make it easy, ideally automatic, for developers to create and ship secure code. We should provide the right guidance at the exact time that it is needed. Developers should have to go out of their way to write insecure code or open a hole in a system.

Supply Chain

Project Trebuchet: How SolarWinds is Using Open Source to Secure Their Supply Chain in the Wake of the Sunburst Hack
Cloud Native Computing Foundation (CNCF) talk by Trevor Rosen on the SolarWinds hack, what they did after discovery, and an in-depth discussion of the new high assurance build system they’ve been developing that uses a number of CNCF and CDF projects.

Web Security

Improvements to Burp Suite authenticated scanning
Portswigger’s Matt Atkinson describes improvements that allow Burp Suite to better scan privileged areas of target web applications, even when a complex login sequence is required. Improvements across iframes, animated elements, DOM-based redirections, SVG elements, and multi-select.

Tortellini in Brodobuf
How to decode and deserialize Google Protobuf data, and an example of exploiting SQL injection using a custom SQLmap tamper script to automate the process. By Advanced Persistent Tortellini, an Italian hacker collective, which now has one of my favorite security group names.

See also Blackbox Protobuf, a tool by NCC Group’s Ryan Winkelmaier, a Burp Suite extension for decoding and modifying arbitrary protobuf messages without the protobuf type definition.
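To make the schema-less decoding in both links concrete, here is an added example (mine, not code from the Tortellini post, SQLmap or Blackbox Protobuf): a small decoder and encoder for the protobuf wire format, plus a `tamper` helper that swaps a payload into one field and re-serialises the message, which is the job a custom SQLmap tamper script has to do. The sample message and its field numbers are constructed; there is no real schema behind them, and the string/bytes/nested-message guess for length-delimited fields is a heuristic of my own.

```python
# Added example: schema-less protobuf wire-format decode/encode and a tamper
# helper. Not the code from the Tortellini post, SQLmap or Blackbox Protobuf.


def encode_varint(value: int) -> bytes:
    """Base-128 varint. Negative ints are sign-extended to 64 bits, as protobuf does."""
    if value < 0:
        value &= (1 << 64) - 1
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_varint(buf: bytes, pos: int):
    """Decode a varint at pos; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def _guess_length_delimited(chunk: bytes):
    """Wire type 2 is ambiguous without a schema (string, bytes or embedded
    message). Heuristic: printable UTF-8 -> str, else a parseable nested
    message -> list of fields, else raw bytes. Ambiguity is unavoidable here."""
    try:
        text = chunk.decode("utf-8")
        if text.isprintable():
            return text
    except UnicodeDecodeError:
        pass
    if chunk:
        try:
            return decode_message(chunk)
        except ValueError:
            pass
    return chunk


def decode_message(buf: bytes):
    """Return [(field_number, wire_type, value), ...] with no schema."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 0x7
        if field_no == 0:
            raise ValueError("field number 0 is reserved")
        if wire_type == 0:                      # varint
            value, pos = read_varint(buf, pos)
        elif wire_type in (1, 5):               # fixed64 / fixed32, kept raw
            width = 8 if wire_type == 1 else 4
            value = buf[pos:pos + width]
            if len(value) != width:
                raise ValueError("truncated fixed-width field")
            pos += width
        elif wire_type == 2:                    # length-delimited
            length, pos = read_varint(buf, pos)
            chunk = buf[pos:pos + length]
            if len(chunk) != length:
                raise ValueError("truncated length-delimited field")
            pos += length
            value = _guess_length_delimited(chunk)
        else:                                   # 3/4 are deprecated groups
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_no, wire_type, value))
    return fields


def encode_message(fields) -> bytes:
    """Inverse of decode_message; nested lists become embedded messages."""
    out = bytearray()
    for field_no, wire_type, value in fields:
        out += encode_varint((field_no << 3) | wire_type)
        if wire_type == 0:
            out += encode_varint(value)
        elif wire_type in (1, 5):
            out += value
        elif wire_type == 2:
            if isinstance(value, list):
                payload = encode_message(value)
            elif isinstance(value, str):
                payload = value.encode("utf-8")
            else:
                payload = bytes(value)
            out += encode_varint(len(payload)) + payload
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
    return bytes(out)


def tamper(raw: bytes, field_no: int, payload: str) -> bytes:
    """Replace the first top-level length-delimited field `field_no` with
    `payload` and re-serialise: what a SQLmap tamper script does per request."""
    new, replaced = [], False
    for f_no, wt, val in decode_message(raw):
        if not replaced and f_no == field_no and wt == 2:
            new.append((f_no, wt, payload))
            replaced = True
        else:
            new.append((f_no, wt, val))
    if not replaced:
        raise ValueError(f"no length-delimited field {field_no}")
    return encode_message(new)


# Constructed sample: a page number, a search string carrying a SQLi probe,
# and a nested filter message. Field numbers are arbitrary.
SAMPLE = encode_message([
    (1, 0, 3),
    (2, 2, "' OR 1=1--"),
    (3, 2, [(1, 2, "name"), (2, 0, 25)]),
])

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(decode_message(SAMPLE))
    print(decode_message(tamper(SAMPLE, 2, "x' UNION SELECT 1,2--")))
```

The guess in `_guess_length_delimited` is the weak point of any schema-less tool: a string whose bytes happen to parse as valid tags will be shown as a nested message, and vice versa, so when Blackbox Protobuf or this code disagrees with what the app does, capture a second message and compare field shapes before trusting the decode.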

Cloud Security

AWS SSO Tutorial with Google Workspace (Gsuite) as an IdP Step-by-Step
Detailed walkthrough by Cloud Query's Mike Elsmore on how to use G Suite as an identity provider for AWS SSO. Benefits of this approach: no long-lived AWS IAM user credentials to manage, 2FA is already handled by your IdP (G Suite), and when users join or leave your org you only have to make the change in one place.

Introducing Quiet Riot: A Scalable AWS Enumeration and Footprinting Tool
New tool by Wes Ladd for unauthenticated enumeration and footprinting of AWS account IDs, IAM roles and users, and services in use (inferred from existing service-linked role names), without needing any credentials for the target account.

Cloud Security Tooling for the Sole Practitioner
Are you the only person doing cloud security at your company? Salesforce’s Kinnaird McQuade joins Nikki Becher and Shinesa Cambric on the OWASP DevSlop podcast to help you navigate where to start, what to prioritize, and how to build out your own “lean but mean” cloud security toolkit. Slides, useful links to learn more, and a purposefully vulnerable repo to practice on.

Container Security

APIClarity
An open source cloud native visibility tool for APIs, utilizing a Service Mesh framework to capture and analyze API traffic. APIClarity can compare OpenAPI specs to traffic observed at runtime: detect undocumented APIs and deprecated API use. For apps that don’t have an OpenAPI spec, autogenerate one based on your live environment.

Abusing Registries For Exfil And Droppers
Awesome post by Snowflake’s Mark Manning on sneakily abusing container registries. Key take-aways: registries are trusted endpoints, and thus useful for exfiltration and post-exploitation, and it’s easy to make a malicious file look like a legitimate image layer.

Hardware

2021 CWE Most Important Hardware Weaknesses
MITRE's 2021 list of the most important hardware weaknesses. The first three entries:

  1. CWE-1189: Improper Isolation of Shared Resources on System-on-a-Chip (SoC)

  2. CWE-1191: On-Chip Debug and Test Interface With Improper Access Control

  3. CWE-1231: Improper Prevention of Lock Bit Modification

Network Security

cilium/pwru: Packet, where are you?
By Cilium: “An eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities. It allows fine-grained introspection of kernel state to facilitate debugging network connectivity issues.”

Red Team

This bug doesn’t exist on x86: Exploiting an ARM-only race condition
By Stephen Tong: How to exploit a double free vulnerability in 2021. ‘Use After Free for Dummies.’

Politics

The Triumph and Terror of Wang Huning
Fascinating article on Wang Huning, the former academic behind many of Xi Jinping’s policies. When he was younger, Wang admired the U.S., but when he visited, he found:

…homeless encampments in the streets of Washington DC, out-of-control drug crime in poor black neighborhoods in New York and San Francisco, and corporations that seemed to have fused themselves to and taken over responsibilities of government. Eventually, he concludes that America faces an “unstoppable undercurrent of crisis” produced by its societal contradictions, including between rich and poor, white and black, democratic and oligarchic power, egalitarianism and class privilege, individual rights and collective responsibilities, cultural traditions and the solvent of liquid modernity.

“The real cell of society in the United States is the individual,” he finds. This is so because the cell most foundational (per Aristotle) to society, “the family, has disintegrated.” Meanwhile, in the American system, “everything has a dual nature, and the glamour of high commodification abounds. Human flesh, sex, knowledge, politics, power, and law can all become the target of commodification.” This “commodification, in many ways, corrupts society and leads to a number of serious social problems.” In the end, “the American economic system has created human loneliness” as its foremost product, along with spectacular inequality. As a result, “nihilism has become the American way, which is a fatal shock to cultural development and the American spirit.”

Wang has observed the same individualism and erosion of cultural values in China, hence the crackdowns on celebrities living lavish lifestyles, massive fines to monopolistic tech companies, and more.

America Against America
An overview of Wang Huning’s book, with more context.

In the 20th century America introduced Keynesianism and the welfare state which can’t be undone without political instability, but in many cases it exists to solve what are really social problems.

Money is the chief motivator of the strong work ethic for urban professionals, not the collective good.

Misc

Microservices
Comedy sketch about why adding a user’s birthday on the settings page is going to take years. I actually laughed out loud.

Fundamentals of Piano Practice
“Most books list what skills are needed (scales, arpeggios, trills, etc.), but not how to acquire them. This book teaches how to solve technical problems, step by step. Learn practice methods, how to acquire technique and memorize hours of repertoire, sight reading, musical playing, relaxation, etc., and, most importantly, Mental Play in which you learn to play the piano in your mind.”

The economics of pumpkin patches
How lucrative is the pumpkin business? The Hustle’s Juliet Bennett Rylah talked to farmers, patch operators, and industry experts to find out. TL;DR: roughly $1,500 to $6,000 of profit per acre.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint