[tl;dr sec] #116 - Secrets of Successful Security Programs, Supply Chain, Killing Bug Classes
A masterclass in building a modern, scalable security program by Phil Venables, GitHub Action to check your supply chain security posture, Chrome feature to protect against CSRF and DNS rebinding.
I hope you’ve been doing well!
There are some longer sections at the bottom of this one, but some really good stuff I couldn’t leave out.
I don’t know about you, but I’ve been writing some YAML lately.
I hope this meme by Justin Yoo also cheers you up.
📢 Podcast: The Value of Agility and Education for Scaling Security
In a recent episode of the Detection at Scale podcast, Panther Labs CEO and Founder Jack Naglieri sat down with Matt Jezorek, VP of Security and Abuse at Dropbox, to discuss Matt’s perspective on the decisions security teams have to make that ultimately control how fast they can detect threats.
I actually joined Jack on the Detection at Scale podcast this week, look for our episode in a bit!
📜 In this newsletter...
Conferences: Cybersecurity conferences in 2022, Global AppSec US 2021 videos
AppSec: Free book on SSH tunneling, securing GitHub organizations
Secrets: GitHub leaked secret search engine, secrets stored in environment variables, secret scanning tool by Salesforce
CI/CD and Supply Chain: OpenSSF Scorecards v4, 10 real-world stories on compromising CI/CD pipelines, linting and securing GitHub Actions
Cloud Security: SSH bastion host best practices, 2 serious vulnerabilities in AWS, free labs to learn cloud pen testing
Fuzzing: Fuzzing LoRaWAN protocol stacks
Red Team: Payload creation framework for fileless VBA scripts
Privacy: Disable 2G option on new Android phones
OSINT: 5 hour OSINT course, service to remove objects from images, lessons learned from 10 years building an open source OSINT tool
Misc: Internet meme search engine, browser extension to inject SciHub links, create an RPG game for free without coding
New Chrome security measure aims to curtail an entire class of Web attack: Protecting against CSRF and DNS rebinding
Secrets of Successful Security Programs: A masterclass in building a scalable, modern security program
Global AppSec US 2021 Virtual
YouTube playlist of the talk recordings, covering AppSec, threat modeling, cloud security, supply chain, and much more.
Securing GitHub organizations
LaunchDarkly’s Alex Smolen presents his step-by-step process for securing your GitHub organization. See also the OpenSSF’s AllStar GitHub App for continuous enforcement of security best practices.
Introducing PinataHub: Explore the world of leaked secrets in GitHub
PinataHub is a new search engine for secrets leaked on GitHub. The post includes some interesting ideas on high-signal secret detection, including the use of algorithmically generated domain (AGD) detection to separate real credentials from placeholders.
Awesome List Of Secrets In Environment Variables
A list of the environment variable names in which secrets, passwords, API keys, and tokens are commonly stored, by Maciej Pulikowski. Useful if you have RCE or another primitive that lets you read a vulnerable app’s environment (e.g. /proc/self/environ or an error page that dumps it).
CI/CD and Supply Chain
Reducing Security Risks in Open Source Software at Scale: Scorecards Launches V4
The OpenSSF announces that their Scorecards project now includes new security checks and a GitHub Action you can run to easily flag potentially risky supply-chain practices. Release notes.
10 real-world stories of how we’ve compromised CI/CD pipelines
Great write-up with tons of interesting examples, including several scenarios involving Jenkins (“RCE-as-a-Service”), GitLab, and Kubernetes, plus what a pen tester can do with a dev’s laptop. By NCC Group’s Aaron Haymore, Iain Smart, Viktor Gazdag, Divya Natesan and Jennifer Fernick.
Linting your GitHub Actions
CipherStash’s Matt Palmer describes action-validator, a new tool that lints GitHub Action and Workflow YAML files. It ensures they are well-formed by checking them against the published JSON schemas and by verifying that any globs used in paths / paths-ignore match at least one file in the repo (a glob that matches nothing usually means a workflow that silently never runs).
For linting your GitHub Action YAMLs for security issues, see this post and open source Semgrep rules here.
SSH Bastion host best practices: How to Build and Deploy a Security-Hardened SSH Bastion Host
Teleport’s Sakshyam Shah provides a nice overview. Build a server with minimal packages installed, limit the services actively running, lock down OS network capabilities, limit user accounts and restrict account capabilities (e.g. SELinux), implement access logging, harden OpenSSH, and more.
2 Critical Cloud Vulnerabilities to Convince You to Move to the Cloud
The Orca Security Research Team discusses multiple critical zero-day vulnerabilities discovered in AWS Glue and CloudFormation. “These vulnerabilities could’ve allowed unauthorized access to customer data and/or sensitive code and data within the public cloud.” However, there’s been some discussion that Orca’s impact claims are a bit overblown, see this Scott Piper thread for more context.
OWASP Serverless Goat
Bishop Fox: iam-vulnerable, a vulnerable by design AWS IAM privilege escalation playground
Rhino Security Labs: cloudgoat, a vulnerable by design AWS deployment tool
Appsecco: A step-by-step walkthrough of CloudGoat 2.0 scenarios
dvca a Damn Vulnerable Cloud Application
NCC Group: sadcloud, a tool for standing up (and tearing down!) purposefully insecure cloud infrastructure
Appsecco: Breaking and Pwning Apps and Servers on AWS and Azure free courseware and labs
LoRaWAN’s Protocol Stacks: The Forgotten Targets at Risk
LoRaWAN is a low-power, wide area networking protocol often used for things like smart city security, environmental monitoring, industrial safety, and more. Trend Micro’s Sébastien Dudek discusses how to hunt for bugs in different LoRaWAN stacks, for example by fuzzing with AFL++. He explains how Qiling (based on the Unicorn Engine) can be used in fuzzing and debugging exotic architectures, and how Ghidra’s PCode emulation can be used when the architectures targeted are not supported by Unicorn or Qiling.
Fuzzing architecture design for radio protocol layer as applied to LoRaWAN
By Optiv’s Matt Eidelberg: A payload creation framework for the stealthy execution of arbitrary VBA (macro) source code directly in memory without dropping macro documents to disk, making it harder for EDR to detect it.
VICTORY: Google Releases “disable 2g” Feature for New Android Smartphones
The EFF describes a new feature in Android phones that lets you disable 2G at the modem level. 2G is a legacy, insecure protocol that some stingray (IMSI catcher) interception devices exploit via downgrade attacks, so turning it off removes that path. Disable by: Settings > Network & Internet > SIMs > Allow 2G and turn that setting off.
📢 Slash Cloud Cyber Risk with Security-as-Code
Existing cybersecurity architectures break down in public cloud. Why? Because cloud applications are being self-serviced by developers. John Steven, Concourse Labs CTO and co-author of the BSIMM study, explains how Security-as-Code enables developers to self-service the security of their infrastructure-as-code.
Open-Source Intelligence (OSINT) in 5 Hours - Full Course
Free course by Heath Adams (@thecybermentor) covering a wide variety of topics, including reverse image searching, viewing EXIF data, discovering email addresses, hunting breached passwords, OSINT on platforms like Twitter, Facebook, Instagram, Reddit, LinkedIn, and much more.
Lessons learned from my 10 year open source project
Steve Micallef shares 10 lessons from developing his widely popular SpiderFoot OSINT tool for over a decade.
A browser extension that adds SciHub links to popular publisher websites, to make accessing science even easier, by Rick Wierenga. Seems like it’s been taken down, perhaps because it became too popular. Rick’s thread about it.
Make an RPG game without coding for free. tl;dr sec sends its apologies to your employer and spouse (hopefully separate parties) for your future lower productivity and attentiveness.
Starting in Chrome 98, website requests to internal network resources (e.g. 192.168.1.1) will trigger a CORS preflight request carrying Access-Control-Request-Private-Network: true; the internal server has to answer with Access-Control-Allow-Private-Network: true for the real request to go through. In Chrome 98 a failed preflight only produces a DevTools warning, with blocking to follow in a later release. This will be a massive step forward in eliminating classes of vulnerabilities like CSRF and DNS rebinding. Google blog
Searching for vulnerabilities manually or with automated tools has value, and so does secure code training, but in my (and many people’s) opinion, secure defaults that prevent those classes of vulnerabilities from occurring in the first place are higher leverage.
And building protections into the platform (e.g. web browsers) can be even higher leverage, as that secures everything on the platform (there are only a handful of browsers vs billions of websites).
This post by Google Cloud CISO Phil Venables is probably one of the most useful and value-dense posts on lessons learned, best practices, and how to build a modern security program I’ve ever seen.
Here’s my attempt at not quoting the entire post:
Aim for projects that:
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!