
[tl;dr sec] #119 - Picking the Right Terraform Security Tool, BloodHound for Cloud, Awesome-Security-Hardening

Bake-off of multiple Terraform static analysis tools, tool to identify privilege escalation paths within and across different clouds, collection of security hardening best practices, checklists, benchmarks, tools, and more.

Hey there,

I hope you’ve been doing well!

The Future is Bright

A few of my friends have recently gotten the new M1 Macs, and they’ve been raving about the speed and battery life.

It’s vision like this that pushes our industry forward.

That’s one thing I like about tech: there’s this undefeatable optimism and hope for a better tomorrow.

Even when times are tough, it’s that hope that can still get you out of bed in the morning, because you know you’re working towards something that matters.

H/T Mike Privette for the image.

Podcast

I recently joined Panther founder Jack Naglieri on the Detection at Scale podcast.

It was a fun chat about the origins of Semgrep and how it differs from other static analysis tools, how AppSec and detection and response teams can collaborate, and tips on succeeding in AppSec at scale.

Sponsor

📢 Security and Compliance at the Pace of DevOps

Cloud Optix DevSecOps tools work seamlessly with existing DevOps processes to help prevent security breaches pre-deployment. Cloud Optix ensures container images and Infrastructure-as-Code (IaC) templates containing insecure configurations as well as embedded secrets and keys never make it to a test or live production environment.

📜 In this newsletter...

  • Conferences: Black Hat EU 2021 videos posted

  • AppSec: Stop storing secrets in environment variables, non-security things that can sink a security program

  • Web Security: A Burp Suite extension useful when testing apps using OAUTHv2 and OpenID

  • Infrastructure as Code: Private Terraform Module and Terraform Provider registry, purposefully vulnerable Kustomize.io Kubernetes templates, testing IaC using dynamic cloud security tools, a Terraform security scanner bake-off, get cloud cost estimates for Terraform changes on PRs

  • Cloud Security: Identify privilege escalation paths in cloud environments, Terraform module to automate setup of OIDC between AWS and GitHub Actions/GitLab CI, a safety net for AWS canarytokens, security practices in AWS multi-tenant SaaS environments

  • Blue Team: Malware simulation harness for evaluating security controls, awesome-security-hardening collection, anti-phishing using perceptual hashing algorithms

  • Politics / Privacy: NSO offered US mobile security firm "bags of cash"

  • Misc: Tool to encode/decode 120+ formats, write cross-platform native apps in Python, how to pick a good monitor for software development, inside one of India's biggest influencer families, the economics of Spotify

Conferences

Black Hat Europe 2021 Videos
Abstracts and slides on the main conference page here.

AppSec

Stop Storing Secrets In Environment Variables!
Forces Unseen’s Matt Hamilton argues that you should instead use ephemeral filesystem mounts.

Non-Security Things That Can Sink A Security Program
Helen Patton describes a number of important company aspects that impact the effectiveness of your security program, including asset management, identity strategy, technology stack, and inter-department governance.

Web Security

akabe1/OAUTHScan
A Burp Suite extension useful when testing applications implementing OAUTHv2 and OpenID standards. It contains 10+ security checks for OAUTHv2/OpenID vulnerabilities and common misconfigurations.

Infrastructure as Code

outsideris/citizen
A Private Terraform Module and Terraform Provider registry, by @Outsideris.

bridgecrewio/kustomizegoat
Purposefully vulnerable Kustomize.io Kubernetes templates for training and education purposes, by Bridgecrew.

Testing Infrastructure-as-Code Using Dynamic Tooling
NCC Group’s Erik Steringer describes how to shift left with dynamic cloud security tools. Rather than testing against a live development or production environment, you can run tools like Scout Suite and PMapper against Terraform using LocalStack, by spinning up a local environment. Neat! Tool release: Aerides.

Complete guide for picking the right tool for Terraform Security Code Analysis
Revolgy’s Marko Fábry and Marek Šottl discuss evaluating Checkov, Snyk, terrascan and tfsec for finding security vulnerabilities and misconfigurations in AWS and GCP Terraform files. The post includes a nice feature set comparison table, sections on each tool, and a comparison of each tool’s results on terragoat.

infracost/infracost
Tool by Infracost that shows cloud cost estimates for Terraform changes on pull requests. This enables DevOps, SRE and engineers to see a cost breakdown and understand costs before making changes.

Cloud Security

carlospolop/PurplePanda
Like BloodHound but for cloud: identify privilege escalation paths within and across different clouds, by Carlos Polop. Currently supports GCP, GitHub, and Kubernetes.

Identity Federation for CI on AWS
Small Terraform module that automates the setup of OIDC federation between AWS and GitHub Actions/GitLab CI, by Marco Lancini.

A “Safety Net” for AWS Canarytokens
In an ideal world, you could use CloudTrail to monitor the use of AWS API tokens. However, some AWS APIs don’t log to CloudTrail (this is why we can’t have nice things). Thinkst Canary describes how you can use IAM credential reports as a safety net to determine when API keys have been used more recently than has been seen in CloudTrail, covering this blind spot, and they’ve recently rolled this out to free users on Canarytokens.org 🙌 
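The check described above, as an added example that is not Thinkst’s code: parse an IAM credential report (the CSV that iam:GetCredentialReport returns, using AWS’s column names) and flag any user whose access-key last-used timestamp is newer than the most recent use CloudTrail recorded for that key. The report rows and the CloudTrail “last seen” table are constructed sample data; in practice the latter would come from your own CloudTrail query.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the layout of an IAM credential report (AWS column names).
CREDENTIAL_REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
canary-backup,arn:aws:iam::123456789012:user/canary-backup,2021-01-05T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-01-05T09:00:00+00:00,2021-12-11T02:17:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A
canary-deploy,arn:aws:iam::123456789012:user/canary-deploy,2021-01-05T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-01-05T09:00:00+00:00,2021-11-30T10:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A
canary-unused,arn:aws:iam::123456789012:user/canary-unused,2021-01-05T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-01-05T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""

# Constructed: latest use of each canary user's keys that CloudTrail actually logged.
# canary-unused has no CloudTrail entry at all.
CLOUDTRAIL_LAST_SEEN = {
    "canary-backup": datetime(2021, 11, 20, 8, 0, tzinfo=timezone.utc),
    "canary-deploy": datetime(2021, 11, 30, 10, 0, tzinfo=timezone.utc),
}


def parse_ts(value):
    """Credential reports use ISO 8601 timestamps, or N/A / no_information when unused."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def key_last_used(report_csv):
    """Return {user: newest last-used timestamp across the user's active access keys}."""
    latest = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        times = []
        for slot in (1, 2):
            if row.get(f"access_key_{slot}_active") == "true":
                ts = parse_ts(row[f"access_key_{slot}_last_used_date"])
                if ts is not None:
                    times.append(ts)
        latest[row["user"]] = max(times) if times else None
    return latest


def find_unlogged_use(report_csv, cloudtrail_last_seen):
    """Users whose keys were used (per the report) after the last use CloudTrail saw.

    Returns a list of (user, report_timestamp, cloudtrail_timestamp_or_None).
    A None CloudTrail timestamp means the key was used but CloudTrail never logged it.
    """
    alerts = []
    for user, report_ts in key_last_used(report_csv).items():
        if report_ts is None:
            continue  # key never used; nothing to compare
        seen = cloudtrail_last_seen.get(user)
        if seen is None or report_ts > seen:
            alerts.append((user, report_ts, seen))
    return alerts


if __name__ == "__main__":
    for user, report_ts, seen in find_unlogged_use(CREDENTIAL_REPORT_CSV, CLOUDTRAIL_LAST_SEEN):
        print(f"ALERT {user}: report says used {report_ts}, CloudTrail last saw {seen}")
```

Two caveats a practitioner should keep in mind: AWS lets you generate a credential report at most once every four hours, and the last-used field is coarse and can lag, so this is a catch-up signal for activity CloudTrail missed, not a replacement for CloudTrail alerting on the canary user.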

Security practices in AWS multi-tenant SaaS environments
Challenges, opportunities and best practices covering identity, tenant isolation, and how isolation enforcement depends on the service involved.

Blue Team

FourCoreLabs/firedrill
A malware simulation harness for evaluating your security controls, by FourCore Labs. Includes a set of four different attack simulations for you to use and build on top of: Ransomware Simulation, Discovery Simulation, a UAC Bypass and a Persistence Simulation.

decalage2/awesome-security-hardening
“A collection of awesome security hardening guides, best practices, checklists, benchmarks, tools and other resources” by Philippe Lagadec, covering major operating systems, network devices, containers, SSH, web servers, and more.

Silly proof of concept: Anti-phishing using perceptual hashing algorithms
Anvil Secure’s Diego Freijo proposes a way to detect phishing websites without a centralized repository of malicious sites. Basically, it’s a browser extension that computes a fingerprint of screenshots of sites you visit, and then if you visit a site that visually looks similar but is from a different domain, it warns you. Sort of like SSH’s trust on first use (TOFU) approach for keys but for the visual appearance of websites. Neat idea. Source code.

Also, I love this and want to do it at my work:

Welcome to the first dispatch coming out of the Ministry of Silly Ideas! It’s a space we’ve got inside Anvil where we encourage ourselves to come up with interesting-even-if-sounding-silly-at-first-glance ideas around security or IT in general. We then filter out those ideas that might even work in real life and implement a proof-of-concept to see if they pass the reality check. And, who knows? Some of those ideas might even be not-so-silly after all!
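The visual TOFU idea above, as an added example that is not Anvil Secure’s extension code: an 8x8 average hash (aHash) over a grayscale screenshot, a Hamming distance between hashes, and a store that records the hash the first time a domain is seen and warns when a new domain renders something within a few bits of a domain already trusted. The “screenshots” are constructed 32x32 pixel arrays (a login-style page, a near copy of it, and an unrelated striped page); a real extension would hash actual tab captures.

```python
from itertools import product

HASH_SIDE = 8  # 8x8 cells -> 64-bit hash


def average_hash(pixels):
    """64-bit aHash of a grayscale image given as rows of 0..255 values.

    The image is block-averaged down to HASH_SIDE x HASH_SIDE cells and each
    cell becomes one bit: 1 if brighter than the mean cell, else 0.
    """
    height, width = len(pixels), len(pixels[0])
    bh, bw = height // HASH_SIDE, width // HASH_SIDE
    cells = []
    for r, c in product(range(HASH_SIDE), range(HASH_SIDE)):
        block = [pixels[y][x] for y in range(r * bh, (r + 1) * bh)
                 for x in range(c * bw, (c + 1) * bw)]
        cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for value in cells:  # first cell ends up as the most significant bit
        bits = (bits << 1) | (1 if value > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


class VisualTofu:
    """Trust-on-first-use keyed by domain, compared on visual fingerprint."""

    def __init__(self, threshold=6):
        self.known = {}  # domain -> hash recorded on first visit
        self.threshold = threshold

    def visit(self, domain, screenshot):
        """Return a warning string if this new domain resembles a trusted one, else None."""
        h = average_hash(screenshot)
        if domain in self.known:
            return None  # previously seen domain; not what this check is for
        for other, other_hash in self.known.items():
            distance = hamming(h, other_hash)
            if distance <= self.threshold:
                return f"{domain} looks like {other} (hash distance {distance})"
        self.known[domain] = h  # first sight of this domain: trust it
        return None


def _page(bg, header, button, button_cols, noise):
    """Constructed 32x32 'screenshot': dark header band, dark button, light body."""
    rows = []
    for y in range(32):
        row = []
        for x in range(32):
            if y < 8:
                v = header
            elif 20 <= y < 28 and button_cols[0] <= x < button_cols[1]:
                v = button
            else:
                v = bg
            row.append(v + ((x * 7 + y * 3) % 5 if noise else 0))
        rows.append(row)
    return rows


LOGIN = _page(240, 40, 60, (8, 24), False)          # the genuine page
LOOKALIKE = _page(235, 50, 70, (8, 20), True)       # slightly different colours, narrower button
STRIPES = [[30 if (x // 4) % 2 == 0 else 230 for x in range(32)] for _ in range(32)]


if __name__ == "__main__":
    tofu = VisualTofu()
    for domain, shot in [("bank.example", LOGIN), ("news.example", STRIPES),
                         ("bank-login.example", LOOKALIKE)]:
        print(domain, "->", tofu.visit(domain, shot) or "ok")
```

The threshold is the tuning knob: too low and a phishing page with slightly shifted layout slips through, too high and visually plain sites (white page, one logo) collide with each other, which is the false-positive class a perceptual-hash approach has to manage.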

Sponsor

📢 State of Modern Application Security: Insights From 400+ AppSec Practitioners

What would make AppSec programs more effective? What’s the relationship like between developers and security? To answer these questions and more, Tromzo commissioned a survey of over 400 AppSec professionals for their first annual State of Modern Application Security Report.

Politics / Privacy

A whistleblower has alleged that an executive at NSO Group offered a US-based mobile security company “bags of cash” in exchange for access to a global signalling network used to track individuals through their mobile phone, according to a complaint that was made to the US Department of Justice.

Misc

dhondta/python-codext
A Python library and CLI tool that can encode/decode 120+ formats, along with a guess mode for decoding multiple layers of encoding, by Alexandre D’Hondt. Seems potentially useful for CTFs.

BeeWare
“Write your apps in Python and release them on iOS, Android, Windows, MacOS, Linux, Web, and tvOS using rich, native user interfaces. Multiple apps, one codebase, with a fully native user experience on every platform.”

How to Pick a Good Monitor for Software Development
Nick Janetakis covers when to buy a new monitor, understanding physical size vs resolution, pixels per inch, scaling, picture quality and color accuracy, refresh rates and input lag, and more.

“Everything is content”: Inside the daily grind of one of India’s biggest influencer families
An interesting peek inside a family that has oriented itself around regularly creating social media content, and the impact it can have on the family.

“When spending time with the children becomes the job, the family fails to create memories that go beyond ‘content,’ and the children grow up to feel more alienated,” Laskari said.

The Economics of Spotify
Spotify makes a lot of money, but relatively little of that makes it back to the artists.

The total sum that goes back to rights holders each month is based on the proportion of overall streams the rights holders’ streams represent that month and the cut of music revenues the rights holders have negotiated with Spotify.

…a midsized independent label’s payout rates for the last several years, finding its average per-stream payout has declined to just $0.00348 as the service has expanded into more countries and extended more subscription discounts and bundles, and as users streamed more and more songs.

Also, some pretty brutal feedback for a company whose sole purpose is, you know, serving what artists create:

“I don’t know any artists who feel their career has been made better by Spotify,” said Dupuis, who has accumulated more than 15m Spotify streams as solo act Sad13 and as a singer and guitarist in Speedy Ortiz.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint