[tl;dr sec] #121 - Container Security Checklist, DevSecOps & Automating Compliance, Proactive Subdomain Takeovers
A dense checklist of container hardening steps, Cloud Security Alliance whitepaper on automating compliance and better relating it to security requirements, tool to preemptively take over your subdomains before attackers can.
I hope you’ve been doing well!
The Superb Owl
Every year, growing up in Cincinnati, there was a constant refrain: “The Bengals are going to be good this year.”
A bold claim, given they’ve never won a Super Bowl, and in the ~10 years I lived in Cincinnati, they rarely even made the playoffs.
But this year the Bengals made it to the Super Bowl, and some people were so excited they painted their house orange and black.
Unfortunately the Bengals didn’t win, but at least they had a taste of success. Well done!
Sidenote: I wonder what the above paint job did for their property value 🤔
Sponsors Getting Acquired
Congrats to Vectrix, the 4th and counting tl;dr sec sponsor that has been acquired. And I think they’ve found a good home in Cloudflare (announcement post).
Hm, maybe I need to start a fund or something, as I wonder if my (accidental) success rate is higher than some VC firms. I’d need to invest in some Patagonia vests and nice shoes first though.
Brb, adding an “Acquired Sponsors” section to the tl;dr sec sales page 😎
📢 It's time to tackle client-side security, no really, the time is now!
📜 In this newsletter...
Machine Learning: AI trained on programming competition code does as well as median human competitor
AppSec: Finding secrets in git --mirror, automatically merging Dependabot PRs, automating compliance and connecting it to security requirements
Web Security: Tool to ease testing race conditions, automatically discovering vulnerabilities in WordPress plugins
Supply Chain: Collection of tools to audit NPM dependencies, a prototype implementation of the CNCF's Secure Software Factory, example malicious Terraform that leaks secrets
Cloud Security: Proactively take over your own vulnerable subdomains, IaC tool comparison + integrating into GitLab, VS Code extension with AWS IAM autocomplete, Amazon API Gateway CORS configurator
Container Security: Serverless reverse proxy for exposing container registries, container security checklist
Misc: How Apple could get to $1T in revenue, eBPF for Windows, No Starch author interview with lcamtuf on his new Practical Doomsday book, baby shark dance
Six things I've learned from 15 years at ZDNet: Larry Dignan on hiring, culture, careers, and more
DeepMind has made software-writing AI that rivals average human coder
Note that DeepMind’s system was trained on code from programming competitions, and doesn’t seem to do as well on simpler tasks. Still, progress is being made.
Tool by Nightwatch Cybersecurity for calculating the delta between a regular cloned repo and a mirrored (--mirror) one, and scanning the parts only available in the mirror for secrets using gitleaks. Blog post with more info, including how --mirror mode can include additional repo content that isn’t present in normal clones.
Git is like a helpful but at times inscrutable long-term partner: even after interacting with them every day for years, there’s always more to learn.
How to keep your repo package dependencies up to date automatically
OpenPix’s Danilo Assis describes how to configure repos so that when Dependabot opens a PR that updates a dependency, tests are automatically run in that PR, and the PR is auto-merged if the tests pass. Of course, be careful this doesn’t still break things, and keep in mind the potential supply chain risk of automatically updating dependencies.
DevSecOps - Pillar 4 Bridging Compliance and Development
The third in a series of reports by the Cloud Security Alliance, this one led by Deloitte’s Roupe Sahans et al. The document focuses on automating compliance and having compliance better relate to security requirements. Some recommendations mentioned:
Define and create security guardrails to monitor deployments and find deviations from desired baselines autonomously.
Leverage the use of patterns and templates to scale security consistently.
🔥 A technique to semi-automatically discover new vulnerabilities in WordPress plugins
Awesome work by Krzysztof Zając. WordPress plugins expose a number of standard routes, and these interfaces have a consistent trust boundary. Krzysztof wrote a tool that executes each AJAX endpoint, menu page, REST route, or file multiple times with a variety of payloads, and analyzes the responses to detect XSS, SQL injection, CSRF, arbitrary file read and more.
One particularly neat aspect is that he mocks certain variables (like $_GET, $_REQUEST, etc.) and instruments a number of WordPress functions to determine what can be user-controlled. In total, he found over 120 CVEs in various WordPress plugins.
The Secure Software Factory
A prototype implementation of the CNCF’s Secure Software Factory Reference Architecture which is based on the CNCF’s Software Supply Chain Best Practices White Paper. SLSA ready.
OVO vs. Bug Bounty researchers - round 2
OVO’s Paul Schwarzenberger describes improvements they made to their open source tool Domain Protect that can now proactively take over your own vulnerable subdomains (usually within a few minutes), before attackers or bug bounty researchers can.
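The defensive half of what Domain Protect does is spotting dangling DNS records: CNAMEs that point at a hosted resource nobody owns any more. The following is an added example, not code from the Domain Protect project, that scans a constructed zone for CNAMEs aimed at services where an unclaimed target can be registered, checks whether each target still resolves (through an injected resolver so it runs offline), and produces the remediation action an owner would take. The service list and zone records are assumptions made up for the example; a real scan would query the DNS provider and the cloud APIs instead.

```python
from typing import Callable, Dict, List, NamedTuple, Optional

# Constructed list of CNAME target suffixes for services where an orphaned
# target name could be claimed by someone else (assumption, not exhaustive).
TAKEOVER_PRONE_SUFFIXES: Dict[str, str] = {
    "s3.amazonaws.com": "S3 website bucket",
    "elasticbeanstalk.com": "Elastic Beanstalk environment",
    "herokuapp.com": "Heroku app",
    "azurewebsites.net": "Azure App Service",
    "github.io": "GitHub Pages site",
}


class Finding(NamedTuple):
    name: str      # the subdomain in our zone
    target: str    # where its CNAME points
    service: str   # which hosted service the target belongs to
    action: str    # what the owner should do about it


def classify_target(target: str) -> Optional[str]:
    """Return the hosted service a CNAME target belongs to, or None."""
    host = target.rstrip(".").lower()
    for suffix, service in TAKEOVER_PRONE_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None


def find_dangling_cnames(
    zone_records: List[Dict[str, str]],
    resolves: Callable[[str], bool],
) -> List[Finding]:
    """Find CNAMEs that point at takeover-prone services whose target no longer resolves.

    `resolves` is injected so the check can run against a stub; in production it
    would be a real DNS lookup plus a check that the resource exists in the cloud account.
    """
    findings: List[Finding] = []
    for rec in zone_records:
        if rec.get("type") != "CNAME":
            continue
        target = rec["value"].rstrip(".")
        service = classify_target(target)
        if service is None:
            continue  # CNAME to something we don't consider claimable
        if resolves(target):
            continue  # target is alive, record is fine
        # Either re-create the resource under the target name (the "proactive
        # takeover" Domain Protect performs) or delete the record.
        action = f"re-claim {service} '{target}' or delete CNAME for {rec['name']}"
        findings.append(Finding(rec["name"], target, service, action))
    return findings


# Constructed zone for example.test (assumption: not a real domain).
SAMPLE_ZONE: List[Dict[str, str]] = [
    {"name": "www.example.test", "type": "A", "value": "192.0.2.10"},
    {"name": "blog.example.test", "type": "CNAME", "value": "old-blog.herokuapp.com."},
    {"name": "assets.example.test", "type": "CNAME", "value": "assets-prod.s3.amazonaws.com."},
    {"name": "docs.example.test", "type": "CNAME", "value": "example-docs.github.io."},
    {"name": "mail.example.test", "type": "CNAME", "value": "ghs.googlehosted.com."},
]

# Stub resolver: constructed set of names that still "resolve" in this example.
LIVE_TARGETS = {"assets-prod.s3.amazonaws.com", "ghs.googlehosted.com"}


def stub_resolves(name: str) -> bool:
    return name.rstrip(".").lower() in LIVE_TARGETS


def scan_sample_zone() -> List[Finding]:
    """Run the dangling-CNAME check over the constructed zone."""
    return find_dangling_cnames(SAMPLE_ZONE, stub_resolves)


if __name__ == "__main__":
    for f in scan_sample_zone():
        print(f"{f.name} -> {f.target} ({f.service}): {f.action}")
```

The resolver is deliberately injected rather than hard-wired to `socket.gethostbyname`, because for services like S3 the DNS name usually still resolves even after the bucket is deleted; the real signal is whether the resource exists, which is what Domain Protect checks via the provider's API before re-creating it.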
Fantastic Infrastructure as Code security attacks and how to find them
GitLab’s Michael Friedrich describes several infrastructure as code and Kubernetes scanning tools (tfsec, kics, terrascan, Semgrep, tflint) and how to integrate them into continuous GitLab code scanning. See also GitLab’s purposefully vulnerable IaC repo.
A VS Code extension by Sebastian Bille that provides AWS IAM actions autocomplete, documentation and wildcard resolution. Supports Serverless Framework, AWS SAM, CloudFormation and Terraform.
A serverless reverse proxy for exposing container registries (GCR, Docker Hub, Artifact Registry, etc.) as a public registry on your own domain name, by Twitter’s Ahmet Balkan.
Container Security Checklist: From the image to the workload
Great overview and distillation by Aqua Security’s Carol Valencia with actionable steps, links, and commands covering securing the build, container registry, container runtime, infrastructure, data, and workloads.
📢 Register for ZAPCon 2022 ⚡️
ZAPCon 2022 is a free virtual event for ZAP users and those looking to level-up their automated application security testing game.
The ZAPCon schedule is now available. See the full speaker lineup and save your spot for free.
The End Is (Not) Nigh: Disaster Prepping with Michal Zalewski
No Starch Press author interview with Michal Zalewski (aka lcamtuf) on his new book: Practical Doomsday: A User’s Guide to the End of the World. Michal has had quite the career: creating AFL, building Google’s product security team, authoring Silence on the Wire and The Tangled Web, and more.
Use coupon code SPOTLIGHT30 to get 30% off your order of Practical Doomsday through March 9, 2022.
Baby Shark Dance
TIL the jingle for Jamie Tartt on the TV show Ted Lasso (“Jamie Tartte do do do do”) seems to be directly taken from this Baby Shark Dance song by South Korean children’s education megabrand Pinkfong.
Larry Dignan shares some interesting perspective on hiring, culture, careers, and more. Some snippets:
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!