[tl;dr sec] #122 - Developer Experience is Security, Everything as Code Survey, Graph-based Asset Management
Why DevX is so important for security, 50+ examples of Foo as Code, ingest all of your assets and query them in Neo4J.
I hope you’ve been doing well!
My heart goes out to the people of Ukraine, and all of the Russians against the violence.
Nothing I say can do justice to what’s happening, but know my thoughts are with you ✊💙
Feel Good Memes
It’s a stressful time right now, so here are a few images from tl;dr sec’s ye olde meme bank, FDIC-insured* to put a smile on your face.
*No these memes are not insured, they’re provided AS IS with no warranty. This was said in jest, and I’m not a lawyer nor your accountant, nor do I play one on TV (yet).
📢 Prevent Security Breaches Pre-Deployment
Sophos Cloud Optix DevSecOps tools work seamlessly with existing DevOps processes to help prevent security breaches pre-deployment. Cloud Optix ensures container images and Infrastructure-as-Code (IaC) templates containing insecure configurations as well as embedded secrets and keys never make it to a test or live production environment.
📜 In this newsletter...
AppSec: Exploiting Jenkins build authorization, easily ingest your assets into Neo4J, Manicode 2022 secure coding catalog, Foo as Code survey
Web Security: Burp plugin to easily create nuclei templates
Cloud Security: AWS security fundamentals, simplify accessing multiple cloud accounts in your browser, tool to test your AWS security controls
Container Security: Run Kubernetes in airgapped environments, a Checkov-powered Kubernetes Admission controller
Developer Experience: Developer Experience is Security, a roundup of DevX resources, building for the 99% developers, autofix your slow Jupyter notebook code
Blue Team: Free tools recommended by CISA, IR framework focused on remote live forensics
Network Security: Tool to generate network traffic to test your security controls
Politics: A Ukrainian hacker to follow, Russia and the 4 Internets, tracking the economic fallout of Russia sanctions, history of information warfare in Ukraine, modern tactics in defending in urban warfare
Misc: Zane Lackey joins the dark side a16z, some Depressing Math, how Ikea tricks you into buying more stuff
Exploiting Jenkins build authorization
Cider Security’s Asi Greenholts describes how the default build authorization configuration in Jenkins — controlling the permissions allocated to pipelines — is insecure and often left unmodified in production environments. He recommends using the “Authorize Project” and “Role-Based Authorization Strategy” plugins to define secure build authorization configurations.
Democratizing Graph-Based Security: Introducing Starbase
JupiterOne’s Austin Kelleher announces Starbase, an open source tool that enables collecting assets from 70+ systems, including cloud service providers, source control providers, IdPs, vulnerability management platforms, and more, and storing them in Neo4J. Starbase also interops with Lyft’s Cartography tool.
This lets you ask interesting questions like:
Which users have MFA disabled?
Which of my source code repos are accessible to outside contributors?
and much more
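To make the "interesting questions" concrete, here is an added example (mine, not Starbase's or JupiterOne's code) that models a tiny asset graph of the kind such an ingest produces and answers both questions above by walking it. The node labels, property names (`mfaEnabled`, `MEMBER_OF`, `OWNS`, `ALLOWS`) and the sample data are all constructed assumptions, not Starbase's actual schema; the docstrings carry the Cypher you would run against Neo4J under that same assumed schema. The second query is the one a single data source cannot answer on its own: it joins IdP membership with source-control permissions.

```python
from collections import defaultdict

# Constructed asset graph standing in for a Starbase/Neo4J ingest.
# Labels and property names are hypothetical, not Starbase's real schema.
NODES = {
    "org:acme":        {"label": "Organization", "name": "acme"},
    "user:alice":      {"label": "User", "username": "alice", "mfaEnabled": True},
    "user:bob":        {"label": "User", "username": "bob", "mfaEnabled": False},
    "user:contractor": {"label": "User", "username": "contractor", "mfaEnabled": False},
    "repo:payments":   {"label": "CodeRepo", "name": "payments"},
    "repo:website":    {"label": "CodeRepo", "name": "website"},
}

# Directed edges (source, relationship, target). Each would come from a
# different integration: the IdP for MEMBER_OF, the SCM for OWNS and ALLOWS.
EDGES = [
    ("user:alice", "MEMBER_OF", "org:acme"),
    ("user:bob", "MEMBER_OF", "org:acme"),
    ("org:acme", "OWNS", "repo:payments"),
    ("org:acme", "OWNS", "repo:website"),
    ("user:alice", "ALLOWS", "repo:payments"),
    ("user:contractor", "ALLOWS", "repo:payments"),  # collaborator outside the org
    ("user:bob", "ALLOWS", "repo:website"),
]

OUT = defaultdict(set)  # (src, rel) -> {dst}
IN = defaultdict(set)   # (dst, rel) -> {src}
for src, rel, dst in EDGES:
    OUT[(src, rel)].add(dst)
    IN[(dst, rel)].add(src)


def users_without_mfa():
    """Single-label query.
    Cypher under the assumed schema:
      MATCH (u:User) WHERE u.mfaEnabled = false RETURN u.username
    """
    return sorted(p["username"] for p in NODES.values()
                  if p["label"] == "User" and not p.get("mfaEnabled", False))


def repos_with_outside_contributors():
    """Two-hop query: users allowed on a repo who are not members of the org
    that owns it. Cypher under the assumed schema:
      MATCH (o:Organization)-[:OWNS]->(r:CodeRepo)<-[:ALLOWS]-(u:User)
      WHERE NOT (u)-[:MEMBER_OF]->(o)
      RETURN r.name, u.username
    """
    findings = {}
    for node_id, props in NODES.items():
        if props["label"] != "CodeRepo":
            continue
        owners = IN[(node_id, "OWNS")]
        for user in sorted(IN[(node_id, "ALLOWS")]):
            # A user is "outside" if none of their org memberships own the repo.
            if not (OUT[(user, "MEMBER_OF")] & owners):
                findings.setdefault(props["name"], []).append(NODES[user]["username"])
    return findings


if __name__ == "__main__":
    print("Users without MFA:", users_without_mfa())
    print("Repos with outside contributors:", repos_with_outside_contributors())
```

The value of the graph shows in the second function: the ownership edge and the permission edge come from different integrations, and the question is only answerable once both are in one place and can be traversed together.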
Manicode Secure Coding Education Catalog 2022
My bud Jim Manico has updated the courses he and his artisanally sourced team of expert trainers offer, all focusing on teaching your developers to write secure code and maintain secure software.
For a taste of how Jim is like a shot of knowledge and positivity straight into your heart, see his AppSec Cali 2019 keynote, The Unabridged History of Application Security. Reach out to jim AT manicode.com for more info.
In depth research and trends analyzed from 50+ different concepts as code
Very cool overview by Patrick Debois covering various “Foo as Code” trends with supporting resources. Some trends:
AWS Security Fundamentals (Second edition)
Self-paced course by Amazon covering fundamental AWS cloud security concepts, including AWS access control, data encryption methods, and how network access to your AWS infrastructure can be secured. It discusses the user’s security responsibility in AWS and the different security-oriented services available.
A CLI tool by Common Fate that simplifies access to cloud roles and allows multiple cloud accounts to be opened in your web browser simultaneously. It’s designed for AWS SSO and encrypts cached credentials to avoid plaintext SSO tokens being saved on disk.
Tool to test security controls and alerts within your AWS environment, using generated alerts based on security events seen by the AWS Customer Incident Response Team (CIRT).
A tool to simplify the setup and administration of Kubernetes clusters in airgapped environments.
Introducing Whorf: The Checkov-powered Kubernetes Admission Controller
Bridgecrew’s Steve Giguere describes Whorf, a new Kubernetes Validating Admission Controller that uses Checkov as the core validator for Kubernetes manifests.
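As an added example of what a validating admission controller like this does at the request level, the following is my own code, not Whorf's or Checkov's: it takes the `AdmissionReview` object the Kubernetes API server POSTs to a webhook, pulls out the pod spec (directly for a Pod, or from the pod template for Deployments and similar workloads), runs a few hand-written checks standing in for Checkov's Kubernetes policies, and returns the `AdmissionReview` response that allows or denies the object. The `AdmissionReview` request/response shape is the real `admission.k8s.io/v1` one; the sample requests, the container names and image tags, and the specific checks are constructed assumptions.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

API_VERSION = "admission.k8s.io/v1"
# Workload kinds whose pod template is inspected in addition to bare Pods.
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_spec_of(obj):
    """Return the pod spec for a Pod or a pod-template workload, else None."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("spec", {})
    if kind in TEMPLATED_KINDS:
        return obj.get("spec", {}).get("template", {}).get("spec", {})
    return None


def check_pod_spec(spec):
    """Hand-written stand-ins for a few Checkov-style Kubernetes checks."""
    findings = []
    if spec.get("hostNetwork"):
        findings.append("pod shares the host network namespace")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"container {name} runs privileged")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"container {name} allows privilege escalation")
        if not (c.get("resources") or {}).get("limits"):
            findings.append(f"container {name} has no resource limits")
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]  # strip registry/path before checking the tag
        if ":" not in last or image.endswith(":latest"):
            findings.append(f"container {name} uses an unpinned image tag ({image})")
    return findings


def review(admission_review):
    """Turn an AdmissionReview request into an AdmissionReview response."""
    req = admission_review["request"]
    spec = pod_spec_of(req.get("object") or {})
    findings = check_pod_spec(spec) if spec is not None else []
    response = {"uid": req["uid"], "allowed": not findings}
    if findings:
        response["status"] = {"code": 403, "message": "; ".join(findings)}
    return {"apiVersion": API_VERSION, "kind": "AdmissionReview", "response": response}


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front for review(); a real webhook must be served over TLS."""
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        out = json.dumps(review(json.loads(body))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


def _wrap(uid, obj):
    # Constructed request, shaped like what the API server POSTs to the webhook.
    return {"apiVersion": API_VERSION, "kind": "AdmissionReview",
            "request": {"uid": uid, "kind": {"group": "", "version": "v1", "kind": obj["kind"]},
                        "object": obj}}


# Constructed samples: one pod that should be denied, one that should pass.
SAMPLE_REVIEW = _wrap("constructed-uid-1", {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {"containers": [{"name": "app", "image": "nginx:latest",
                             "securityContext": {"privileged": True}}]}})
CLEAN_REVIEW = _wrap("constructed-uid-2", {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {"containers": [{"name": "app", "image": "nginx:1.25",
                             "securityContext": {"privileged": False,
                                                 "allowPrivilegeEscalation": False},
                             "resources": {"limits": {"cpu": "500m", "memory": "128Mi"}}}]}})

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REVIEW), indent=2))
    # To serve: HTTPServer(("", 8443), WebhookHandler).serve_forever(), fronted by TLS,
    # and registered with a ValidatingWebhookConfiguration pointing at it.
```

The only contract that matters to the API server is the response: the `uid` must echo the request's, and `allowed: false` with a `status.message` is what the user sees when `kubectl apply` is rejected. Swapping the hand-written checks for a call into a real policy engine (which is what Whorf does with Checkov) leaves the rest unchanged.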
Why is there a Developer Experience section in this security newsletter?
Because it’s critical to being a modern, effective security team.
What is Developer Experience? a roundup of links and goodness
Great roundup of resources by RedMonk’s James Governor.
Building for the 99% Developers
Akita Software’s Jean Yang argues that most conference talks and FAANG companies portray an idealized form of software development that isn’t representative of real world development environments. We should instead focus on what helps the 99% of developers, not just those with massive teams of experts dedicated to observability, testing, developer productivity, etc. Some truths:
“Trickle-down” tooling is aspirational
There is no gold standard development environment
The goal is progress, not perfection
A good demo doesn’t show the Day 2 snags
Heterogeneity is here to stay
WhyProfiler - the world’s first hybrid profiler, now for Jupyter notebook and Python
What if you could automatically find and fix slow code in your Jupyter notebooks? Robusta’s Natan Yellin shows you can, in a pretty neat way. Basically, WhyProfiler uses a dynamic profiler (yappi) to observe which lines of code are slow and runs Python performance-focused Semgrep rules to find and recommend code fixes for those slow lines.
WhyProfiler is easily extendable: just write a Semgrep rule for any code pattern you’d like to flag and/or fix. And with Semgrep App (free, but not open source) you can enforce coding standards specific to your org (performance, security, whatever) across teams of data scientists, all in one place.
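To show the "hybrid" idea in the two paragraphs above in working code, here is an added example of mine, not WhyProfiler's code: the dynamic half runs a workload under the standard-library `cProfile` (where WhyProfiler uses yappi) and ranks functions by self time; the static half is a toy AST rule standing in for a Semgrep rule, flagging `s += x` on a string accumulator inside a loop; `hybrid_profile` runs the rule only on the functions the profiler ranked hottest. The sample functions `slow_join`, `fast_join` and `workload` and the rule itself are constructed for the demonstration.

```python
import ast
import cProfile
import inspect
from dataclasses import dataclass


@dataclass
class Finding:
    function: str
    line: int
    message: str


def hottest_functions(fn, *args, limit=3):
    """Dynamic half: run fn under cProfile and rank functions by self time."""
    prof = cProfile.Profile()
    prof.runcall(fn, *args)
    rows = []
    for entry in prof.getstats():
        code = entry.code  # a code object for Python functions, a string for builtins
        name = code.co_name if hasattr(code, "co_name") else str(code)
        rows.append((name, entry.inlinetime))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows[:limit]


def find_slow_patterns(fn):
    """Static half: toy stand-in for a Semgrep rule. Flags `name += ...` inside a
    loop when `name` was initialised from a string literal in the same function,
    i.e. building a string by repeated concatenation instead of ''.join."""
    tree = ast.parse(inspect.getsource(fn))
    base = fn.__code__.co_firstlineno - 1  # map AST line numbers back to the file
    str_accumulators = {
        t.id for n in ast.walk(tree) if isinstance(n, ast.Assign)
        for t in n.targets if isinstance(t, ast.Name)
        and isinstance(n.value, ast.Constant) and isinstance(n.value.value, str)
    }
    findings, seen = [], set()
    for loop in ast.walk(tree):
        if not isinstance(loop, (ast.For, ast.While)):
            continue
        for node in ast.walk(loop):
            if (isinstance(node, ast.AugAssign) and isinstance(node.op, ast.Add)
                    and isinstance(node.target, ast.Name)
                    and node.target.id in str_accumulators
                    and node.lineno not in seen):
                seen.add(node.lineno)
                findings.append(Finding(fn.__name__, base + node.lineno,
                                        f"'{node.target.id} +=' inside a loop; "
                                        "collect parts in a list and ''.join them"))
    return findings


def hybrid_profile(fn, *args, limit=3):
    """Only run the static rule on the functions the profiler ranked hottest."""
    findings = []
    for name, _ in hottest_functions(fn, *args, limit=limit):
        target = fn.__globals__.get(name)
        if inspect.isfunction(target):
            findings.extend(find_slow_patterns(target))
    return findings


# Constructed workload: the slow pattern next to its fix.
def slow_join(words):
    out = ""
    for w in words:
        out += w  # flagged by find_slow_patterns
    return out


def fast_join(words):
    return "".join(words)


def workload():
    words = ["x"] * 50_000
    return slow_join(words) == fast_join(words)


if __name__ == "__main__":
    for f in hybrid_profile(workload):
        print(f"{f.function}:{f.line}: {f.message}")
```

The point of the combination is the false-positive budget: a pattern rule alone would flag every string accumulator in the codebase, while the profiler alone says only "this function is slow"; running the rule on the hot functions gives a short list of fixes that actually matter. The same structure holds with yappi for line-level timing and Semgrep for the rules.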
Free Cybersecurity Services and Tools
A curated list by CISA covering: reducing the likelihood of a damaging cyber incident, detecting malicious activity quickly, responding effectively to confirmed incidents, and maximizing resilience.
An incident response framework focused on remote live forensics.
By AlphaSOC: A utility to safely generate malicious network traffic patterns and help security teams to evaluate security controls and network visibility. The tool performs tests to simulate DNS tunneling, DGA traffic, requests to known active C2 destinations, and other suspicious traffic patterns.
📢 State of Modern Application Security: Insights From 400+ AppSec Practitioners
What would make AppSec programs more effective? What’s the relationship like between developers and security? To answer these questions and more, Tromzo commissioned a survey of over 400 AppSec professionals for their first annual State of Modern Application Security Report.
An awesome hacker friend of mine based out of Kyiv. Follow her for updates and perspective.
Derek Thompson’s thread to track economic fallout from Russia sanctions
Ties together a number of links and resources.
Information Warfare Is Without Limits and So Are Its Consequences
Some history of Russian information warfare in Ukraine from 2014 onwards.
Defending the City: An Overview of Defensive Tactics from the Modern History of Urban Warfare
Article from West Point on a number of tactics and strategic advantages defenders have in modern urban warfare, including concrete examples from prior battles.
Zane Lackey joins a16z
Over the past few years, I’ve had a blast doing a number of DevSecOps panels with Zane Lackey and friends. Zane is one of the nicest, sharpest people I’ve met in infosec, and has helped me with a number of personal and career matters. If you’re doing a security start-up, I highly recommend chatting with Zane. Congrats, and all the best in this next chapter!
How Covid Stole Our Time and How We Can Get It Back
Wait but Why’s Tim Urban presents some Depressing Math. For example, if you’re an adult, based on your life expectancy, if you spend say, 1 week with your family a year, you’ve likely already spent over 95% of the time you’ll ever spend with them in person. Same with friends, movies you’ll watch, etc. But the important thing is we can reprioritize our time and change our future.
How Ikea tricks you into buying more stuff
A dive into store architecture, decoy pricing, packing choices, the psychological impact of building your own furniture, food courts, and more.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!