[tl;dr sec] #127 - Trufflehog V3, The Future of InfoSec, IaC Scanning
The revamped secret scanner now is faster and finds more secrets, future projecting where the industry is headed, and security scanning infrastructure as code.
I hope you’ve been doing well!
The world is replete with TV shows and movies about eccentric rich people.
The Wolf of Wall Street, Bruce Wayne, Tony Stark, Christian Grey, Richie… Rich. (Sidenote: I really liked that movie with Macaulay Culkin growing up, but the title is a bit lazy.)
I find Elon Musk to be an interesting person, because he’s kind of like a movie character: a brilliant nerd gets rich then builds a rocket company to bring humanity to Mars and starts an (autonomous) electric vehicle company to save the environment on Earth.
I don’t agree with his views on a number of things, but I admire his fearlessness in tackling ambitious problem spaces and trying to drag humanity into the future. While tweeting memes and doing things just for the lulz 🤷
If you haven’t heard, Elon Musk is now Twitter’s largest shareholder at 9.2% and was given a board seat. The next highest shareholders are Vanguard at 8.8% and Jack Dorsey at 2.25%. Also Elon:
📢 Datadog Cloud Security On-Demand Webinar: Real-Time Threat Detection and Configuration Audits
In this webinar, you’ll learn how to best utilize the suite of Datadog Cloud Security products to identify the root cause of an attack and how a unified platform provides real-time threat-detection and continuous configuration audits across applications, hosts, containers and cloud infrastructure. Built on top of the observability platform, Datadog brings unprecedented integration between security and devops aligned to shared organizational goals.
Watch the on-demand webinar now to learn how to get full-stack security for your production environment.
📜 In this newsletter...
AppSec: A new composable way to build CI pipelines, new version of the Trufflehog secret scanner
OAuth: New service like VirusTotal but for OAuth apps
Authorization: Two guides on authorization in microservices
Supply Chain: How Go mitigates supply chain attacks, finding bugs in package managers
Cloud Security: SCP guide, malware in the cloud
Infrastructure as Code: GitHub Action for tfsec PR comments, how Square does IaC scanning, scanning AWS CDK code with Semgrep
Container Security: StackRox Kubernetes Security Platform is now open source
Blue Team: Generate MermaidJS Markdown charts for CVEs, red team MFA bypass techniques
Politics / Privacy: The ultimate personal security checklist; Stalkers, Sock Puppets, and Security
Humor: SF and Patagonia vests
Misc: Pen testing contract templates, the depths of Wikipedia, find where your images are used online, easily convert HEIC to JPG
Thinking About the Future of InfoSec: Daniel Miessler theorizes about where we're headed
Introducing Dagger: a new way to create CI/CD pipelines
A portable devkit for CI/CD pipelines that allows you to unify dev and CI environments, test and debug pipelines locally, and avoid CI lock-in. Instead of gluing pipelines together with throwaway scripts, Dagger lets you compose reusable actions, which can be shared and reused thanks to a complete package management system.
It’s a complete rewrite in Go, with other speed improvements.
Now contains over 600 credential detectors that support active verification against their respective APIs.
Verifying whether the keys still work means no false positives or alert fatigue.
Native support for scanning GitHub, GitLab, filesystems, and S3.
Introducing AppTotal: Democratizing third-party apps security
Itay Kruk announces AppTotal, a new service like VirusTotal but for OAuth apps. It dynamically scans SaaS add-ons for vulnerabilities and suspicious or malicious behavior, enabling you to profile third-party apps’ permissions and access, posture, and behavior before connecting them to IT-approved applications.
Authorization in Microservices
A new chapter in Oso’s Authorization Academy covering how to share data between services and various trade-offs: decentralizing or centralizing your authorization model, centralizing data, distributing data with existing infrastructure, Authorization-as-a-Service.
Authorization in a microservices world
RapidDot’s Alexander Lolis describes authorization approaches and their trade-offs, and moving from a simple flag to Role Based Access Control (RBAC) to Attribute Based Access Control (ABAC), as well as architectures with an authz service, an authz and data service, and an authz middleware and library per service.
All builds are “locked”
Version contents never change
VCS is the source of truth
Building code doesn’t execute it
A little copying is better than a little dependency
Securing Developer Tools: Package Managers
SonarSource’s Paul Gerste describes vulnerabilities they found in several package managers, including Composer, Bundler, Bower, Yarn, and others. Some bugs are due to interesting nuances in how Windows vs. other OSes handle PATH or variable quoting, git argument injection, and more.
Codify your best practices using service control policies
Overview post on what SCPs are, why you should create SCPs, and the strategy you can use to implement SCPs, as well as how to continue iterating and improving SCPs as your workloads and business needs change. Part 2 discusses how you can create SCPs using constructs from AWS Well-Architected.
Infrastructure as Code
Standardizing Terraform Linting
Square’s Adam Cotenoff describes their rollout strategy, approaches to enforcement, and other lessons learned along the way in minimizing developer friction and maximizing fix rate.
Using SemGrep to find security issues and misconfigurations in AWS Cloud Development Kit projects
Aquia’s Dakota Riley walks through how to write Semgrep rules to find issues directly in AWS CDK code, using some open source rules he’s contributed as examples. Most IaC tools scan the generated CloudFormation output, which can make it harder to trace issues back to the originating CDK code, making it less likely devs will fix the issue.
Dakota shows how Semgrep can enforce usage of company-specific custom constructs, enabling cloud security teams to define secure by default primitives that developers can use. *me: waves secure guardrails flag vehemently*
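To make the kind of rule Dakota describes concrete, here are two hypothetical Semgrep rules added for this issue (not from his post or the rules he contributed upstream): one flags CDK S3 buckets created with public_read_access=True, the other flags direct use of aws_s3.Bucket outside an assumed in-house `secure_constructs` package that wraps it with hardened defaults. They assume the CDK app is written in Python.

```yaml
# Added example (not from Dakota Riley's post or his contributed rules).
# Assumes a Python CDK app and a hypothetical in-house package
# `secure_constructs` that wraps aws_s3.Bucket with hardened defaults.
rules:
  - id: cdk-s3-bucket-public-read-access
    languages: [python]
    severity: ERROR
    message: >-
      S3 bucket is created with public_read_access=True. Public buckets
      expose their contents to the internet; drop the flag and serve the
      objects through CloudFront or presigned URLs instead.
    metadata:
      category: security
      technology: [aws-cdk]
    # Semgrep resolves import aliases, so this pattern also matches
    # `from aws_cdk import aws_s3 as s3` followed by
    # `s3.Bucket(self, "Logs", public_read_access=True)`.
    pattern: aws_cdk.aws_s3.Bucket(..., public_read_access=True, ...)

  - id: cdk-use-company-s3-construct
    languages: [python]
    severity: WARNING
    message: >-
      Use secure_constructs.SecureBucket instead of aws_s3.Bucket directly,
      so that the team's encryption, block-public-access and access-logging
      defaults are applied without each developer remembering them.
    metadata:
      category: best-practice
      technology: [aws-cdk]
    paths:
      # The wrapper itself is the one place allowed to instantiate
      # aws_s3.Bucket; everything else should go through SecureBucket.
      exclude:
        - "**/secure_constructs/**"
    pattern: aws_cdk.aws_s3.Bucket(...)
```

Run with `semgrep --config cdk-rules.yaml .` in the CDK project; the first rule is a hard failure in CI, the second surfaces in PR review as a nudge toward the guardrail construct.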
The StackRox Kubernetes Security Platform is now open source. StackRox performs a risk analysis of the container environment (build, deploy, runtime), delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment.
Politics / Privacy
FYI Cassie is also looking for jobs in the GRC space, 100% remote or with an office in Austin, TX.
📢 The 2022 State of Cyber Assets Report - Now Available from JupiterOne!
This analysis of over 370 million cyber assets, findings, and policies across almost 1,300 organizations helps security operations, engineers, practitioners and leaders understand cyber assets, liabilities, attack surfaces, and their relationships in the modern enterprise.
Despite Ridicule, the Patagonia Vest Endures in San Francisco Tech
This KQED article was posted on April 1st, but to be honest I can’t tell if it’s a joke.
Want to See the Weirdest of Wikipedia? Look No Further
On @depthsofwikipedia, Annie Rauwerda is compiling some of the crowdsourced site’s most bizarre pages.
Pixsy: Image Theft Protection
Find where your images are being used online.
Quick Action to Convert an Image to JPG
A Shortcut to convert an HEIC (or any other formatted image) to JPG and strip all metadata.
Great post by my bud Daniel Miessler on what InfoSec will look like in the distant future, from organizational structure to technology.
I need to think about it more to have a more nuanced opinion, but a few things I strongly agree with off the bat:
Security becoming more mundane as we mature as an industry: less l33t h4x0rs and more “Oh you used a modern framework and didn’t turn any security controls off? Cool, you’ve got XSS, CSRF, SQL injection and … handled.” #SecureDefaultsLyfe
More security mechanisms and primitives built into platforms (like AWS, Salesforce, etc.).
The strong importance of continuous monitoring, detecting drift, and auto-remediation.
Two points from Daniel’s summary at the bottom of the post:
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!