• tl;dr sec
  • Posts
  • [tl;dr sec] #127 - Trufflehog V3, The Future of InfoSec, IaC Scanning

[tl;dr sec] #127 - Trufflehog V3, The Future of InfoSec, IaC Scanning

The revamped secret scanner now is faster and finds more secrets, future projecting where the industry is headed, and security scanning infrastructure as code.

Hey there,

I hope you’ve been doing well!

Eccentric Billionaires

The world is replete with TV shows and movies about eccentric rich people.

The Wolf of Wall Street, Bruce Wayne, Tony Stark, Christian Grey, Richie… Rich. (Sidenote: I really liked that movie with Macaulay Culkin growing up, but the title is a bit lazy.)

I find Elon Musk to be an interesting person, because he’s kind of like a movie character: a brilliant nerd gets rich then builds a rocket company to bring humanity to Mars and starts an (autonomous) electric vehicle company to save the environment on Earth.

I don’t agree with his views on a number of things, but I admire his fearlessness in tackling ambitious problem spaces and trying to drag humanity into the future. While tweeting memes and doing things just for the lulz 🤷

If you haven’t heard, Elon Musk is now Twitter’s largest shareholder at 9.2% and was given a board seat. The next highest shareholders are Vanguard at 8.8% and Jack Dorsey at 2.25%. Also Elon:


📢 Datadog Cloud Security On-Demand Webinar: Real-Time Threat Detection and Configuration Audits

In this webinar, you’ll learn how to best utilize the suite of Datadog Cloud Security products to identify the root cause of an attack and how a unified platform provides real-time threat-detection and continuous configuration audits across applications, hosts, containers and cloud infrastructure. Built on top of the observability platform, Datadog brings unprecedented integration between security and devops aligned to shared organizational goals.

Watch the on-demand webinar now to learn how to get full-stack security for your production environment.

📜 In this newsletter...

  • AppSec: A new composable way to build CI pipelines, new version of the Trufflehog secret scanner

  • OAuth: New service like VirusTotal but for OAuth apps

  • Authorization: Two guides on authorization in microservices

  • Supply Chain: How Go mitigates supply chain attacks, finding bugs in package managers

  • Cloud Security: SCP guide, malware in the cloud

  • Infrastructure as Code: GitHub Action for tfsec PR comments, how Square does IaC scanning, scanning AWS CDK code with Semgrep

  • Container Security: StackRox Kubernetes Security Platform is now open source

  • Blue Team: Generate MermaidJS Markdown charts for CVEs, red team MFA bypass techniques

  • Politics / Privacy: The ultimate personal security checklist; Stalkers, Sock Puppets, and Security

  • Humor: SF and Patagonia vests

  • Misc: Pen testing contract templates, the depths of Wikipedia, find where your images are used online, easily convert HEIC to JPG

  • Thinking About the Future of InfoSec: Daniel Miessler theorizes about where we're headed


Introducing Dagger: a new way to create CI/CD pipelines
A portable devkit for CI/CD pipelines that allows you to unify dev and CI environments, test and debug pipelines locally, and avoid CI lock-in. Instead of gluing pipeline together with throwaway scripts, Dagger supports composing reusable actions, which can be shared and reused due to a complete package management system.

Trufflehog V3
Epic new release by the Truffle Security team. See Dylan Ayrey’s video overview for more details, but in short:

  • It’s a complete rewrite in Golang with other speed improvements

  • Now contains over 600 credential detectors that support active verification against their respective APIs.

    • Verifying if the keys still work => no false positives or alert fatigue.

  • Native support for scanning GitHub, GitLab, filesystems, and S3.


Introducing AppTotal: Democratizing third-party apps security
Itay Kruk announces AppTotal, a new service like VirusTotal but for OAuth apps. It dynamically scans SaaS add-ons for vulnerabilities and suspicious or malicious behavior, enabling you to profile third-party apps’ permissions and access, posture, and behavior before connecting them to IT-approved applications.


Authorization in Microservices
A new chapter in Oso’s Authorization Academy covering how to share data between services and various trade-offs: decentralizing or centralizing your authorization model, centralizing data, distributing data with existing infrastructure, Authorization-as-a-Service.

Authorization in a microservices world
RapidDot’s Alexander Lolis describes authorization approaches and their trade-offs, and moving from a simple flag to Role Based Access Control (RBAC) to Attribute Based Access Control (ABAC), as well as architectures with an authz service, an authz and data service, and an authz middleware and library per service.

Supply Chain

How Go Mitigates Supply Chain Attacks
Go team security lead Filippo Valsorda describes some language choices that provide nice security properties.

  • All builds are “locked”

  • Version contents never change

  • VCS is the source of truth

  • Building code doesn’t execute it

  • A little copying is better than a little dependency

Securing Developer Tools: Package Managers
SonarSource’s Paul Gerste describes vulnerabilities they found in several package managers, including Composer, Bundler, Bower, Yarn, and others. Some bugs are due to interesting nuances in how Windows vs other OS’s handle PATH or variable quoting, git argument injection, and more.

Cloud Security

Codify your best practices using service control policies
Overview post on what SCPs are, why you should create SCPs, and the strategy you can use to implement SCPs, as well as how to continue iterating and improving SCPs as your workloads and business needs change. Part 2 discusses how you can create SCPs using constructs from AWS Well-Architected.

The Expansion of Malware to the Cloud
Orca Security’s Bar Kaduri describes the main malware types you may encounter in your cloud with examples and ways to detect and protect yourself from them.

Infrastructure as Code

GitHub Action by Aqua Security that comments on Pull Requests where tfsec checks have failed.

Standardizing Terraform Linting
Square’s Adam Cotenoff describes their rollout strategy, approaches to enforcement, and other lessons learned along the way in minimizing developer friction and maximizing fix rate.

Using SemGrep to find security issues and misconfigurations in AWS Cloud Development Kit projects
Aquia’s Dakota Riley walks through how to write Semgrep rules to find issues directly in AWS CDK code, using some open source rules he’s contributed as examples. Most IaC tools scan the generated Cloudformation output, which can make it harder to trace issues back to the originating CDK code, making it less likely devs will fix the issue.

Dakota shows how Semgrep can enforce usage of company-specific custom constructs, enabling cloud security teams to define secure by default primitives that developers can use. *me: waves secure guardrails flag vehemently*

Container Security

The StackRox Kubernetes Security Platform is now open source. StackRox performs a risk analysis of the container environment (build, deploy, runtime), delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment.

Blue Team

Introducing CVE Markdown Charts
@clearbluejar describes cve-markdown-charts, a simple tool to generate MermaidJS Markdown charts from CVE IDs and CVE keyword searches.

Want some techniques that many Red Teams have been using to circumvent MFA protections on accounts? Yeah, even “unphishable” versions.

I’m sharing so that you can think about what’s coming, how you’ll do mitigations, etc. Its being seen in the wild more these days.

Politics / Privacy

The Ultimate Personal Security Checklist
A curated checklist of 300+ tips for protecting digital security and privacy in 2021, by Alicia Sykes.

Stalkers, Sock Puppets, and Security
A chapter from an unpublished book by Cassie Cage covering InfoSec best practices and techniques that can help protect against online threat actors and stalkers.

FYI Cassie is also looking for jobs in the GRC space, 100% remote or with an office in Austin, TX.


📢 The 2022 State of Cyber Assets Report - Now Available from JupiterOne!

This analysis of over 370 million cyber assets, findings, and policies across almost 1,300 organizations helps security operations, engineers, practitioners and leaders understand cyber assets, liabilities, attack surfaces, and their relationships in the modern enterprise.


Despite Ridicule, the Patagonia Vest Endures in San Francisco Tech
This KQED article was posted on April 1st, but to be honest I can’t tell if it’s a joke.

“The kind of people who wear Patagonia are maybe raising rents and maybe are the kind of people that these other groups are trying to push back on,” he said on a recent afternoon as he played fetch with his golden retriever, with a lacrosse stick and ball, in a grassy field overlooking the San Francisco Bay. “But there’s another cohort of people who do wear Patagonia who are not at all part of that.”


Potentially useful contract templates for code auditors, IT security specialists & penetration testers by Cure53. Includes a DPA, MSA, and NDA.

Want to See the Weirdest of Wikipedia? Look No Further
On @depthsofwikipedia, Annie Rauwerda is compiling some of the crowdsourced site’s most bizarre pages.

Pixsy: Image Theft Protection
Find where your images are being used online.

Quick Action to Convert an Image to JPG
A Shortcut to convert an HEIC (or any other formatted image) to JPG and strip all metadata.

Great post by my bud Daniel Miessler on what InfoSec will look like in the distant future, from organizational structure to technology.

I need to think about it more to have a more nuanced opinion, but a few things I strongly agree with off the bat:

  • Security becoming more mundane as we mature as an industry: less l33t h4x0rs and more “Oh you used a modern framework and didn’t turn any security controls off? Cool, you’ve got XSS, CSRF, SQL injection and … handled.” #SecureDefaultsLyfe

  • More security mechanisms and primitives built into platforms (like AWS, Salesforce, etc.).

  • The strong importance of continuous monitoring, detecting drift, and auto-remediation.

I think much of the current security market is based on how poorly the industry does the basics. AWS exists because local IT within companies was a dumpster full of burning tires. Asset management companies exist because nobody knows what they have, and therefore what to defend. Endpoint companies exist because OS’s haven’t been great at identity, access control, and allow-listing applications and content. As those basics improve, that functionality moves back into the core products.

Two points from Daniel’s summary at the bottom of the post:

• Security will increasingly blend into engineering, both at the technical level and within organizational charts.

• The mid-game (who knows what endgame is) involves a massive operations team monitoring centralized dashboards and responding when things go out of tolerance. Not security dashboards. Company dashboards. Which include security and lots of other types of metrics and risk-levels that need to be kept within tolerances.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!