[tl;dr sec] #128 - Security Engineering, CI/CD Goat, Docker Security Playground
How Chime empowers developers to own security via internal tools, purposefully vulnerable CI/CD exercises, a microservices-based framework for learning network security.
I hope you’ve been doing well!
This issue is a bit longer so I’ll be brief: Janna Haider allowing her students to submit U.S. History memes for extra credit is excellent, and I love it.
Here are a few:
Feedback wanted: Have you bought or sold security assessments?
One of my favorite things with tl;dr sec is collaborating with super smart people on epic guides. And boy, is this one shaping up nicely.
But we need your help!
Please take 5 minutes to fill out a survey, so we can help everyone learn from your experiences and insights.
Hopefully we can then avoid what Haroon Meer has called a market for lemons.
Thanks so much in advance, you can fill out the 5min survey here.
📢 StackHawk and Snyk Join Forces
StackHawk and Snyk have partnered up to provide a complete modern application security testing package.
Learn how these tools can help your teams implement dev-friendly DAST, SAST, and SCA to fix vulnerabilities faster.
📜 In this newsletter...
Machine Learning: DALL•E 2 creates amazing images based on English descriptions
AppSec: CI/CD Goat, C/C++ Semgrep rules for vulnerability research
Secret Management: Git credential manager, CLI tool to manage secrets in SSM Parameter Store
SBOM: Docker now has an sbom command, Software alone is insufficient
Mobile Security: Bypassing SSL pinning on Android Flutter apps with Ghidra
Web Security: Tool to find broken social media links that can be hijacked, Shubham Shah on offensive code review, list of open source web security scanners
Cloud Security: AWS Lambda Function URLs, SCP to prevent open Lambda URLs, chasing an attacker in AWS
Container Security: Bundle Kubernetes app into a single static OCI archive, container tool aimed at running untrusted code
Blue Team: RSS feeds for government CERTs, hosting FleetDM on AWS EKS
Network Security: Docker security playground, distributed packet capture tool for cloud-native platforms
Misc: Awesome Go education, Semgrep Spring 2022 meetup recap, how to answer questions, FAA memes
Monocle: How Chime creates a proactive security & engineering culture: Read it, great insights
Errata: Elon was born rich, Pixsy is shady AF
Sam Altman announces the new release of DALL-E, an AI that can create and edit images based on natural language instructions. What it can do is, frankly, amazing. Check out this 3min explainer video, this Twitter thread, or this Less Wrong post for examples.
By Cider Security: A deliberately vulnerable CI/CD environment. Learn and practice CI/CD security through a set of 10 challenges, enacted against a real, full blown CI/CD environment.
Secure, cross-platform Git credential storage with authentication to GitHub, Azure Repos, and other popular Git hosting services. Also supports MFA.
By Segment: A CLI for managing secrets that stores secrets in SSM Parameter Store, an AWS service for storing secrets.
Announcing Docker SBOM: A step towards more visibility into Docker images
There’s now an experimental docker sbom CLI command that displays the SBOM of any Docker image (uses Syft), and they’re working on making it easy for partners and the community to add SBOM functionality to docker build using BuildKit’s extensibility.
“SBOM” should not exist! Long live the SBOM
Steve Springett argues that a Software Bill of Materials (SBOM) is insufficient, we should really be including services, hardware, and other traditional non-software inventory also, as well as communicating lifecycle to the target audience.
Bypassing SSL pinning on Android Flutter Apps with Ghidra
Android Flutter apps don’t honor Android’s proxy settings nor trust Android’s TrustManager. Raphael Denipotti describes how to patch the libflutter.so binary so you can effectively intercept TLS traffic.
By Utku Şen: Tool that crawls a given URL and finds broken social media links that can be hijacked, which may allow an attacker to conduct phishing attacks. Currently supports Twitter, Facebook, Instagram and TikTok without any API keys.
Shubham Shah on offensive source code review
Great thread with some useful tips.
A list of open source web security scanners by Stackhawk’s Simon Bennetts, covering general purpose web scanners, infrastructure scanners, fuzzers / brute forcers, CMS web scanners, API scanners, and specialized scanners.
AWS Lambda: function URL is live!
AWS has announced AWS Lambda Function URLs, which basically lets you use Lambdas as a public HTTPS endpoint without using an API Gateway or Application Load Balancer. Lumigo’s Yan Cui provides more context about what Function URLs are, how they work, and how to take advantage of them.
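The issue also links an SCP for preventing open Lambda function URLs. As an added illustration (not code from Lumigo, AWS, or the linked post), here is one such SCP expressed as a Python dict, alongside a minimal evaluator that simulates how the Deny statement applies to a request: a function URL with `AuthType: NONE` is refused, while `AWS_IAM` is allowed through. The condition key `lambda:FunctionUrlAuthType` is the one AWS exposes for these actions; the evaluator only implements the `StringEquals` operator and exact action matching, which is all this policy needs.

```python
import json

# Example SCP (written here as an illustration, not copied from an AWS document):
# deny creating or updating a function URL, or granting invoke permission on one,
# whenever the request's auth type is NONE, i.e. an unauthenticated public endpoint.
DENY_OPEN_FUNCTION_URLS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicFunctionUrls",
            "Effect": "Deny",
            "Action": [
                "lambda:CreateFunctionUrlConfig",
                "lambda:UpdateFunctionUrlConfig",
                "lambda:AddPermission",
            ],
            "Resource": "*",
            "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
        }
    ],
}


def _condition_matches(condition, context):
    """Minimal IAM condition evaluator: only StringEquals is supported, which is
    all this SCP uses. As in IAM, a condition key missing from the request
    context does not match."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator not modelled: {operator}")
        for key, wanted in pairs.items():
            if context.get(key) != wanted:
                return False
    return True


def scp_denies(policy, action, context):
    """Return True if any Deny statement in the policy matches the given action
    and request context. SCPs only ever filter permissions, so a matching Deny
    means the request cannot succeed regardless of the principal's IAM policy.
    Action matching is exact (no wildcard expansion), sufficient for this policy."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def policy_json():
    """The SCP as JSON, ready to attach to an OU or account in AWS Organizations."""
    return json.dumps(DENY_OPEN_FUNCTION_URLS, indent=2)


if __name__ == "__main__":
    for auth_type in ("NONE", "AWS_IAM"):
        ctx = {"lambda:FunctionUrlAuthType": auth_type}
        verdict = "DENIED" if scp_denies(DENY_OPEN_FUNCTION_URLS, "lambda:CreateFunctionUrlConfig", ctx) else "allowed"
        print(f"CreateFunctionUrlConfig with AuthType={auth_type}: {verdict}")
    print(policy_json())
```

Note that `lambda:AddPermission` is included because a function URL with `AWS_IAM` auth can still be made effectively public by a resource policy that grants `lambda:InvokeFunctionUrl` to everyone; the condition key covers that path as well.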
Incident report: From CLI to console, chasing an attacker in AWS
Walkthrough by Expel’s Brian Bahtiarian, David Blanton, Britton Manahan, and Kyle Pellett on how they spotted unauthorized access (a login by a long-lived IAM user without MFA from an unusual location), the investigative steps they took to understand what the attacker did (review all IAM API calls from the suspect account), remediation steps and lessons learned.
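The two detection steps in that write-up, flagging a console login by an IAM user with no MFA from an unfamiliar IP and then pulling every IAM API call that identity made, map directly onto CloudTrail fields. The following is an added example (not Expel's tooling) that runs both checks over a handful of constructed CloudTrail records; the field names (`ConsoleLogin`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`, `eventSource`) are CloudTrail's, but the events, user names, IPs and the "known prefixes" baseline are all made up for the demo.

```python
import json
from typing import Iterable

# Constructed sample CloudTrail records (not real data). They model a
# successful console login by a long-lived IAM user with no MFA from an
# unexpected address, followed by IAM control-plane calls from that identity,
# plus a benign MFA-backed login from a known address for contrast.
SAMPLE_EVENTS = [
    {"eventTime": "2022-04-01T02:11:09Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "svc-deploy"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2022-04-01T02:13:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "svc-deploy"}},
    {"eventTime": "2022-04-01T02:14:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "svc-deploy"},
     "requestParameters": {"userName": "svc-deploy"}},
    {"eventTime": "2022-04-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
]

# Assumed baseline of source-IP prefixes the organisation normally logs in from
# (constructed; in practice derive this from historical sign-in data or a VPN range).
KNOWN_PREFIXES = ("198.51.100.",)


def load_cloudtrail(path: str) -> list:
    """Read a CloudTrail log file (JSON object with a top-level "Records" list)."""
    with open(path) as fh:
        return json.load(fh)["Records"]


def suspicious_logins(events: Iterable[dict], known_prefixes=KNOWN_PREFIXES) -> list:
    """Step 1: successful console logins by IAM users (not federated/assumed
    roles) with no MFA, from an IP outside the known prefixes.
    Returns (userName, sourceIPAddress, eventTime) tuples."""
    hits = []
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        if e.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        ident = e.get("userIdentity", {})
        if ident.get("type") != "IAMUser":
            continue
        mfa_used = e.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        ip = e.get("sourceIPAddress", "")
        if not mfa_used and not ip.startswith(known_prefixes):
            hits.append((ident.get("userName"), ip, e.get("eventTime")))
    return hits


def iam_calls_by(events: Iterable[dict], user_name: str) -> list:
    """Step 2: every IAM control-plane call made by the suspect user, in time
    order, so persistence attempts such as CreateAccessKey stand out."""
    calls = [e for e in events
             if e.get("eventSource") == "iam.amazonaws.com"
             and e.get("userIdentity", {}).get("userName") == user_name]
    return sorted((c["eventTime"], c["eventName"]) for c in calls)


if __name__ == "__main__":
    for user, ip, when in suspicious_logins(SAMPLE_EVENTS):
        print(f"[!] no-MFA console login by IAM user {user} from {ip} at {when}")
        for when, call in iam_calls_by(SAMPLE_EVENTS, user):
            print(f"    {when}  iam:{call}")
```

To run it against real data, replace `SAMPLE_EVENTS` with `load_cloudtrail("path/to/trail.json")`; the same two functions apply unchanged, since they only read standard CloudTrail fields.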
A container runtime tool aimed at providing unprivileged sandboxes. Unlike most existing approaches (e.g. systemd-nspawn, docker), bubblewrap is intended for running untrusted code.
A microservices-based framework for the study of network security and penetration testing techniques.
Introducing PacketStreamer: distributed packet capture for cloud-native platforms
Deepfence’s Owen Garrett describes PacketStreamer, an open-source tool that captures network traffic from multiple remote sources concurrently and aggregates the data into a single pcap log file. It’s written in Go and supports network capture from Kubernetes nodes, Docker hosts and bare-metal / virtual-machine servers.
📢 It’s CFP season! 🥳🤨😰
Need a hand to get your team’s submissions in on time? Let Discernible’s team of security communication experts help you create clear, unique, and compelling submissions to win over even the most stubborn program committee. We’ll also help with content development and speaker prep!
By the way, Melanie Ensign, the Founder & CEO of Discernible is pretty legit - she’s a steering committee member and PR lead for DEF CON, program committee co-chair for Enigma, was the Global Head of Security, Privacy, and Engineering Communications at Uber, and more 🤯
Semgrep Spring 2022 meetup recap
r2c’s Emily Fortuna provides an overview and recap of the most recent Semgrep meetup, including my discussion of security trends (shift to security engineering, secure defaults, developer experience), new Semgrep features, community members sharing their work (Lewis Ardern’s VS Code extension that provides Semgrep rule templates, Robusta’s Natan Yellin’s WhyProfiler), and Semgrep’s upcoming roadmap. Watch the recording here.
Wes Kao: How to Answer Questions
Awesome thread. A few tidbits: make sure to understand the “question behind the question,” tailor your answer to the asker (e.g. if they’re a numbers person), and aim for getting to an “eyes light up” moment.
Unruly Behavior Digital Signage
The FAA has created memes to discourage misbehavior against flight crew. Because this is the world we live in, sigh.
I loved this example of great security engineering by Chime’s David Trejo.
David describes building Monocle, an internal dashboard that educates service and code owners on their security posture, and provides simple, actionable guidance on how to improve it.
Assigning a letter grade encourages developers to raise it (who wants to be at a C?), proactively address issues when the letter goes down, and provides visibility to leadership.
And everything works within existing developer workflows, like a GitHub badge, Slack notifications, and more. Tons of good ideas in this post, highly recommend reading.
1/4 Interesting “Gamified Security Scorecard” case study from Chime 👌🏾
A short thread of threads 🧵👇🏾
— Laksh Raghavan (@laraghavan)
Apr 8, 2022
See also Laksh Raghavan’s thoughts on this post, and the excellent Netflix talk, A Pragmatic Approach for Internal Security Partnerships, which has similarly interesting security engineering and internal dashboard examples.
One of the great things about having a newsletter is that people quickly point out when you’re wrong or are missing important context. Here are two things from last week:
From Riches to… Riches
Not knowing anything about Elon Musk’s past, I had assumed he grew up poor or middle class. However, according to Wikipedia, his family was quite wealthy.
Shady Services
I referenced Pixsy, a service nominally about helping creatives prevent others from misusing their work. However, Pixsy has actually been abusing a loophole in old Creative Commons licenses to extort and copyright-troll people who misattribute CC-licensed works (or are even using them correctly).
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!