[tl;dr sec] #129 - Maximizing Bug ROI, Tamper-proof GitHub Builds, Being Vulnerable
How Flipkart gets the most value from every vulnerability, setting up a SLSA 3 GitHub Action build process, the power of being vulnerable.
I hope you’ve been doing well!
I wanted to share a few things that made me smile recently.
First, a candidate applied with potentially the best and most appropriate tagline I’ve ever seen in a resume.
Background: they have significant cryptography and math experience from years at the NSA. Right under their name:
Second, I was leaving Safeway, and I saw a man leaving who recognized someone on their way in. He got a big smile on his face, opened his arms wide, and loudly asked,
Because obviously if you live in the Bay Area you a) ask for consent before physical contact and b) represent all of your current world views as attributes on the You model.
You may think the Bay Area is a bit painfully nerdy. But hey, at least we’re not LA.
📢 On-Demand Fireside Chat: DevSecOps Best Practices in the Enterprise with CTO Cormac Brady & Datadog
Watch Datadog's exclusive fireside chat with CTO Cormac Brady for a 30-minute discussion on driving DevSecOps best practices in the enterprise.
Cormac shares stories and leadership lessons that are applicable to any enterprise technical leader looking to help their firm build and operate services in an increasingly competitive and treacherous digital economy. Watch now on-demand here.
You can also explore Datadog’s DevSecOps whitepaper, which lays out a blueprint for assessing and advancing your organization's DevSecOps practices, as discussed in the chat.
📜 In this newsletter...
Conferences: Off the Chain for blockchain folks
Machine Learning: How DALL-E 2 works
Supply Chain: Tamper-proof builds with GitHub Actions, purposefully misconfigured GitHub org, defending against GitHub/OAuth supply chain attacks
AppSec: Getting the most value from every vulnerability, code review hotspots with Semgrep
Deserialization: Hunting for gadgets in Rails, updated universal deserialisation gadget for modern Ruby
Web Security: Burp's static crawler is now much faster, tool to test and exploit STUN and TURN, Jason Haddix's pen test stories
Cloud Security: Using OrgFormation to manage AWS orgs with IaC, choosing the right messaging service on AWS, detect publicly accessible Lambda Function URLs in your account
Cryptocurrency: Ethereum smart contract best practices, learning blockchain hacking/auditing, Semgrep rules for smart contracts
Container Security: Slides and code samples for Docker, container, and Kubernetes trainings, Kubernetes Admission Webhooks illustrated
Vulnerability: Daniel Miessler and Brené Brown on the power of vulnerability
Misc: Buy a shirt with any Wikipedia article on it, guess WikiHow article from image, Wikipedia's list of common misconceptions, top TikTok songs this week, video game Easter eggs were rebellion, 3D printing houses
Aphorism: Kierkegaard on understanding life
Off the Chain Conference
A new blockchain-focused conference occurring a few blocks from RSA. There have already been some submissions on topics like tracing coins through mixers using vulnerabilities, defense talks on storing private keys worth billions, and more. They’ll also be hosting the world’s first NFTCTF, where you keep the NFT/Flag you hacked. CFP is open but closing soon!
How DALL-E 2 Actually Works
Pretty interesting overview and more detailed look.
Improving software supply chain security with tamper-proof builds
Google’s Asra Ali and Laurent Simon describe a new method of generating non-forgeable provenance using GitHub Actions workflows for isolation and Sigstore’s signing tools for authenticity. Using this approach, projects building on GitHub runners can achieve SLSA 3 (the third of four progressive SLSA “levels”), which affirms to consumers that your artifacts are authentic and trustworthy.
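As an added illustration (my own, not code from the Google post or the SLSA project), here is the shape of a GitHub Actions workflow that builds an artifact, records its SHA-256 digest, and hands that digest to the SLSA generic provenance generator, which runs in its own isolated job and signs the provenance with Sigstore. Assumptions: the reusable workflow path and its base64-subjects input are as I know them from the slsa-github-generator project, the build script and artifact name are placeholders, and the version tag must be checked against the generator's current release before use.

```yaml
name: release-with-slsa3-provenance
on:
  push:
    tags: ["v*"]

permissions: read-all   # least privilege at the top; jobs ask for more only where needed

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      digests: ${{ steps.hash.outputs.digests }}
    steps:
      - uses: actions/checkout@v3
      - name: Build the artifact
        run: ./build.sh              # assumption: produces dist/app.tar.gz
      - name: Record the subject digest
        id: hash
        run: |
          set -euo pipefail
          cd dist
          # "<sha256>  <filename>" lines, base64-encoded, are the subject list the generator expects
          echo "digests=$(sha256sum app.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v3
        with:
          name: app
          path: dist/app.tar.gz

  provenance:
    needs: [build]
    permissions:
      actions: read      # read the build job's metadata for the provenance
      id-token: write    # mint the OIDC token Sigstore uses for keyless signing
      contents: write    # attach the provenance to the GitHub release for this tag
    # The generator runs in a separate job the build cannot influence, which is what
    # makes the provenance non-forgeable. PLACEHOLDER version tag: pin to a current release.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
    with:
      base64-subjects: "${{ needs.build.outputs.digests }}"
      upload-assets: true
```

Consumers then check the downloaded artifact against the provenance (for example with the project's slsa-verifier tool) before trusting it.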
How to protect yourself against GitHub/OAuth Apps Supply Chain Attacks
Arnica’s Nir Valtman describes the difference between OAuth Apps and GitHub Apps, and makes the following recommendations:
Ensure OAuth App Access Restrictions are enabled
Review Organization-wide OAuth Authorization Activity
Review Personal OAuth Authorization Activity
Review App permissions
Limit GitHub App permissions to specific repositories
Get context on the behavior of each application
Install the app in a Sandbox first
How Flipkart Reacts to Security Vulnerabilities
Flipkart’s Shoeb Patel describes how they try to get the most value from every vulnerability (e.g. from bug bounty, pen tests, internal testing) by not just fixing that one instance, but also looking for variants, adding regression tests, including it in developer education and internal CTFs, and more.
Code Review Hotspots with Semgrep
EA’s Parsia Hakimian describes using Semgrep for finding “code hotspots”: code that may not be a bug, but is potentially sketchy and may deserve an audit from a security engineer. Parsia gives a number of examples of hotspots across languages, including insecure configurations, dangerous functions or patterns, and interesting keywords, as well as how to come up with your own hotspots.
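An added illustration (mine, not rules from Parsia's post) of the hotspot idea as Semgrep rules: one for each of the three categories the post names, a dangerous function, an insecure configuration, and an interesting keyword. All three run at INFO severity because a hit is a prompt for a security engineer to look, not a confirmed bug. Rule ids, patterns, and messages are my own.

```yaml
rules:
  - id: hotspot-python-unsafe-deserialization
    languages: [python]
    severity: INFO             # hotspot: worth an audit, not a confirmed bug
    message: >-
      Deserialization that can run code if the input is attacker-controlled.
      Confirm where this data comes from before treating it as a finding.
    metadata:
      category: hotspot
      hotspot-kind: dangerous-function
    pattern-either:
      - pattern: pickle.loads(...)
      - pattern: pickle.load(...)
      - pattern: yaml.load($DATA)        # no Loader given: unsafe default on PyYAML < 6

  - id: hotspot-python-tls-verification-disabled
    languages: [python]
    severity: INFO
    message: >-
      Certificate verification is switched off here. Check whether this is
      test-only code or something that reaches production.
    metadata:
      category: hotspot
      hotspot-kind: insecure-configuration
    pattern-either:
      - pattern: requests.$METHOD(..., verify=False, ...)
      - pattern: ssl._create_unverified_context()

  - id: hotspot-security-keyword-in-comment
    languages: [python]
    severity: INFO
    message: >-
      A comment mentions a security-relevant shortcut. Confirm the shortcut
      was never shipped as-is.
    metadata:
      category: hotspot
      hotspot-kind: interesting-keyword
    # Matches comments like "# TODO: fix token validation" or "# HACK: skip auth"
    pattern-regex: '(?i)#.*\b(todo|fixme|hack)\b.*\b(auth|token|secret|crypt|valid)'
```

Run with `semgrep --config hotspots.yml .` and triage the INFO results as an audit queue rather than as findings.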
Round Two: An Updated Universal Deserialisation Gadget for Ruby 2.x-3.x
William Bowling describes the process of finding a new deserialisation gadget, including a script that autoloads as many classes as it can and then drops into a REPL so he can quickly check if a constant was loaded or dump all classes that implemented a method.
Burp Scanner can now crawl static sites between 6x - 9x faster
Portswigger’s Matt Atkinson describes improvements made to Burp’s crawling of sites without significant dynamic content.
A tool to test and exploit STUN, TURN and TURN over TCP servers (mostly used in WebRTC) by Christian Mehlmauer. It can open a local socks server and relay all traffic over vulnerable devices into the internal network. Christian used Stunner to find multiple vulnerabilities in Cisco Expressway.
Jason Haddix: Complete compromise of a password manager company
I’ve been loving these pen testing stories Jason has been sharing recently. Another: compromising a porn site. Also check out Jason’s blog for excellent OSINT and recon info.
How to get started with OrgFormation
Michael Bahr walks through using OrgFormation for an IaC approach to AWS organizations. “OrgFormation has many features, like restricting unused regions and large EC2 instances, offering a nice login experience with AWS SSO, and managing service quotas via code.”
By Michael McIntyre: Detect publicly accessible Lambda Function URLs in your AWS account. A CloudFormation template that creates an AWS Config rule that records public AWS Lambda Function URLs as NON_COMPLIANT.
📢 API Security for Dummies eBook
APIs have dramatically altered the application attack surface. As part of our continuing mission to educate organizations, Salt recently released “API Security for Dummies” to address how and why the app dev world has changed and why additional protections are needed. Download the eBook here to learn the most critical elements of API security and get ten prioritized steps you can follow now to start securing APIs for your organization.
No, not that type of vulnerability.
Consider rating not working to get to know yourself better / sharing yourself with close friends and family a long-term happiness security tech debt of CVSS 8.0+.
Try sharing one thing slightly beyond what you normally would, see how it goes, and how you feel.
Buy a shirt with any Wikipedia article printed on it.
Guess the WikiHow article based on an Image
Kind of hard actually.
Wikipedia: List of common misconceptions
Huh, a number of these surprised me.
Tokboard - Top TikTok Songs This Week
What the hip kids are listening to these days.
The first ‘Easter eggs’ were an act of corporate rebellion
Some cool video game history. “When Atari’s video game designers were stiffed on credit for their work, they expressed their dissatisfaction through hidden messages.”
See a 3D Printer Create a 2,000-Square-Foot Luxury Texas Home
Lots of pictures, pretty neat.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!