
[tl;dr sec] #129 - Maximizing Bug ROI, Tamper-proof GitHub Builds, Being Vulnerable

How Flipkart gets the most value from every vulnerability, setting up a SLSA 3 GitHub Action build process, the power of being vulnerable.

Hey there,

I hope you’ve been doing well!

Potent Quotables

I wanted to share a few things that made me smile recently.

First, a candidate applied with potentially the best and most appropriate tagline I’ve ever seen in a resume.

Background: they have significant cryptography and math experience from years at the NSA. Right under their name:

“I am ill at these numbers.” – William Shakespeare, Hamlet

Second, I was leaving Safeway, and I saw a man leaving who recognized someone on their way in. He got a big smile on his face, opened his arms wide, and loudly asked,

“Are you hug-enabled?”

Because obviously if you live in the Bay Area you a) ask for consent before physical contact and b) represent all of your current world views as attributes on the You model.

You may think the Bay Area is a bit painfully nerdy. But hey, at least we’re not LA.


📢 On-Demand Fireside Chat: DevSecOps Best Practices in the Enterprise with CTO Cormac Brady & Datadog

Watch Datadog's exclusive fireside chat with CTO Cormac Brady for a 30-minute discussion on driving DevSecOps best practices in the enterprise.

Cormac shares stories and leadership lessons that are applicable to any enterprise technical leader looking to help their firm build and operate services in an increasingly competitive and treacherous digital economy. Watch now on-demand here.

You can also explore Datadog’s DevSecOps whitepaper that lays out a blueprint for assessing and advancing your organization's DevSecOps practices as is discussed in the chat.

📜 In this newsletter...

  • Conferences: Off the Chain for blockchain folks

  • Machine Learning: How DALL-E 2 works

  • Supply Chain: Tamper-proof builds with GitHub Actions, purposefully misconfigured GitHub org, defending against GitHub/OAuth supply chain attacks

  • AppSec: Getting the most value from every vulnerability, code review hotspots with Semgrep

  • Deserialization: Hunting for gadgets in Rails, updated universal deserialisation gadget for modern Ruby

  • Web Security: Burp's static crawler is now much faster, tool to test and exploit STUN and TURN, Jason Haddix's pen test stories

  • Cloud Security: Using OrgFormation to manage AWS orgs with IaC, choosing the right messaging service on AWS, detect publicly accessible Lambda Function URLs in your account

  • Cryptocurrency: Ethereum smart contract best practices, learning blockchain hacking/auditing, Semgrep rules for smart contracts

  • Container Security: Slides and code samples for Docker, container, and Kubernetes trainings, Kubernetes Admission Webhooks illustrated

  • Vulnerability: Daniel Miessler and Brené Brown on the power of vulnerability

  • Misc: Buy a shirt with any Wikipedia article on it, guess WikiHow article from image, Wikipedia's list of common misconceptions, top TikTok songs this week, video game Easter eggs were rebellion, 3D printing houses

  • Aphorism: Kierkegaard on understanding life


Off the Chain Conference
A new blockchain-focused conference occurring a few blocks from RSA. There have already been some submissions on topics like tracing coins through mixers using vulnerabilities, defense talks on storing private keys worth billions, and more. They’ll also be hosting the world’s first NFTCTF, where you keep the NFT/Flag you hacked. CFP is open but closing soon!

Machine Learning

How DALL-E 2 Actually Works
Pretty interesting overview and more detailed look.

Supply Chain

Improving software supply chain security with tamper-proof builds
Google’s Asra Ali and Laurent Simon describe a new method of generating non-forgeable provenance using GitHub Actions workflows for isolation and Sigstore’s signing tools for authenticity. Using this approach, projects building on GitHub runners can achieve SLSA 3 (the third of four progressive SLSA “levels”), which affirms to consumers that your artifacts are authentic and trustworthy.

By Arnica: A learning and training project that demonstrates common configuration errors that can potentially allow adversaries to introduce code to production.

How to protect yourself against GitHub/OAuth Apps Supply Chain Attacks
Arnica’s Nir Valtman describes the difference between OAuth Apps and GitHub Apps, and makes the following recommendations:

OAuth Apps:

  1. Ensure OAuth App Access Restrictions are enabled

  2. Review Organization-wide OAuth Authorization Activity

  3. Review Personal OAuth Authorization Activity

GitHub Apps:

  1. Review App permissions

  2. Limit GitHub App permissions to specific repositories

  3. Get context on the behavior of each application

  4. Install the app in a Sandbox first
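As an added example (not code from Arnica’s post), here is a small audit script that applies recommendations 1 and 2 for GitHub Apps: it walks an org’s installation list and flags apps installed on all repositories or holding write access to sensitive permission scopes. It assumes the shape of the `GET /orgs/{org}/installations` response (`repository_selection` and `permissions` fields) as documented in the GitHub REST API; the installation records below are constructed inline rather than fetched, so it runs offline.

```python
"""Review GitHub App installations in an org for over-broad access.

Added example; not part of Arnica's post or tooling. The record shape
(repository_selection, permissions) follows the GitHub REST API
installation object; SAMPLE_INSTALLATIONS is constructed, not fetched.
"""
import json

# Permission levels that allow changing state, not just reading it.
WRITE_LEVELS = {"write", "admin"}

# Scopes where write access lets an app alter code, CI config, secrets or membership.
SENSITIVE_PERMS = {"contents", "workflows", "actions", "administration",
                   "members", "secrets", "organization_administration"}

# Constructed sample in the shape of GET /orgs/{org}/installations.
SAMPLE_INSTALLATIONS = json.loads("""
{"total_count": 3, "installations": [
  {"id": 101, "app_slug": "ci-helper", "repository_selection": "selected",
   "permissions": {"contents": "read", "checks": "write", "metadata": "read"}},
  {"id": 102, "app_slug": "release-bot", "repository_selection": "all",
   "permissions": {"contents": "write", "workflows": "write", "metadata": "read"}},
  {"id": 103, "app_slug": "dashboard", "repository_selection": "all",
   "permissions": {"metadata": "read"}}
]}
""")


def review_installation(inst):
    """Return a list of findings for one installation record (empty if nothing notable)."""
    findings = []
    # Recommendation 2: the app should be limited to specific repositories.
    if inst.get("repository_selection") == "all":
        findings.append("installed on all repositories")
    # Recommendation 1: review permissions; write on a sensitive scope is worth a look.
    for perm, level in inst.get("permissions", {}).items():
        if perm in SENSITIVE_PERMS and level in WRITE_LEVELS:
            findings.append(f"{perm}:{level}")
    return findings


def severity(findings):
    """Broad repo scope combined with sensitive write access is the worst case."""
    broad = "installed on all repositories" in findings
    sensitive_write = any(":" in f for f in findings)
    if broad and sensitive_write:
        return "high"
    if broad or sensitive_write:
        return "medium"
    return "ok"


def audit(payload):
    """Map app_slug -> (severity, findings) for every installation with findings."""
    report = {}
    for inst in payload["installations"]:
        findings = review_installation(inst)
        if findings:
            report[inst["app_slug"]] = (severity(findings), findings)
    return report


if __name__ == "__main__":
    for slug, (sev, findings) in audit(SAMPLE_INSTALLATIONS).items():
        print(f"{sev:6} {slug}: {', '.join(findings)}")
```

In practice the payload would come from the installations endpoint with an org admin token; the review logic is the same either way, and an app that lands in the `high` bucket is the one to install in a sandbox org first (recommendation 4) before trusting it with production repositories.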


How Flipkart Reacts to Security Vulnerabilities
Flipkart’s Shoeb Patel describes how they try to get the most value from every vulnerability (e.g. from bug bounty, pen tests, internal testing) by not just fixing that one instance, but also looking for variants, adding regression tests, including it in developer education and internal CTFs, and more.

Code Review Hotspots with Semgrep
EA’s Parsia Hakimian describes using Semgrep for finding “code hotspots”: code that may not be a bug, but is potentially sketchy and may deserve an audit from a security engineer. Parsia gives a number of examples of hotspots across languages, including insecure configurations, dangerous functions or patterns, and interesting keywords, as well as how to come up with your own hotspots.


Ruby Deserialization - Gadget on Rails
Harsh Jaiswal describes the process of hunting in the Ruby/Rails source code for an RCE gadget that would work with the most recent version of Ruby or Rails.

Round Two: An Updated Universal Deserialisation Gadget for Ruby 2.x-3.x
William Bowling describes the process of finding a new deserialisation gadget, including a script that autoloads as many classes as it can and then drops into a REPL so he can quickly check if a constant was loaded or dump all classes that implemented a method.

Web Security

Burp Scanner can now crawl static sites between 6x - 9x faster
PortSwigger’s Matt Atkinson describes improvements made to Burp’s crawling of sites without significant dynamic content.

A tool to test and exploit STUN, TURN and TURN over TCP servers (mostly used in WebRTC) by Christian Mehlmauer. It can open a local socks server and relay all traffic over vulnerable devices into the internal network. Christian used Stunner to find multiple vulnerabilities in Cisco Expressway.

Jason Haddix: Complete compromise of a password manager company
I’ve been loving these pen testing stories Jason has been sharing recently. Another: compromising a porn site. Also check out Jason’s blog for excellent OSINT and recon info.

Cloud Security

How to get started with OrgFormation
Michael Bahr walks through using OrgFormation for an IaC approach to AWS organizations. “OrgFormation has many features, like restricting unused regions and large EC2 instances, offering a nice login experience with AWS SSO, and managing service quotas via code.”

By Michael McIntyre: Detect publicly accessible Lambda Function URLs in your AWS account. A CloudFormation template that creates an AWS Config rule that records public AWS Lambda Function URLs as NON_COMPLIANT.
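As an added example (not Michael McIntyre’s template), the check below reproduces the decision such a Config rule has to make. A Function URL is reachable without credentials only when its `AuthType` is `NONE` and the function’s resource-based policy lets principal `*` call `lambda:InvokeFunctionUrl`; with `AuthType` `NONE` but no such policy statement, requests are rejected with 403, so checking `AuthType` alone over-reports. The URL config and policy documents are constructed inline in the shape that boto3’s `get_function_url_config` and `get_policy` return, so the script runs offline.

```python
"""Classify Lambda Function URLs as public (NON_COMPLIANT) or not.

Added example, not the CloudFormation template from the newsletter.
Inputs mirror boto3's get_function_url_config() and get_policy() output;
all sample data below is constructed.
"""
import json


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_allows_public_url_invoke(policy_json):
    """True if any Allow statement grants lambda:InvokeFunctionUrl to everyone."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not ({"lambda:invokefunctionurl", "lambda:*", "*"} & actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")):
            return True
    return False


def classify_function_url(url_config, policy_json):
    """Return the Config-style verdict for one function's URL configuration."""
    if url_config is None:
        return "COMPLIANT"  # no Function URL at all
    public_auth = url_config.get("AuthType") == "NONE"
    if public_auth and policy_allows_public_url_invoke(policy_json):
        return "NON_COMPLIANT"
    return "COMPLIANT"


def evaluate_account(functions):
    """functions: name -> (url_config or None, policy JSON string or None)."""
    return {name: classify_function_url(cfg, policy or "{}")
            for name, (cfg, policy) in functions.items()}


# Constructed samples (placeholder account id and URL host).
PUBLIC_URL = {"FunctionUrl": "https://example-id.lambda-url.us-east-1.on.aws/",
              "AuthType": "NONE"}
IAM_URL = {"FunctionUrl": "https://example-id2.lambda-url.us-east-1.on.aws/",
           "AuthType": "AWS_IAM"}
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow",
        "Principal": "*", "Action": "lambda:InvokeFunctionUrl",
        "Resource": "arn:aws:lambda:us-east-1:000000000000:function:public-fn",
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]})
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::000000000000:role/invoker"},
        "Action": "lambda:InvokeFunctionUrl",
        "Resource": "arn:aws:lambda:us-east-1:000000000000:function:private-fn"}]})

SAMPLE_ACCOUNT = {
    "public-fn": (PUBLIC_URL, PUBLIC_POLICY),      # open to the internet
    "misconfigured-fn": (PUBLIC_URL, PRIVATE_POLICY),  # AuthType NONE but no public grant
    "iam-fn": (IAM_URL, PUBLIC_POLICY),            # SigV4 still required
    "no-url-fn": (None, None),
}

if __name__ == "__main__":
    for name, verdict in evaluate_account(SAMPLE_ACCOUNT).items():
        print(f"{verdict:14} {name}")
```

Wired into a custom Config rule, the Lambda evaluator would fetch both documents per function with `get_function_url_config` and `get_policy` (catching `ResourceNotFoundException` for functions without a URL or policy) and report the verdict via `put_evaluations`; the decision logic stays as shown.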


Ethereum Smart Contract Best Practices
By ConsenSys: Great overview of known attacks, recommendations, software engineering techniques, security tools, and more.

Learning Blockchain Hacking/Auditing
Quick list of resources by Rishabh on understanding Ethereum and Solidity, security best practices and common attacks, CTFs, and audit reports.

Semgrep rules for smart contracts based on actual DeFi exploits, by Arseniy Reutov.

Container Security

Slides and code samples for training, tutorials, and workshops about Docker, containers, and Kubernetes, by Jérôme Petazzoni.


📢 API Security for Dummies eBook

APIs have dramatically altered the application attack surface. As part of our continuing mission to educate organizations, Salt recently released “API Security for Dummies” to address how and why the app dev world has changed and why additional protections are needed. Download the eBook here to learn the most critical elements of API security and get ten prioritized steps you can follow now to start securing APIs for your organization.


No, not that type of vulnerability.

From Daniel Miessler’s excellent Unsupervised Learning newsletter last week:

Vulnerability is not winning or losing; it’s having the courage to show up and be seen when we have no control over the outcome. Vulnerability is not weakness; it’s our greatest measure of courage. -Brené Brown


  • Consider rating not working to get to know yourself better / sharing yourself with close friends and family a long term happiness security tech debt of CVSS 8.0+.

  • Try sharing one thing slightly beyond what you normally would, see how it goes, and how you feel.


Buy a shirt with any Wikipedia article printed on it.

Wikipedia: List of common misconceptions
Huh, a number of these surprised me.

Tokboard - Top TikTok Songs This Week
What the hip kids are listening to these days.

The first ‘Easter eggs’ were an act of corporate rebellion
Some cool video game history. “When Atari’s video game designers were stiffed on credit for their work, they expressed their dissatisfaction through hidden messages.”

Many 3D printing enthusiasts view the process as a viable solution for the ongoing housing shortage and affordability crisis.

Homes that could take about a year to build can instead be 3D printed and complete within several months.

Someday, Icon wants to automate the entire homebuilding process.


Life can only be understood backwards; but it must be lived forwards. - Søren Kierkegaard

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!