[tl;dr sec] #130 - Project Zero on 0day Trends, ThinkstScapes, How Do You Actually Find Bugs?
Maddie Stone on 2021 0day trends, Thinkst's excellent research round-up, Mark Dowd OffensiveCon keynote on security research
I hope you’ve been doing well!
In Recent News
Unrelatedly, shout-out to the management consultants out there 👏
📢 5 Features you need in an automated security platform
There are so many compliance platforms on the market, yet not all are created equal. As the leader in compliance automation, we know exactly what features to look for when choosing an automated platform. We've compiled a list of the biggest differentiators to check for, and we explain how each feature works in order to make your job more efficient as you go through the compliance process. Check out our guide to the five must-haves in an automated security platform.
📜 In this newsletter...
Conferences: OffensiveCon keynote on how to find bugs, Insomni'hack 2022 presentations
SSH: A smart SSH bastion host for Linux usable with any SSH client, a memory-safe SSH server built in Go with secure defaults
AppSec: DataDog Security Labs' PoCs, cURL but for gRPC, 6 principles for pragmatic start-up security
Cloud Security: Mitigating the top 10 GCP security threats, GCP asset inventory, Lambda that converts any document format that LibreOffice can import, CLI that uses Okta IdP via SAML for temporary AWS creds, Prowler Pro, a decade of AWS Marketplace
OPA: Audit your GitHub data using Rego, vet resources at deploy time using OPA + AWS CloudFormation Hook
Container Security: Gaining visibility via a security-focused service mesh
Misc: Easier and faster jq, make your Slack Google-searchable, keyboard shortcuts, license plates from around the world
The More You Know, The More You Know You Don’t Know: Google Project Zero on 2021 0day trends
ThinkstScapes Quarterly: 2022 Q1: Great round-up of security research by Thinkst
Twitter: Permanent chronic pain vs acute pain
OffensiveCon22: How Do You Actually Find Bugs?
Great keynote by Mark Dowd, author of The Art of Software Security Assessment, in which he shares his mindset and tips as a long time vulnerability researcher.
Insomni’hack 2022 YouTube Playlist
Has some interesting talks, both offensive and defensive.
Information, exploits, and scripts from Datadog Security Labs, by DataDog’s Christophe Tafani-Dereeper and Andrew Krug. Currently has PoCs for the Dirty Pipe container breakout, Spring4Shell, and the JWT Null Signature Vulnerability.
Like cURL, but for gRPC: a CLI tool for interacting with gRPC servers, by FullStory. You can also browse the schema for gRPC services, either by querying a server that supports server reflection, by reading proto source files, or by loading in compiled “protoset” files.
Vanta’s 6 principles for pragmatic startup security
Vanta’s Rob Picard describes practical, high value areas that are useful to focus on at a start-up.
Mitigating the top 10 security threats to GCP using the CIS Google Cloud Platform Foundation Benchmark
NCC Group’s Viktor Gazdag outlines some of the recommendations of the latest CIS GCP benchmark, to which he contributed. Topics: resource segregation, IAM, network security, cloud storage, compute engine, cloud SQL, and logging and monitoring.
Where’s my stuff on GCP?
Google’s Nick Brandaleone shares how easy it is to use GCP’s Cloud Asset Inventory functionality to search for all of your GCP resources globally: $ gcloud asset search-all-resources.
A CLI that utilizes an Okta IdP via SAML to acquire temporary AWS credentials via AWS STS.
Putting the Pro in Prowler
Toni de la Fuente, the creator of Prowler, will now be working on Prowler Pro, which makes it easy to deploy in multiple AWS cloud accounts, and offers centralized, automated reporting with configurable dashboards. It’s always nice to see open source tools getting more development, and the creators of them being rewarded.
Related meme by Naomi Buckwalter:
A decade of innovating with AWS Marketplace
An interesting history and overview of AWS Marketplace, which aims to make it easy to buy and deploy software from vendors into your AWS environment, like Snowflake, Databricks, Palo Alto Networks, and more.
Audit your GitHub data using custom policies written in Rego. Generate reports, perform auditing and more.
The OPA AWS CloudFormation Hook
Styra’s Anders Eknert describes using the new AWS CloudFormation Hook feature to allow custom code (in this case OPA) to intercept a resource on its way to deployment and verify its properties against policy at provisioning time.
Gaining Visibility Within Container Clusters
Palo Alto Networks’ Nathaniel Quist describes how using a security-focused service mesh can help you with runtime and network traffic monitoring and visibility in Kubernetes clusters. Here’s an example architecture:
📢 Eliminate noise and prioritize the vulnerabilities that really matter with Risk Spotlight
Is your team drowning in container vulnerability noise? Are you spending a lot of time figuring out where to focus resources and still missing risky vulnerabilities? You are not alone. Read this blog to learn how fast and easy it can be to find, focus on, and fix vulnerabilities that pose a real risk.
Introducing zq: an Easier (and Faster) Alternative to jq
By Brim Data. I haven’t played with it yet, but zq’s syntax seems a bit more intuitive than jq’s.
Linen: Make your Slack community Google-searchable
“Linen syncs your Slack threads to an SEO friendly website that allows your community to discover you through search engines and reduces the number of repeat questions.”
Use The Keyboard
A collection of keyboard shortcuts for Mac apps, Windows programs, and websites.
License Plates Of The World
See license plates from all around the world.
Google Project Zero’s Maddie Stone presents Project Zero’s annual review of 0days used in-the-wild in 2021.
58 in-the-wild 0-days detected and disclosed, the most ever recorded since Project Zero began tracking in mid-2014.
They believe this increased number is due to better detection, not more being used.
39, or 67%, were memory corruption.
Attacker methodology hasn’t actually had to change much: they’re having success using the same bug patterns and exploitation techniques and going after the same attack surfaces.
Outstanding questions include:
Another great round-up of security research by Thinkst Canary, covering:
Low-level, but high-privilege bug hunting
Confidential computing for the masses
Machine learning is here to help, or not
One that stuck out to me is “Why No One Pwned Synology at Pwn2Own and Tianfu Cup in 2021” (slides) by Eugene Lim and Loke Hui Yi, in which they reflected on how Synology held up as targets at two IoT-focused exploitation contests.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!