[tl;dr sec] #134 - DevSecOps, Scalable Canary Tokens, Learning from AWS Customer Security Breaches
Useful ways to think about modern security teams, how to scale honeytokens while maintaining server level attribution, and how to harden your AWS environment based on public breaches.
I hope you’ve been doing well!
Being a Hot Dog
Last week at my team’s offsite, we were talking about different types of skillsets on the team.
A common term thrown around in tech is T-shaped people, who have some level of familiarity across a number of areas (the top of the T), and significant expertise in one thing (the body of the T).
My bud Grayson Hardaway was saying that as an eng manager now he feels like he’s more just… a line. Like, the top of the T. Still comfortable in a number of areas, but it’s hard to keep the depth.
Trying to cheer him up, another team member said, “Well, you’re not just a line, because that conveys no depth in anything. You do know more than that about some things. You’re more like… a hot dog, which is not necessarily deep, but somewhat wider.” 🤣
I laughed, said I felt the same way, and now I am forever referred to as a hot dog by the rest of the team, heh.
This also reminds me of that app on Silicon Valley:
Feel free to convey your value add to your team or company as also being a hot dog 🤣.
📢 Introducing the DevSecGuide to Kubernetes 🐳
As the de facto container orchestrator, Kubernetes has undeniable benefits when it comes to building performant and scalable applications. Its complexity and flexibility can create security challenges, but when approached with DevSecOps, can provide an opportunity to automate security from the start.
Download this free guide to explore the unique considerations Kubernetes presents for cloud-native application security. Learn how to build on top of its built-in security foundation for improved automation and DevSecOps collaboration.
📜 In this newsletter...
Navigating the Downturn: Resources on navigating the current economy
Web Security: Portswigger's vulnerable app for testing web scanners, a grammar-based HTTP fuzzer
Cloud Security: GCP resource scanner to determine level of access certain creds have, AWS canary tokens that scale, using stolen IAM creds, learning from AWS customer security breaches
Container Security: eBPF-based security observability and runtime enforcement tool, whitepaper on excessive Kubernetes permissions in popular platforms, tool to identify risky permissions and privilege escalation paths in k8s clusters
Politics / Privacy: How to enable HTTPS-only mode in mainstream browsers
OSINT / Recon: Machine learning-based scanner for PII in images
Misc: Mega list of open source games, list of open source security tools, why you shouldn't ransomware the Bank of Zambia, you can order 8 more free COVID tests from the US government, invisibility cloaks are coming
DevSecOps: How DevSecOps differs from DevOps, the security culture change required to truly embrace DevSecOps
Quote: Carl Jung on making the unconscious conscious
Navigating the Downturn
Many people are talking about the economy and how it affects tech companies, especially tech start-ups. I am not a finance professional, and I’m especially not your finance person, but here are some resources I’ve seen shared:
A grammar-based HTTP fuzzer written as a part of the ACM CCS 2021 paper: T-Reqs: HTTP Request Smuggling with Differential Fuzzing, by Northeastern University’s Bahruz Jabiyev, Steve Sprecher, Kaan Onarlioglu, and Engin Kirda.
A GCP resource scanner that helps determine what level of access a given set of credentials has on GCP. It’s designed to help security engineers evaluate the impact of a VM or container compromise, or of a leaked GCP service account key or OAuth2 token.
🔥 Zero Maintenance AWS Canary Tokens That Scale
HashiCorp’s Will Bengtson describes an approach for scaling honeytokens in AWS while maintaining server level attribution no matter the cluster size or number of applications.
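As an added illustration of the detection side of the honeytoken idea above (this is example code, not Will Bengtson's implementation or HashiCorp's): it assumes a hypothetical registry that maps each planted canary access key id to the server it was planted on, then walks CloudTrail records and raises an alert attributed to that server whenever a canary key shows up. Because the canary identity holds no permissions, the attacker's calls fail with AccessDenied, but CloudTrail still records them, which is exactly what we alert on. The sample records are constructed, not real log data.

```python
"""Canary-key detection over CloudTrail records with per-server attribution.

Added example, not the newsletter's or Will Bengtson's code. Hypothetical
assumption: each server holds its own canary access key and a registry maps
key id -> host. Sample CloudTrail records below are constructed.
"""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Hypothetical registry (constructed): canary access key id -> host it was planted on.
CANARY_KEYS = {
    "AKIAEXAMPLECANARY001": "web-01.example.internal",
    "AKIAEXAMPLECANARY002": "worker-07.example.internal",
}


@dataclass(frozen=True)
class CanaryAlert:
    host: str            # server the key was planted on (the attribution we want)
    access_key_id: str
    event_time: str
    event_name: str
    source_ip: str
    error_code: str      # "AccessDenied" for most calls; "" when the call succeeded


def parse_records(jsonl: str) -> list:
    """Parse CloudTrail records supplied as one JSON object per line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def scan_cloudtrail(records: Iterable[dict]) -> list:
    """Return one CanaryAlert for every record whose access key is a canary.

    Failed calls are included on purpose: a canary key has no permissions,
    so AccessDenied on e.g. s3:ListBuckets is the expected signal.
    """
    alerts = []
    for rec in records:
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        host = CANARY_KEYS.get(key_id)
        if host is None:
            continue  # normal traffic, or an identity with no access key (console login)
        alerts.append(CanaryAlert(
            host=host,
            access_key_id=key_id,
            event_time=rec.get("eventTime", ""),
            event_name=rec.get("eventName", ""),
            source_ip=rec.get("sourceIPAddress", ""),
            error_code=rec.get("errorCode", ""),
        ))
    return alerts


def hosts_by_alert_count(alerts: Iterable[CanaryAlert]) -> dict:
    """Aggregate: which servers' canaries were used, and how many times."""
    return dict(Counter(a.host for a in alerts))


# Constructed sample records (shape follows CloudTrail, values are made up).
_SAMPLE_RECORDS = [
    {"eventTime": "2022-05-30T11:58:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "10.0.4.12",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLENORMAL000"}},
    {"eventTime": "2022-05-30T12:00:01Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLECANARY001"}},
    {"eventTime": "2022-05-30T12:00:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLECANARY002"}},
    {"eventTime": "2022-05-30T12:00:09Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.45",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLECANARY001"}},
]
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in _SAMPLE_RECORDS)


if __name__ == "__main__":
    found = scan_cloudtrail(parse_records(SAMPLE_JSONL))
    for a in found:
        print(f"[CANARY] {a.event_time} {a.event_name} from {a.source_ip} "
              f"using key planted on {a.host} (error={a.error_code or 'none'})")
    print("per-host summary:", hosts_by_alert_count(found))
```

The attribution comes entirely from the registry lookup, so the detection stays constant as the fleet grows; what the linked post addresses is how to avoid maintaining that registry by hand, which this example does not attempt.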
Using Stolen IAM Credentials
Nick Frichette provides tips for pen testers and red teamers on how you can use AWS IAM creds you find on an engagement, determine their validity, avoid detection, and gain situational awareness.
Learning from AWS (Customer) Security Breaches
Cedar’s Rami McCarthy joins the OWASP DevSlop podcast (slides) to discuss over 20 different public breaches, covering the technical details of these attacks, establishing the common root causes, looking at lessons learned, and showing how you can proactively secure your environment against these real-world risks.
See also these 2 tools to identify and remediate the use of AWS IMDSv1:
eBPF-based security observability and runtime enforcement by Cilium. Tetragon detects and can react to security-significant events, such as process execution, system call activity, and I/O activity including network and file access. When used in Kubernetes, it understands namespaces, pods, etc., so that security event detection can be configured in relation to individual workloads.
Kubernetes Privilege Escalation: Excessive Permissions in Popular Platforms
Whitepaper by Palo Alto Networks’s Yuval Avrahami and Shaul Ben Hai.
Accompanying tool to the above whitepaper. rbac-police helps you identify risky permissions and privilege escalation paths in Kubernetes clusters by evaluating the RBAC permissions of serviceaccounts, pods and nodes through policies written in Rego.
Politics / Privacy
HTTPS Is Actually Everywhere
Mainstream browsers now offer native support for an HTTPS-only mode, no browser extensions needed. The EFF’s Alexis Hancock walks through the relevant settings in Firefox, Chrome, Edge, and Safari.
📢 AppOmni's SaaS Security Checklist outlines the 7 key components of SaaS security
Whether you’re creating a new SaaS security program or want to improve, AppOmni's SaaS Security Checklist can help. It outlines 7 key components of SaaS security, including configuration management and always-on monitoring, based on AppOmni’s experience working with hundreds of security teams.
OSINT / Recon
Octopii - An Open-source, PII (Personally Identifiable Information) Scanner For Images
RedHunt Labs announces Octopii, which can look for image assets such as government IDs, passports, photos, and signatures in a directory. It uses Tesseract’s Optical Character Recognition (OCR) and Keras’ Convolutional Neural Network (CNN) models.
Open Source Game List
Aggregation of information about 1368 open source video games and 310 game engines/tools.
A list of interesting open source security tools across a broad variety of topics: mobile security, cloud, CTF, forensics, reverse engineering, code analysis, containers, firmware, fuzzing, and more.
National bank hit by ransomware trolls hackers with dick pics
The Bank of Zambia got hit by HIVE ransomware, and responded to the attackers by… sending dick pics. This post’s title will live forever in my heart, giving me joy in times of tribulation or sorrow.
You can, and should, order more free COVID tests from the US government
Every US household can now request eight rapid antigen tests. You can order them on the USPS website no matter how many tests you’ve received previously.
Invisibility cloaks are not just possible, but are becoming reality
Science isn’t quite there yet, but some of the requisite primitives seem to be falling into place.
DevSecOps vs. DevOps
VMware Tanzu’s Michael Coté provides a nice overview of DevSecOps, with three things that make it different and additive to DevOps: a secure software supply chain, improved culture and collaboration between security and development, and automation and guardrails. Emphasis mine:
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!