[tl;dr sec] #143 - Career Advice, SBOM, Attack Surface Monitoring
How to get into AppSec, getting a raise, and other career advice, SBOM tools, how to build your own ASM with ProjectDiscovery tools
I hope you’ve been doing well!
A Safe Investment
In an uncertain economy, the only safe investment:
Interestingly, The Hustle actually did a mini piece on it:
❤️ Secure Guardrails <> Cloud
tl;dr sec has been a consistent predictor of exits (with 5 sponsors acquired and counting), but this time I got in at the beginning…
One of the recurring themes of this newsletter, and what I personally believe to be the future of security, is: secure guardrails (“secure defaults,” “paved road,” etc.) that make the secure thing the easiest thing for developers to do.
I have many people to thank for shaping my views on this, including: Dev Akhawe, Zane Lackey, John Heasman, Doug DePerry, and many friends from Netflix, including Scott Behrens, Astha Singhal, and Patrick Thomas.
So I’m stoked that my (former) Netflix friends Travis McPeak and Aladdin Almubayed have taken their experience building tooling and systems that enable developers to move quickly and securely, and founded a company: Resourcely (TechCrunch announcement).
The initial pain point they’re aiming to solve is to enable developers to provision and use cloud resources securely without being experts in IAM and all the ways that can go wrong. Nice!
I believe in this team and the future of security tools empowering developers so much that I decided to do my first angel investment in Resourcely 🎉
Congrats to the team on the $8M seed from a16z (Zane Lackey!) and Felicis Ventures, I’m looking forward to seeing what you build!
📢 How to secure Kubernetes deployment with signature verification
When running containers in a Kubernetes cluster, trusting the images you deploy is key to enforcing security. Mutable images are a risk to any secure Kubernetes deployment. Read this blog to learn, step by step, how to implement a secure Kubernetes deployment.
Wow, this is a super detailed post, nice 👍
📜 In this newsletter...
Attack Surface Monitoring: Hacking together an ASM platform using ProjectDiscovery tools, how to pick an ASM solution
AppSec: Tool to find vulnerabilities in .NET assembly using taint analysis, hunting for mass assignment vulnerabilities using code search platforms, using Semgrep to enforce coding style and best practices
Cloud Security: Updated security best practices in IAM, Lambda now supports attribute-based access control, best practices for SCPs in a multi-account environment, exfiltrating data using the S3 replication service
Container Security: Tool to manage k8s clusters running on Firecracker microVMs, the security benefits of distroless minimal container images, container security best practices and common threats
Software Bill of Materials (SBOM): GitHub Action to build, sign, and compute the SBOM of a container image, Microsoft open sources SBOM generation tool, how SBOM and SLSA are complementary
Career: Getting into AppSec career guide, the great tech salary crash, startup compensation H1 2022 report, how to get a 48% raise, don't pre-reject yourself from applying for jobs, why ambitious high slope people change jobs every few years
Misc: How to tie a tie in 10 seconds, the history of "bougie," solve algebra in your browser, thread of DALL-E 2 images
Aphorism: All progress depends on unreasonable people
Attack Surface Monitoring
Hacking Together an ASM Platform Using ProjectDiscovery Tools
Ben Bidmead describes putting together a simple attack surface monitoring platform (source) using ProjectDiscovery tools, bash, and flask.
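As an added illustration (not code from Ben’s project), here is the piece every ASM platform is built around: diffing today’s discovery output against yesterday’s and alerting on what is new. The two inputs are constructed to resemble the JSON-lines that `httpx -json` prints (the field names url/host/port/status_code/title are an assumption; check your httpx version), and the watchlist of risky ports and titles is made up for the example. In a real pipeline the inputs would come from something like `subfinder -d example.com | httpx -json` run on a schedule.

```python
"""Added example, not from Ben Bidmead's ASM project: diff two httpx runs and
rank the newly discovered assets. Inputs and watchlist are constructed."""
from __future__ import annotations

import json

# Constructed sample: yesterday's run, in the shape of `httpx -json` output (assumed field names).
PREVIOUS_RUN = """
{"url":"https://www.example.com","host":"www.example.com","port":"443","status_code":200,"title":"Example"}
{"url":"https://api.example.com","host":"api.example.com","port":"443","status_code":200,"title":"API"}
{"url":"http://old.example.com","host":"old.example.com","port":"80","status_code":200,"title":"Legacy"}
"""

# Constructed sample: today's run. One host vanished, three appeared.
CURRENT_RUN = """
{"url":"https://www.example.com","host":"www.example.com","port":"443","status_code":200,"title":"Example"}
{"url":"https://api.example.com","host":"api.example.com","port":"443","status_code":200,"title":"API"}
{"url":"https://docs.example.com","host":"docs.example.com","port":"443","status_code":200,"title":"Docs"}
{"url":"http://jenkins.example.com:8080","host":"jenkins.example.com","port":"8080","status_code":403,"title":"Jenkins"}
{"url":"https://staging.example.com","host":"staging.example.com","port":"443","status_code":200,"title":"Index of /"}
"""

# Small, assumed watchlist: a new asset matching either gets a 'high' alert.
RISKY_PORTS = {"8080", "8443", "9200", "3000"}
RISKY_TITLE_WORDS = ("index of", "jenkins", "grafana", "kibana")


def parse_httpx(jsonl: str) -> dict[str, dict]:
    """Parse httpx JSON-lines into a dict keyed by host:port."""
    assets: dict[str, dict] = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        assets[f"{rec['host']}:{rec['port']}"] = rec
    return assets


def diff_assets(previous: dict, current: dict) -> dict:
    """New, removed and changed (status code or title) assets between two runs."""
    both = set(current) & set(previous)
    return {
        "new": sorted(set(current) - set(previous)),
        "removed": sorted(set(previous) - set(current)),
        "changed": sorted(
            k for k in both
            if (current[k]["status_code"], current[k]["title"])
            != (previous[k]["status_code"], previous[k]["title"])
        ),
    }


def prioritise(current: dict, new_keys: list[str]) -> list[tuple[str, str]]:
    """Label each new asset 'high' or 'info' using the watchlist above."""
    alerts = []
    for key in new_keys:
        rec = current[key]
        title = str(rec.get("title", "")).lower()
        risky = rec["port"] in RISKY_PORTS or any(w in title for w in RISKY_TITLE_WORDS)
        alerts.append(("high" if risky else "info", key))
    return alerts


def run(previous_jsonl: str, current_jsonl: str) -> dict:
    """One monitoring cycle: parse both runs, diff them, rank the new assets."""
    prev, cur = parse_httpx(previous_jsonl), parse_httpx(current_jsonl)
    delta = diff_assets(prev, cur)
    delta["alerts"] = prioritise(cur, delta["new"])
    return delta


if __name__ == "__main__":
    result = run(PREVIOUS_RUN, CURRENT_RUN)
    for level, key in result["alerts"]:
        print(f"[{level}] new asset {key}")
    for key in result["removed"]:
        print(f"[info] asset gone {key}")
```

Persist each run’s parsed output (a JSON file per day is enough to start) and the "changed" bucket becomes useful too: a login page turning into a 500, or a title changing to "Index of /", is often the first sign of a misconfiguration.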
Guide to Picking an Attack Surface Management Solution
Hakluke describes how to choose a high quality attack surface management solution. Consider:
Breadth: How many of the 4 core phases (discovery, assessment, prioritization, remediation) of ASM does the tool cover?
Depth: How well are each of the phases performed?
AppSec
Get Your Kicks on Route Sixty-Sink: Identifying Vulnerabilities Using Automated Static Analysis
Mandiant’s Dillon Franke and Michael Maturi released Route Sixty-Sink, a tool that can find vulnerabilities in any .NET assembly using automated source-to-sink analysis. Route Sixty-Sink has already been used to find and exploit dozens of critical security issues.
Hunting For Mass Assignment Vulnerabilities Using GitHub CodeSearch and grep.app
Include Security’s Laurence Tennant describes finding a mass assignment vulnerability in freeCodeCamp, a very popular repo, using grep.app. He describes the challenges and frustrations of trying to use GitHub’s default search, as well as the new cs.github.com. My colleagues and I have struggled with these as well.
Using Semgrep to keep track of your community’s style
Steve Jones describes how Semgrep can be used not just for security, but also for developer use cases like enforcing style or contribution guides. Style guides can get long, so to spare contributors from re-reading them and to save maintainers time during code review, they automate a number of checks with Semgrep, including:
aws_iam_roles should have a
Descriptions of variables should be at least 20 characters
Ensure Terraform modules are pinned to a specific version
Ensure certain headings are present in all modules
One consistent thread I see in security teams getting widespread (and enthusiastic) developer adoption of security tooling, services, or libraries, is to also simultaneously address a developer pain point or provide some benefit.
When introducing new tools, ask yourself, “What non-security wins can this provide for my developer customers?”
When building some secure-by-default libraries, infrastructure, or services, ask yourself, “How will this support developers in shipping code faster, or with greater quality/robustness/observability, etc.?”
Cloud Security
Security best practices in IAM
An updated list of 14 IAM best practices by AWS.
AWS Lambda announces support for Attribute-Based Access Control (ABAC)
You can now define access permissions based on tags, which can be attached to IAM resources (e.g. IAM users and roles), and to AWS resources, like Lambda functions.
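To make the tag-matching mechanism concrete, here is an added example (not AWS’s code): the canonical ABAC policy, where a role may only touch Lambda functions tagged with its own team, plus a toy evaluator that shows why it behaves the way it does. The evaluator only implements what this policy uses (Action wildcards, Resource "*", StringEquals with ${aws:PrincipalTag/...} substitution); it is a simplification of IAM’s real engine, and the team names are made up.

```python
"""Added example, not AWS's code: an ABAC policy for Lambda and a simplified
evaluator for it. Tag values and the policy's Sid are assumptions."""
from __future__ import annotations

import fnmatch
import json
import re

# Attach to a role: it may act only on Lambda functions tagged with its own team.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "SameTeamOnly",
    "Effect": "Allow",
    "Action": ["lambda:InvokeFunction", "lambda:UpdateFunctionCode"],
    "Resource": "*",
    "Condition": {
      "StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}
    }
  }]
}
""")

POLICY_VAR = re.compile(r"\$\{([^}]+)\}")


def request_context(principal_tags: dict, resource_tags: dict) -> dict:
    """Condition keys derived from the caller's tags and the target's tags."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    return ctx


def substitute(value: str, ctx: dict) -> str:
    """Expand ${key} policy variables; an unresolved variable stays literal and so never matches."""
    return POLICY_VAR.sub(lambda m: ctx.get(m.group(1), m.group(0)), value)


def condition_holds(condition: dict, ctx: dict) -> bool:
    """Only StringEquals is modelled; the toy refuses anything else rather than guess."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:                  # missing key (e.g. untagged function) -> false
                return False
            wanted = expected if isinstance(expected, list) else [expected]
            if actual not in [substitute(v, ctx) for v in wanted]:
                return False
    return True


def is_allowed(policy: dict, action: str, principal_tags: dict, resource_tags: dict) -> bool:
    """Default deny; a matching explicit Deny wins; otherwise any matching Allow grants."""
    ctx = request_context(principal_tags, resource_tags)
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        # Resource is "*" in this policy, so ARN matching is not modelled here.
        if not condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(is_allowed(POLICY, "lambda:InvokeFunction", {"team": "payments"}, {"team": "payments"}))  # True
    print(is_allowed(POLICY, "lambda:InvokeFunction", {"team": "payments"}, {}))                   # False
```

Two properties worth noticing: an untagged function is denied, not allowed, because a missing condition key makes StringEquals false; and a principal with no team tag gets nothing either, since the variable never resolves. Both are why ABAC only works alongside tag governance (who may set the team tag on a function, and on a role).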
Best Practices for AWS Organizations Service Control Policies in a Multi-Account Environment
AWS’s Rajeswari Malladi and People’s United Bank’s Jim Kozlowski provide a representative organization unit (OU) structure for a financial services industry customer, and also best practice guidance and starter service control policies (SCPs) to consider in a multi-account AWS environment to establish governance and control.
Abusing the Replicator: Silently Exfiltrating Data
The S3 Replication service can quickly and efficiently copy data across S3 buckets. However, Vectra AI’s Kat Traxler describes how an attacker who can update replication rules can exfiltrate data, even without access to the S3 objects themselves.
Further, if Replication Time Control (RTC) is enabled, the Replication Service will only log the first putObject event in CloudTrail, meaning a malicious destination, if not the first location, won’t be logged. Solution: monitor for Replication rule changes and alert when the destination is unusual.
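Here is what that monitoring could look like, as an added example (not from Kat’s post): a detector over CloudTrail management events that raises a finding when PutBucketReplication adds a destination that is cross-account or not on an allowlist, and when DeleteBucketReplication removes the configuration. The records are constructed, and the requestParameters layout (bucketName, then ReplicationConfiguration, Rule, Destination with Bucket and Account) is an approximation of CloudTrail’s S3 management events that you should check against your own logs before relying on it; the account ID, bucket names and principals are made up.

```python
"""Added example, not from Kat Traxler's post: flag suspicious S3 replication
rule changes in CloudTrail. Records, account ID and allowlist are constructed."""
from __future__ import annotations

ACCOUNT_ID = "111111111111"                              # the account we defend (assumed)
KNOWN_DEST_BUCKETS = {"arn:aws:s3:::payroll-backup-eu"}  # approved replication targets (assumed)

REPLICATION_EVENTS = {"PutBucketReplication", "DeleteBucketReplication"}

# Constructed CloudTrail records, trimmed to the fields the detector reads.
CONSTRUCTED_TRAIL = [
    {   # 1. legitimate rule to the approved backup bucket
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketReplication",
        "recipientAccountId": ACCOUNT_ID,
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/backup-admin"},
        "requestParameters": {
            "bucketName": "payroll",
            "ReplicationConfiguration": {
                "Role": "arn:aws:iam::111111111111:role/s3-replication",
                "Rule": [{"Status": "Enabled", "Priority": 1,
                          "Destination": {"Bucket": "arn:aws:s3:::payroll-backup-eu",
                                          "Account": ACCOUNT_ID}}]}}},
    {   # 2. attacker keeps the legit rule and appends a second, cross-account one
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketReplication",
        "recipientAccountId": ACCOUNT_ID,
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
        "requestParameters": {
            "bucketName": "payroll",
            "ReplicationConfiguration": {
                "Role": "arn:aws:iam::111111111111:role/s3-replication",
                "Rule": [{"Status": "Enabled", "Priority": 1,
                          "Destination": {"Bucket": "arn:aws:s3:::payroll-backup-eu",
                                          "Account": ACCOUNT_ID}},
                         {"Status": "Enabled", "Priority": 2,
                          "Destination": {"Bucket": "arn:aws:s3:::totally-legit-backups",
                                          "Account": "999999999999"}}]}}},
    {   # 3. noise: an ordinary data event
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "recipientAccountId": ACCOUNT_ID,
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/app"},
        "requestParameters": {"bucketName": "payroll", "key": "2022/q2.csv"}},
    {   # 4. replication configuration removed altogether
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketReplication",
        "recipientAccountId": ACCOUNT_ID,
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
        "requestParameters": {"bucketName": "payroll"}},
]


def destinations(params: dict) -> list[dict]:
    """Every Destination block in the rule set; Rule may be a single dict or a list."""
    rules = params.get("ReplicationConfiguration", {}).get("Rule", [])
    if isinstance(rules, dict):
        rules = [rules]
    return [r.get("Destination", {}) for r in rules]


def evaluate(event: dict) -> list[dict]:
    """Findings for one CloudTrail record; an empty list means nothing to raise."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") not in REPLICATION_EVENTS:
        return []
    params = event.get("requestParameters") or {}
    base = {"source": params.get("bucketName"),
            "actor": event.get("userIdentity", {}).get("arn")}
    if event["eventName"] == "DeleteBucketReplication":
        return [{**base, "severity": "medium", "reason": "replication configuration deleted"}]
    findings = []
    for dest in destinations(params):
        bucket, account = dest.get("Bucket"), dest.get("Account")
        if account and account != ACCOUNT_ID:
            findings.append({**base, "severity": "high", "destination": bucket,
                             "reason": "cross-account replication destination"})
        elif bucket not in KNOWN_DEST_BUCKETS:
            # Bucket ARNs carry no account ID, so when Account is absent the
            # allowlist is the only way to tell a foreign bucket from one of ours.
            findings.append({**base, "severity": "high", "destination": bucket,
                             "reason": "replication destination not on allowlist"})
    return findings


def scan(records: list[dict]) -> list[dict]:
    """Run the detector over a batch of records and return all findings."""
    return [f for rec in records for f in evaluate(rec)]


if __name__ == "__main__":
    for f in scan(CONSTRUCTED_TRAIL):
        print(f"[{f['severity']}] {f['reason']}: {f['source']} -> {f.get('destination', '-')} by {f['actor']}")
```

Note that the detector inspects every Destination in the configuration, not just the first; record 2 is exactly the case from the post where the malicious target is appended behind a legitimate one. Since PutBucketReplication replaces the whole configuration, the whole configuration is what you have to review each time it changes.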
📢 Fortifying Your Applications: The Expert’s Guide to Penetration Testing
Bishop Fox has compiled insights from two decades of experience and thousands of engagements into a new app pen testing guide. See how to set yourself up for success and avoid common pitfalls by planning ahead, setting goals, asking the right questions along the way, and ensuring you can effectively operationalize the results. Plus, get our top 20 tips to crush your next test!
Container Security
Minimal Container Images: Towards a More Secure Future
Common approaches for slimming down a base image are using Debian Slim or Alpine, but these still contain a full Linux distribution, which is not what you need in production.
Chainguard’s Adrian Mouat describes the distroless container philosophy: strip out everything except what the application needs, such as root certificates, the language runtime, and other minimal requirements. Chainguard is building the next generation of distroless images centered around apk. Try their images at github.com/distroless.
Container Security Considerations: Security Best Practices and Common Threats
Mike Privette provides an overview of what containers are, their security benefits, their security risks, briefly discusses defense-in-depth, and maps some container threats to STRIDE.
Software Bill of Materials (SBOM)
A reusable GitHub Action by Marco Lancini to build, sign, and compute the SBOM of a container image.
Builds a container image
Scans it with Trivy
Pushes it to ECR
Signs it with cosign
Computes its SBOM with Syft
Attaches the SBOM to it via cosign
Microsoft open sources Salus software bill of materials (SBOM) generation tool
Microsoft’s Danesh Kumar Badlani and Adrian Diglio announce the release of sbom-tool, which works across Windows, Linux and Mac, and uses the standard Software Package Data Exchange (SPDX) format.
It can be easily integrated into and auto-detects NPM, NuGet, PyPI, CocoaPods, Maven, Golang, Rust Crates, RubyGems, Linux packages within containers, Gradle, Ivy, GitHub public repositories, and more.
It can also reference other SBOM documents for capturing a full dependency tree.
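Both of the tools above emit SPDX, so as an added example (not part of sbom-tool, Syft, or Marco’s action) here is what you can do with the result: read an SPDX 2.2 JSON document, rebuild the dependency tree from its relationships, and answer the first question an incident responder asks about a new advisory: "does this image carry package X, and through what?". The document is constructed and stripped to a handful of fields; the field names used (spdxVersion, packages[].SPDXID/name/versionInfo, relationships[].spdxElementId/relationshipType/relatedSpdxElement) are the SPDX ones, while the image and package names are made up.

```python
"""Added example, not from sbom-tool, Syft or Marco Lancini's action: walk an
SPDX 2.2 JSON SBOM's relationships to locate a package. Document is constructed."""
from __future__ import annotations

import json

CONSTRUCTED_SBOM = json.loads("""
{
  "spdxVersion": "SPDX-2.2",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "registry.example.com/payments-api:1.4.2",
  "packages": [
    {"SPDXID": "SPDXRef-image",       "name": "payments-api", "versionInfo": "1.4.2"},
    {"SPDXID": "SPDXRef-pkg-express", "name": "express",      "versionInfo": "4.17.1"},
    {"SPDXID": "SPDXRef-pkg-qs",      "name": "qs",           "versionInfo": "6.7.0"},
    {"SPDXID": "SPDXRef-pkg-openssl", "name": "openssl",      "versionInfo": "1.1.1k-r0"},
    {"SPDXID": "SPDXRef-pkg-blob",    "name": "vendored-blob"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT",    "relationshipType": "DESCRIBES",  "relatedSpdxElement": "SPDXRef-image"},
    {"spdxElementId": "SPDXRef-image",       "relationshipType": "CONTAINS",   "relatedSpdxElement": "SPDXRef-pkg-express"},
    {"spdxElementId": "SPDXRef-image",       "relationshipType": "CONTAINS",   "relatedSpdxElement": "SPDXRef-pkg-openssl"},
    {"spdxElementId": "SPDXRef-image",       "relationshipType": "CONTAINS",   "relatedSpdxElement": "SPDXRef-pkg-blob"},
    {"spdxElementId": "SPDXRef-pkg-express", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-pkg-qs"}
  ]
}
""")

# Relationship types treated as parent -> child edges when walking the tree.
EDGE_TYPES = {"DESCRIBES", "CONTAINS", "DEPENDS_ON"}


def packages_by_id(doc: dict) -> dict[str, dict]:
    return {p["SPDXID"]: p for p in doc.get("packages", [])}


def build_graph(doc: dict) -> dict[str, list[str]]:
    """Adjacency list: parent SPDXID -> child SPDXIDs."""
    graph: dict[str, list[str]] = {}
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] in EDGE_TYPES:
            graph.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    return graph


def paths_to(doc: dict, name: str, version: str | None = None) -> list[list[str]]:
    """All paths from the described root to packages called `name` (optionally at
    `version`), as lists of 'name@version' labels. Empty means not in this SBOM."""
    pkgs, graph = packages_by_id(doc), build_graph(doc)

    def label(sid: str) -> str:
        p = pkgs.get(sid, {})
        return f"{p.get('name', sid)}@{p.get('versionInfo', '?')}"

    found: list[list[str]] = []

    def walk(sid: str, path: list[str], seen: frozenset) -> None:
        if sid in seen:                      # SBOMs can contain cycles; don't loop forever
            return
        p = pkgs.get(sid)
        if p and p["name"] == name and (version is None or p.get("versionInfo") == version):
            found.append([label(s) for s in path + [sid]])
        for child in graph.get(sid, []):
            walk(child, path + [sid], seen | {sid})

    for root in graph.get(doc.get("SPDXID", "SPDXRef-DOCUMENT"), []):
        walk(root, [], frozenset())
    return found


def unversioned(doc: dict) -> list[str]:
    """Packages with no versionInfo can't be matched against advisories; surface them."""
    return sorted(p["name"] for p in doc.get("packages", []) if not p.get("versionInfo"))


if __name__ == "__main__":
    for path in paths_to(CONSTRUCTED_SBOM, "qs"):
        print(" -> ".join(path))
    print("unversioned:", unversioned(CONSTRUCTED_SBOM))
```

The same walk is how you consume the "referenced SBOM documents" feature: each referenced document becomes another root to load, so a transitive dependency buried two components down still shows up with its full path. Unversioned entries are worth surfacing because they are precisely the ones a vulnerability scanner silently skips.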
SBOM + SLSA: Accelerating SBOM success with the help of SLSA
Google’s Brandon Lum, Isaac Hepworth, and Meder Kydyraliev explain the strengths of SBOMs and SLSA and how they fundamentally differ, and show how SLSA principles can both support the generation of high-quality SBOMs and help consumers respond to supply chain attacks.
Career
Your Guide to Starting an Application Security Career
James Chiappetta shares an overview of basic knowledge & resources that will help you get started with an Application Security (AppSec) career. Including: prerequisite knowledge base, tools and live testing resources, blogs and online resources, book list, certifications, and community involvement. Honored to have tl;dr sec called out as one of the resources 🙏
The Great Tech Salary Crash
By Andre Nader: “2022 is bringing us one of the largest declines in tech compensation in decades.” A significant share of total compensation at most FAANGs is equity, so as their stocks have taken a hit, so has employee compensation. Andre shares some interesting stats and figures.
Compensation report: The state of startup compensation, H1 2022
Carta shares some interesting trends on headcount by valuation, headcount (and cost) by department, payroll by valuation and size, and more. Key trends:
Remote hiring soars: In 2019, about 35% of new hires were based in a different state than the primary company headquarters. So far this year it’s 62%.
Geo-adjusting is the norm: The vast majority of companies (84%) take employee location into account when deciding on compensation packages.
Engineering is a key hire: Engineering accounts for nearly half of payroll spend in companies valued between $1 million and $10 million.
Terminations rise: Across all of Carta’s platform, involuntary terminations made up 29% of departures in May 2022, almost double the 15% termination share recorded in August of 2021.
A few great tweets and threads:
ElleArmageddon on not pre-rejecting yourself from applying for jobs
Don’t filter yourself out before giving it a chance. Give the hiring teams and panels the opportunity to evaluate you. That’s their job. Even if you think you’re not senior enough, or if you’d have to learn a few things based on the posting, you should still apply.
Misc
How to tie a tie in 10 seconds
Wow, this is pretty neat.
Solve algebra problems in your browser.
Long thread of DALL-E 2 pictures by Shashank Joshi
I like “Stained glass window of Alan Turing smashing a German Enigma machine with a hammer at Bletchley Park” and “Medieval illuminated manuscript of hackers explaining the Internet to a sceptical crowd in 1969.”
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!