[tl;dr sec] #144 - Hacker Summer Camp, Building ProdSec from Scratch, IAM-Deescalate
How to stay healthy and get the most out of Vegas this year, how to build a ProdSec program from scratch, tool to mitigate privilege escalation risks in AWS.
I hope you’ve been doing well!
InfoSec ❤️ Musicals
If you’re a regular tl;dr sec reader, you probably know I love InfoSec.
So you can imagine my joy upon seeing that Rachel Tobac and co have released a set of musical (and spoken) security awareness videos.
She’s living my dream 😍 Awesome.
I love seeing people in security sharing their creative side.
r2c at DEF CON
If you’re going to be in Vegas for DEF CON, feel free to come say hi to some of my awesome colleagues!
📢 The Top Five Myths in API Security
Think your WAF and API gateways have you protected from API attacks? Think your APIs are protected by your Cloud provider? It's time to take another look. As many organizations experience API security incidents, security leaders are learning traditional approaches and assumptions do not protect against the new forms of attacks. The Top 5 Myths in API Security white paper from Salt Security helps you understand what might be putting your critical data at risk.
📜 In this newsletter...
Hacker Summer Camp: A calendar and guide to the week, digital and personal self-care, effective face masks
AppSec: Building a Product Security program from scratch, building an AppSec pipeline for continuous visibility, exploiting GitHub Actions on open source projects, CVSS score deep dive
Cost-Related: Programmatically delete AWS resources based on allowlist and TTL, cross-cloud cost allocation models for k8s workloads, a serverless cost optimization bot, exploring AWS costs beyond the service level
Cloud Security: fwd:cloudsec 2022 playlist, AWS term glossary, a tool to reduce the risk of privilege escalation
Container Security: Admission controller that can enforce policy based on verifiable supply-chain metadata from cosign, the Kubernetes networking guide
Blue Team: Threat hunting in Okta logs, an analysis of Twitch's internal security tools, a new UEFI firmware rootkit
Politics / Privacy: Why Corey Quinn doesn't like One Medical's acquisition, an Amazonified One Medical may be too convenient to resist, Amazon might bring useful competition to the healthcare industry, Ring shares doorbell data with police without user consent
Misc: Curated list of static site generators, SQLite extension for querying HTML elements, get NFTs for getting a good night's sleep, life is not short
Hacker Summer Camp
“Hacker Summer Camp” is what many use to refer to the combined week of Blackhat, DEF CON, BSidesLV, and the Diana Initiative.
Jason Haddix’s Hacker Summer Camp Calendar and Guide
Nice concise overview about what’s happening each day.
Digital and Personal Self-Care at #hackersummercamp - “New Normalish” Edition
Bugcrowd’s Casey John Ellis on how to get the most out of Hacker Summer Camp and how to stay safe digitally and physically. Lots of solid basics, and also a few neat tips I hadn’t thought of before.
Face masks for DEFCON
Robert Graham tested the efficacy of a number of masks ahead of upcoming events like DEF CON. tl;dr: throw out your old cloth/surgical masks and get behind-the-head (instead of behind-the-ear) N95 masks that fit well, like the 3M Aura N95.
Building a Product Security program from scratch
Thirty Madison’s Anshuman Bhartiya covers what it means to be the founding ProdSec/AppSec engineer, understanding the organization (risk appetite and priorities), building relationships, understanding prior vulnerabilities, leaning into secure defaults, and more.
Building an AppSec Pipeline for Continuous Visibility
Chargebee’s Nikhil Mittal describes their approach to building an application security pipeline for continuous security scanning, using free and open-source tools for SAST (Semgrep), SCA (OWASP Dependency Check), Secrets Scanning (Gitleaks), and SBOM generation (CycloneDx).
All of Chargebee’s security solutions are deployed as independent containers on AWS ECR so they can be pulled directly from ECR to integrate into any workflows or can be used locally by developers. All of the tool results go to a DefectDojo dashboard via a Lambda function.
Exploiting GitHub Actions on open source projects
Tinder’s Rojan Rijal, Johnny Nipper, and Tanner Emek made an automation script (gh-workflow-auditor) that detects and flags vulnerable GitHub Actions workflows. The script helped identify vulnerabilities that allowed write access in popular open-source projects such as Elastic’s Logstash. They share common security risks in GitHub Actions, their approach to detecting them, and their recommendations to mitigate vulnerabilities in GitHub Actions.
See also Protect Your GitHub Actions with Semgrep by r2c’s Grayson Hardaway, which, to be honest, I feel discusses this topic in more detail, and also includes a demo repository for testing the attacks.
Further, the Tinder tool seems to mostly use regexes for its detection logic, vs Semgrep’s native YAML support and ability to extract, parse, and analyze nested languages (e.g. Bash in GitHub Actions; see the Extract Mode docs for more details).
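As an added illustration (not code from the Tinder tool or from r2c’s Semgrep rules), here is a small regex-based scanner in the spirit of the detection approach above: it flags `${{ … }}` expressions inside `run:` steps that reference attacker-controllable event fields, the script-injection class GitHub’s own Actions hardening guide warns about. The list of untrusted fields and the sample workflow are constructed for this example; the “hardened” step shows the usual mitigation of passing the value through an environment variable instead of interpolating it into the shell script.

```python
import re

# Event-payload fields an outside contributor can set directly.
# Constructed, non-exhaustive subset for this example.
UNTRUSTED_CONTEXT = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
    "github.event.comment.body", "github.event.review.body",
    "github.event.head_commit.message", "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")   # ${{ expression }}
RUN_RE = re.compile(r"(-\s+)?run:\s*(.*)$")         # `run:` or `- run:` key


def find_script_injection(workflow_text: str) -> list:
    """Return (line_no, expression) for every ${{ }} inside a run: script
    whose expression starts with an attacker-controllable context path."""
    findings, in_run, run_indent = [], False, -1
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.lstrip()
        if not stripped:
            continue
        indent = len(line) - len(stripped)
        m = RUN_RE.match(stripped)
        if m:                                   # start of a run: step
            in_run = True
            run_indent = indent + len(m.group(1) or "")  # column of `run`
            body = m.group(2)
        elif in_run and indent > run_indent:    # continuation of `run: |`
            body = stripped
        else:                                   # any other key ends the script
            in_run = False
            continue
        for expr in EXPR_RE.findall(body):
            if any(expr.startswith(ctx) for ctx in UNTRUSTED_CONTEXT):
                findings.append((line_no, expr))
    return findings


# Constructed sample workflow: two injectable steps, one hardened, one benign.
SAMPLE_WORKFLOW = """\
name: triage
on: [issues, pull_request_target]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable
        run: echo "New issue: ${{ github.event.issue.title }}"
      - name: also vulnerable
        run: |
          git checkout "${{ github.event.pull_request.head.ref }}"
          echo "${{ github.event.pull_request.title }}"
        env:
          UNUSED: ${{ github.event.issue.body }}
      - name: hardened
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
      - run: echo "${{ github.repository }}"
"""
```

Running `find_script_injection(SAMPLE_WORKFLOW)` reports lines 8, 11 and 12 only; the `env:` mapping and the `$TITLE` step are not flagged because the untrusted value never reaches the shell as script text.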
A closer look at CVSS scores
If you’ve been longing for a detailed treatise on CVSS (how it works, an analysis of the distribution of potential vs actual vulnerability ratings, critiques from a variety of sources), this is it. Shopify’s Jacques Chester deconstructs CVSSv3.1, looking at the data and how the calculation works, and then zooms out to look at CVSS in a broader context: other critiques, other scoring systems, and what the future holds.
See also Jacques’ SupplyChain Security Con talk How Do We Rank Project Risk? and released tool: SEER (Security Expert Elicitation of Risks), a prototype tool for security experts to provide estimates of risk for open source software.
Cross-cloud cost allocation models for Kubernetes workloads, by OpenCost. OpenCost models give teams visibility into current and historical Kubernetes spend and resource allocation. These models provide cost transparency in Kubernetes environments that support multiple applications, teams, departments, etc.
By Christian Bonzelet: The serverless cost optimization bot. This Construct Library provides L2 and L3 constructs for resources to build AWS Cost and Usage reports using the AWS Cloud Development Kit (CDK).
Exploring AWS Costs Beyond the Service Level
Post by Honeycomb’s Ben Hartshorne on using a derived column to directly connect individual customer experiences to the cost of providing that service with AWS Lambda. By leveraging these tools, they can better understand when their product is used in costly ways, and also provide tooling to better analyze and understand the cost effects of configuration changes.
The fwd:cloudsec 2022 YouTube playlist is now live! Some excellent talks, as always.
Hundreds of AWS product names and terms, described in a sentence or two, by Amazon.
IAM-Deescalate: An Open Source Tool to Help Users Reduce the Risk of Privilege Escalation
Palo Alto Networks’ Jay Chen describes IAM-Deescalate, a tool to mitigate privilege escalation risks in AWS. It first identifies the users and roles with privilege escalation risks using PMapper.
For each risky principal, IAM-Deescalate calculates a minimal set of permissions granted to this principal that can be revoked to eliminate the risks. IAM-Deescalate inserts an inline policy to explicitly deny the risky permissions that could allow the principal to escalate to administrator privilege.
📢 Faraday: Continuous testing, Continuous Security
Nowadays, the rise of cloud services and digital transformation have made system development much more agile. Updates are frequent, and attack surfaces are much more dynamic.
Testing continuously looks pretty much like the activities we see from attackers. At Faraday we accelerated this process by integrating our Red Team expertise into our vulnerability management platform, providing a fast and efficient Continuous Security service.
An admission controller that can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign.
The Kubernetes Networking Guide
Guide by Michael Kashin providing an overview of various Kubernetes networking components with a specific focus on exactly how they implement the required functionality. Structure: the Kubernetes network model, CNI, services, ingress & egress, network policies, IPv6, DNS, and hands-on exercises.
Twitch Internal Security Tools: In-depth Analysis of the Leaked Twitch Security Tools
In the fall of 2021, Twitch suffered a data breach that included source code, internal databases, and more. FullHunt’s Mazin Ahmed reviewed the source code, configurations, build config process, and everything that became public knowledge due to the breach.
In this post, Mazin analyzes >120 internal security tools used by Twitch’s security program and tags them based on use case, services, and category. An interesting glimpse into a company’s security program.
CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit
Kaspersky researchers describe a previously unknown UEFI firmware rootkit: because these are so low level, they’re difficult to detect, and persist even if the operating system is reinstalled or the user replaces the machine’s hard drive entirely. They attribute it to an unknown Chinese-speaking threat actor, and believe it’s been in the wild since 2016. That’s 12 years without being discovered, yikes.
Politics / Privacy
“Why is Amazon acquiring One Medical bad news?”
Thread by Corey Quinn.
An Amazonified One Medical may be too convenient for customers to resist
“Amazon’s One Medical purchase is unlikely to deter consumers and employers from the service, experts said.” Corey is also quoted:
See also the thread by Ry Crist:
A curated list of static web site generators.
A SQLite extension for querying, manipulating, and creating HTML elements.
“Free NFTs every morning - get 1 free NFT after you wake up, 2 if you slept well.” At least this web3 app rewards healthy behavior before they inevitably either rugpull or lose your money.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!