
[tl;dr sec] #146 - CI/CD Security, Lightweight Approach to Secure SDLC, End-to-End Threat Detection Rule Testing

Lessons learned compromising real world CI/CD pipelines, how to implement a lightweight SSDLC, new framework to ensure your threat detection rules work, from logging to processing pipeline to alerting.

Hey there,

I hope you’ve been doing well!

A Sport We Can Excel At

Many kids, when they’re growing up, want to be an astronaut, firefighter, or pro athlete.

When people asked me what I wanted to be when I grew up, I said, “Engineer.”

True story. I was probably 5 or so. I knew my dad was an engineer, and I thought that must be pretty cool.

So while I was never destined to be on ESPN for ball sports, I just came across something wonderful:

This thread includes some great clips, and links to a 2.5 hour video of the competition.

Did I watch it for 15+ minutes instead of finishing this newsletter? I’ll quote an announcer:

It’s going to be an exciting day today. We’re watching the E-Sports All Star Battle. Eight household names in Excel…

OK, so it starts out with a few minutes of highlight reel snippets to get you pumped. Then, it goes into a “get to know the players” montage with some bumping beats and rad geometric shapes in the background. And they ask the classic question:

If there’s one thing we can learn from all this, I think it’s: never give up on your dreams.

(I also enjoyed this Microsoft Excel Stream Highlights video by KRAZAM, who does some pretty funny tech-related comedy videos.)



📜 In this newsletter...

  • CI/CD: Should you pay for CI/CD, lessons learned from 5 years of real-world CI/CD pipeline compromise, abusing source code management systems

  • AppSec: Makefile linter, sandboxing Make, a lightweight approach to secure SDLC

  • Web Security: Hacking APIs workshop, browser-powered desync

  • Cloud Security: Enable logging for AWS resources that aren't, AWS serverless snippets collection, an open source permission management framework, codify your best practices using SCPs, service-level fault injection testing

  • Blue Team: Open Cybersecurity Schema Framework, how to stand up a major cyber incident investigations board, framework for end-to-end testing of threat detection rules

  • Machine Learning + Art: An artist's thread on AI image generators, replacing a blog's thumbnails using DALL-E 2, the AI art apocalypse, DALL-E, the Metaverse, and Zero Marginal Content


CI/CD

🤔 Should You Pay for CI/CD in 2022?
Sym’s Adam Buggia and Brian Tarbox give a nice history of the evolution of CI/CD approaches and offerings. The takeaway:

If you are comparing the cost of a CI/CD vendor to that of a do-it-yourself project, consider that home grown systems carry the risk of being “free like a puppy.” The human capital, dilution of focus and maintenance burden are easy to underestimate and can dwarf the cost of a paid service.


RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise (abstract)
Black Hat talk by NCC Group’s Iain Smart and Viktor Gazdag (slides) in which they walk through a number of interesting attack scenarios. As previously called out in tl;dr sec, see also: 10 real-world stories of how we’ve compromised CI/CD pipelines.

Controlling the Source: Abusing Source Code Management Systems
IBM X-Force Red’s Brett Hawkins on material he presented at Black Hat USA 2022 (whitepaper). He discusses attack scenarios for GitHub Enterprise, GitLab Enterprise, and Bitbucket, including reconnaissance, manipulation of user roles, repository takeover, pivoting to other DevOps systems, user impersonation, and maintaining persistent access. Brett also released a tool: SCMKit.


AppSec

An experimental tool for linting and checking Makefiles, by Daniel Schauenberg. Also, this made me laugh:

Using Landlock to Sandbox GNU Make
This is really cool. Justine Tunney modified GNU Make to support strict dependency checking.

The basic idea is when Make runs a command, that command should only have access to a limited number of files.

If some rogue unit test accidentally tries to rm -rf /, the kernel will simply reject it using an EACCES error, because your root directory wasn’t declared as a dependency in your Makefile config.

A Lightweight Approach To Implement Secure Software Development LifeCycle (Secure SDLC)
Thirty Madison’s Anshuman Bhartiya walks through rolling out a secure SDLC, discussing Rapid Risk Assessments, architecture reviews, threat modeling, and more.

I agree with his approach to rolling out SAST, and have seen that approach effectively used at a number of companies. That is: roll out new checks carefully, test them, tune them, and use the following progression for checks as you gain confidence:

  • First notify the security team privately

  • Then surface as PR comments to developers (non blocking)

  • Finally, PR comment + blocking (only when you’re very confident):

"The trick here is going to be - how do you balance scanning whilst ensuring engineering toil is at minimum, yet providing value. You could look to roll this out in phases i.e. run a rule ad-hoc, see the results, fine-tune it to a point where you can be absolutely confident it wouldn’t produce any false positive or false negative and only then introduce it on every PR/CICD pipeline in a blocking mode. Semgrep allows us to do this because of its ability to write custom rules."
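One way to wire that notify, comment, block progression into a pipeline, as an added example that is not from the newsletter or from Anshuman's post: a small Python gate that reads a Semgrep JSON report and routes each finding by the rollout stage of the rule that produced it. The `rollout_stage` metadata key, the rule IDs and the sample report are assumptions constructed for illustration.

```python
import json

# Constructed sample in the shape of `semgrep --json` output. The
# "rollout_stage" metadata key is an assumption of this example: Semgrep rule
# metadata is free-form, so a team can define a key like this in its own rules.
SAMPLE_REPORT = json.loads("""
{"results": [
  {"check_id": "custom.new-ssrf-check", "path": "app/fetch.py",
   "start": {"line": 12}, "extra": {"metadata": {"rollout_stage": "notify"}}},
  {"check_id": "custom.jwt-no-verify", "path": "app/auth.py",
   "start": {"line": 40}, "extra": {"metadata": {"rollout_stage": "comment"}}},
  {"check_id": "custom.hardcoded-key", "path": "deploy/config.py",
   "start": {"line": 3}, "extra": {"metadata": {"rollout_stage": "block"}}},
  {"check_id": "custom.untagged-rule", "path": "app/util.py",
   "start": {"line": 7}, "extra": {"metadata": {}}}
]}
""")


def route_findings(report):
    """Split findings by the rollout stage of the rule that produced them."""
    routed = {"security_team": [], "pr_comments": [], "blocking": []}
    for result in report.get("results", []):
        meta = result.get("extra", {}).get("metadata", {})
        stage = meta.get("rollout_stage", "notify")
        if stage not in ("notify", "comment", "block"):
            stage = "notify"  # untagged or misspelled stages never reach a PR
        line = f'{result["path"]}:{result["start"]["line"]} {result["check_id"]}'
        if stage == "notify":
            routed["security_team"].append(line)  # private, rule still in tuning
        else:
            routed["pr_comments"].append(line)  # shown to the developer
            if stage == "block":
                routed["blocking"].append(line)  # and fails the check
    return routed


def ci_exit_code(routed):
    """Only rules promoted to the 'block' stage may fail the pipeline."""
    return 1 if routed["blocking"] else 0


if __name__ == "__main__":
    routed = route_findings(SAMPLE_REPORT)
    for channel, lines in routed.items():
        print(channel, lines)
    print("exit code:", ci_exit_code(routed))
```

Promoting a rule is then a one-line metadata change in the rule file, and a rule with a missing or mistyped stage falls back to the private channel instead of blocking developers.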

Web Security

Hacking APIs: Workshop
Presentation notes from Corey Ball’s DEF CON workshop. Also check out Corey’s recently published No Starch book: Hacking APIs: Breaking Web Application Programming Interfaces.

Kettle demonstrated how he was able to turn a victim’s web browser into a desync delivery platform, shifting the request smuggling frontier by exposing single-server websites and internal networks.

He was able to combine cross-domain requests with server flaws to poison browser connection pools, install backdoors, and release desync worms – in turn compromising targets including Amazon, Apache, Akamai, Varnish, and multiple web VPNs.

Cloud Security

Find AWS resources that are not logging, and turn them on.

Introducing the new AWS Serverless Snippets Collection
A new page hosted on Serverless Land that makes it easier to discover, copy, and share common code that can help with serverless application development.

We’ve designed Approvals so that it only has the ability to assign roles to existing users, rather than create new roles or new users. By design, the blast radius of Granted Approvals being compromised is that existing users in your directory could be granted access to roles, rather than external users being created. Better yet — Approvals is deployed as a serverless application which runs in your own AWS account, so Common Fate won’t have access to any data in your Granted Approvals deployment.

Codify your best practices using service control policies: Part 2
AWS’s Som Chatterjee discusses how you can think of creating SCPs using constructs from AWS Well-Architected, covering observability, security, and cost management. Som presents a number of SCPs, including:

  • Denying changes to CloudWatch monitors/logs or Config

  • Denying accounts from leaving the organization

  • Limiting permissions to accounts in your Sandbox org

  • Denying actions outside approved regions

  • Denying the ability to pass IAM roles

They’ve open sourced Filibuster, the prototype implementation of Service-level Fault Injection Testing, written in Python.

Service-level Fault Injection Testing is a technique for identifying resilience issues in microservice-based applications in development, before code ships to production. Filibuster has been designed to be easy to use, lightweight, and able to be integrated into a continuous integration environment, like GitHub Actions or Amazon’s CodeBuild CI/CD environment.



Blue Team

Open Cybersecurity Schema Framework
A proposed standard (whitepaper) for sharing security information. By standardizing alerts and logs from various tools, data scientists and analysts can work with a common language for threat detection and investigation. Companies involved include: Amazon, Splunk, IBM, Crowdstrike, Rapid7, Palo Alto, and Cloudflare.

How to Stand Up a Major Cyber Incident Investigations Board
Victoria Ontiveros and Tarah Wheeler gave a Black Hat talk (abstract, The Register) on how the aviation industry draws lessons learned from aviation incidents, and how a process could be applied to cyber incident investigations. In collaboration with Adam Shostack, they’ve released the Major Cyber Incident Investigations Playbook.

A guide for independent organizations and state and local governments to develop a sustainable mechanism for investigating and drawing lessons-learned from cyber incidents both in the immediate aftermath of a cyber incident and long-term.

Introducing Threatest, A Go Framework For End-to-end Testing Of Threat Detection Rules
Datadog’s Christophe Tafani-Dereeper introduces threatest, which allows you to define scenarios where you detonate an attack technique (over SSH or using Stratus Red Team), then assert that an alert was produced on a third-party platform.

The only way to gain full confidence in our ability to detect threats is to perform end-to-end testing of our detections. Namely, we consider all our logging and processing pipelines as a blackbox; we reproduce the attacks we expect to detect and verify on the other end that an expected alert is produced.

Reference: Bill Hader’s Stefon character on SNL.

Machine Learning + Art

A new AI image generator appears to be capable of making art that looks 100% human made. As an artist I am extremely concerned.

What makes this AI different is that it’s explicitly trained on current working artists. You can see below that the AI generated image (left) even tried to recreate the artist’s logo of the artist it ripped off.

This thing wants our jobs, it’s actively anti-artist.

  • Prompt engineering is hard, and requires creativity.

  • You get better at writing prompts with practice.

  • Stylistic modifiers are critical to getting interesting images.

  • It’s worth browsing r/dalle2 to get ideas for what goes into a good prompt.

  • You may need to photoshop out gibberish text.

  • You can edit your images after.

  • Getting a specific thing, a specific color, a specific number of things, or a thing in a specific place is hard.

  • I wouldn’t go long on $GETY (Getty Images).

The AI Art Apocalypse
On the economics of it, will people still make art, why people make art, having cheap and available art, AI as a tool, cultural implications, and more.

Artists will be put out of jobs. This is pretty much inevitable given that work which once took multiple hours will now take seconds, or maybe minutes if it’s difficult to get a good generation. I really do need to stress that the technology is in its infancy, and 95% of the obvious problems that it has now will be solved with larger models, different approaches, or better UI.

If you’ve played around with Stable Diffusion or MidJourney or DALL-E 2, then you know how hard it is to get a good result for a specific idea you’ve had. I’ve been keeping up with the papers, and these problems are going to disappear. They’ve disappeared already in the current crop of non-public models, and they’re going to disappear from the public-facing models as well. Specificity is one of the key things that human artists have going for them right now, but it’s not something that’s going to continue.

What is fascinating about DALL-E is that it points to a future where these three trends can be combined. DALL-E, at the end of the day, is ultimately a product of human-generated content, just like its GPT-3 cousin. The latter, of course, is about text, while DALL-E is about images. Notice, though, that progression from text to images; it follows that machine learning-generated video is next. This will likely take several years, of course; video is a much more difficult problem, and responsive 3D environments more difficult yet, but this is a path the industry has trod before:

• Game developers pushed the limits on text, then images, then video, then 3D

• Social media drives content creation costs to zero first on text, then images, then video

• Machine learning models can now create text and images for zero marginal cost

In the very long run this points to a metaverse vision that is much less deterministic than your typical video game, yet much richer than what is generated on social media. Imagine environments that are not drawn by artists but rather created by AI: this not only increases the possibilities, but crucially, decreases the costs.

Machine learning generated content is just the next step beyond TikTok: instead of pulling content from anywhere on the network, GPT and DALL-E and other similar models generate new content from content, at zero marginal cost. This is how the economics of the metaverse will ultimately make sense: virtual worlds need virtual content created at virtually zero cost, fully customizable to the individual.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!