[tl;dr sec] #149 - Incident Response in AWS, CISA's Supply Chain Security Guidance, Recon
How to prep for and handle an incident in AWS well, detailed PDF guide by NSA and CISA on software supply chain security, various OSINT and recon tools.
I hope you’ve been doing well!
Here’s Claudio and I, ten hours into continuously prepping for the workshop:
I did manage to take at least one quick break though to get some delicious wiener schnitzel:
I don’t know how they do it, but it’s so crispy and fairly light actually. Would recommend 😍
📢 The Software Supply Chain Security Checklist ✅
Learn 7 best practices for protecting your components and pipelines from attack in this step-by-step guide. You’ll get research on common security risks at each layer of your software supply chain and security best practices so you can quickly identify, prioritize, and address risks to prevent supply chain breaches.
If you want to better understand how to secure your software supply chain components such as open source packages, IaC templates, and the underlying delivery pipelines, this checklist is for you!
📜 In this newsletter...
AppSec: SPF deep dive and unexpected behavior, Elixir secure coding training
Web Security: Burp extension for AWS SigV4 signing, an intro to SAML and SAML security
Supply Chain: GitHub Action that can generate provenance documents for projects in any programming language, software supply chain guidance for developers from NSA and CISA, reflections on that doc
Cloud Security: Honest recap and summary of fwd:cloudsec and re:Inforce, incident response in AWS, interview with AWS CISO
Container Security: A blind spot many scanners have with popular Docker images, an interactive debugger for Dockerfiles, Dockerfile security best practices with Semgrep, implementing a quarantine pattern for container images
OSINT / Recon: Recon and vulnerability scanning automation with Trickest and GitHub, the ultimate wordlist tool, building your own historical DNS solution with DNSx, Golang implementation of Wappalyzer technology detection, tool to gather info about a domain or FQDN
Misc: Zelda Breath of the Wild Street View, time till open source alternative, announcing the Trail of Bits podcast
An interactive cybersecurity curriculum designed for enterprise use at software companies using Elixir, by Podium’s Holden Oullette. The curriculum is broken into the following 8 primary topics: OWASP Top 10, secure SDLC, GraphQL security, Elixir security, cookie security, security anti-patterns, CI/CD tooling, the secure road.
SAML: An Introduction to SAML and its security
Ruxmon 2022 talk by PentesterLab’s Louis Nyffenegger covering how SAML works and various attacks, including XXE, XML signature shenanigans, malicious identity providers, etc.
General availability of SLSA3 Generic Generator for GitHub Actions
There is now a SLSA3 Generic Generator that can generate provenance documents for projects developed in any programming language, while keeping your existing build workflows.
A number of popular projects are already using it, meaning you can download artifacts (zip, binaries, etc.) from these projects and verify that the expected workflow was used to build the source code, without any modifications.
NSA, CISA, ODNI Release Software Supply Chain Guidance for Developers
New 64 page PDF covering developing secure code, verifying third-party components, hardening build environments, and delivering code securely.
An honest recap of fwd:cloudsec and AWS re:Inforce 2022
Resmo’s Mustafa Akın provides a nice summary of several fwd:cloudsec talks as well as a number of re:Inforce announcements.
CJ Moses might be the CISO of AWS, but service leaders own their own security
Interesting interview with AWS’s CJ Moses covering topics including:
What are your duties as CISO?
What is AWS’ security strategy?
What’s the biggest threat to cloud security right now and how do you stay ahead of all these bad actors?
What are the biggest security mistakes that you see enterprise customers repeating?
📢 How to slash the time of mobile app penetration testing by up to 50%!
Mobile pentesting, emulators and clouds don’t mix. You need the fidelity and environment that only a physical phone can provide. Until now. Only Corellium offers an Arm-native virtual device platform for iOS and Android that enables powerful pentesting in half the time - in the cloud or fully onsite.
With Corellium, you can spin-up near limitless device and OS combinations, with full root access, even the latest iOS, with no jailbreak required. And you can save more time by automating file, app, and script installation and execution through a powerful API.
Dan Lorenc on a blind spot many scanners have with popular Docker images
tl;dr: Many Docker images manually install a specific version of a language runtime like NodeJS using a custom script instead of the official Debian NodeJS package. Scanners that rely on the distro’s package database never see that runtime, so they can fail to report many open CVEs.
An interactive debugger for Dockerfiles, with support for IDEs (VS Code, Emacs, Neovim, etc.), by Kohei Tokunaga. Source-level inspection, breakpoints and step execution, interactive shell, supports rootless containers.
Enforcing a “custom” distroless image.
Using rootless containers.
App user control (last user must be the “app” user).
Check health check instructions.
Using a multistage build.
Implementing Quarantine Pattern for Container Images
Agitare Tech’s Toddy Mladenov describes a “quarantine pattern” for container images that prevents an image from being used unless certain conditions are met.
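As an added example (not Toddy Mladenov’s implementation, and independent of any particular registry), here is the quarantine pattern reduced to its two gates: every newly pushed image is marked quarantined, a release step clears the mark only when the scan and signature conditions hold, and the deploy-time check fails closed, treating a missing mark the same as a quarantined one. The annotation keys, the condition set and the scan-result shape are assumptions; the image records are constructed.

```python
"""Quarantine pattern for container images (added example)."""
from dataclasses import dataclass, field

QUARANTINE_KEY = "quarantine"          # hypothetical registry annotation key


@dataclass
class ImageRecord:
    """Constructed stand-in for a registry manifest plus its annotations."""
    digest: str
    annotations: dict = field(default_factory=dict)


def on_push(image):
    """Registry-side hook: every new image starts out quarantined."""
    image.annotations[QUARANTINE_KEY] = "true"
    return image


def release_from_quarantine(image, scan_result, signature_valid, max_critical=0):
    """Clear the quarantine mark only if every condition holds.
    Returns (released, reasons); reasons is empty on success."""
    reasons = []
    if scan_result.get("status") != "completed":
        reasons.append("vulnerability scan has not completed")
    if scan_result.get("critical", 0) > max_critical:
        reasons.append(f"{scan_result['critical']} critical findings exceed "
                       f"allowed {max_critical}")
    if not signature_valid:
        reasons.append("image signature missing or invalid")
    if not reasons:
        image.annotations[QUARANTINE_KEY] = "false"
    return (not reasons, reasons)


def admit(image):
    """Deploy/pull gate. Fail closed: an image is usable only when the mark
    was explicitly cleared; an absent annotation counts as quarantined."""
    return image.annotations.get(QUARANTINE_KEY, "true") == "false"


if __name__ == "__main__":
    img = on_push(ImageRecord(digest="sha256:constructed-example-digest"))
    print("admitted right after push:", admit(img))
    ok, why = release_from_quarantine(
        img, {"status": "completed", "critical": 0}, signature_valid=True)
    print("released:", ok, why, "admitted now:", admit(img))
```

The design point is in `admit`: the gate never asks “has this image been flagged?” but “has this image been explicitly cleared?”, so a scan that never ran, an annotation a migration dropped, or a registry that lost metadata all default to deny rather than allow.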
OSINT / Recon
Recon and Vulnerability Scanner via Trickest and GitHub
Trickest’s Mohammed Diaa describes how to structure a GitHub repo and set up a GitHub Action so you can push nuclei templates and root domains to the repository and have it automatically kick off recon and vulnerability scanning.
A tool for generating wordlists or extending an existing one using mutations, by @d4rckh. It can build wordlists based on: patterns, common password or username formats, words from scraping a web page, or extending existing wordlists using mutations.
Building Your Own Historical DNS Solution with DNSx
Ben Bidmead describes how to modify the pdiscovery-bot to build an efficient and simple to modify DNS tracking system that will continuously enumerate domains and then alert you to the existence of new domains, using all Project Discovery tools.
A passive host and domain name lookup tool by Joon that gathers info about a domain or FQDN using various OSINT services and outputs them in a human-friendly readable way. Leverages VirusTotal, PassiveTotal, IPWhois, and Shodan.
Zelda Breath of The Wild Street View
Google maps’ street view meets Zelda Breath of The Wild.
Time Till Open Source Alternative
An informal look at the length of time between a proprietary piece of software being released in an area and an open source alternative.
Announcing the new Trail of Bits podcast
The first five-episode season of the new Trail of Bits podcast is out, by Trail of Bits’s Dan Guido, Nick Selby, and many more. Episodes on: Zero Knowledge Proofs, are blockchains really decentralized?, intern spotlight, third-party dependency security (it-depends), and what we can learn about the future of security from companies building high assurance software that the rest of the industry may see in 18 to 24 months.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!