
[tl;dr sec] #150 - How to Start an AppSec Program with the OWASP Top 10, Leadership in Cybersecurity, Magic GitHub API Proxy

Building an effective and scalable AppSec program by leaning into secure defaults, leadership tips, and a proxy that enables least-privilege use of GitHub API tokens.

Hey there,

I hope you’ve been doing well!

Bedtime Stories

Some of my favorite memories as a child are my dad telling me bedtime stories.

I remember him reading to me from The Hobbit and Lord of the Rings. I loved them, though I periodically told him to fast forward parts if I was getting bored by the multi-page genealogy description of trees.

I hope to similarly read epic fantasy and science fiction to my (yet to be born) kids one day.

But I also want my kids to be digitally literate, and hopefully hackers.

Kids can absorb new knowledge amazingly quickly, but sometimes they’re not ready for the harsh realities of the world out there, as my bud Josh Yavor found:

Sponsor

📢 Is your SecOps ready for cloud, containers and Kubernetes?

Join Skyscanner, Sysdig and SANS on 20th October and learn ways to bolster threat detection and response in cloud environments using EDR-like workflows, machine learning and the MITRE ATT&CK framework.

One lucky registrant will win a SANS Cloud Security Course worth $8,200!

📜 In this newsletter...

  • Web Security: Tool to bypass 40X response codes, local file inclusion exploitation tool, structure-aware HTTP fuzzing library, GraphQL password brute-force and fuzzing tool

  • AppSec: GitHub API proxy that enables GitHub API token least privilege, abusing self hosted GitHub runners at Facebook, popular Python packages cause subtle math errors, Golang tool to flag vulnerable dependencies

  • Secure Defaults: Twitter thread on security being a subset of program correctness, how to start an AppSec program with the OWASP Top 10

  • Security Leadership: How to hire and build your cybersecurity team, how to transition from a high performing IC to an inspiring leader

  • Cloud Security: Create a point in time assessment with Prowler and Scout, transitioning to multiple AWS accounts, authenticating to AWS the right way, an open source security lake platform for AWS

  • Container Security: Kubernetes API server bypass risks, Kubernetes security checklist, learn Istio

  • Misc: 'Arcane' becomes first streaming show to win Animated Emmy, nearly 2 in 5 American college graduates regret their majors, a lightweight multi-protocol CLI download utility, the optimal amount of fraud is non-zero

Web Security

devploit/dontgo403
A tool to bypass 40X response codes, by Daniel Púa.

mzfr/liffy
A local file inclusion exploitation tool, by Mehtab Zafar.

epi052/feroxfuzz
A structure-aware HTTP fuzzing library, by Ben Risher. Its overall design is derived from LibAFL, and it implements most of the components listed in LibAFL: A Framework to Build Modular and Reusable Fuzzers.

nicholasaleks/CrackQL
By Nick Aleks and Dolev Farhi: A GraphQL password brute-force and fuzzing utility. It exploits poor rate-limit and cost analysis controls to brute-force credentials and fuzz operations. Attack use cases: defense evasion, password spraying brute-forcing, 2FA OTP bypass, user account enumeration, IDOR, and general fuzzing.

AppSec

google/magic-github-proxy
By Stargirl and Google’s Colin Nelson: A stateless GitHub API proxy that allows creation and use of access-limited GitHub API tokens. Basically, it’s identity and access management for GitHub API tokens.
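To make the "identity and access management for API tokens" idea concrete, here is an added example (not magic-github-proxy's code) of the policy check such a proxy performs before forwarding a request. It assumes, as my own simplification rather than the project's design, that the proxy keeps the real GitHub token and hands each client a signed scoped token listing the (method, path-pattern) pairs it may use; everything else is denied by default. The signing key, repository names and paths are constructed.

```python
"""Least-privilege policy check for GitHub API requests (illustrative, not
magic-github-proxy's implementation).

Assumed design: the proxy holds the real GitHub token and issues clients a
signed 'scoped token' whose payload lists allowed [method, path regex] pairs.
Every forwarded request is matched against that allowlist; deny by default.
"""
import base64
import hashlib
import hmac
import json
import re
from typing import Dict, List, Sequence

# Constructed proxy-side signing key for the example; a deployment would load
# this from a secret store.
PROXY_KEY = b"example-proxy-signing-key"


def _sign(payload: bytes) -> str:
    return hmac.new(PROXY_KEY, payload, hashlib.sha256).hexdigest()


def issue_scoped_token(allowed: Sequence[Sequence[str]]) -> str:
    """Encode an allowlist of [HTTP method, path regex] pairs and sign it."""
    payload = json.dumps({"allow": [list(a) for a in allowed]},
                         separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


def parse_scoped_token(token: str) -> Dict:
    """Verify the signature and return the decoded payload; raise on tampering."""
    body, sig = token.rsplit(".", 1)
    payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    if not hmac.compare_digest(_sign(payload), sig):
        raise ValueError("scoped token signature mismatch")
    return json.loads(payload)


def normalise_path(path: str) -> str:
    """Drop the query string and collapse repeated slashes so the regex sees
    the same path GitHub would route."""
    return re.sub(r"/+", "/", path.split("?", 1)[0])


def is_allowed(token: str, method: str, path: str) -> bool:
    """Deny by default: any parse failure, '..' segment, or non-matching
    (method, path) combination is refused before the real token is used."""
    try:
        scopes: List[List[str]] = parse_scoped_token(token)["allow"]
    except (ValueError, KeyError, TypeError):
        return False
    norm = normalise_path(path)
    if ".." in norm.split("/"):
        return False
    for allowed_method, pattern in scopes:
        if allowed_method.upper() == method.upper() and re.fullmatch(pattern, norm):
            return True
    return False


if __name__ == "__main__":
    # Token limited to reading issues of one constructed repository.
    token = issue_scoped_token([["GET", r"/repos/example-org/example-repo/issues(/\d+)?"]])
    for m, p in [("GET", "/repos/example-org/example-repo/issues/42?state=open"),
                 ("POST", "/repos/example-org/example-repo/issues"),
                 ("GET", "/repos/example-org/other-repo/issues")]:
        print(m, p, "->", "forward" if is_allowed(token, m, p) else "deny")
```

The two details worth copying into any real implementation are the deny-by-default loop (a request is forwarded only when an allowlist entry matches the whole normalised path, never on a prefix) and the constant-time signature comparison, so a client cannot widen its own scopes by editing the payload.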

Zuckerpunch - Abusing self hosted github runners at Facebook
Marcus Young describes how he abused GitHub Actions to get full root on the PyTorch CI runners. What I found especially interesting is some git trickery that causes the GitHub UI to show no changes between your malicious PR and the default branch (git rebase -i HEAD^ then git push origin {branch_name} -f): after a few seconds there's no way to show the changes.

Someone’s Been Messing With My Subnormals!
This is such a neat post by Brendan Dolan-Gavitt on deep diving into what code you’re actually running, downloading and analyzing a massive number of shared libraries from PyPI, and doing an ecosystem-level study on one laptop (lol). Also, note that pip install --dry-run can still run arbitrary code on your machine from a package’s setup.py.

After noticing an annoying warning, I went on an absurd yak shave, and discovered that because of a tiny handful of Python packages built with an appealing-sounding but dangerous compiler option, more than 2,500 Python packages—some with more than a million downloads per month—could end up causing any program that uses them to compute incorrect numerical results.
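The post's finding is that a few native extensions switch the CPU's floating-point unit into flush-to-zero (FTZ) and denormals-are-zero (DAZ) modes when they are loaded, which silently changes results for every library in the same process. Here is an added example (not code from the post) that a team can drop into a test suite to catch that: it performs plain float operations that must produce and consume subnormals, so the flags flip to False if something in the process has changed the FPU mode.

```python
"""Probe whether this process still does IEEE-754 subnormal arithmetic.

Added example, not from the post. The operations below are ordinary Python
float operations executed by the CPU at runtime, so they reflect whatever
FTZ/DAZ mode the process is currently in.
"""
import sys
from typing import Dict

SMALLEST_NORMAL = sys.float_info.min  # 2.2250738585072014e-308 for doubles


def produce_subnormal() -> float:
    """Halving the smallest normal must give a subnormal, not 0.0.
    Under FTZ the hardware flushes this result to zero."""
    half = 2.0
    return SMALLEST_NORMAL / half


def consume_subnormal() -> float:
    """Feed a subnormal into an operation. float() parses in software, so the
    input is always nonzero; under DAZ the multiply treats it as zero."""
    smallest_subnormal = float("5e-324")
    one = 1.0
    return smallest_subnormal * one


def check_subnormals() -> Dict[str, bool]:
    """All three flags are True on a healthy process."""
    produced = produce_subnormal()
    return {
        "ftz_intact": produced != 0.0,
        "daz_intact": consume_subnormal() != 0.0,
        # Gradual underflow: min - min/2 must equal min/2 exactly.
        "gradual_underflow": (SMALLEST_NORMAL - produced) == produced,
    }


if __name__ == "__main__":
    for name, ok in check_subnormals().items():
        print(f"{name}: {'ok' if ok else 'BROKEN (something changed FTZ/DAZ)'}")
```

Run it after importing the third-party packages an application depends on, not at the top of an empty interpreter: the whole point of the post is that the mode change happens as a side effect of loading a shared library, so the probe only tells you something once those libraries are in the process.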

Vulnerability Management for Go
Google’s Julie Qiu introduces the new govulncheck command, a low-noise, reliable way for Go users to learn about known vulnerabilities that may affect their projects. It only surfaces vulnerabilities that actually affect you, based on which functions in your code transitively call vulnerable functions.

Secure Defaults

@postmodern_mod3 thread on security being a subset of program correctness
In response to a slide from my sec4dev keynote, in which I argued that security is not separate from correctness and code quality, but rather a subset of it.

How do we make it easier to achieve Program Correctness? By giving programmers better tools. Better frameworks, better libraries, better programming languages, better concepts such as Monads (aka railroad programming) which guarantee that every edge-case is handled.

For years InfoSec has essentially functioned as bandaid salesmen, promising they can fix security post-facto with fuzzers and code audits. This strategy may have reduced the amount of low-hanging-fruit vulns, but hasn’t eliminated nor stopped the creation of new security vulns.
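The thread's "railroad" point is easiest to see in code, so here is an added example (mine, not part of the thread) of the pattern in Python: a small Result type with an Ok track and an Err track, used for a constructed port-validation pipeline. Once a step returns Err, and_then carries the failure past every later step, so there is no code path that hands a caller an unvalidated value.

```python
"""Railroad-style validation with an explicit Result type.

Added example, not part of the thread. Each validation step returns Ok or
Err; and_then runs the next step only on the success track, so every edge
case is handled by construction rather than by remembering to check.
"""
from dataclasses import dataclass
from typing import Callable, Generic, TypeVar, Union

T = TypeVar("T")
U = TypeVar("U")


@dataclass(frozen=True)
class Ok(Generic[T]):
    value: T

    def and_then(self, step: "Callable[[T], Result[U]]") -> "Result[U]":
        return step(self.value)            # success track: run the next step

    def unwrap_or(self, default: T) -> T:
        return self.value


@dataclass(frozen=True)
class Err:
    reason: str

    def and_then(self, step) -> "Err":
        return self                        # failure track: later steps are skipped

    def unwrap_or(self, default):
        return default


Result = Union[Ok[T], Err]


def parse_port(raw: str) -> Result[int]:
    try:
        return Ok(int(raw.strip()))
    except ValueError:
        return Err(f"not an integer: {raw!r}")


def check_range(port: int) -> Result[int]:
    return Ok(port) if 1 <= port <= 65535 else Err(f"port out of range: {port}")


def check_unprivileged(port: int) -> Result[int]:
    return Ok(port) if port >= 1024 else Err(f"privileged port refused: {port}")


def validate_port(raw: str) -> Result[int]:
    """Each edge case is a distinct Err; no path yields an int without
    passing every check."""
    return parse_port(raw).and_then(check_range).and_then(check_unprivileged)


if __name__ == "__main__":
    for raw in ["8080", "abc", "70000", "80"]:
        print(repr(raw), "->", validate_port(raw))
```

The contrast with exception-based code is that a caller cannot forget the error case: the only way to get an int out is unwrap_or (which forces a default) or an explicit isinstance check on Ok, which is exactly the "every edge case is handled" guarantee the thread attributes to monadic style.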


How to start an AppSec program with the OWASP Top 10
This OWASP article is like a page out of my own heart, H/T Ishaq Mohammed for sharing.

The paved road concept is the easiest way to make the most impact and scale AppSec resources with development team velocity, which only increases every year.

The paved road concept is “the easiest way is also the most secure way” and should involve a culture of deep partnerships between the development team and the security team, preferably such that they are one and the same team. The paved road aims to continuously improve, measure, detect and replace insecure alternatives by having an enterprise-wide library of drop-in secured replacements, with tooling to help see where improvements can be made by adopting the paved road. This allows existing development tools to report on insecure builds and help development teams self-correct away from insecure alternatives.
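The "tooling to help see where improvements can be made" part of the paved road is easy to prototype. The following is an added example (mine, not from the OWASP article): an AST scan of Python source against a constructed map of insecure calls to their drop-in secured replacements, producing the kind of report that lets a development team self-correct. The map entries and the sample source are my own.

```python
"""Report uses of known insecure calls and name the paved-road replacement.

Added example, not from the OWASP article. A minimal version of the tooling
the article describes: scan source for calls on a constructed
insecure -> secured-replacement map and report each one with its line.
"""
import ast
from typing import Dict, List

PAVED_ROAD: Dict[str, str] = {
    "yaml.load": "yaml.safe_load",
    "pickle.loads": "json.loads with schema validation",
    "random.random": "secrets.token_hex or secrets.SystemRandom",
    "hashlib.md5": "hashlib.sha256",
    "tempfile.mktemp": "tempfile.mkstemp",
}
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.Popen",
                    "subprocess.call", "subprocess.check_output"}


def dotted_name(node: ast.AST) -> str:
    """Rebuild 'pkg.mod.func' from an Attribute/Name chain ('' otherwise)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan_source(src: str, filename: str = "<input>") -> List[Dict]:
    """Return one finding per flagged call, ordered by line."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name in PAVED_ROAD:
            findings.append({"file": filename, "line": node.lineno,
                             "call": name, "use_instead": PAVED_ROAD[name]})
        elif name in SUBPROCESS_CALLS:
            # shell=True hands a string to the shell; the paved road is an
            # argument list with the default shell=False.
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append({"file": filename, "line": node.lineno,
                                     "call": f"{name}(shell=True)",
                                     "use_instead": f"{name} with an argument list (shell=False)"})
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample source to scan.
SAMPLE = """\
import hashlib, subprocess, yaml
cfg = yaml.load(open("app.yml"))
subprocess.run("ls " + path, shell=True)
digest = hashlib.md5(data).hexdigest()
safe = yaml.safe_load(open("app.yml"))
subprocess.run(["ls", path])
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE, "app.py"):
        print(f"{f['file']}:{f['line']}: {f['call']} -> use {f['use_instead']}")
```

This deliberately matches only fully qualified calls; aliased imports (from yaml import load) are not resolved, which is the first thing a production version built on a real static-analysis engine would add. The useful property is that every finding names the paved-road replacement, so the report reads as a migration list rather than a list of blame.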

Security Leadership

How to hire and build your cybersecurity team
Netflix’s former InfoSec leader Jason Chan offers early stage founders six “green flags” to look out for when hiring and building cybersecurity teams that truly make an impact.

The right cybersecurity leader is like “a step-down transformer,” said Jason. “In electricity, a step-down transformer takes something high-voltage and moves it to a lower voltage. The analog for humans is, you come into a situation, you lower the temperature, relative stress, and anxiety of the situation. It doesn’t mean that you have no emotions or no stress. It just means relative to the rest of the room, you can calm things down.”

Leadership in Cybersecurity: A Guide to Your First Role
Excellent post by NCC Group’s Lawrence Munro on how to transition from a high performing individual contributor to an inspiring leader.

One of the most important things in leadership is your mindset. You need to respect the craft and acknowledge that you’re starting again as if you’ve changed career. Some people will take to leadership very naturally, while others will take more time to find their style. Don’t be disheartened if it doesn’t happen right away. I’ve always found that relationships with your team and getting buy-in takes longer than you’d like, but if you keep doing the right things, it’ll happen.

On changing your relationship with knowledge and expertise:

You could retain expertise in a niche area that is a sub-set of your previous expertise. This means that staying current is more manageable, however, you can risk micromanagement or dominating the narrative in this area. The temptation may be to jump into your comfort zone to fix tactical issues, rather than remediating single points of failure or addressing strategic challenges.

It could be that you’re a ‘player-manager’, and this is mostly fine, but in most cases you need to adjust.

An alternative approach is to aim for a more ‘meta’ understanding and focus on augmenting existing knowledge at a higher level of abstraction.

Sponsor

📢 Powerful iOS 16 security testing without the jailbreak need

Apple continually enhances iOS security to combat cyber criminals, including their ability to gain iOS root access (jailbreaking). But oddly, root access is what the good guys - security and privacy testers - need to make the world safer.

Corellium to the rescue. The Corellium Virtual Hardware platform enables iOS 16 root access without the jailbreak. Simply spin-up any virtual iPhone model and iOS combo and dive in. Why spend time jailbreaking a phone when you’re trying to discover and prevent such vulnerabilities in the first place?

Read our blog on iOS 16 and new Lockdown and Developer Modes.

Cloud Security

awslabs/aws-security-assessment-solution
An AWS tool to help you create a point-in-time assessment of your AWS account using Prowler and Scout, as well as optional AWS-developed ransomware checks.

Transitioning to multiple AWS accounts
AWS’s Justin Plock discusses transitioning from a single-account environment to a multi-account environment, including decisions you need to make about account migration, user management, networking, security, and architecture.

Authenticating to AWS the right way for (almost) every use-case
Lee Briggs covers the right way to authenticate to AWS in a variety of scenarios:

matanolabs/matano
By Matano: An open source security lake platform for AWS that lets you ingest petabytes of security and log data from various sources, store and query them in an open Apache Iceberg data lake, and create Python detections as code for real-time alerting.

Matano is fully serverless and designed specifically for AWS and focuses on enabling high scale, low cost, and zero-ops.
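As an added illustration of "Python detections as code" (my example, not from the Matano project), here is a detection that flags successful AWS console logins made without MFA, with a tiny local harness standing in for the platform's scheduler. The detect()/title() function shape is my assumption about such an interface, not Matano's documented API, and the records are constructed in raw CloudTrail field names (eventName, responseElements.ConsoleLogin, additionalEventData.MFAUsed); a real log-lake table would normalise those before a detection sees them.

```python
"""Detection-as-code: flag AWS console logins that succeeded without MFA.

Added example, not from the Matano project. The detect()/title() shape is an
assumed interface; the records are constructed in raw CloudTrail field names.
"""
from typing import Any, Dict, List


def detect(record: Dict[str, Any]) -> bool:
    """True when the record is a successful ConsoleLogin with MFAUsed == 'No'."""
    if record.get("eventName") != "ConsoleLogin":
        return False
    if (record.get("responseElements") or {}).get("ConsoleLogin") != "Success":
        return False
    return (record.get("additionalEventData") or {}).get("MFAUsed") == "No"


def title(record: Dict[str, Any]) -> str:
    user = (record.get("userIdentity") or {}).get("userName", "<unknown>")
    return f"Console login without MFA: {user} from {record.get('sourceIPAddress', '?')}"


def run_detection(records: List[Dict[str, Any]]) -> List[str]:
    """Apply the detection to a batch and return alert titles (local harness,
    standing in for the platform's scheduler)."""
    return [title(r) for r in records if detect(r)]


# Constructed records: one login with MFA, one without, one failed attempt.
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_RECORDS):
        print(alert)
```

Keeping the predicate in a plain function with a constructed fixture next to it is what makes "detections as code" pay off: the detection gets unit tests and code review like any other code, and the failed-login record in the fixture documents why the outcome check is there.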

Container Security

Kubernetes API Server Bypass Risks
Kubernetes documentation page that describes the ways in which the security controls built into the Kubernetes API server can be bypassed, so that cluster operators and security architects can ensure that these bypasses are appropriately restricted.

Kubernetes Security Checklist
Kubernetes documentation page that provides a basic list of guidance with links to more comprehensive docs on each topic. Topics: authentication and authorization, network security, pod security, pod placement, secrets, images, admission controllers.

Learn Istio – How to Manage, Monitor, and Secure Microservices
solo.io’s Rinor Maloku provides an intro to Istio, Istio’s architecture, how to use Istio in practice, how to run the services on the mesh, ingress gateway (how to admit traffic into the mesh), observability, traffic management (canary deployments), and Istio Security.

Misc

‘Arcane’ Becomes First Streaming Show To Win Animated Emmy
Huh, I thought a TV series based on a video game (League of Legends) would be bad, but apparently not.

Almost half of humanities and arts majors regret their choice — and enrollment in those disciplines is shrinking rapidly.

By 2021, disciplines such as history, English and religion graduated less than half as many students as they did in their early 2000s heyday, relative to the overall size of the graduating student body.

aria2
A lightweight multi-protocol & multi-source command-line download utility. It supports HTTP/HTTPS, FTP, SFTP, BitTorrent and Metalink. aria2 can be manipulated via built-in JSON-RPC and XML-RPC interfaces.

The optimal amount of fraud is non-zero
Interesting post by Patrick McKenzie on trust, fraud, society, that crime rates are a policy choice, that fraud is a necessary business expense, and more.

Directors of Fraud are aware that the policy choices available to them impact the user experience of fraudsters and legitimate users alike. They want to choose policies which balance the tradeoff of lowering fraud against the ease for legitimate users to transact.

Businesses with high margins also tend to be more accepting of payments fraud than businesses with low margins. Consider businesses which sell IP, like video game companies, streaming services, or SaaS. Because their margins are often 90%+, if you were to present them with a menu of strategies which traded off conversion rate and fraud rate, they’d maximize for conversion rates until fraud at the margin reached levels not seen in even the most corrupt places imaginable.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint