[tl;dr sec] #151 - Why Security Products Fail, Pentesting.Cloud, CVE North Stars
Why security products can be ineffective, cloud pen testing exercises, review CVEs to learn vulnerability discovery.
I hope you’ve been doing well!
Product’s Back, Alright!
I’ve recently been learning a lot about Product thinking from my bud Luke O’Malley, and I’ve always loved an apt diagram, so this one tickled my fancy:
📢 The Benefits of Using Python to Write SIEM Detections
Legacy SIEM solutions have presented a number of operational challenges for security teams. One of the key contributors to these challenges is the use of proprietary SIEM languages within the tools. In this blog, learn about the challenges of proprietary SIEM coding languages, ways to optimize threat detection with Python-based rules, and the impact on mean-time-to-detection (MTTD) and overall SIEM costs.
📜 In this newsletter...
AppSec: Use CVEs to learn vulnerability discovery, time to deprecate C/C++, threat intel should just say "use webauthn"
Web Security: XSS scanning tool, tool to use AWS API Gateway as a proxy to enable web scraping, Spring actuator security, how to bypass Cloudflare
Supply Chain: White House guidance on software supply chain security, a criticism of CISA/NSA's supply chain security guide, case study of finding exposed and vulnerable jQuery versions
Apple: Apple is killing the password with passkeys, iOS 16 security and privacy features overview
Cloud Security: Debug AWS Lambda functions locally, cloud pentesting challenges, tool to gain understanding and find attack paths in AWS environments, some useful cloud design patterns
Container Security: PCI guidance for containers and container orchestration tools, Kubernetes security for CISOs
Misc: Hamilton has been translated to German, Cloudflare's replacement HTTP proxy written in Rust, tech workers are paying for leg-lengthening surgery
The Long Haul: What we're learning about long COVID
Why do security products fail?: Four reasons why security products can fail and principles every security product should consider
A practical method to focus on a set of CVEs to discover and generalize a vulnerability class.
How to apply patch diffing (with Ghidra) to relevant security updates to determine what changes were made to fix a specific vulnerability.
Perform Root Cause Analysis to determine whether a specific security patch was effective.
Mark is the CTO of Microsoft Azure.
Spring Actuator Security, Part 2: Finding Actuators using Static Code Analysis with Semgrep
In Part 1, iteratec’s Max Maass walked through how Spring Actuators can be used to steal secrets. In this post, Max shows how to write Semgrep rules to find all Actuators, filter out intentionally exposed actuators, and ignore cases when a specific port and address have been specified. Nice example of iterating on a custom rule and easily analyzing YAML files.
How to Bypass Cloudflare: A Comprehensive Guide
Enhancing the Security of the Software Supply Chain to Deliver a Secure Government Experience
Guidance published by the White House. (PDF)
Securing the Supply Chain of Nothing
In tl;dr sec #149, I referenced the document Securing the Software Supply Chain – Recommended Practices Guide for Developers, by CISA, NSA, and ODNI. In this post, Kelly Shortridge writes a rebuttal in the form of ten objections.
Software Dependency Failures: jQuery, a Canary in the Coal Mine
An interesting case study in how many public web apps are affected by a CVE in a popular library. Lari Huttunen chose a jQuery CVE that affects most jQuery versions and then used a jQuery UI dork on Shodan to find affected hosts. Based on a sample of 100K hosts, he found that:
~26% of all the publicly reachable jQuery UI web apps contain a vulnerable version
~21% of jQuery UI instances are end-of-life (no longer supported versions)
Apple’s Killing the Password. Here’s Everything You Need to Know
With iOS 16 and macOS Ventura, Apple is introducing passkeys—a more convenient and secure alternative to passwords. Under the hood, Apple’s passkeys are based on the Web Authentication API (WebAuthn), and can be synced across devices using iCloud’s Keychain.
iOS 16 Security and Privacy Features: Everything You Need to Know
I love to see all of these.
Safety Check: Quickly reset all of the data and location access that you have granted to other people (aimed at people in domestic or intimate partner violence situations).
Emergency Reset: One-tap option that immediately stops sharing everything with all people and apps. It also lets you remove all emergency contacts and reset your Apple ID and password so no one can log into your account.
Manage Sharing: See an overview of what you’re sharing so you can’t be secretly tracked or monitored using location sharing, shared albums, or other iPhone features.
In the iOS 16 Photos app, the Hidden and Recently Deleted albums cannot be opened without authentication.
Rapid Security Response: With iOS 16, Apple can send out security updates without needing to update the entire operating system.
Apps in iOS 16 need explicit user permission before accessing the clipboard.
Passkeys: Described above.
Lockdown Mode: Limits or disables functionality of many iPhone features for activists, journalists, and others who are targeted by sophisticated cyberattacks.
By Thundra: A live AWS Lambda function development and debugging tool. MerLoc allows you to run AWS Lambda functions locally while they remain part of a flow running in the remote AWS cloud.
Free cloud-focused security challenges, covering: bypassing IMDSv2 meta-data controls, S3 buckets, leaky CloudFormation templates, etc.
Bishop Fox’s Seth Art and Carlos Vendramini describe CloudFox, a CLI tool that helps you gain situational awareness in unfamiliar cloud environments. It was created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.
New Information Supplement: Guidance for Containers and Container Orchestration Tools
The PCI Council has published their best practice guidance for containers and container orchestration tools. See also Rory McCune’s blog post that gives an excellent overview, calls out important points, and some of the implications of the recommendations.
Secure authentication solutions
Kubernetes habits: single vs multi tenancy, observability, namespaces
Scanning and verifying container images
📢 20 Tips to Make the Most of Your Pen Test
Penetration tests are an essential weapon in your offensive security arsenal. But not all pen tests are created equal. There are common pitfalls that can cost you in terms of quality, project delays, or unnecessary expense. Learn how to avoid them with these 20 tips curated from our team of expert pen testers, with thousands of security engagements under their belts. Whether you’re a pen test veteran, or are about to contract your first one, this eBook will help get you on the right track — and stay on it throughout the process.
Speaking as a former penetration tester, these are good tips 👍
They Translated ‘Hamilton’ Into German. Was It Easy? Nein.
Eee!! 🙌😍 H/T r2c’s Emily Fortuna.
How we built Pingora, the proxy that connects Cloudflare to the Internet
Cloudflare discusses Pingora, a new HTTP proxy they’ve built in-house using Rust that serves over 1 trillion requests a day, boosts performance, and enables many new features for Cloudflare customers, all while requiring only a third of the CPU and memory resources of their previous proxy infrastructure (NGINX). They plan to open source Pingora in the future.
Google cancels half the projects at its internal R&D group Area 120
From 14 projects -> 7. The division is now focusing its efforts only on AI-first projects.
Tech Workers Are Paying $75K for Leg-Lengthening Surgery
Ow. How it works: the doctor breaks the patients’ femurs, or thigh bones, and inserts metal nails into them that can be adjusted. The nails are extended a tiny bit every day for three months with a magnetic remote control. Growing 3-6 inches costs $70 - $150K.
While technology has advanced, security is still dealing with the same problems of the past. Datadog CISO Emilio Escobar weighs in on why security products can fail:
They introduce toil
Lack of attention to user experience
They’re built for security, by security
Lack of measurable effectiveness
Principles every security product should consider:
Time to decision
Think of all the customer personas
Use what’s already there
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!