[tl;dr sec] #152 - Infra as Code Security, Linux Distro for Supply Chain Security, CI/CD Security
Detailed IaC security guide with ~90 references, new Linux with default security measures for the software supply chain, securing and attacking SCM and CI systems.
I hope you’ve been doing well!
Code reviews are an important part of software development.
They’re a great way to learn, improve your code, and reduce single points of failure by spreading context across the team.
But sometimes they can be frustrating.
I hope you’ve been having a smooth and productive week, and that this bumper sticker doesn’t resonate with you.
📢 Forrester Total Economic Impact of JupiterOne - Report Now Available!
JupiterOne commissioned Forrester to assess the ROI customers can expect to see when using JupiterOne. Through customer interviews and financial modeling, Forrester was able to quantify the benefits, costs, and value of the JupiterOne platform. Forrester also highlights core challenges that can be addressed by implementing JupiterOne.
📜 In this newsletter...
Conferences: USENIX best papers, Hitcon 2022 videos
Web Security: Tool to look for common Nginx misconfigurations and vulnerabilities, secure your web app against info disclosure
YubiKey: Virtual USB device that implements FIDO, relaying YubiKeys
CI/CD: Static checker for GitHub Actions workflow files, many GitHub Actions on the marketplace include known vulnerable dependencies, abusing repo webhooks to access internal CI systems, the risks of using the workflow_run GitHub trigger in Actions
Supply Chain: There's no software supply chain, the first Linux (un)distro designed for supply chain security
Cloud Security: The many ways to manage access to an EC2 instance, toolkit to set up minimal alerting on suspicious AWS account activities, AWS services explained in Victorian English
Infrastructure as Code: How DoorDash ensure velocity and reliability through policy-based guardrails, a guide to improving security through infrastructure as code
Container Security: A Kubernetes engine focused on data security, what's inside a distroless container image, Scout Suite can now scan Kubernetes clusters
Politics / Privacy: Serverless ad blocking with Cloudflare Gateway
Misc: Tool to examine a PDF's inner file structure, Obsidian for the terminal, 10 lessons learned from 10 years at AWS, pick a seasonal obsession
USENIX Best Papers
List of USENIX best papers across security, SOUPS, OSDI, NSDI, and more.
Hitcon 2022 Videos
Taiwan’s leading cybersecurity conference. Some talks that sound interesting:
How to secure against Forced Browsing
Information disclosure via forced browsing is when you can find sensitive data (such as credentials or secret keys) in a file not referenced by the application. These are generally found using content discovery tools like fuzzers. rez0 describes a process of enumerating files and routes on the web server and then automatically, continuously testing if they’re externally visible.
A virtual USB device that implements the FIDO2/U2F protocol (like a YubiKey) to support 2FA and WebAuthN.
Analyzing the GitHub marketplace - Dependency security is a big issue
Rob Bos crawled ~10.5K GitHub Actions from the official marketplace, shares some overall composition stats, and as you’d expect, Dependabot reports a number of High and Critical issues from NPM packages alone in about 1/3 of the Actions. It’s unclear how much any of these are actually exploitable though.
How we Abused Repository Webhooks to Access Internal CI Systems at Scale
Some clever work by Cider Security’s Omer Gil and Asi Greenholts. In short: organizations take multiple measures to protect and limit access to self-hosted CI systems (like Jenkins), including restricting inbound IPs to SaaS SCM vendors’ (e.g. GitHub, GitLab) webhook services. However, this is a false sense of security, as any attacker can leverage SCM webhook infrastructure to send traffic to internal CI systems and conduct malicious activities which range from obtaining valid CI credentials to running exploits (e.g. using known Jenkins CVEs).
Vulnerable GitHub Actions Workflows Part 1: Privilege Escalation Inside Your CI/CD Pipeline
Legit Security’s (epic name) Noam Dotan walks through the risks of using the workflow_run GitHub trigger with concrete examples, and in part 2 Noam demonstrates how a minor bug in a custom popular GitHub action could potentially lead to privilege escalation inside your CI/CD pipeline.
Introducing Wolfi – the first Linux (Un)distro designed for securing the software supply chain
Chainguard’s Dan Lorenc describes Wolfi, the first community Linux (un)distribution built with default security measures for the software supply chain. Key features: a high-quality, build-time SBOM for all packages, packages are designed to be granular and independent to support minimal images, uses apk, fully declarative and reproducible build system, designed to support glibc and musl.
Also, Chainguard Images, now powered by Wolfi, are a suite of distroless images that provide support for both musl and glibc. By distroless, they mean they are minimal to the point of not even having a package manager (such as apt or apk)– simplifies auditing and updating images, and reduces attack surface.
The Many Ways to Manage Access to an EC2 Instance
By Sym’s Mathew Pregasen. Options: EC2 key pairs, SSH access via 3rd-party tools, SSH access via IAM policies, eliminate direct access via GitOps (SSM’s Run Command), and temporary or JIT access.
Victor Grenu helps you set up minimal alerting on typical suspicious activities on your AWS Account. Using this kit, you will deploy CloudWatch EventRules and CW alarms on:
Root User activities
AWS Personal Health Events
IAM Users changes
Failed AWS Console login authentication
📢 FREE training on Threat Modeling Soft Skills
As a regular tl;dr sec reader I am excited to invite you to a FREE training on Soft Skills for a Threat Modeler.
Everybody knows how to do some basic threat modeling. But we often overlook the crucial soft skills necessary to turn an average meeting into an exciting workshop.
In a 1-hour training on October 10th, you will:
Learn the necessary soft skills to become a threat modeling master
Discover Maslow’s hierarchy of threat modeling
Sharpen your existing threat modeling skills
— Seba Deleersnyder, CTO Toreon, threat modeling trainer at Black Hat USA (last 6 years)
Six years of giving Black Hat trainings?! Nice. #goalz
Infrastructure as Code
How DoorDash Ensures Velocity and Reliability through Policy Automation
How DoorDash leverages OPA to build policy-based guardrails with codified rules that ensure velocity and reliability for cloud infrastructure automated deployments.
When a GitHub pull request is created, Atlantis runs a Terraform plan and passes the plan file to Conftest, which then pulls custom policies written in Rego from an AWS S3 bucket, evaluates the OPA policy based on the Terraform plan, then comments the output to the PR — all in a single action.
A Guide to Improving Security Through Infrastructure-as-Code
Epic post by NCC Group’s Viktor Gazdag with almost 90 references. Viktor shares a guide on how to integrate security into infrastructure as a code and shows how these security checks and gates, tools and procedures secure the infrastructure by mentioning free and/or open-source tools.
By Edgeless Systems: A Kubernetes engine that aims to provide the best possible data security by wrapping your K8s cluster into a single confidential context that is shielded from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory.
What’s Inside Of a Distroless Container Image: Taking a Deeper Look
Ivan Velichko walks through the challenges in building a minimal container image from scratch, the difference between a container built from a distroless base and a container built from scratch, and more.
Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite
By NCC Group’s Liyun Li: Scout Suite can now scan Kubernetes clusters in addition to cloud environments. It currently has a base subset of rules, including CIS Benchmarks rules, and core integrations for building out futher Kubernetes security analyses.
Politics / Privacy
Serverless Ad Blocking with Cloudflare Gateway
Super cool 👍 Marco Lancini describes a serverless approach to Pi-hole like ad blocking using Cloudflare’s Gateway and WARP. Benefits: no server to maintain, no performance impact, and ad blocking is not tied to a single network: he can switch to a mobile network on his phone and still maintain the protection of the filters enforced by Cloudflare Gateway.
Provides an overview of the inner file structure of a PDF and extracts /URI and /JS data.
A feature-stripped version of Obsidian focused on rapid note management through the terminal. It uses the same format of storage as Obsidian, i.e. markdown files for notes, and local folders for vaults (and sub-folders).
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!