• tl;dr sec
  • Posts
  • [tl;dr sec] #152 - Infra as Code Security, Linux Distro for Supply Chain Security, CI/CD Security

[tl;dr sec] #152 - Infra as Code Security, Linux Distro for Supply Chain Security, CI/CD Security

Detailed IaC security guide with ~90 references, new Linux with default security measures for the software supply chain, securing and attacking SCM and CI systems.

Hey there,

I hope you’ve been doing well!

Peer Review

Code reviews are an important part of software development.

They’re a great way to learn, improve your code, and reduce single points of failure by spreading context across the team.

But sometimes they can be frustrating.

I hope you’ve been having a smooth and productive week, and that this bumper sticker doesn’t resonate with you.

Sponsor

📢 Forrester Total Economic Impact of JupiterOne - Report Now Available!

JupiterOne commissioned Forrester to assess the ROI customers can expect to see when using JupiterOne. Through customer interviews and financial modeling, Forrester was able to quantify the benefits, costs, and value of the JupiterOne platform. Forrester also highlights core challenges that can be addressed by implementing JupiterOne.

📜 In this newsletter...

  • Conferences: USENIX best papers, Hitcon 2022 videos

  • Web Security: Tool to look for common Nginx misconfigurations and vulnerabilities, secure your web app against info disclosure

  • YubiKey: Virtual USB device that implements FIDO, relaying YubiKeys

  • CI/CD: Static checker for GitHub Actions workflow files, many GitHub Actions on the marketplace include known vulnerable dependencies, abusing repo webhooks to access internal CI systems, the risks of using the workflow_run GitHub trigger in Actions

  • Supply Chain: There's no software supply chain, the first Linux (un)distro designed for supply chain security

  • Cloud Security: The many ways to manage access to an EC2 instance, toolkit to set up minimal alerting on suspicious AWS account activities, AWS services explained in Victorian English

  • Infrastructure as Code: How DoorDash ensure velocity and reliability through policy-based guardrails, a guide to improving security through infrastructure as code

  • Container Security: A Kubernetes engine focused on data security, what's inside a distroless container image, Scout Suite can now scan Kubernetes clusters

  • Politics / Privacy: Serverless ad blocking with Cloudflare Gateway

  • Misc: Tool to examine a PDF's inner file structure, Obsidian for the terminal, 10 lessons learned from 10 years at AWS, pick a seasonal obsession

Conferences

USENIX Best Papers
List of USENIX best papers across security, SOUPS, OSDI, NSDI, and more.

Hitcon 2022 Videos
Taiwan’s leading cybersecurity conference. Some talks that sound interesting:

Web Security

stark0de/nginxpwner
Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities, by Daniel Peso.

How to secure against Forced Browsing
Information disclosure via forced browsing is when you can find sensitive data (such as credentials or secret keys) in a file not referenced by the application. These are generally found using content discovery tools like fuzzers. rez0 describes a process of enumerating files and routes on the web server and then automatically, continuously testing if they’re externally visible.

YubiKey

bulwarkid/virtual-fido
A virtual USB device that implements the FIDO2/U2F protocol (like a YubiKey) to support 2FA and WebAuthN.

We are not relaying actual physical YubiKeys, we are relaying the APDU packets that the server application wants to get signed by a private key to verify the identity of the authentication so this attack works on all PIV Smart Cards but a YubiKey was used during the testing so therefore the title.

CI/CD

rhysd/actionlint
Static checker for GitHub Actions workflow files, by @Linda_pp.

Analyzing the GitHub marketplace - Dependency security is a big issue
Rob Bos crawled ~10.5K GitHub Actions from the official marketplace, shares some overall composition stats, and as you’d expect, Dependabot reports a number of High and Critical issues from NPM packages alone in about 1/3 of the Actions. It’s unclear how much any of these are actually exploitable though.

How we Abused Repository Webhooks to Access Internal CI Systems at Scale
Some clever work by Cider Security’s Omer Gil and Asi Greenholts. In short: organizations take multiple measures to protect and limit access to self-hosted CI systems (like Jenkins), including restricting inbound IPs to SaaS SCM vendors’ (e.g. GitHub, GitLab) webhook services. However, this is a false sense of security, as any attacker can leverage SCM webhook infrastructure to send traffic to internal CI systems and conduct malicious activities which range from obtaining valid CI credentials to running exploits (e.g. using known Jenkins CVEs).

Vulnerable GitHub Actions Workflows Part 1: Privilege Escalation Inside Your CI/CD Pipeline
Legit Security’s (epic name) Noam Dotan walks through the risks of using the workflow_run GitHub trigger with concrete examples, and in part 2 Noam demonstrates how a minor bug in a custom popular GitHub action could potentially lead to privilege escalation inside your CI/CD pipeline.

Supply Chain

There is no “software supply chain”
iliana etaoin argues that third party dependencies are not in fact a “software supply chain,” because no money is exchanging hands.

If an open source maintainer leaves a project unmaintained for whatever reason, that’s not the maintainer’s fault, and the companies that relied on their work are the ones who get to solve their problems in the future.

I just want to publish software that I think is neat so that other hobbyists can use and learn from it, and I otherwise want to be left the hell alone.

The focus on securing the “software supply chain” has made it even more likely that releasing software for others to use will just mean more work for me that I don’t benefit from.

Introducing Wolfi – the first Linux (Un)distro designed for securing the software supply chain
Chainguard’s Dan Lorenc describes Wolfi, the first community Linux (un)distribution built with default security measures for the software supply chain. Key features: a high-quality, build-time SBOM for all packages, packages are designed to be granular and independent to support minimal images, uses apk, fully declarative and reproducible build system, designed to support glibc and musl.

Also, Chainguard Images, now powered by Wolfi, are a suite of distroless images that provide support for both musl and glibc. By distroless, they mean they are minimal to the point of not even having a package manager (such as apt or apk)– simplifies auditing and updating images, and reduces attack surface.

Cloud Security

The Many Ways to Manage Access to an EC2 Instance
By Sym’s Mathew Pregasen. Options: EC2 key pairs, SSH access via 3rd-party tools, SSH access via IAM policies, eliminate direct access via GitOps (SSM’s Run Command), and temporary or JIT access.

zoph-io/aws-security-survival-kit
Victor Grenu helps you set up minimal alerting on typical suspicious activities on your AWS Account. Using this kit, you will deploy CloudWatch EventRules and CW alarms on:

  1. Root User activities

  2. CloudTrail changes

  3. AWS Personal Health Events

  4. IAM Users changes

  5. MFA updates

  6. Unauthorized Operations

  7. Failed AWS Console login authentication

AWS services, explained in Victorian English
By GPT-3 and @thesephist. How all companies should describe their products 🤣

S3 is a glorious bastion of uptime in the otherwise storm-tossed sea of the World Wide Web, a shining beacon of safety to which one may entrust one’s most valuable data, whether files, or precious objects, or even blobs of the most unique and ephemeral content.

Route 53, the fleet-footed messenger of the gods, delivers your DNS traffic across the Internet with the speed of a Thracian chariot, and at a fraction of the cost.

Sponsor

📢 FREE training on Threat Modeling Soft Skills

As a regular tl;dr sec reader I am excited to invite you to a FREE training on Soft Skills for a Threat Modeler.

Everybody knows how to do some basic threat modeling. But we often overlook the crucial soft skills necessary to turn an average meeting into an exciting workshop.

In a 1-hour training on October 10th, you will:

  • Learn the necessary soft skills to become a threat modeling master

  • Discover Maslow’s hierarchy of threat modeling

  • Sharpen your existing threat modeling skills

— Seba Deleersnyder, CTO Toreon, threat modeling trainer at Black Hat USA (last 6 years)

Six years of giving Black Hat trainings?! Nice. #goalz

Infrastructure as Code

How DoorDash Ensures Velocity and Reliability through Policy Automation
How DoorDash leverages OPA to build policy-based guardrails with codified rules that ensure velocity and reliability for cloud infrastructure automated deployments.

When a GitHub pull request is created, Atlantis runs a Terraform plan and passes the plan file to Conftest, which then pulls custom policies written in Rego from an AWS S3 bucket, evaluates the OPA policy based on the Terraform plan, then comments the output to the PR — all in a single action.

A Guide to Improving Security Through Infrastructure-as-Code
Epic post by NCC Group’s Viktor Gazdag with almost 90 references. Viktor shares a guide on how to integrate security into infrastructure as a code and shows how these security checks and gates, tools and procedures secure the infrastructure by mentioning free and/or open-source tools.

Container Security

edgelesssys/constellation
By Edgeless Systems: A Kubernetes engine that aims to provide the best possible data security by wrapping your K8s cluster into a single confidential context that is shielded from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory.

What’s Inside Of a Distroless Container Image: Taking a Deeper Look
Ivan Velichko walks through the challenges in building a minimal container image from scratch, the difference between a container built from a distroless base and a container built from scratch, and more.

Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite
By NCC Group’s Liyun Li: Scout Suite can now scan Kubernetes clusters in addition to cloud environments. It currently has a base subset of rules, including CIS Benchmarks rules, and core integrations for building out futher Kubernetes security analyses.

Politics / Privacy

Serverless Ad Blocking with Cloudflare Gateway
Super cool 👍 Marco Lancini describes a serverless approach to Pi-hole like ad blocking using Cloudflare’s Gateway and WARP. Benefits: no server to maintain, no performance impact, and ad blocking is not tied to a single network: he can switch to a mobile network on his phone and still maintain the protection of the filters enforced by Cloudflare Gateway.

Misc

5f0ne/pdf-examiner
Provides an overview of the inner file structure of a PDF and extracts /URI and /JS data.

araekiel/jot
A feature-stripped version of Obsidian focused on rapid note management through the terminal. It uses the same format of storage as Obsidian, i.e. markdown files for notes, and local folders for vaults (and sub-folders).

5) Be visible. To disrupt, you need to be heard. People do this in different ways: code, write narratives, design novel architectures, speak. Find your superpowers, learn how you best communicate your ideas, and be relentless about giving them the attention they deserve.

8) Make time. Focusing on the right things means making time to get them done. Free time is made, not found. Have fun and don’t burn out. Write that doc, learn a new programming language, file a patent, take a vacation. I block big chunks in my calendar for focus time.. and fun!

Something a mentor of mine once told me that I will pass along: a great way to stay curious/stretch yourself into something new is to pick a new-to-you obsession every season – can be a word, a genre, an actor, a color, a place – and curate your own little festival around it

and suddenly you start to refract the world around that thing – so if you pick, say, opera, or F1 racing, or emily dickinson, or diana ross, or ANYTHING + start reading books about it + listening to podcasts/albums + doing double-feature movie nites new patterns will emerge

and suddenly the world is bigger and more open to you than you imagined, because things you didn’t even expect have resonance just because you are trying to shove them into your seasonal obsession; you start to see connections that weren’t there before.

this is how i discovered most if not all of my favorite things…just trawling for material to fit into my little seasonal projects.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint