• tl;dr sec
  • Posts
  • [tl;dr sec] #154 - The State of AWS Security, Career Resources, Authorization

[tl;dr sec] #154 - The State of AWS Security, Career Resources, Authorization

Insights from the security posture of 600+ orgs, security career pathways mindmap and security communities overview, a number of resources about authorization.

Author

Clint Gibler
October 12, 2022

Hey there,

I hope you’ve been doing well!

Complexion: Alabaster

My parents both have fairly pale skin.

In some cultures, this is a highly desirable trait, indicating high status (you weren’t working long hours outside).

In my experience, it can lead to blinding nearby people from the reflection of your skin, like a time I’ll always treasure when my family was on a black sand beach in Hawaii.

But it’s getting colder in the Bay Area, so I no longer have to do this as much:

Sponsor

📢 How Booz Allen Hamilton uses Detection-as-Code to Transform Security in the Federal Government

In Booz Allen Hamilton’s support of the Federal government at the multi-million endpoint scale, they had to rethink the process for delivering detection at scale efficiently and effectively to meet the needs of their teams deployed at dozens of locations. Detection-as-Code enabled them to rapidly build, test, share, and deploy detections across some of the US’ most critical governmental organizations.

📜 In this newsletter...

  • Career: Cyber security career pathways mindmap, guide to the various communities of security

  • AppSec: How Wise orchestrates container scanning and rolled it out successfully

  • Authorization: Evolution of access control explained, what authz can learn from Rails, visualize your authz logic in your browser, finding authz bugs at scale using Semgrep

  • Web Security: Fast CLI tool to find SSRF or out-of-band resource loading, top 25 SSRF bug bounty reports, SSRF vulnerabilities and where to find them, the great SameSite confusion, how to turn security research into profit

  • Cloud Security: AWSome pentesting, the state of AWS security, set up cron-style stop/start schedules to cut AWS costs, confidential computing is for the tinfoil hat brigade, Cloudflare open sources Workers runtime

  • Blue Team: Cross platform forensics tool, announcing MITRE ATT&CK Campaigns, how Panther deployed WebAuthN

  • Misc: Day old sea otter floating with mom, DodgeBow, Blockbuster by Netflix, PDF processing and analysis tools

Career

Cyber Security Career Pathways
Marco Lancini shares a mindmap of grouping security roles into macro-functions commonly found in tech companies.

Field Guide to the Various Communities of Security
Google Cloud CISO Phil Venables outlines 14 different security communities and a bit about how they differ. I liked this, as (cyber)security is often thought about as a monolith.

AppSec

Our Application Security Journey (Part 1)
Wise’s Cristiano Corrado describes how Wise orchestrates scanning with Trivy, handles assigning ownership of services and vulnerabilities to the right teams, manages vulnerabilities with DefectDojo, stores data in Snowflake and visualizes it with Looker.

Our Application Security Journey (Part 2)
Wise’s Lisa Fiander describes their process rolling out the SCA dashboards described above and how they collaborated with the broader engineering teams. They worked with the SRE team to mitigate as many vulnerabilities as possible within base images (reducing duplicate work), improved documentation, set an SLA process around vulnerabilities and made that easily visible in dashboards, and had a company-wide “swarm” week in which engineers across the company collectively worked on buying down container vulnerability debt.

Authorization

Evolution of Access Control Explained Using Python
Sym’s Adam Buggia presents three access control methods beginning with Access Control List (ACL) - the mechanism implemented by Multics - then explores Role Based Access (RBAC) followed by Attribute Based Access (ABAC).

What can authorization learn from Rails?
Oso’s Sam Scott argues that like Rails, an authorization system needs to be opinionated but flexible – opinionated to get you from zero to best practices quickly, but flexible to support all the things your app needs. Also, congrats to the Oso team on the recent general availability of Oso Cloud.

Most engineers don’t come to the table with strong opinions on how to model their domain’s authorization. The value of picking up a system off the shelf that tells you how to do it is you save yourself the time of making decisions, and hopefully the pain of making bad ones.

Permify Playground
Permify has launched a web UI that enables you to test, model, and visualize your authorization logic in your browser.

A Guide To Identify Authorization Vulnerabilities At Scale Using Semgrep
Thirty Madison’s Anshuman Bhartiya walks through a solid variety of examples of using Semgrep to find authorization vulnerabilities in a hypothetical NextJS web app, which uses Guard annotations to denote a request’s user persona. He shares concrete Semgrep rules that find:

  • Endpoints with no guards

  • Usages of bespoke (non security-approved) guards

  • Instances where guards are not used properly

  • Instances when guard strategies are not implemented correctly

  • Instances when incorrect guards are imported

  • IDOR vulnerabilities where additional checks need to be performed apart from using the standard guards

The inability to find AuthZ issues at scale appears to plague almost every organization I’ve worked at so far. And, understandably so, because it is not a straightforward / trivial vulnerability class that could be easily found by scanners as scanners seem to lack the application context and the overall business logic usecase.

Sponsor

📢 Scale Your Security Questionnaire Response and Audit Preparedness Processes

What do answering security questionnaires and preparing for IT compliance assessments (i.e. SOC 2 Type 2) have in common? It turns out, a whole lot. Both processes are data intensive, repetitive, and require getting accurate answers from subject experts, while only getting more painful as your company expands. But what if you could respond to those requests in minutes instead of hours or days? On this webinar, join Loopio and Hyperproof to see how you can scale these processes without hiring more staff.

Web Security

knassar702/lorsrf
By Khaled Nassar: A fast CLI tool to find the parameters that can be used to find SSRF or out-of-band resource loading by adding an OAST host like Burp Collaborator to the parameter value.

Top 25 Server-Side Request Forgery (SSRF) Bug Bounty Reports
Lohitaksh Nandan shares a curated list of 25 SSRF bug bounty reports from HackerOne, selected according to their upvotes, bounty, severity level, complexity, and uniqueness.

SSRF vulnerabilities and where to find them
Hakluke outlines what SSRF is, the places that they are most commonly found, and how you can bypass SSRF protections.

The great SameSite confusion
Great post by @jub0bs teasing out the subtle but important differences between “site” and “origin,” and how that impacts web security.

Also, from Justin Gardner:

Interesting trick: if a website uses Same-Site=Strict for their cookies and has an unexploitable GET-based CSRF, it is possible to trigger the CSRF via a client-side open/closed redirect since the request will be coming from the “Same-Site.” Always keep note of those endpoints.

If research is poorly explained or under-hyped, you can sometimes have major success simply by applying it.

Immediately after a presentation is published there’s likely to be many vulnerable systems, and you can beat other hackers to reporting them simply by being faster, understanding the technique better, doing more recon, or being more persistent. Over a few weeks and months, this will become tougher and less effective. At this point, you’ll need to innovate.

Identifying opportunities to build on someone else’s research is a bit of an art form. Start by getting really familiar with the research, and then ask yourself some questions:

• Did the researcher miss anything?

• Did they release a scanning tool? If not, can I make one?

• If they did release a scanner, does it detect every vulnerability mentioned in the paper?

• Can I see any blind spots in their scanner’s design or code?

Cloud Security

pop3ret/AWSome-Pentesting
A guide to help pentesters learning more about AWS misconfigurations and ways to abuse them. Cheatsheet of useful commands for a variety of AWS services, covering enumeration, data exfiltration, privilege escalation, and more.

The State of AWS Security
Datadog’s Christophe Tafani-Dereeper presents insights from the security posture of 600+ orgs and thousands of AWS accounts. He examines some of the main challenges of managing static, long-lived credentials; the importance of identifying and fixing insecure defaults early; and how the complexity of IAM may lead organizations to unintentionally expose sensitive resources publicly.

sqlxpert/lights-off-aws
Tag instances & databases with cron-style stop/start schedules to cut AWS costs. Also schedule EBS, EC2 & RDS backups, plus CloudFormation stack updates.

Confidential Computing Is for the Tinfoil Hat Brigade
Last Week in AWS’s Corey Quinn argues that the threat model for confidential computing (e.g. preventing data access from cloud operators, malicious admins, and privileged software such as the hypervisor) doesn’t really make sense.

Introducing workerd: the Open Source Workers runtime
Cloudflare’s Kenton Varda announces the first beta release of workerd, the JavaScript/Wasm runtime based on the same code that powers Cloudflare Workers. The post walks through some really interesting design choices, including “nanoservices” (every Cloudflare edge server runs their entire stack, makes scaling/load balancing easier), eliminating SSRF by default, and more.

Nanoservices are a new model that achieve the benefits of independent deployment with overhead closer to that of library calls. With workerd, many Workers can be configured to run in the same process. Each Worker runs in a separate “isolate”, which gives the appearance of running independently of the others: each isolate loads separate code and has its own global scope. However, when one Worker explicitly sends a request to another Worker, the destination Worker actually runs in the same thread with zero latency. So, it performs more like a function call.

In workerd, we do things differently. An application starts out with no ability to talk to the rest of the world, and must be configured with specific capability bindings that provide it access to specific external resources.

…we can now restrict the global fetch() function to accept only publicly-routable URLs. This makes applications totally immune to SSRF attacks!

 

Blue Team

fox-it/dissect
An incident response framework built from various parsers and implementations of file formats, developed by Fox-IT. Dissect allows you to quickly gain access to forensic artefacts, such as Runkeys, Prefetch files, and Windows Event Logs. Works in the same way regardless of the underlying container, filesystem, or OS.

Introducing Campaigns to MITRE ATT&CK
MITRE will soon release ATT&CK Campaigns, which “describe a grouping of intrusion activity conducted over a specific period of time with common targets and objectives. A key aspect of Campaigns is that the activity may or may not be linked to a specific threat actor.”

As adversaries evolve, their TTPs often change, and by introducing some structure with Campaigns, we hope to allow you to glean more actionable intelligence and context to inform your defense prioritization. Campaigns will enable you to identify trends, track significant changes in techniques used by various actors, and monitor the introduction of new capabilities (or exploited vulnerabilities). You’ll also be able to identify continued threat actor reliance on certain techniques regardless of the campaign objective and/or targets.

See also this ATT&CKcon talk on Campaigns.

Going Phishless: How Panther Deployed WebAuthN with Okta & YubiKeys
Francis Geronimo and Zeeshan Khadim describe how Panther deployed phishless FIDO2 (WebAuthn) security keys. Each employee receives two security keys, a Yubikey 5ci (for mobile) and a Yubikey 5c Nano (for laptops), and registers a biometric factor (TouchID/FaceID for macOS and iOS, Fingerprint Auth for Android).

They also describe Panther’s migration strategy from a mix of TOTP and push-based MFA, constraints and challenges, and share detection rules to validate that things are working as expected.

Misc

Day old sea otter floating with mom
My heart is melting with joy.

DodgeBow
Dodge ball, but with bows and arrows. Looks awesome, but it seems to currently only be in Montreal.

Blockbuster | Official Trailer
Laughing over its slain rival An upcoming Netflix comedy about the last Blockbuster store.

PDF processing and analysis with open-source tools
Massive list of tools, commands, and descriptions for a variety of common PDF tasks, including:

  • Document information and metadata extraction

  • Text, link, and image extraction

  • Conversion to other (graphics) formats

  • Conversion of multiple images to PDF

  • Cross-comparison of two PDFs

  • and more

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint