[tl;dr sec] #154 - The State of AWS Security, Career Resources, Authorization
Insights from the security posture of 600+ orgs, security career pathways mindmap and security communities overview, a number of resources about authorization.
I hope you’ve been doing well!
My parents both have fairly pale skin.
In some cultures, this is a highly desirable trait, indicating high status (you weren’t working long hours outside).
In my experience, it can lead to blinding nearby people from the reflection of your skin, like a time I’ll always treasure when my family was on a black sand beach in Hawaii.
But it’s getting colder in the Bay Area, so I no longer have to do this as much:
📢 How Booz Allen Hamilton uses Detection-as-Code to Transform Security in the Federal Government
In Booz Allen Hamilton’s support of the Federal government at the multi-million endpoint scale, they had to rethink the process for delivering detection at scale efficiently and effectively to meet the needs of their teams deployed at dozens of locations. Detection-as-Code enabled them to rapidly build, test, share, and deploy detections across some of the US’ most critical governmental organizations.
📜 In this newsletter...
Career: Cyber security career pathways mindmap, guide to the various communities of security
AppSec: How Wise orchestrates container scanning and rolled it out successfully
Authorization: Evolution of access control explained, what authz can learn from Rails, visualize your authz logic in your browser, finding authz bugs at scale using Semgrep
Web Security: Fast CLI tool to find SSRF or out-of-band resource loading, top 25 SSRF bug bounty reports, SSRF vulnerabilities and where to find them, the great SameSite confusion, how to turn security research into profit
Cloud Security: AWSome pentesting, the state of AWS security, set up cron-style stop/start schedules to cut AWS costs, confidential computing is for the tinfoil hat brigade, Cloudflare open sources Workers runtime
Blue Team: Cross platform forensics tool, announcing MITRE ATT&CK Campaigns, how Panther deployed WebAuthN
Misc: Day old sea otter floating with mom, DodgeBow, Blockbuster by Netflix, PDF processing and analysis tools
Field Guide to the Various Communities of Security
Google Cloud CISO Phil Venables outlines 14 different security communities and a bit about how they differ. I liked this, as (cyber)security is often thought about as a monolith.
Our Application Security Journey (Part 1)
Wise’s Cristiano Corrado describes how Wise orchestrates scanning with Trivy, handles assigning ownership of services and vulnerabilities to the right teams, manages vulnerabilities with DefectDojo, stores data in Snowflake and visualizes it with Looker.
Our Application Security Journey (Part 2)
Wise’s Lisa Fiander describes their process rolling out the SCA dashboards described above and how they collaborated with the broader engineering teams. They worked with the SRE team to mitigate as many vulnerabilities as possible within base images (reducing duplicate work), improved documentation, set an SLA process around vulnerabilities and made that easily visible in dashboards, and had a company-wide “swarm” week in which engineers across the company collectively worked on buying down container vulnerability debt.
Evolution of Access Control Explained Using Python
Sym’s Adam Buggia presents three access control methods, beginning with the Access Control List (ACL), the mechanism implemented by Multics, then Role-Based Access Control (RBAC), followed by Attribute-Based Access Control (ABAC).
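To make the progression concrete, here is an added example (mine, not code from Adam Buggia’s article) that answers the same question, "may this user perform this action on this document?", under each of the three models; all users, documents and attribute values are constructed for illustration.

```python
# Constructed sample data: two users, two documents.
USERS = {"alice": {"dept": "finance", "clearance": 3},
         "bob":   {"dept": "eng",     "clearance": 1}}
DOCS  = {"doc1": {"dept": "finance", "classification": 2, "owner": "alice"},
         "doc2": {"dept": "eng",     "classification": 1, "owner": "bob"}}

# --- ACL: permissions are attached directly to each object (Multics style).
ACL = {"doc1": {"alice": {"read", "write"}, "bob": {"read"}},
       "doc2": {"bob": {"read", "write"}}}

def acl_allowed(user, action, obj):
    # Fail closed: unknown object or user means no entry, so no access.
    return action in ACL.get(obj, {}).get(user, set())

# --- RBAC: permissions are attached to roles; users are assigned roles.
# The object no longer matters, which is exactly RBAC's strength (fewer
# entries to maintain) and its weakness (coarse grain) compared to ACLs.
ROLE_PERMS = {"viewer": {"read"}, "editor": {"read", "write"}}
USER_ROLES = {"alice": {"editor"}, "bob": {"viewer"}}

def rbac_allowed(user, action, obj):
    return any(action in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))

# --- ABAC: a policy is evaluated over attributes of subject, object and
# environment, so the decision can depend on facts neither ACL nor RBAC encode.
def abac_allowed(user, action, obj, env=None):
    env = env or {}
    u, d = USERS.get(user), DOCS.get(obj)
    if u is None or d is None:          # fail closed on unknown principals/objects
        return False
    if d["owner"] == user:              # rule 1: owners may do anything to their doc
        return True
    if action == "read":                # rule 2: same department, sufficient clearance,
        return (u["dept"] == d["dept"]  #         and only during business hours
                and u["clearance"] >= d["classification"]
                and 9 <= env.get("hour", 12) < 18)
    return False                        # everything else is denied

if __name__ == "__main__":
    for fn in (acl_allowed, rbac_allowed, abac_allowed):
        print(fn.__name__, fn("bob", "read", "doc1"), fn("bob", "write", "doc1"))
```

Note that bob can read doc1 under the ACL (an explicit entry) and under RBAC (any viewer reads anything), but not under ABAC, because his department and clearance do not satisfy the policy.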
What can authorization learn from Rails?
Oso’s Sam Scott argues that like Rails, an authorization system needs to be opinionated but flexible – opinionated to get you from zero to best practices quickly, but flexible to support all the things your app needs. Also, congrats to the Oso team on the recent general availability of Oso Cloud.
A Guide To Identify Authorization Vulnerabilities At Scale Using Semgrep
Thirty Madison’s Anshuman Bhartiya walks through a solid variety of examples of using Semgrep to find authorization vulnerabilities in a hypothetical Next.js web app, which uses Guard annotations to denote a request’s user persona. He shares concrete Semgrep rules that find:
Endpoints with no guards
Usages of bespoke (non security-approved) guards
Instances where guards are not used properly
Instances when guard strategies are not implemented correctly
Instances when incorrect guards are imported
IDOR vulnerabilities where additional checks need to be performed apart from using the standard guards
📢 Scale Your Security Questionnaire Response and Audit Preparedness Processes
What do answering security questionnaires and preparing for IT compliance assessments (i.e. SOC 2 Type 2) have in common? It turns out, a whole lot. Both processes are data intensive, repetitive, and require getting accurate answers from subject experts, while only getting more painful as your company expands. But what if you could respond to those requests in minutes instead of hours or days? On this webinar, join Loopio and Hyperproof to see how you can scale these processes without hiring more staff.
By Khaled Nassar: a fast CLI tool that finds parameters susceptible to SSRF or out-of-band resource loading by injecting an OAST host, such as Burp Collaborator, into each parameter value and watching for callbacks.
Top 25 Server-Side Request Forgery (SSRF) Bug Bounty Reports
Lohitaksh Nandan shares a curated list of 25 SSRF bug bounty reports from HackerOne, selected according to their upvotes, bounty, severity level, complexity, and uniqueness.
Also, from Justin Gardner:
How to turn security research into profit: a CL.0 case study
By Portswigger’s James Kettle.
A guide to help pentesters learn more about AWS misconfigurations and the ways they are abused. It includes a cheat sheet of useful commands for a variety of AWS services, covering enumeration, data exfiltration, privilege escalation, and more.
The State of AWS Security
Datadog’s Christophe Tafani-Dereeper presents insights from the security posture of 600+ orgs and thousands of AWS accounts. He examines some of the main challenges of managing static, long-lived credentials; the importance of identifying and fixing insecure defaults early; and how the complexity of IAM may lead organizations to unintentionally expose sensitive resources publicly.
Tag instances & databases with cron-style stop/start schedules to cut AWS costs. Also schedule EBS, EC2 & RDS backups, plus CloudFormation stack updates.
Confidential Computing Is for the Tinfoil Hat Brigade
Last Week in AWS’s Corey Quinn argues that the threat model for confidential computing (e.g. preventing data access from cloud operators, malicious admins, and privileged software such as the hypervisor) doesn’t really make sense.
Introducing workerd: the Open Source Workers runtime
An incident response framework built from various parsers and implementations of file formats, developed by Fox-IT. Dissect allows you to quickly gain access to forensic artefacts, such as Runkeys, Prefetch files, and Windows Event Logs. Works in the same way regardless of the underlying container, filesystem, or OS.
Introducing Campaigns to MITRE ATT&CK
MITRE will soon release ATT&CK Campaigns, which “describe a grouping of intrusion activity conducted over a specific period of time with common targets and objectives. A key aspect of Campaigns is that the activity may or may not be linked to a specific threat actor.”
See also this ATT&CKcon talk on Campaigns.
Going Phishless: How Panther Deployed WebAuthN with Okta & YubiKeys
Francis Geronimo and Zeeshan Khadim describe how Panther deployed phishing-resistant FIDO2 (WebAuthn) security keys. Each employee receives two security keys, a YubiKey 5Ci (for mobile) and a YubiKey 5C Nano (for laptops), and registers a biometric factor (Touch ID/Face ID for macOS and iOS, fingerprint auth for Android).
They also describe Panther’s migration strategy from a mix of TOTP and push-based MFA, constraints and challenges, and share detection rules to validate that things are working as expected.
Day old sea otter floating with mom
My heart is melting with joy.
Dodgeball, but with bows and arrows. Looks awesome, but it seems to currently only be available in Montreal.
Blockbuster | Official Trailer
Laughing over its slain rival.
An upcoming Netflix comedy about the last Blockbuster store.
PDF processing and analysis with open-source tools
Massive list of tools, commands, and descriptions for a variety of common PDF tasks, including:
Document information and metadata extraction
Text, link, and image extraction
Conversion to other (graphics) formats
Conversion of multiple images to PDF
Cross-comparison of two PDFs
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!