• tl;dr sec
  • Posts
  • [tl;dr sec] #167 - SBOM, Scaling Security Alert Management, Mitigating RBAC-Based PrivEsc in Kubernetes

[tl;dr sec] #167 - SBOM, Scaling Security Alert Management, Mitigating RBAC-Based PrivEsc in Kubernetes

Generating SBOMs and evaluating their quality, how Brex manages and automates security alerts at scale, how popular k8s platforms hardened themselves.

Hey there,

I hope you’ve been doing well!

Come say “How ya?” at OWASP Dublin

If you’re going to be attending OWASP Global AppSec in Dublin, you can hang out with some of my cool colleagues!

Fall in love all over again with open source security tools at a Happy Hour Mixer, co-hosted with Jit, on Tuesday Feb 14 (Valentine’s Day).

You can also check out our Expert Panel with some awesome folks who will be discussing scaling security programs and running highly effective AppSec/ProdSec teams.

Hope to see you there!

Moar Staff Security Engineer Stories

I’m thrilled to announce that Rami McCarthy has rounded up two new stories you can read now:

  • Jonathan Fisher from Praetorian Labs on “Staff Level” work in a consulting team

  • Anthony Barbieri, Principal Security Architecter at Grainger, on his experience at the intersection of enterprise and solution architecture, and “innersourcing” as a lever for Staff+ Impact

If you’re Staff or Principal level and you’d like to share your story too, feel free to reach out to Rami!

Sponsor

 📢 Real-Time Defense For Mission-Critical Workloads 

⏱️Don’t blink!... SentinelOne delivers real-time cloud workload protection. It works alongside other cloud security controls to stop what they do not: runtime threats, like ransomware and zero-days. Hybrid or multi-cloud, in containers, VMs, or K8s, SentinelOne stops attacks in real-time, to help keep your workloads available, resilient, and secure.

  • Business continuity

  • High performance, scalable, efficient

  • Analytic visibility

  • AWS, Azure, Google Cloud, private cloud

  • Servers, VMs, containers, Kubernetes

📜 In this newsletter...

  • Software Bill of Materials (SBOM): Generate an SBOM for Java apps, SBOM scorecard, SBOM drift

  • AppSec: XXE in C# applications, tool that wraps many OSS security scanning tools, using Semgrep on Jupyter Notebook files

  • Web Security: Purposefully vulnerable app to practice OWASP API Top 10, ransacking your password reset tokens, Truffle Security is now hosting XSSHunter

  • Cloud Security: AWS could do more about SSO device auth phishing, tampering user attributes in AWS Cognito user pools, catch IaC issues before deploying, write-up of RCE in Azure services, solving for cloud security at scale with Chris Farris

  • Container Security: An instant Kubernetes service dependency map right to your Grafana, mitigating RBAC-Based privilege escalation in popular Kubernetes platforms

  • Blue Team: Trends and top cybersecurity takeaways from 2022, employee-facing mutual TLS, elevating security alert management using automation

  • Machine Learning: Use GPT-3 to write commit messages, the future of programming and AGI

  • Misc: Auto-accept cookies, protocol-agnostic interface definition language, MrBeast helps thousand people see again, Shakespeare in Fallout, students have turned my class into dating service, how to be 18 years old again for only $2 million a year

Software Bill of Materials (SBOM)

eclipse/jbom
Generates Runtime and Static SBOMs for local and remote Java apps.

eBay/sbom-scorecard
When generating first-party SBOMs, it’s hard to know if you’re generating something good (e.g. rich metadata that you can query later) or not. This tool hopes to quantify what a well-generated SBOM looks like.

Fast and Furious: Doubling Down on SBOM Drift
Anchore’s Josh Bressers describes how an application’s dependencies, as analyzed by Syft, change from your initial direct dependencies, to transitive dependencies after npm install, to adding a container image, etc.

Sponsor

 📢 5 Must Haves in an Automated Security Platform 

Researching and committing to an automated security platform can be a confusing process. You know you need to get compliant – quickly. And, you understand that an automated platform can help make that happen. The problem is, what exactly should you focus on when deciding which platform is right for you?

Vanta’s guide will answer this question and more. Download the guide to learn more about:

  • The five features to look for in an automated platform

  • How these features can accelerate your compliance process

  • Why investing in the right compliance platform now can enhance your security in the future

AppSec

Vulnerabilities due to XML files processing: XXE in C# applications in theory and in practice
PVS-Studio’s Sergey Vasiliev provides an overview of XXE, relevant C# components, an example vulnerability, and how to protect your code.

aws-samples/automated-security-helper
A tool that simply wraps a number of other open source tools, including git-secrets, bandit, Semgrep, Grype, Syft, nbconvert, npm-audit, checkov, cdk-nag and cfn-nag.

Using Semgrep with Jupyter Notebook files
NCC Group’s Jose Selvi describes using Semgrep’s “extract” mode to scan Python code in Jupyter Notebooks. Extract mode can be used to analyze specific parts of a file that may be in another language, like Bash in a Dockerfile or GitHub Action workflow, JavaScript in HTML, etc.

Semgrep initially wasn’t quite doing what Jose wanted for this use case, so he submitted a PR adding that functionality! Huzzah, the power of open source 🙌

Web Security

Checkmarx/capital
By Checkmarx: A built-to-be-vulnerable API application based on the OWASP top 10 API vulnerabilities. Use c{api}tal to learn, train and exploit API Security vulnerabilities within your own API Security CTF.

Ransacking your password reset tokens
Positive Security’s Lukas Euler describes how the popular Ruby library “Ransack” can be abused to exfiltrate sensitive data via character by character brute-force. They compromised multiple applications this way and found hundreds more via Common Crawl that could be vulnerable.

Truffle Security is proud to host a new XSSHunter
Truffle Security has partnered with the creator of XSSHunter, Mandatory, to stand up a new version of the popular open-source blind cross-site scripting detection platform that comes with a number of privacy and feature enhancements. Enhancements include:

  • CORS analysis

  • Detection of secrets on the page the payload fires

  • Detection of exposed .git directory

  • Privacy features that reduce the risk of accidental data breach

  • Google SSO login to prevent the use of passwords

Cloud Security

AWS Could Do More About SSO Device Auth Phishing
Great overview by Rami McCarthy about SSO device auth phishing, what AWS should and could do, and what you can do to protect your org.

Tampering User Attributes In AWS Cognito User Pools
Doyensec’s Francesco Lacerenza and Mohamed Ouad share another CloudSec tidbit: In AWS Cognito, App Integrations (Clients) have default read/write permissions on User Attributes. Consequently, authenticated users are able to edit their own attributes by using the access token (JWT) and AWS CLI, which could let a user escalate their privileges or access another user’s data.

tinystacks/precloud
An open source CLI that runs checks on infrastructure as code to catch potential deployment issues before deploying. It contains rules that check for names, quotas, and resource-specific constraints and it works by comparing resources in CDK diffs and Terraform Plans against the state of your cloud account.

EmojiDeploy: Smile! Your Azure web service just got RCE’d ._.
Ermetic’s Liv Matan describes the process of finding an RCE affecting services such as Function Apps, App Service and Logic Apps on Azure cloud and other cloud sovereigns.

What I found interesting about this write-up is the nuances around bypassing the server’s origin check, experimenting with how browsers treat special characters, and dealing with Same Origin Policy preflight requests.

Solving for Cloud Security at Scale with Chris Farris
Chris Farris joins Corey Quinn on Last Week in AWS to discuss how he wound up in the world of DevRel at Turbot and what he sees for the future of multi-cloud security practitioners.

Corey: One post you had recently that I find myself in wholehearted agreement with is on the adoption of Tailscale in the enterprise. I use it for all of my personal nonsense and it is transformative. I like the idea of what that portends for a multi-cloud architecture. Historically one of the biggest problems in getting two clouds to speak to one another and manage them in an intelligent way is the security models are different, the user identity stuff is different as well, and the network stuff has always been nightmarish.

Well, with Tailscale, you don’t have to worry about that in the same way at all. You can, more or less, ignore it, turn on host-based firewalls for everything and just allow Tailscale. And suddenly, okay, I don’t really have to think about this in the same way.

Container Security

groundcover-com/caretta
An instant Kubernetes service dependency map, right to your Grafana. Carreta leverages eBPF to efficiently map all service network interactions in a Kubernetes cluster, and Grafana to query and visualize the collected data.

Mitigating RBAC-Based Privilege Escalation in Popular Kubernetes Platforms
Previously, Prisma Cloud and Unit 42 released a report examining the use of powerful credentials in popular Kubernetes platforms (AKS, EKS, GKE, and more), which found most platforms install privileged infrastructure components that could be abused for privilege escalation.

In this post, Palo Alto Networks’s Yuval Avrahami walks through the different mitigations the platforms implemented to address privilege escalation and powerful permissions in Kubernetes.

Blue Team

Trends and Top Cybersecurity Takeaways from 2022
entinelOne shares attack trends based on telemetry from tens of millions of endpoints, covering the top ransomware variants, initial infection vectors, emerging malware, most used commodity tooling and techniques, notable cybercrime toolkits, and more.

Employee-facing Mutual TLS
Follow-up post by Armen Tashjian on Pinterest’s device authentication and compliance initiative, describing how they’ve implemented employee-facing mutual TLS with a custom identity provider in a way that results in a positive user experience.

Elevating Security Alert Management Using Automation
Josh Liburdi describes the Brex Detection and Response Team’s approach to managing and automating security alerts at scale. Covered topics include:

  • Requirements for Scaling Alerts

  • Blueprint for a Loosely Coupled Alert Management System

  • Contextual Suppression and Deduplication

  • Artisanal and Mass-Produced Automation

  • Labeling, Metrics, and You

  • Choosing Impactful Metrics

Machine Learning

Never write a commit message again (with the help of GPT-3)
A post describing gptcommit, a new tool that uses the official completions API from OpenAI to summarize the changes in each file.

The future of programming, as captured in his essay Software 2.0, is neural network weights. AIs will feed data into neural nets and produce weights, and that will be the software. Humans are bad coders. Our job will be to ask the right questions and provide quality data sets.

Humans are biological bootloaders for AGI, and so are all other civilizations, most likely. So if aliens advance enough they’ll end up as AGIs, so it’ll just be AGIs meeting AGIs at some point.

Misc

Super Agent
A browser extension which lets you decide which cookies you want and don’t want, auto-accepts cookie pop-ups for you, and warns you whenever it finds a website not respecting your preferences.

awslabs/smithy
A protocol-agnostic interface definition language and set of tools for generating clients, servers, and documentation for any programming language.

MrBeast helps thousand people with eyesight issues see again
Wow, awesome. Also, America: where YouTube influencers provide healthcare that our government won’t 🦅 #JusticeIsBlind #SoIsFreedom

All the (open) world’s a stage: how the video game Fallout became a backdrop for live Shakespeare shows
Apparently a group is rehearsing and performing live Shakespeare plays within Fallout. I love this.

Need help with students who’ve turned my class into a dating service
Academia Stack Exchange post. At some university, senior engineering students have created an app that aggregates the diversity data the university publishes, and then lists courses that would be easy for engineering majors to excel in in which the majority of the class is young women. Drama ensues.

Bryan Johnson, 45, is an ultrawealthy software entrepreneur who has more than 30 doctors and health experts monitoring his every bodily function. The team, led by 29-year-old regenerative medicine physician Oliver Zolman, has committed to help reverse the aging process in every one of Johnson’s organs. Zolman and Johnson obsessively read the scientific literature on aging and longevity and use Johnson as a guinea pig for the most promising treatments, tracking the results every way they know how.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint