[tl;dr sec] #180 - Scaling AppSec, tl;dr sec Swag 🤯, GCP Pentesting Guide
Riot Games and Segment on Scaling AppSec, help me decide what tl;dr sec swag to make, resources and techniques to do an effective GCP pentest.
I hope you’ve been doing well!
A few fun anecdotes from RSA week:
I attended a panel in which 3/8 of the words in the title were “Cyber.” The Guinness World Record committee was there, and there was a beautiful ceremony after.
An RSA vendor’s marketing pitch was “4D ”. Thankfully my optometrist said there’s likely no permanent damage from my eyes rolling so hard.
There was a man on the RSA floor who was doing a balancing act while in a straightjacket. He still had his badge scanned.
I befriended some Aussies and learned the Australian Handshake. If you’re curious, Frenchie will be happy to teach you.
Probably my favorite thing was getting to hang out with a bunch of amazing people sharing great security content.
🎁 Exclusive tl;dr sec Swag
I periodically get asked if I’m going to create tl;dr sec swag.
I’m thinking about having a few options to thank people for sharing tl;dr sec with their friends (or enemies, I’m not picky). For everyone who already has, thank you so much, you are amazing!
I want to make sure the swag is something you like, so I created a quick ~3min form so you can tell me what you want, like I’m Ryan Gosling in The Notebook.
📢 Ockam: Connect Apps, Not Networks
If you need to connect two networks to each other, use a VPN. If what you really want is to connect apps across networks, there’s Ockam.
Finally there is a developer tool to end-to-end encrypt connections between applications, to that database in that private network on the other side of the internet, or even data that flows through Kafka. And it doesn’t stop at your network boundary... it extends all the way to the application layer!
Come and see why we’re one of the most popular and fastest growing OSS security projects on GitHub.
📜 In this newsletter...
Web Security: State of DNS Rebinding in 2023
OSINT / Recon: A fast domain resolver and subdomain brute-forcer
AppSec: Netchecks, The birth of Semgrep Pro Engine, Building a Scaled Application Security Program
Cloud Security: Tool for SCP management, example SCP policies, GCP Pentesting Guide, automate migration to IMDSv2, AWS EC2 IMDS – What You Need to Know, Azure Threat Research Matrix
Container Security: Let's talk about Kubelet authorization, Argo CD end user threat model
Conferences: OpenSSF Day 2023
Machine Learning: IBM to pause hiring in plan to replace 7,800 jobs with AI, AWS' LLM code gen and security scanning tool, Google brings generative AI to cybersecurity, impact on customer service reps in a company that adopted AI
Misc: How Stephen Colbert knew his wife was the one, Python but fast, Signal v. Noise in the RSA Innovation Sandbox
Leveling up your application security program: How Riot Games approaches AppSec
State of DNS Rebinding in 2023
NCC Group’s Roger Meyer discusses the current state of DNS rebinding, including Local Network Access, a new draft W3C specification that has been implemented in some browsers to prevent DNS rebinding. Roger also highlights two potential bypasses for this specification and covers the impact of DNS Bit 0x20 and WebRTC IP address leak mitigation on DNS rebinding attacks.
OSINT / Recon
📢 Attacks can happen anywhere. So, Cloudflare is everywhere.
Your workers, applications, and data are now everywhere. Your security should be too. That's why Cloudflare has taken a fundamentally different approach – a unified platform, powered by an intelligent global network that sees and stops 136 billion threats per day. With over 25 security services delivered on a single control plane, you can strengthen and simplify security everywhere you do business.
A tool to periodically probe the network to detect when security assumptions are violated. Netchecks takes a cloud native, policy as code approach, making no assumptions about how your security controls are implemented.
The birth of Semgrep Pro Engine
Emma Jin and Colleen Dai share the inside scoop on adding interfile analysis to Semgrep, a tale of wily bugs and pesky product managers. Good example of building a security tool with tight feedback from users.
Building a Scaled Application Security Program
Great BSides Vancouver talk by Segment’s Jeevan Singh on AppSec Program Maturity, building a scaled program (hiring, democratizing vuln management, scaling security tools), and leadership potholes to avoid.
Example AWS Service control policies to get started or mature your usage of AWS SCPs. Categories: data perimeter guardrails, deny changes to security services, privileged access controls, protect cloud platform resources, region controls, and sensitive data protection, plus a top 5 recommended SCPs to get started with.
GCP Pentesting Guide
Vasilis Orlof shares insights on how security professionals working with GCP can leverage different resources and techniques to obtain a comprehensive overview of the infrastructure and perform a successful security assessment.
AWS EC2 IMDS – What You Need to Know
Ermetic’s Lior Zatlavi and Ermetic’s Liv Matan provides an in-depth analysis of the IMDS component, highlighting the significant differences between its two API versions. Lior discusses the importance of enforcing IMDSv2 and offers practical tips for preventing attackers from exploiting weak points in the EC2 service and accessing your cloud infrastructure.
Azure Threat Research Matrix
Microsoft’s Ryan Hausknecht et al have published an Azure Threat Research Matrix that provides a searchable list of tactics, techniques and procedures (TTPs), with specific examples of how to weaponize them, detection techniques, and links to the relevant documentation.
Let’s talk about Kubelet authorizationRory McCune discusses the limitations of using RBAC for Kubernetes clusters, and explores the Node authorization mode and NodeRestriction admission controller as mechanisms to provide rights to Kubelets to access the resources they need to function while restricting access to secrets and other objects.
Argo CD end user threat model: security considerations for hardening declarative GitOps CD on KubernetesAndres
Vega from ControlPlane and Michael Crenshaw from Intuit have released a comprehensive threat modeling analysis of a typical production setup of Argo CD, providing visualizations of the identified threat landscape in the form of attack trees, deployment architecture, and code to reproduce it for validation, as well as accompanying security considerations.
OpenSSF Day 2023
May 10th in Vancouver, sessions on security open source software, SBOM, supply chain security and more. Virtual registration is free.
📢 2023 Code to Cloud Cybersecurity Summit: Level up your security across the entire application lifecycle 💫
RSVP for the worldwide virtual Code to Cloud Cybersecurity Summit coming up on June 21-22 & July 11. You’ll learn from the most loved experts and up-and-coming voices in cloud, DevOps and cybersecurity across 20+ keynotes, technical sessions, roundtable discussions and hands-on labs. Speakers include Nir Zuk (Founder & CTO, Palo Alto Networks), Armon Dadgar (Founder & CTO, HashiCorp), Jimmy Mesta (Co-Founder & CTO, KSOC) and more. Join us at the intersection of code and cloud security as we explore the risks and dependencies at each stage of the application.
I’m experimenting with sponsored events, let me know what you think!
Use Amazon CodeWhisperer for Your AWS Security
Sena Yakut introduces Amazon CodeWhisperer, an AI code service that provides real-time code suggestions. Sena shares some code generation examples based on the CIS AWS Foundations Benchmark and shows how CodeWhisperer can identify security vulnerabilities in code in your IDE.
Google brings generative AI to cybersecurity
Google announces Cloud Security AI Workbench, a cybersecurity suite powered by a specialized “security” AI language model called Sec-PaLM. Applications:
Mandiant’s Threat Intelligence AI, which will leverage Sec-PaLM to find, summarize and act on security threats.
VirusTotal: use Sec-PaLM to help subscribers analyze and explain the behavior of malicious scripts.
Chronicle search security events and interact “conversationally” with the results.
Security Command Center AI: “human-readable” explanations of attack exposure, including impacted assets, recommended mitigations and risk summaries for security, compliance and privacy findings.
This company adopted AI. Here’s what happened to its human workers
The average customer support representative became, on average, 14% percent more productive. Highly skilled reps saw little to no benefit, less experienced, lower-skilled reps saw the biggested gains (people with 2 months experience performed like they had 6 months of experience).
Stephen Colbert tells the story of when he knew his wife Evie was the one
Guaranteed to warm your heart.
Mojo may be the biggest programming advance in decades
“Mojo is a new programming language, based on Python, which fixes Python’s performance and deployment problems.” Neat read if you’re a programming language nerd.
Signal v. Noise in the RSA Innovation Sandbox
I love posts like this. Rami McCarthy and Mike Privette’s latest publication delves into the impact of RSA Conference Innovation Sandbox on cybersecurity startups, offering a deep dive into winner outcomes, anti-portfolio insights, and key observations that highlight the event’s industry significance.
Companies that didn’t win that have done really well: Yubico, Sumo Logic, Sontatype, Cylance, Sentinel One, Sqreen, Wiz.
Leveling up your application security program Devoxx 2016 talk in which David Rook shares lessons learned from building an application security program and culture at Riot Games, including how to implement controls without impacting product development or player experience.
I love the framing of AppSec teams like support heroes in League of Legends, who help their teammates (developers) thrive.
Instead of just building or buying tools and then making devs use them, ask dev teams, “What’s one thing you’d love from us?”
Riot’s AppSec team spends “50%-80%” of their time writing code.
They built some automation to try to auto-reproduce bug bounty submissions (e.g. reflected XSS).
They created a secure coding cheatsheet note card that they mailed each dev to keep on their desk (see below).
Note: 110% agree with this- instead of static docs devs need to remember, if you can programmatically enforce it on every PR, that saves everyone a lot of time. Also, if you have nice infrastructure and an easy to extend tool to do these checks, devs can use it for performance, best practices, etc.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!