[tl;dr sec] #192 - Google's AI Red Teaming, OWASP on Cloud Security, Trail of Bits' Testing Guide

🤦‍♀️ Deck Pics

Narrator: This week, on #PeakBayArea.

A friend of mine recently told me that she had to change her job on dating apps from “VC” to “finance.”

Why? Because she kept matching with guys who’d say, “Hey… so… can I show you my pitch deck?”

She’d respond, “Sure, but you have to choose whether this is going to a romantic or business dynamic, it can only be one.”

And then a number of times she did actually end up having an impromptu pitch meeting 🤣 Who says romance is dead.

I feel like this is romcom waiting to happen. *Closes eyes, engages screenwriting mode* 

If you have any funny #PeakBayArea or dating stories you’d like to share, feel free to send them to me.

🔥 tl;dr sec t-shirts

I’m thrilled to announce that for the first time ever I’m printing tl;dr sec t-shirts and bringing 300 to Vegas.

Next week I’ll share more about where you can find me / get one.

If you’re not attending Hacker Summer Camp this year, don’t worry, I’ll give them out another time too.

Sponsor

📣 Wiz for CSPM: A Modern Approach to Security in the Cloud

Security risks grow exponentially as your cloud footprint increases. That’s why picking the right Cloud Security Posture Management (CSPM) solution is critical to building your security strategy. In this free resource, Wiz breaks down market trends to help you understand how to find the right solution for your org.

Here’s exactly what you’ll learn:

• Why cloud-forward security orgs are adopting CSPM

• What are the differences between modern vs legacy CSPM

• How cloud security leaders use Wiz to improve security posture

• Key features and functionality to assess in your CSPM evaluation

📜 In this newsletter…

• AppSec: The difference between product security and application security, the Trail of Bits testing guide

• Web Security: Using MiTMProxy as a scriptable pre-proxy for BurpSuite, web app black-box testing

• Cloud Security: OWASP’s cloud architecture security cheat sheet, replacing AWS access keys with other options, bucket looter, IAMActionHunter,

• Container Security: Kubernetes security basics: container deployment

• Supply Chain: Tool to check repo for SLSA conformance, supply chain security tools for Go, tool to track software from dev to prod

• Red Team: Tool to send Microsoft Teams phishing messages, benchmark for identifying debuggers

• Machine Learning + Security: Google’s AI red team whitepaper, an academic’s LLM red teaming slides, tool for testing models against adversarial threats

• Machine Learning: Explaining to NPCs that they’re not real, AI will produce the biggest K-shaped recovery, generative AI company overview, Zuck vs Elon

• Misc: Love and tragedy are linked

AppSec

What’s the difference between Product Security and Application Security?
Tanya Janca shares her and others’ thoughts on the difference between an AppSec and ProdSec engineer. In my experience, job responsibilities for those two titles depends a lot on the company and how they organize their security teams.

Sometimes one of them is responsible for securing the software the company writes, and the other may actually help build security features into the product (e.g. 2FA, authentication or authorization libraries or user flows, etc.).W

Announcing the Trail of Bits Testing Handbook
Trail of Bits’ Maciej Domanski announces their Testing Handbook, which covers the shortest path for developers and security professionals to derive maximum value from static and dynamic analysis tools. The first chapter covers Semgrep.

Sponsor

📣 Privileged Access Management for the Cloud, new from ConductorOne

Managing access to cloud infrastructure can be a headache. ConductorOne’s Cloud PAM solution gives teams just-in-time (JIT) access to cloud resources, drastically reducing standing access and permissions. No more tickets. No more waiting.

Find out how you can take control of accounts and permissions throughout your environment and achieve least privilege access for AWS, GCP, AzureAD, Snowflake and more.

Just in time access / least privilege for cloud environments and various apps is a hot up-and-coming area it seems. Neat to see companies tackling this.

Web Security

Using MiTMProxy as a scriptable pre-proxy for BurpSuite
Zolder's Rik Van Duijn demonstrates how you can use MiTMProxy to modify traffic before it gets to Burp (in this case, decompressing a zlib-packed request body and modifying its headers), hopefully avoiding the need to build a Burp extension.

Web Application Black-Box Testing
YesWeHack describes black-box testing techniques for web apps, includes fuzzing, regression testing, and error guessing, which can provoke unexpected behavior and thus hopefully vulnerabilities. It also explains effective payload creation for fuzzing applications and recognizing changed behavior.

Cloud Security

Cloud Architecture Security Cheat Sheet
Nice overview guide by OWASP covering risk Analysis, threat Modeling, and attack Surface Assessments, public and private components, trust boundaries, security tooling, and self-managed tooling maintenance.

How to get rid of AWS access keys – Part 3: Replacing the authentication
Wiz’s Scott Piper discusses alternative solutions to using access keys, including OpenID Connect for other clouds and IAM Roles Anywhere or Systems Manager Hybrid Activation for on-prem.

redhuntlabs/BucketLoot
By Umair Nehri: An automated S3-compatible bucket inspector that can extract assets, flag secret exposures, and search for custom keywords and regular expressions from publicly-exposed storage buckets. Can scan buckets on AWS, Google Cloud Storage, and DigitalOcean Spaces.

IAMActionHunter: Query AWS IAM permission policies with ease
Rhino Security's Dave Yesland announces IAMActionHunter, a tool that can be used to search for potential privilege escalation opportunities in AWS accounts by querying various AWS IAM permissions that might be exploited. It supports a more manual review approach and can identify potential privilege escalation when permissions are spread across multiple principals.

Container Security

Kubernetes Security Basics Series: Container Deployment
KSOC discusses the importance of verifying orchestrator configuration files' integrity before deployment, utilizing admission controllers, immutable infrastructure, drift prevention, patching, centralized logging, monitoring, and other important topics.

Supply Chain

oracle/macaron
By Oracle Labs: A supply chain security analysis tool that focuses on the build integrity of an artifact and its dependencies- checks if a project conforms to the SLSA specification. Currently supports the Maven and Gradle Java build systems, Python's Pip and Poetry are in progress.

Supply chain security for Go, Part 3: Shifting left
Google's Julie Qiu and Jonathan Metzman discuss the Go extension for Visual Studio Code with its govulncheck integration to identify vulnerabilities in third-party dependencies and Go's built-in fuzz testing functionality.

Announcing the Alpha release of the Chalk™ open source project
Crash Override’s John Viega announces Chalk, “like GPS for software, allowing you to easily see where software came from, and where else it is deployed. Chalk collects, stores, and reports metadata about software from build to production.”

Tracking software from build to production and vice versa is a challenge I’ve heard from a number of companies, excited to see how this goes!

Red Team

Octoberfest7/TeamsPhisher:
By Alex Reid: A Python tool that facilitates the delivery of phishing messages and attachments to Microsoft Teams users whose organizations allow external communications.

hfiref0x/WubbabooMark
A benchmark for identifying traces left by popular debuggers and testing how effectively they are concealed by anti-detection software. The tool implements a wide range of tests, including verification of loaded kernel modules, running processes, client threads, and examination of system handle dumps, and more.

Machine Learning + Security

Cloud CISO Perspectives: Early July 2023
Google’s Phil Venables interviews Royal Hansen about how Google is securing its use of AI. There’s also a whitepaper from Google on:

1. What red teaming in the context of AI systems is and why it’s important

2. What types of attacks AI red teams simulate (prompt attacks, extraction of training data, backdooring the AI model, adversarial examples to trick the model, data poisoning, and exfiltration)

3. Lessons learned.

Structured LLM Red-teaming
Slides by Leon Derczynski, including a few examples of the types of prompts that tend to bypass LLM guardrails.

Trusted-AI/adversarial-robustness-toolbox
By LF AI & Data Foundation: Adversarial Robustness Toolbox (ART) is a Python library for ML security that provides tools that enable developers and researchers to defend and evaluate ML models and applications against the adversarial threats of evasion, poisoning, extraction and inference.

Machine Learning

Someone playing Matrix Awakens explaining to AI NPCs they’re in a simulation
This will be interesting as AI is leveraged more in games.

AI Will Produce the Biggest K-Shaped Recovery We've Ever Seen
Opinion piece by Daniel Miessler that AI will give the top percent of people who leverage it unprecedented economic benefit, and everyone else will be worse off.

I thought his points on how AI could improve each step of the flywheel interesting: understanding what you/your company wants → understanding the challenges → creating ideas → rating ideas → testing ideas → and executing on the winners.

Misc

Quicklinks

• The man who won the lottery 14 times

• Blue Bunny - SNL sketch with Benedict Cumberbatch at an ice cream tasting.

• Ability to See Expertise is a Milestone Worth Aiming For

Rumors of Tears: An interview with Nicholas Sparks

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler