- tl;dr sec
- Posts
- [tl;dr sec] #192 - Google's AI Red Teaming, OWASP on Cloud Security, Trail of Bits' Testing Guide
[tl;dr sec] #192 - Google's AI Red Teaming, OWASP on Cloud Security, Trail of Bits' Testing Guide
Google's whitepaper on how they approach AI red teaming, OWASP's cloud architecture security cheatsheet, ToB on static/dynamic analysis tooling
Hey there,
I hope you’ve been doing well!
🤦♀️ Deck Pics
Narrator: This week, on #PeakBayArea.
A friend of mine recently told me that she had to change her job on dating apps from “VC” to “finance.”
Why? Because she kept matching with guys who’d say, “Hey… so… can I show you my pitch deck?”
She’d respond, “Sure, but you have to choose whether this is going to a romantic or business dynamic, it can only be one.”
And then a number of times she did actually end up having an impromptu pitch meeting 🤣 Who says romance is dead.
I feel like this is romcom waiting to happen. *Closes eyes, engages screenwriting mode*
If you have any funny #PeakBayArea or dating stories you’d like to share, feel free to send them to me.
🔥 tl;dr sec t-shirts
I’m thrilled to announce that for the first time ever I’m printing tl;dr sec t-shirts and bringing 300 to Vegas.
Next week I’ll share more about where you can find me / get one.
If you’re not attending Hacker Summer Camp this year, don’t worry, I’ll give them out another time too.
Art by @snailpea
Sponsor
📣 Wiz for CSPM: A Modern Approach to Security in the Cloud
Security risks grow exponentially as your cloud footprint increases. That’s why picking the right Cloud Security Posture Management (CSPM) solution is critical to building your security strategy. In this free resource, Wiz breaks down market trends to help you understand how to find the right solution for your org.
Here’s exactly what you’ll learn:
Why cloud-forward security orgs are adopting CSPM
What are the differences between modern vs legacy CSPM
How cloud security leaders use Wiz to improve security posture
Key features and functionality to assess in your CSPM evaluation
📜 In this newsletter…
AppSec: The difference between product security and application security, the Trail of Bits testing guide
Web Security: Using MiTMProxy as a scriptable pre-proxy for BurpSuite, web app black-box testing
Cloud Security: OWASP’s cloud architecture security cheat sheet, replacing AWS access keys with other options, bucket looter, IAMActionHunter,
Container Security: Kubernetes security basics: container deployment
Supply Chain: Tool to check repo for SLSA conformance, supply chain security tools for Go, tool to track software from dev to prod
Red Team: Tool to send Microsoft Teams phishing messages, benchmark for identifying debuggers
Machine Learning + Security: Google’s AI red team whitepaper, an academic’s LLM red teaming slides, tool for testing models against adversarial threats
Machine Learning: Explaining to NPCs that they’re not real, AI will produce the biggest K-shaped recovery, generative AI company overview, Zuck vs Elon
Misc: Love and tragedy are linked
AppSec
What’s the difference between Product Security and Application Security?
Tanya Janca shares her and others’ thoughts on the difference between an AppSec and ProdSec engineer. In my experience, job responsibilities for those two titles depends a lot on the company and how they organize their security teams.
Sometimes one of them is responsible for securing the software the company writes, and the other may actually help build security features into the product (e.g. 2FA, authentication or authorization libraries or user flows, etc.).W
Announcing the Trail of Bits Testing Handbook
Trail of Bits’ Maciej Domanski announces their Testing Handbook, which covers the shortest path for developers and security professionals to derive maximum value from static and dynamic analysis tools. The first chapter covers Semgrep.
Sponsor
📣 Privileged Access Management for the Cloud, new from ConductorOne
Managing access to cloud infrastructure can be a headache. ConductorOne’s Cloud PAM solution gives teams just-in-time (JIT) access to cloud resources, drastically reducing standing access and permissions. No more tickets. No more waiting.
Find out how you can take control of accounts and permissions throughout your environment and achieve least privilege access for AWS, GCP, AzureAD, Snowflake and more.
Just in time access / least privilege for cloud environments and various apps is a hot up-and-coming area it seems. Neat to see companies tackling this.
Web Security
Using MiTMProxy as a scriptable pre-proxy for BurpSuite
Zolder's Rik Van Duijn demonstrates how you can use MiTMProxy to modify traffic before it gets to Burp (in this case, decompressing a zlib-packed request body and modifying its headers), hopefully avoiding the need to build a Burp extension.
Web Application Black-Box Testing
YesWeHack describes black-box testing techniques for web apps, includes fuzzing, regression testing, and error guessing, which can provoke unexpected behavior and thus hopefully vulnerabilities. It also explains effective payload creation for fuzzing applications and recognizing changed behavior.
Cloud Security
Cloud Architecture Security Cheat Sheet
Nice overview guide by OWASP covering risk Analysis, threat Modeling, and attack Surface Assessments, public and private components, trust boundaries, security tooling, and self-managed tooling maintenance.
How to get rid of AWS access keys – Part 3: Replacing the authentication
Wiz’s Scott Piper discusses alternative solutions to using access keys, including OpenID Connect for other clouds and IAM Roles Anywhere or Systems Manager Hybrid Activation for on-prem.
redhuntlabs/BucketLoot
By Umair Nehri: An automated S3-compatible bucket inspector that can extract assets, flag secret exposures, and search for custom keywords and regular expressions from publicly-exposed storage buckets. Can scan buckets on AWS, Google Cloud Storage, and DigitalOcean Spaces.
IAMActionHunter: Query AWS IAM permission policies with ease
Rhino Security's Dave Yesland announces IAMActionHunter, a tool that can be used to search for potential privilege escalation opportunities in AWS accounts by querying various AWS IAM permissions that might be exploited. It supports a more manual review approach and can identify potential privilege escalation when permissions are spread across multiple principals.
Container Security
Kubernetes Security Basics Series: Container Deployment
KSOC discusses the importance of verifying orchestrator configuration files' integrity before deployment, utilizing admission controllers, immutable infrastructure, drift prevention, patching, centralized logging, monitoring, and other important topics.
Supply Chain
oracle/macaron
By Oracle Labs: A supply chain security analysis tool that focuses on the build integrity of an artifact and its dependencies- checks if a project conforms to the SLSA specification. Currently supports the Maven and Gradle Java build systems, Python's Pip and Poetry are in progress.
Supply chain security for Go, Part 3: Shifting left
Google's Julie Qiu and Jonathan Metzman discuss the Go extension for Visual Studio Code with its govulncheck
integration to identify vulnerabilities in third-party dependencies and Go's built-in fuzz testing functionality.
Announcing the Alpha release of the Chalk™ open source project
Crash Override’s John Viega announces Chalk, “like GPS for software, allowing you to easily see where software came from, and where else it is deployed. Chalk collects, stores, and reports metadata about software from build to production.”
Tracking software from build to production and vice versa is a challenge I’ve heard from a number of companies, excited to see how this goes!
Red Team
Octoberfest7/TeamsPhisher:
By Alex Reid: A Python tool that facilitates the delivery of phishing messages and attachments to Microsoft Teams users whose organizations allow external communications.
hfiref0x/WubbabooMark
A benchmark for identifying traces left by popular debuggers and testing how effectively they are concealed by anti-detection software. The tool implements a wide range of tests, including verification of loaded kernel modules, running processes, client threads, and examination of system handle dumps, and more.
Machine Learning + Security
Cloud CISO Perspectives: Early July 2023
Google’s Phil Venables interviews Royal Hansen about how Google is securing its use of AI. There’s also a whitepaper from Google on:
What red teaming in the context of AI systems is and why it’s important
What types of attacks AI red teams simulate (prompt attacks, extraction of training data, backdooring the AI model, adversarial examples to trick the model, data poisoning, and exfiltration)
Lessons learned.
Structured LLM Red-teaming
Slides by Leon Derczynski, including a few examples of the types of prompts that tend to bypass LLM guardrails.
Trusted-AI/adversarial-robustness-toolbox
By LF AI & Data Foundation: Adversarial Robustness Toolbox (ART) is a Python library for ML security that provides tools that enable developers and researchers to defend and evaluate ML models and applications against the adversarial threats of evasion, poisoning, extraction and inference.
Machine Learning
Someone playing Matrix Awakens explaining to AI NPCs they’re in a simulation
This will be interesting as AI is leveraged more in games.
AI Will Produce the Biggest K-Shaped Recovery We've Ever Seen
Opinion piece by Daniel Miessler that AI will give the top percent of people who leverage it unprecedented economic benefit, and everyone else will be worse off.
I thought his points on how AI could improve each step of the flywheel interesting: understanding what you/your company wants → understanding the challenges → creating ideas → rating ideas → testing ideas → and executing on the winners.
Misc
Quicklinks
Blue Bunny - SNL sketch with Benedict Cumberbatch at an ice cream tasting.
Love and tragedy are linked.
You can’t have one without the other. The greater the love, the greater the tragedy.
Every day around the world, millions of people die. We all go on, we all show up to work, we don’t care.
But if it’s someone you love, your sister, spouse, grandparent, a friend-it’s like the world collapses.
So really, all love stories, whether if it’s between a couple or parents and children, by definition, all love stories have to end in tragedy.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler