[tl;dr sec] #197 - Career Resources, Modern Security Podcast, Smashing the State Machine

📺️ Modern Security Podcast: How to Scale Security with Secure Defaults

I just released a podcast episode with my friend Devdatta Akhawe!

If you don’t know Dev, he’s currently Head of Security at Figma, and was Director of Security Engineering at Dropbox before that.

A few years ago we did some DevSecOps panels with other awesome folks that are still highly worth checking out today.

I feel like Dev is usually thinking about and/or doing things that are a few years ahead of most, so it was great to chat with him about:

• The rise of security engineering

• Career advice

• Secure defaults

• What makes a security tool great

• Fancy stuff like: how to get continuous visibility into the code your company is writing and scale just-in-time developer education

You can watch the interview here 👈️ 

Let me know what you think!

Sponsor

📣 Just-in-time access for your cloud infrastructure with ConductorOne

Managing access to cloud infrastructure can be a headache.

ConductorOne’s Cloud PAM solution gives teams just-in-time (JIT) access to cloud resources, drastically reducing standing access and permissions. No more tickets. No more waiting.

Learn how you can take control of accounts and permissions throughout your environment and achieve least privilege access for AWS, GCP, AzureAD, Snowflake and more.

Web Security

Lissy93/wapalyzer
By Alicia Sykes: Community fork of the now removed Wappalyzer project, which can be used to detect the technologies used by a website.

Zigrin-Security/CakeFuzzer
By Zigrin's Dawid Czarnecki et al: A tool that uses an Interactive Application Security Testing (IAST) approach to autonomously and consistently uncover vulnerabilities in web applications built with the CakePHP framework.

Smashing the state machine: the true potential of web race conditions
Portswigger’s James Kettle continues his streak of legendary research, introducing a new class of race condition, exploits multiple high-profile websites and a popular authentication framework (Devise), introduces the single-packet attack, and releases a paper and a set of free online labs.

Key insight: “Every pentester knows that multi-step sequences are a hotbed for vulnerabilities, but with race conditions, everything is multi-step.”

Sponsor

📣 Rampant cloud activity?

Cloud risk can grow faster than your AWS bill (true story).

That’s why Wiz partnered with Wiley to create the AWS Security for Dummies ebook. This free PDF contains 46 pages of expert tips to harden your AWS environment, including:

• How to get the basics right to help scale security when your footprint (inevitably) grows

• How to secure specific resources based on your usage (VMs, S3, Cloudtrails, and more)

• Which critical weaknesses to prioritize so you aren’t caught off guard

Grab your free digital copy now and boost your AWS security posture.

Cloud Security

stephenbradshaw/aws_url_signer
By Stephen Bradshaw: Tool to create signed AWS API GET requests to bypass Guard Duty alerting of off-instance credential use via Server-Side Request Forgery (SSRF).

Risk in AWS SSM Port Forwarding
Rami McCarthy shares an unexpected default behavior within AWS Systems Manager Session Manager (SSM) when you’re using port forwarding- it implicitly grants shell access.

Methods to Backdoor an AWS Account
Fawaz Masood writes about different methods that adversaries can use to create backdoors in an AWS account and achieve persistence, including access keys, temporary security credentials, AssumeRole, changing Security Groups, EC2 UserData scripts, and EC2 SSM Send-Command.

See also Nick Frichette’s AWS IAM Persistence Methods.

Events

Semgrep on Tour!
Semgrep is loading up the (metaphorical) tour bus and hosting a series of half-day events across the U.S. where Tanya Janca and other cool people will be teaching AppSec, Semgrep, and more. Dates for San Francisco, San Jose, and Boston are posted, more soon!

ThreatModCon
The first threat modeling conference, October 29 in DC, right before OWASP Global AppSec DC. 10 insightful talks covering 7 key topics in threat modeling, 2 hands-on workshops, 20 industry-leading speakers.

The organizers have been kind enough to offer tl;dr sec readers:

• 3 free tickets - which I’ll randomly raffle to people how comment or share this tl;dr sec (#197) post on Twitter or LinkedIn.

• A 35% discount when you use the code TLDR_SEC.

Supply Chain

SBOMit
An SBOM format independent method for attesting components with additional verification information. Uses in-toto attestations and layouts.

Introducing the Enterprise Contract
Enterprise Contract is a policy-driven workflow built on sigstore and its container image verification tool, cosign. Ensure a group of images meet the requirements of a certain policy (e.g. built by expected build system).

Blue Team

C2 Server Hunting: Empowering Threat Intelligence with Nuclei Templates
ProjectDiscovery's Prithiv discusses how to detect Command and Control (C2) servers (e.g. Cobalt Strike, malware servers) using Nuclei and shares a number of templates, using detection techniques like: default SSL certificates, body hashes, and analyzing a server's TLS handshake process.

Spraying the Microsoft Cloud
BlueteamOps' Janantha Marasinghe writes about detecting precursors of MFA configuration probing and password spraying attacks in Microsoft 365 while utilizing open-source tools like MFASweep, o365spray, and MSOLSpray.

Red Team

herosi/CTO
By Hiroshi Suzuki & Christian Clauss: The Call Tree Overviewer is an IDA plugin designed to produce clear and effective function call tree graphs. It can also summarize function info like internal function calls, API calls, function calls from statically linked libraries, string references, structure member accesses, and more.

Machine Learning + Security

Prompt Injection Primer for Engineers
Detailed guide by Joseph Thacker to assist developers in creating secure AI-powered applications and features by helping them understand the actual risks of prompt injection. Joseph details different attacker vectors and explains how conventional web vulnerabilities such as SQL Injection or Remote Code Execution can be also accomplished through prompt injection, as well different mitigations to prevent this attack class.

AI-Powered Fuzzing: Breaking the Bug Hunting Barrier
Google’s Dongge Liu, Jonathan Metzman, and Oliver Chang describe how they were able to use an LLM to automatically write new fuzz targets for projects already being fuzzed by OSS-Fuzz, leading to greater code coverage and moar bugs!

Writing fuzzing test harnesses tends to be very manual/time intensive and a limiting factor in fuzzing effectiveness, so this could be a big deal if it works at scale.

Machine Learning

Quicklinks

• SQLCoder - A a state-of-the-art LLM for converting natural language questions to SQL queries, by Defog.ai.

• Maccarone - AI-managed code blocks in Python, by Bryan Silverthorn.

• How AI Gave a Paralyzed Woman Her Voice Back - Via a brain implant and digital avatar. Science is amazing! 🤘 

• Introducing Code Llama, a state-of-the-art LLM for coding from Meta

• Introducing ChatGPT Enterprise - Unlimited access to GPT-4, up to 2x faster performance, unlimited access to Code Interpreter, 32k token context windows, and more.

A Study on Robustness and Reliability of Large Language Model Code Generation
1208 coding questions pulled from StackOverflow on 24 Java APIs, 62% of the generated code from GPT-4 contains API misuses.

normal-computing/outlines
Ensure output will match a regular expressions or follow a JSON schema, and provides robust prompting primitives that separate the prompting from the execution logic and lead to simple implementations of few-shot generations, ReAct, meta-prompting, agents, etc.

Career

How to Build a Cybersecurity Career
This isn’t new, but if you haven’t read this guide by Daniel Miessler you’re missing out! It covers a wide range of topics from technologies to learn and useful resources, to building your brand and networking, CFP submissions, your first job, and more.

Getting into AWS cloud security research as a n00bcake
Daniel Grzelak shares some great advice and resources, grouped into how to go about it and where to start looking, with input from awesome cloud people like Christophe Tafani-Dereeper, Scott Piper, Houston Hopkins, Shir Tamari, Aidan Steele, Gafnit Amiga, and Ian Mckay.

Web AppSec Interview Questions
A tough set of questions by Tib3rius covering a wide range of topics including web cache deception and poisoning, session fixation, XSS, CSRF, SQL injection, the same-origin policy, HTTP request smuggling, DOM clobbering, HTTP parameter pollution, and much more.

The rise of cybersecurity certifications and why we should take an engineering approach to security education instead
LimaCharlie’s Ross Haleliuk on professional designations in cybersecurity - why we have them, what they are expected to do, what the problem with having so many certifications is, and where we can go from here.

Early Retirement - Some Reflections Two Years In
Jason Chan on retiring in 2021 at 45, at the peak of his earning power. Love the reflections, and he includes a great set of book, podcast, and article recommendations.

13 infosec career hacks Matt Johansen wished he had known
Some solid advice in this thread. Get in the room, find your personal moat, develop a growth mindset, comparison is the thief of joy, and more.

Meaningful Exits for Founders
Bryce Roberts shares some interesting stats and tables on the difference between meaningful exits for VCs vs founders. tl;dr: VCs want founders to go for home runs, despite that being a high risk path.

• A “meaningful exit” for a fund should return 33% of the fund, a “home run” exit should return the entire fund in a single investment.

• “A founder selling at the Series D price of $210M, would make the same amount of money at exit as they would have if they’d sold for $38M after having only raised a seed round.”

What I'm Doing and How It's Going
Impressively transparent post by Daniel Miessler on how he’s gone from a $350K FTE to $700K doing his own thing, including a breakdown by revenue stream.

I’m really happy for Daniel and I found his post inspiring. I hope you find it motivating too.

The best time to start working on yourself and your career is years ago, the second best time is today. Don’t get discouraged if you don’t see immediate traction- it took tl;dr sec 1-2+ years to start getting traction, and Daniel has been writing online for like 20 years. Put in the time, consistency is key. I believe in you ✊ 

Misc

Deep Dives into 15+ Security Companies
Francis Odum shares a round-up of deep dives into a number of security companies (history, products, place in market, etc.) including Wiz, Lacework, Snyk, Panther, Vanta, and more.

If you’re an operator or investor who wants to learn how to analyze cybersecurity technologies and the financials behind those companies, you might want to check out a bootcamp Francis will be co-leading soon.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler