[tl;dr sec] #206 - Security Engineer Interview Tips, Security Making Eng Faster, GitHub Action Scanner
Security roles overview, skills required, and how to land them, how security teams can help devs ship faster, tool to scan GH Action files at scale
I hope you’ve been doing well!
John Steven is one of the most technically strong people I’ve ever met, and his interpersonal ninja-ry in causing change across teams in big orgs is also quite impressive.
I guess it makes sense, as he worked as a consultant up to CTO at Cigital over 9,000 18 years, working with hundreds of companies, across every sector. He’s also been a CTO at a number of security product companies and has advised many security start-ups.
John was also my manager when I was but a wee Cigital intern 🥰
In this podcast, we discussed a number of key lessons learned and insights in building modern, scalable security programs, including:
Threat modeling as a strategic means of defining one’s approach to security posture
Effectively having the security team being on the critical software delivery path, and helping engineers ship faster and better
Using security tools as guardrails, rather than for vulnerability discovery
Paved roads and security controls
and so much more!
📣 AWS Security Checklist
Rampant cloud usage requires an advanced security playbook.
Wiz put together these AWS security best practices from leading cloud security orgs.
Benchmark your strategy and improve your security posture across your AWS footprint with:
Techniques to enforce least privilege across all identities
How to limit uncontrolled exposure of sensitive assets
Playbooks to extend protection of Kubernetes clusters (EKS)
Plus critical recommendations by resource type (IAM, S3, Cloudtrail)
All of these advanced best practices for AWS are compiled in this checklist.
OffSec Evolve: Cyber Skills and Training Summit
OffSec, the company behind Kali Linux and OSCP, is holding a free virtual event on Wednesday, November 15th. Topics: leadership and talent management, attacker mindset, a CISO panel on human factors in cybersecurity training, how to attract and assess top talent, and more.
InfoSec Map v1 Launched
The free web app by Martín Villalba to search for security events by date, location and topic now lets you search by Call For Papers/Sponsors/Trainers/Volunteers and other improvements.
📣 Shortcut compliance — without shortchanging security
A growing business likely means more tools, third-party vendors, and data sharing — in other words, way more risk.
Vanta brings GRC and security efforts together. Integrate information from multiple systems and reduce risks to your business and your brand, all without the need for additional staffing.
And because Vanta automates up to 90% of the work for SOC 2, ISO 27001, and more, you’ll be able to focus on strategy and security, not maintaining compliance.
Join 6,000 fast-growing companies that leverage Vanta to manage risk and prove security in real-time. Watch the on-demand demo to learn more.
By Cycode: RAVEN (Risk Analysis and Vulnerability Enumeration for CI/CD) is a security tool designed to perform massive scans for GitHub Actions CI workflows and digest the discovered data into a Neo4j database. Queries are in the library/ folder.
By @gotr00t0day: A web security scanner that uses tools like Shodan, RapidDNS, Certsh, Waybackurls, and Nuclei for asset discovery, subdomain enumeration, old link fetching, HTTP security scanning, CMS misconfiguration detection, and vulnerability scanning.
A short note on AWS KEY ID
Tal Be’ery shares a Python script to decode an AWS account ID from an AWS access key ID, revealing that the account ID is base32 encoded and shifted by one bit within the key.
By Orange Cyberdefense: A Game of Thrones-inspired intentionally vulnerable Active Directory lab project, to give security testers practice. I suspect HR would like to have a word with some of these AD users.
The security attendee’s guide to AWS re:Invent 2023
An overview of the security talks. Topics: sessions for security leaders, the role of generative AI in security, architecting and operating container workloads securely, zero trust, and managing identities and encrypting data.
Securing attacks targeted at user or kernel level with KubeArmor & AWS Bottlerocket
AccuKnox describes how AWS Bottlerocket provides a secure foundation for host and worker nodes, and KubeArmor offers granular control over pods and applications, discussing scenarios like: blocking access to Kubernetes service account tokens, denying execution of certain processes, and enabling specific network primitives.
Understanding and Improving The Ghidra UI for Malware Analysis
@embee_research share a few recommendations: enabling dark mode, cursor text highlighting, the entropy view window, the function call tree, the function graph, and disabling type casting.
By FalconForce’s Olaf Hartong: A blue team multi-tool that allows you to utilize and enhance the power of BloodHound in a more automated fashion. It’s designed to be used in conjunction with a SIEM or other log aggregation tool. Unlike BloodHound, which takes a snapshot in time, FalconHound includes functionality to keep a graph of your environment up-to-date.
See also Olaf’s WWHackinFest slides about FalconHound here.
TIL Ghidra automatically detects and renders image and audio files embedded in a binary, including GIFs. Robert Xiao shows how to do media insertion for rickrolling reverse engineers using Ghidra. Love it.
By Georgii Gennadev: A highly customizable reverse proxy with WAF functionality, designed to hide red team operations from blue teams, sandboxes, and scanners, using real-time traffic analysis, IP filtering (includes known IT security vendors' IP pools), domain fronting, and other advanced features.
WolfPack combines the capabilities of Terraform and Packer to streamline the deployment of red team redirectors on a large scale. It allows efficiently scaling out the creation and management of Apache redirectors, which mimic authentic websites.
How To NOT Get Screwed As A Software Engineer
YC on how to get paid your worth as a technical person (I think this applies equally to security professionals), as a founder, early employee, or at a big FAANG-type company.
InsiderPhD’s Curated InfoSec RSS Feed List
Katie Paxton-Fear shares her favorite newsletters, podcasts, blogs, and videos. Lots of great stuff I also follow there, and I’m honored that tl;dr sec is included 🙏
Hiring and Interviewing as Security Engineers
BSidesSF 2023 talk by Databricks’ Arpita Biswas (slides) that provides a nice overview of different titles and roles, the skills required, and how to improve your interviewing for them, from software security engineer, to cloud security, detection engineering/incident response, and more.
Machine Learning + Security
NSA Director Rob Joyce shares a meme about NSA + AI
And it involves Taylor Swift 😂 Apparently it’s Meme-tober.
By Ayush Singh: A subdomain & exploit hunter powered by AI. Basically a wrapper around two APIs: Subdomain Center (uses Apache's Nutch, Calidog's Certstream, OpenAI's Embedding Models) & Exploit Observer (also uses Apache Nutch, which is a scalable, production-ready Web crawler).
This new data poisoning tool lets artists fight back against generative AI
A tool called Nightshade lets artists add small, pixel-level changes to their art to poison models trained on it- e.g. cause images of “dogs” to have too many limbs or cartoonish faces or look like cats instead. This attack would require tech companies to painstakingly find and delete each corrupted sample.
Analyzing the Security of Machine Learning Research Code
NVIDIA’s Joe Lucas shares findings from analyzing the 140GB of source code released in the Meta Kaggle for Code dataset, using manual analysis, TruffleHog, and Semgrep.
Primary findings: plaintext credentials, insecure deserialization (using pickle instead of ONNX), typos (packages could be typosquatted), and lack of adversarial robustness (not using tools like Adversarial RobustnessToolbox (ART), Counterfit).
Joe also released lintML, which wraps TruffleHog and Semgrep, and does other checks.
Greg Rutkowski is one of the most common names included in AI-generated art prompts due to his beautiful fantasy artwork.
MonsterAPI: A new platform that allows users to fine-tune open source LLMs without writing any code.
Air.ai: AI agents for sales and customer service reps. “Can have 10-40 minute long phone calls that sound like a real human, with infinite memory, perfect recall, and can autonomously take actions across 5,000 plus applications. It can do the entire job of a full time agent without having to be trained, managed or motivated. It just works 24/7/365.”
Javi Lopez prototyped a working pumpkin-themed Angry Birds clone using only Midjourney/DALL-E 3 for art and GPT-4 for the code. He shares the prompts and code.
How to Get Samantha from Her or TARS from Interstellar on Your iPhone/Android
Daniel Miessler on how OpenAI added high quality voices to ChatGPT and how you can easily start a 2-way conversation with iOS shortcuts.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!