[tl;dr sec] #206 - Security Engineer Interview Tips, Security Making Eng Faster, GitHub Action Scanner

John Steven & Security as Engineering Accelerant

John Steven is one of the most technically strong people I’ve ever met, and his interpersonal ninja-ry in causing change across teams in big orgs is also quite impressive.

I guess it makes sense, as he worked as a consultant up to CTO at Cigital over 9,000 18 years, working with hundreds of companies, across every sector. He’s also been a CTO at a number of security product companies and has advised many security start-ups.

John was also my manager when I was but a wee Cigital intern 🥰 

In this podcast, we discussed a number of key lessons learned and insights in building modern, scalable security programs, including:

• Threat modeling as a strategic means of defining one’s approach to security posture

• Effectively having the security team being on the critical software delivery path, and helping engineers ship faster and better

• Using security tools as guardrails, rather than for vulnerability discovery  

• Paved roads and security controls

• and so much more!

You can watch it here on Youtube, or listen on Apple Podcasts or Spotify.

Sponsor

📣 AWS Security Checklist 

Rampant cloud usage requires an advanced security playbook. 

Wiz put together these AWS security best practices from leading cloud security orgs.

Benchmark your strategy and improve your security posture across your AWS footprint with:  

• Techniques to enforce least privilege across all identities 

• How to limit uncontrolled exposure of sensitive assets 

• Playbooks to extend protection of Kubernetes clusters (EKS) 

• Plus critical recommendations by resource type (IAM, S3, Cloudtrail) 

All of these advanced best practices for AWS are compiled in this checklist. 

Conferences

OffSec Evolve: Cyber Skills and Training Summit
OffSec, the company behind Kali Linux and OSCP, is holding a free virtual event on Wednesday, November 15th. Topics: leadership and talent management, attacker mindset, a CISO panel on human factors in cybersecurity training, how to attract and assess top talent, and more.

InfoSec Map v1 Launched
The free web app by Martín Villalba to search for security events by date, location and topic now lets you search by Call For Papers/Sponsors/Trainers/Volunteers and other improvements.

Sponsor

📣 Shortcut compliance — without shortchanging security

A growing business likely means more tools, third-party vendors, and data sharing — in other words, way more risk.

Vanta brings GRC and security efforts together. Integrate information from multiple systems and reduce risks to your business and your brand, all without the need for additional staffing.

And because Vanta automates up to 90% of the work for SOC 2, ISO 27001, and more, you’ll be able to focus on strategy and security, not maintaining compliance.

Join 6,000 fast-growing companies that leverage Vanta to manage risk and prove security in real-time. Watch the on-demand demo to learn more. 

AppSec

FiloSottile/age
By Filippo Valsorda: A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

CycodeLabs/raven
By Cycode: RAVEN (Risk Analysis and Vulnerability Enumeration for CI/CD) is a security tool designed to perform massive scans for GitHub Actions CI workflows and digest the discovered data into a Neo4j database. Queries are in the library/ folder.

Web Security

gotr00t0day/Gsec
By @gotr00t0day: A web security scanner that uses tools like Shodan, RapidDNS, Certsh, Waybackurls, and Nuclei for asset discovery, subdomain enumeration, old link fetching, HTTP security scanning, CMS misconfiguration detection, and vulnerability scanning.

HAR File Sanitizer
Upload an HTTP Archive (HAR) file and this web app will remove sensitive data client-side, without sending it off your device. This is what happened recently with Okta.

Cloud Security

A short note on AWS KEY ID
Tal Be’ery shares a Python script to decode an AWS account ID from an AWS access key ID, revealing that the account ID is base32 encoded and shifted by one bit within the key.

Orange-Cyberdefense/GOAD
By Orange Cyberdefense: A Game of Thrones-inspired intentionally vulnerable Active Directory lab project, to give security testers practice. I suspect HR would like to have a word with some of these AD users.

The security attendee’s guide to AWS re:Invent 2023
An overview of the security talks. Topics: sessions for security leaders, the role of generative AI in security, architecting and operating container workloads securely, zero trust, and managing identities and encrypting data.

Container Security

Securing attacks targeted at user or kernel level with KubeArmor & AWS Bottlerocket
AccuKnox describes how AWS Bottlerocket provides a secure foundation for host and worker nodes, and KubeArmor offers granular control over pods and applications, discussing scenarios like: blocking access to Kubernetes service account tokens, denying execution of certain processes, and enabling specific network primitives.

Blue Team

CVE Crowd
A web app that lists CVEs that are currently being discussed on Mastodon, by Konstantin.

Understanding and Improving The Ghidra UI for Malware Analysis
@embee_research share a few recommendations: enabling dark mode, cursor text highlighting, the entropy view window, the function call tree, the function graph, and disabling type casting.

FalconForceTeam/FalconHound
By FalconForce’s Olaf Hartong: A blue team multi-tool that allows you to utilize and enhance the power of BloodHound in a more automated fashion. It’s designed to be used in conjunction with a SIEM or other log aggregation tool. Unlike BloodHound, which takes a snapshot in time, FalconHound includes functionality to keep a graph of your environment up-to-date.

See also Olaf’s WWHackinFest slides about FalconHound here.

Red Team

nneonneo/ghidra-rickroll
TIL Ghidra automatically detects and renders image and audio files embedded in a binary, including GIFs. Robert Xiao shows how to do media insertion for rickrolling reverse engineers using Ghidra. Love it.

D00Movenok/BounceBack
By Georgii Gennadev: A highly customizable reverse proxy with WAF functionality, designed to hide red team operations from blue teams, sandboxes, and scanners, using real-time traffic analysis, IP filtering (includes known IT security vendors' IP pools), domain fronting, and other advanced features.

RoseSecurity-Research/WolfPack
WolfPack combines the capabilities of Terraform and Packer to streamline the deployment of red team redirectors on a large scale. It allows efficiently scaling out the creation and management of Apache redirectors, which mimic authentic websites.

Career

How To NOT Get Screwed As A Software Engineer
YC on how to get paid your worth as a technical person (I think this applies equally to security professionals), as a founder, early employee, or at a big FAANG-type company.

Machine Learning + Security

NSA Director Rob Joyce shares a meme about NSA + AI
And it involves Taylor Swift 😂 Apparently it’s Meme-tober.

ARPSyndicate/puncia
By Ayush Singh: A subdomain & exploit hunter powered by AI. Basically a wrapper around two APIs: Subdomain Center (uses Apache's Nutch, Calidog's Certstream, OpenAI's Embedding Models) & Exploit Observer (also uses Apache Nutch, which is a scalable, production-ready Web crawler).

This new data poisoning tool lets artists fight back against generative AI
A tool called Nightshade lets artists add small, pixel-level changes to their art to poison models trained on it- e.g. cause images of “dogs” to have too many limbs or cartoonish faces or look like cats instead. This attack would require tech companies to painstakingly find and delete each corrupted sample.

Analyzing the Security of Machine Learning Research Code
NVIDIA’s Joe Lucas shares findings from analyzing the 140GB of source code released in the Meta Kaggle for Code dataset, using manual analysis, TruffleHog, and Semgrep.

Primary findings: plaintext credentials, insecure deserialization (using pickle instead of ONNX), typos (packages could be typosquatted), and lack of adversarial robustness (not using tools like Adversarial RobustnessToolbox (ART), Counterfit).

Joe also released lintML, which wraps TruffleHog and Semgrep, and does other checks.

Machine Learning

Quicklinks

• Greg Rutkowski is one of the most common names included in AI-generated art prompts due to his beautiful fantasy artwork.

• MonsterAPI: A new platform that allows users to fine-tune open source LLMs without writing any code.

• Air.ai: AI agents for sales and customer service reps. “Can have 10-40 minute long phone calls that sound like a real human, with infinite memory, perfect recall, and can autonomously take actions across 5,000 plus applications. It can do the entire job of a full time agent without having to be trained, managed or motivated. It just works 24/7/365.”

• Javi Lopez prototyped a working pumpkin-themed Angry Birds clone using only Midjourney/DALL-E 3 for art and GPT-4 for the code. He shares the prompts and code.

petrgazarov/salami
By Petr Gazarov: A declarative domain-specific language for cloud infrastructure based on natural language descriptions. Uses GPT-4 to convert the natural language to Terraform.

How to Get Samantha from Her or TARS from Interstellar on Your iPhone/Android
Daniel Miessler on how OpenAI added high quality voices to ChatGPT and how you can easily start a 2-way conversation with iOS shortcuts.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler