🛣 Webinar: Jason Chan & the Paved Road

I’ve been a fan of Jason Chan (former VP of InfoSec at Netflix) and the Netflix security team for years.

Building security into the libraries, frameworks, and overall development process is a core focus of almost every forward-thinking security team I've spoken with recently.

So I’m thrilled to be hosting a live webinar with Jason on April 25th at 10am PT. We’ll discuss:

• Lessons learned from being the first security executive at VMware to tackling cloud security at Netflix

• How Paved Road is a philosophy and the Paved Road continuum

• Neflix's core security principles

There’ll be plenty of time for questions, so join us and ask about whatever is most pressing and useful to you.

Hope to see you there!

🔥 Announcing: awesome-secure-defaults

Speaking of! More than (almost) anything in security, I'm a fan of secure defaults and killing bug classes 😍 

That's why I worked with my bud Rami McCarthy to put together this GitHub repo compiling all the great libraries out there that do just that.

Search by language to find everything applicable to your stack, or by bug class to get some inspiration for your own open-source endeavors.

Libraries for: setting security HTTP headers, crypto, SSRF, CSRF, templating and sanitizing HTML, regexes, handling tar and zip archives, XML, or SVGs, and more!

Check it out and let us know what you think! Contributions welcome 🙏

https://github.com/tldrsec/awesome-secure-defaults

Shout-out to Shawn Webb and Neil Matatall for already contributing PRs!

Sponsor

📣 The Security Leaders Handbook

Practical steps to secure your cloud. 

As organizations continue to adopt more cloud technologies, security teams are left grappling with how to protect their apps and data in the cloud. We created the Security Leaders Handbook: The Strategic Guide to Cloud Security to help answer the biggest questions when it comes to securing everything you build and run in the cloud.  

In this guide, you’ll learn:  

• Practical steps to achieve cloud security maturity  

• Best practices to extend the reach of your security team 

• How to transform processes to scale for cloud adoption 

• Ways to ensure secure code development  

AppSec

klarna-incubator/gram
Klarna's Secure Development team open-sourced this very polished looking threat model diagramming tool. It's a web app with collaborative editing, automatic suggestions for threats and controls based on your tech stacks, and integrations with Okta and Jira.

How I Tripped Over the Debian Weak Keys Vulnerability
Matt Palmer takes us back to March 2008, and his experience with CVE-2008-0166 - where for ~18 months, the Debian OpenSSL package was generating entirely predictable private keys. Fascinating look at some behind the scenes GitHub context.

Also: “I thought I’d share it as a tale of how ‘huh, that’s weird’ can be a powerful threat-hunting tool – but only if you’ve got the time to keep pulling at the thread.”

Brex’s Josh Liburdi on Buy vs Build
“Building many of your most critical security solutions in-house can have major repercussions later (in reality, probably impacting your successors). MVP is easy, but building reliable solutions that can grow with the org and be maintained for years is difficult. IMO even the biggest and most skilled teams should rely on COTS / vendor solutions for most of their tech stack; if you do that, then you can focus engineering efforts on new problems that aren’t yet solved.” Nice discussion in the thread.

Fighting cookie theft using device bound sessions
Google is starting to prototype Device Bound Session Credentials (DBSC), which can mitigate cookie theft by binding authentication sessions to specific devices. Cookie-theft can be particularly impactful, given that attackers then have access post-login, one of the few places strong multi-factor authentication doesn't help. Of course, attackers can still exploit compromised sessions, but they'll have to do so on-device where you have additional detection opportunities. The DBSC API allows a server to associate a session with a public key, verifying proof-of-possession of the private key throughout the session lifetime, and uses non-exportable keys (e.g stored in Trusted Platform Modules (TPMs)).

This is an excellent example of systematic efforts to eliminate entire vulnerability or attack classes, and raising the bar of an ecosystem. Love it!

Sponsor

📣 WorkOS: Enterprise-grade Auth for your B2B SaaS App

WorkOS is the only auth solution your B2B SaaS app needs to start selling to enterprises.

→ WorkOS supports both the foundational auth you need as well as more complex enterprise features like single sign-on (SSO).

→ It provides flexible and easy-to-use APIs, helping companies like Vercel, Loom, and Webflow offer enterprise-grade auth.

→ WorkOS also features the Admin Portal that streamlines the onboarding experience for your customers' IT teams, saving your engineers hours of troubleshooting.

→ And best of all, WorkOS User Management supports up to 1 million MAUs for free.

Your users, your data, maximum flexibility.

Implementing auth and SSO can be a pretty big pain. Might review this for something I’ve been thinking about 🤔 

Cloud Security

ekristen/libnuke
Erik Kristensen took his fork of aws-nuke, rewrote it in Go, factored out the core into libnuke, and then used that to ship azure-nuke! aws-nuke is super handy for managing sandbox accounts, as it lets you lets you remove all resources.

Open-source cloud Certificate Authority
Q-Solution's Paul Schwarzenberger announces serverless-ca, an open-source AWS Private CA at 0.5% the cost. Totally serverless, it uses KMS for private key storage, and offers a public Terraform module for easy installation and configuration.

ovotech/cloud-key-rotator
By OVOEnergy: A Golang program that helps manage AWS and GCP service account key rotation. Supports keys in a ton of locations: Atlas, CircleCI, Datadog, GCS, Git, GitHub secrets, GoCD, GKE, SSM, and AWS Secrets Manager. It can be set to an audit mode, where it just posts key ages to the Datadog metric API.

aws_organizations_migration_notes.md
By Houston Hopkins: It's common to end up stuck in AWS with a "bad" management account, especially if your Organization was set up a while ago. Unfortunately, once set it's a pain to change which account is the management account. This gist offers a braindump of how to navigate the process, from someone who has been there. Covers IAM, Billing, timing, security controls, and much more.

Career

How Ryan Peterman went from Junior to Staff in 3 years at Meta: ownership mindset, focusing on impact, project success.

Everything I Learned to Negotiate Your Salary - Some solid tips and a nice overview by Chloe Shih

Google Cloud Skills Boost
The "Security Engineer Learning Path," direct from Google Cloud, is a great 14 part course on GCP security. You can use the 30 day free trial to learn GCP basics, networking, security best practices, and the most common GCP services.

How to make $1M, $5M, or $10M+ in Silicon Valley
Maven’s Gagan Biyani shares a number of archetypes he’s observed, including: The Startup Career Climber, The Small Business Owner, The High Flying Startup Career Climber, The IC Engineer, The Failed Founder, The Lucky Duck.

Incident Responder Interview Questions
A collection of IR interview questions and answers by LetsDefend covering network analysis, event log analysis, digital forensics, incident response, and more. From the same team as the (previously shared) SOC-Interview-Questions repo.

Blue Team

target/goalert
An open-source on-call and alerting platform, with super active development. Supports: scheduling, automated escalations; triggering alerts via API endpoint, email, Grafana, Prometheus, etc.; delivering notifications via SMS and Voice using Twilio, email using Mailgun, or Slack.

k1nd0ne/VolWeb
By k1nd0ne: A web application that wraps and visualizes the Volatility 3 framework. Includes automatic processing and extraction of artifacts. Offers a centralized portal for memory collection and forensic analysis, for incident responders and digital forensics investigators.

Unraveling SIEM Correlation Techniques
By Panther’s Jack Naglieri: A review of the kinds of SIEM correlation rules, and how to develop them. Uses Okta Brute Force as an example, as well as Elastic’s open-source detection-rules repository. Covers:

• Atomics: single technique and log source

• Sequential: actions in order within a time frame

• Temporal: set of actions in any order within a time frame

Red Team

GraphSpy – The Swiss Army Knife for Attacking M365 & Entra
By Spotit's Keanu Nys: GraphSpy helps you perform Device Code phishing, and then post-compromise activities against Office365 applications with the resultant access token. Visually browse compromised user content in Sharepoint and OneDrive, access Outlook directly, use the Microsoft Search API, and even extend the tool with custom API request templates.

Adventures in Stegoland
Steganography (hiding shellcode in an image) has been used in malware for at least a decade. This post walks through a proof of concept of loader using steganography, and tests it against default Microsoft Defender for Endpoint and "another top tier EDR." Sorry to report: the payload was not blocked and no alerts were generated. By Tier Zero Security's Claudio Contin.

c6fc/npk
By Brad Woodward: A distributed hash-cracking platform built entirely of serverless components in AWS including Cognito, DynamoDB, and S3. Features include an intuitive campaign builder, campaign price and coverage estimates, max price enforcement and runaway instance protection, and more.

AI + Security

Measuring the Persuasiveness of Language Models
Study by Anthropic that found a general scaling trend (as models get larger and more capable, they become more persuasive), and Claude 3 Opus is roughly as persuasive as humans. What could go wrong? 😅

AIxCC Semifinal Competition
DARPA’s AI cyber challenge, an open competition for participants to build AI systems that can autonomously find and fix vulnerabilities, have finalized their procedures and scoring guide, and have released a Linux Exampler Challenge Project on GitHub. Congrats to Shellphish, Trail of Bits, and the other Small Business Track winners 🙌 

The DL on LLM Code Analysis
Excellent 🔥 CanSecWest 2024 talk by Richard Johnson providing an overview of deep learning (model architectures, tokenizers, embeddings), retrieval augmented generation (RAG), and applying AI to reverse engineering, fuzzing, solving CTF challenges, autonomously testing websites, code analysis, threats against AI systems and tools, and more.

Wiz identifies critical risks in AI-as-a-Service platforms
By Shir Tamari & Sagi Tzadik: Wiz continues their rampage of cross-tenant attack on cloud service providers. In this case, they found that by uploading a malicious pickle file to Hugging Face's Inference offering, they could leverage the code execution within the backend AWS EKS environment to gain the node's role via IMDS, which they could use to retrieve secrets and move laterally.

They also found an issue in Hugging Face Spaces, where they could use a malicious Dockerfile to execute commands in the build environment (the RUN instruction), which revealed use of a multi-tenant container registry in which they could overwrite other customers' images.

💡 Note that other than the malicious Pickle file, most of these vulns/attack steps are non-AI specific, standard known security issues (aka this is a high impact example of applying known attack techniques to new targets). Given the speed of innovation of most AI companies, I expect there are many places where shaking the tree hard enough will cause critical vulns to fall out.

Misc

• After AI beat them, professional Go players got better and more creative

• Google Colab notebook that uses Claude to generate Magic Cards

• Tim Urban (What But Why) on the Eclipse

• Linux tools to use during a crisis

• Infographic: 15 methods to master your time. Pomodoro, Eisenhower Matrix, 2 minute rule, etc.

• HN’s favorite 404 pages

• A GitHub Action that when triggered will order a pizza from Domino’s

• Oh My Git! - An open source game about learning git.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler