
[tl;dr sec] #227 - Securing GitHub Actions, State of DevSecOps, Paved Road Webinar

Tools to scan build pipelines & remove short-lived tokens, study by Datadog, join Jason Chan and me on the origin of Netflix's Paved Road

Hey there,

I hope you’ve been doing well!

🍦 Two Scoops, with a side of Feature Request

New #PeakBayArea level unlocked!

I was grabbing ice cream with a friend, and I was about to start complaining about Zapier.

How the Gmail action to create a draft response has been broken for over a year despite dozens of upvotes, how the API coverage for most integrations is minimal, etc.

But before I got into it, one of the only two other people in the store said, “Oh hey… I work at Zapier. I’d love to hear your feedback.”

She sat down next to me and we did a mini user interview 😂 She was super friendly!

Anywho, it’s hard to imagine the probability of mentioning a niche-ish SaaS app and having someone who works there be right next to you 🤯

(If you work at Zapier and want feedback, let me know.)

🛣️ Netflix’s Paved Road: The Origin Story

They say at the end of their life, people most regret the things they didn’t do.

Which is why you should text a family member or friend how much you appreciate them. I’ll wait to type the rest until you’re done… OK good.

Also, you should come hang out with Jason Chan, former VP of InfoSec at Netflix, and me next Thursday, April 25 at 10am PT.

Jason is one of the sharpest and most thoughtful security leaders I know, so it’s going to be chock full of insights on how to build a scalable security program, with lots of time for your questions. Hope to see you there!

⭐️ Join the Webinar ⭐️ 

Sponsor

📣 WorkOS: Enterprise-grade Auth for Modern SaaS Apps

WorkOS is a modern identity platform for leading B2B SaaS apps, providing a quicker path to land enterprise deals.

→ WorkOS supports both the foundational auth you need as well as more complex enterprise features like Single Sign-On (SSO), SCIM provisioning, and Audit Logs.

→ It provides flexible and easy-to-use APIs, helping companies like Vercel, Loom, and Webflow offer enterprise-grade auth.

→ WorkOS also features the Admin Portal that allows you to onboard IT teams to SSO in minutes.

→ And best of all, WorkOS User Management supports up to 1 million MAUs for free.

Your users, your data, maximum flexibility.

Used by Vercel, Loom and Webflow and free up to 1 million MAUs! 🤯


AppSec

tldrsec/awesome-secure-defaults
A collection of open source libraries to help you eliminate bug classes 🔥 Search by language to find everything applicable to your stack, or by bug class to get some inspiration for your own open-source endeavors. Libraries for: setting security HTTP headers, crypto, SSRF, CSRF, templating and sanitizing HTML, regexes, and more. Huge shout-out to Rami McCarthy for making it happen!

State of DevSecOps
Datadog shares their findings from tens of thousands of apps and container images and thousands of cloud environments, including:

  • 90% of Java services are vulnerable to 1+ critical or high severity vulnerabilities, vs an average of 47% for other languages.

  • At least 38 percent of organizations in AWS had used ClickOps in all their AWS accounts within a 14-day window preceding the writing of this study.

  • Most AWS orgs still use long-lived credentials in GitHub Actions (IAM users vs OIDC)

Kobold letters
Lutra Security's Konstantin Weddige coins the term for a security risk in HTML emails, in which CSS styling is used to include elements in the email that appear or disappear depending on the context in which the email is viewed. Examples are given against Thunderbird, Outlook, and Gmail that show how to create content that is only visible when the email is forwarded. Gmail is technically not vulnerable because it strips all styling from the email when forwarding it, but this just results in the "hidden" text appearing.

Using Nuclei Templates for Vulnerability Scanning
From Orca's Ofir Yakobi: A demonstration of how to use Nuclei to find vulnerabilities in cloud-hosted applications. Covers two examples: an SSRF in an Azure-hosted web application and an authentication bypass in a TeamCity CI/CD server. Nuclei's AI prompt feature was used to generate custom Nuclei templates for these vulnerabilities.

Sponsor

📣 Compete in a Lacework CTF Challenge

Join Lacework for a virtual Cloud Security Capture the Flag Challenge on May 15. You’ll have one hour to complete as many challenges as possible. Plus, the top 3 scorers will win a Valve Steam Deck. Spots are limited, so register now.

👉️ Register Now 👈️

Cloud Security CTF!? Win a Valve Steam Deck!? Let’s go! 🤘 

Cloud Security

Security Principles Stand the Test of Time
Stephen Haywood shares the series of questions he uses when securing a new infrastructure paradigm. The core principles: network segmentation, workload separation, user management, and access control.

awslabs/terraform-iam-policy-validator
A command line tool that validates AWS IAM Policies in a Terraform template against AWS IAM best practices, by running them through IAM Access Analyzer policy validation checks and (optionally) through IAM Access Analyzer custom policy checks.

IMDSv2 enforcement: coming to a region near you!
Christophe Tafani-Dereeper discusses two new AWS APIs that enable you to set default EC2 instance metadata options at the region level, such as enforcing IMDSv2 (to prevent SSRF), which you can also use via Terraform. Note that this only sets the defaults; to prohibit IMDSv1 outright you'd need an SCP or an explicit deny.
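Two defender-side pieces that follow from the caveat above, added here as an example and not code from the post or from AWS: an SCP that denies new launches unless the instance requires IMDSv2 tokens (using the `ec2:MetadataHttpTokens` condition key), and an audit over the response shape of `aws ec2 describe-instances` to find existing instances still accepting IMDSv1. The sample response is constructed.

```python
def imdsv2_scp():
    """SCP that denies ec2:RunInstances unless HttpTokens is 'required'.

    Region-level defaults only change what happens when the caller omits
    MetadataOptions; a caller who explicitly sets HttpTokens=optional still
    gets IMDSv1. This explicit Deny closes that gap for every account the
    SCP is attached to.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyIMDSv1Launch",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringNotEquals": {"ec2:MetadataHttpTokens": "required"}
            },
        }],
    }


def find_imdsv1_instances(describe_instances_response):
    """Return ids of instances whose metadata endpoint still accepts IMDSv1.

    An instance is only reachable over IMDSv1 when the endpoint is enabled
    AND tokens are not required, so a disabled endpoint is not reported.
    """
    offenders = []
    for reservation in describe_instances_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                offenders.append(inst["InstanceId"])
    return offenders


# Constructed sample in the describe-instances response shape (not real data).
SAMPLE_RESPONSE = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0example000000001",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-0example000000002",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
        {"InstanceId": "i-0example000000003",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
    ]}],
}
```

Run the audit against the real response from `boto3` (`ec2.describe_instances()`) in each region; the sample above flags only the first instance.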

Sponsor

📈Attacks targeting infrastructure increased by 75% YoY in 2023 

With comprehensive analysis backed by the latest 2023 Data Breach Investigations and insights from leading cybersecurity experts, this "Changing the Paradigm: Modernizing Secure Access to Infrastructure” white paper by IAM analyst Jack Poller serves as a critical guide for IT professionals and DevOps teams aiming to reinforce their infrastructure against identity-based threats.

👉️ Download PDF 👈️

Supply Chain

OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt
The JavaScript ecosystem has noticed several attempts to take over projects, similar to the social-engineering campaign behind the XZ Utils backdoor. This may indicate a broader campaign.

The end of GitHub PATs: You can’t leak what you don’t have
Chainguard's Matt Moore describes how they were able to replace their usage of long-lived GitHub Personal Access Tokens (PATs) with short-lived credentials across several GitHub organizations managed by Chainguard. To eliminate the need for the long-lived creds, they created the GitHub App Octo STS to act as a “Security Token Service” (STS) for GitHub credentials.

Unveiling 'poutine': An Open Source Build Pipelines security scanner
Boost Security announces poutine, an open source security scanner CLI you can use to detect misconfigurations and vulnerabilities in build pipelines. It currently has ~12 rules targeting GitHub Actions workflows and GitLab pipelines.

Poutine can also create an inventory of build-time dependencies so you can track known vulnerabilities (CVEs), and they’ve released MessyPoutine, a “goat project” for GitHub Actions designed as a Capture The Flag contest where you can exploit workflows.

Fixing Typos and Breaching Microsoft’s Perimeter
John Stawinski and Adnan Khan continue to slay. In this case, they found a Microsoft repo that used a domain-joined workstation as a non-ephemeral, self-hosted runner on the public DeepSpeed repo. They fixed a typo in the repo → got RCE on a machine joined to Microsoft’s largest Active Directory domain with the privileges of a Microsoft Senior Developer. MSRC rewarded them with… $0.

I have incredibly smart and talented friends working at Microsoft who I respect highly, but given the past few years, I feel like using O365/AD/Azure is like smoking: 20+ years ago it was common and accepted, maybe even cool, but nowadays feels a bit negligent.
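A minimal, poutine-style scanner for the two GitHub Actions patterns that recur in this issue (the Datadog finding on long-lived AWS keys instead of OIDC, and the self-hosted runner reachable from pull requests in the DeepSpeed write-up), added here as an example and not code from poutine, Datadog, or the researchers. Both workflow files are constructed samples; the hardened one shows the OIDC shape with `aws-actions/configure-aws-credentials`.

```python
import re

# Constructed sample (not from any real repo): long-lived AWS keys plus a
# self-hosted runner on a workflow that pull requests can trigger.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  deploy:
    runs-on: [self-hosted, linux]
    steps:
      - env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: aws s3 sync ./dist s3://example-bucket
"""
# Hardened counterpart: GitHub-hosted runner, push-only trigger, and OIDC
# federation into an IAM role instead of stored IAM user keys.
FIXED_WORKFLOW = """\
name: ci
on:
  push:
permissions:
  id-token: write
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/example-deploy
          aws-region: us-east-1
      - run: aws s3 sync ./dist s3://example-bucket
"""
# Line-oriented checks; assumes pull_request keys only appear under "on:".
LONG_LIVED_KEY = re.compile(r"secrets\.AWS_(SECRET_)?ACCESS_KEY(_ID)?\b")
PR_TRIGGER = re.compile(r"^\s*pull_request(_target)?:", re.M)
SELF_HOSTED = re.compile(r"^\s*runs-on:.*self-hosted")

def scan_workflow(text):
    """Return a list of (rule_id, line_number) findings for one workflow."""
    findings = []
    pr_triggered = bool(PR_TRIGGER.search(text))
    for lineno, line in enumerate(text.splitlines(), start=1):
        if LONG_LIVED_KEY.search(line):
            findings.append(("LONG_LIVED_AWS_KEY", lineno))
        if pr_triggered and SELF_HOSTED.match(line):
            findings.append(("SELF_HOSTED_RUNNER_ON_PR", lineno))
    return findings
```

Point it at `.github/workflows/*.yml` across an org to get a first inventory; a real scanner would parse the YAML rather than match lines.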

Blue Team

cgosec/Blauhaunt
A tool collection for filtering and visualizing logon events. Designed to help answer the "Cotton Eye Joe" question (where did you come from, where did you go) in security incidents and threat hunts.

CISA Releases Malware Next-Gen Analysis System for Public Use
CISA has released its threat hunting and internal malware analysis system, Malware Next-Gen, for public use, enabling organizations to submit malware samples and suspicious artifacts for automated analysis. The system uses both static and dynamic analysis tools and insights are shared with CISA partners.

Implementing a Modern Detection Engineering Workflow (Part 1)
In this three-part blog series, Dan Lussier shares his methodology for implementing an automated Detection Engineering workflow to manage detection rules in Chronicle Security Operations.

Tools used: Ludus, a system to build easy-to-use cyber “ranges”; Detection Framework, a structured resource to build repeatable documentation for detections; SSDT, a tool to execute tests on any OS to generate logs and test detection and alerting capabilities; and more.

Red Team

bcoles/kasld
Kernel Address Space Layout Derandomization (KASLD) - A collection of various techniques to infer the Linux kernel base virtual address as an unprivileged local user, for the purpose of bypassing Kernel Address Space Layout Randomization (KASLR).

The-Z-Labs/linux-exploit-suggester
A Linux privilege escalation auditing tool that can a) assess the current kernel’s exposure to publicly known exploits and b) verify the state of its hardening security measures, checking not only the kernel compile-time configuration (CONFIGs) but also the run-time settings (sysctl).

Evilginx 3.3 - Go & Phish
Kuba Gretzky announces the latest Evilginx updates, including that it now has an official integration with GoPhish, so you can create phishing campaigns for sending emails with valid Evilginx lure URLs and enjoy all the benefits of GoPhish's lovely UI, seeing which emails were opened, which lure URLs were clicked and which clicks resulted in successful session capture.

EvilGophish’s Approach to Advanced Bot Detection with Cloudflare Turnstile
Dylan Evans shares quite the diabolical idea: when you’re running a phishing campaign, you don’t want automated agents from security scanners noticing and reporting your infrastructure. So, he describes how to use Cloudflare Turnstile, an anti-bot product, to detect and block security bots from your phishing infrastructure 😂 Protecting your malicious infra via a “defense” tool!

AI + Security

NSA Publishes Guidance for Strengthening AI System Security
The NSA has published a new 12 page whitepaper, Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems. Honestly, mostly fairly obvious stuff in my opinion 🤷 

Azure/Copilot-For-Security
Azure has open sourced a number of resources related to Microsoft’s Copilot for Security, including customer guides, Logic Apps, Plugins, sample prompts, promptbook samples, and technical workshops.

The Power of Artificial Intelligence - From Search to Detection Rule at Light Speed
Google’s David Nehoda walks through several examples of starting with a natural language query (e.g. English) to Chronicle SIEM and then generating a concrete rule from it, as well as important considerations and potential enhancements for each. Examples: find large network data transfers, Bitcoin mining in AWS, GCP Cloud SQL Admin usage, and detecting traffic to known bad actors in other countries.

Misc

“The advertising technology ecosystem is the largest information-gathering enterprise ever conceived by man.”

“After acquiring a data set on Russia, the team realized they could track phones in the Russian president Vladimir Putin’s entourage (drivers, security personnel, political aides). As a result, PlanetRisk knew where Putin was going and who was in his entourage.”

“Even if you’re just a private citizen. I’m here to tell you if you’ve ever been on a dating app that wanted your location or if you ever granted a weather app permission to know where you are 24/7, there is a good chance a detailed log of your precise movement patterns has been vacuumed up and saved in some data bank somewhere that tens of thousands of total strangers have access to. That includes intelligence agencies. It includes foreign governments. It includes private investigators. It even includes nosy journalists.”

For a few $100K’s/month, you can buy a global feed of (nearly) every phone on earth. For reference, the U.S. 2020 intelligence budget was $62.7B.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler