
[tl;dr sec] #43 - Continuous AppSec Scanning, Threat Modeling, Career Advice from Feynman

How to continuously discover, monitor, and assess your web assets, threat modeling + agile, Richard Feynman on the problems you choose to tackle.

Hey there,

I hope you've been doing well!

šŸ•¶ļø Broken Vendor Shades Fashion Icon 

This was before COVID-19, but I remember it like it was yesterday. I was taking a walk and something magical happened.

I was wearing some vendor sunglasses that, like much of my wardrobe, I had received for free at a security conference. (I would buy clothes, but I keep all of my money in avocado toast-related index funds (AVTO), as they yield consistent 12% returns.)

Now, these vendor sunglasses unfortunately had one side of them broken off, the part that goes over your right ear, because I had dropped them. So the sunglasses were balancing on my left ear, my nose, and periodic cocks of my head to keep them aligned.

I was crossing the street when a guy also crossing looked over and said,

Those are some cold-ass shades man ✊

Grinning ear to ear, I thanked him, and went about my day. #NeverForget

Sponsor

📢 Security Monitoring by Datadog

Datadog's recently announced Security Monitoring product allows you to easily detect threats in real time across your applications, network, and infrastructure. Accelerate security investigations and break down silos between developers, security, and operations teams by correlating your threats, metrics, traces, and logs all in one place. Learn more about Datadog, sign up for a live demo and receive a free T-shirt.

📜 In this newsletter...

🔗 Links:

  • AppSec: The value of secure defaults and a list of some secure-by-default libraries

  • Threat Modeling: Making threat modeling and agile play nice and making security work visible

  • Cloud Security: Running your SaaS on the cheap, using G Suite with AWS SSO, Slack bot to give you AWS billing updates, tool to find over-privileged IAM users and roles

  • Kubernetes: Evaluating six static analysis tools that scan Kubernetes YAML files, diagrams explaining Kubernetes

  • Network Security: Passively discover active network hosts using ARP traffic

  • Red Team: Reverse shell over Slack, abusing GitLab runners

  • Politics / Privacy: Moxie on Signal PINs, privacy resources, thoughts on Trump being compromised by Russia

  • Misc: Free book on evidence-based software engineering

  • The Slack Social Network: Stratechery's reflections on Slack vs Teams

  • Do not remain nameless to yourself: Letter from Feynman to a former student on having a career and life you're proud of

📚 Reducing Our Attack Surface with AppSec Platform

Michael Whiteman describes a neat automation platform they've built that can continuously discover, monitor, and assess the security posture of web assets.

AppSec

A List of Secure Defaults
I think secure defaults / building a “paved road” for developers is one of the best ways to scale security. So naturally, I like this post by Abhay Bhargav. He also lists a number of useful secure by default libraries at the bottom, covering cryptography, client-side output encoding, input validation, and more.
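As an added illustration of what a secure default looks like in practice (my example, not code from Abhay's post or from any of the libraries it lists): a password-hashing helper where the algorithm, salt size and work factor are fixed by the module rather than chosen by the caller, verification is constant-time, malformed or oversized records never match, and records made with an older, weaker work factor are flagged for upgrade on next login. The iteration count is an illustrative value; set it from current guidance for your hardware.

```python
import base64
import hashlib
import hmac
import os

# Paved-road parameters. They are module constants on purpose: callers get the
# current default and have no knob for picking MD5, SHA-1 or a tiny iteration
# count. ITERATIONS is an illustrative value chosen for this example; raise it
# over time and let needs_rehash() drive the upgrade of old records.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 310_000
SALT_BYTES = 16
KEY_BYTES = 32
MAX_ITERATIONS = 10_000_000  # refuse absurd stored values that would pin a CPU


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a fixed output length (so digest lengths always agree)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)


def encode_record(iterations: int, salt: bytes, digest: bytes) -> str:
    """Self-describing record: algorithm$iterations$salt_b64$digest_b64."""
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def hash_password(password: str) -> str:
    """Hash with a fresh random salt and the current default work factor."""
    salt = os.urandom(SALT_BYTES)
    return encode_record(ITERATIONS, salt, derive_key(password, salt, ITERATIONS))


def parse_record(record: str):
    """Return (algorithm, iterations, salt, digest), or None if the record is malformed
    or its parameters are outside what this module accepts."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        digest = base64.b64decode(digest_b64, validate=True)
    except (ValueError, TypeError):
        return None
    if algorithm != ALGORITHM or not 1 <= iterations <= MAX_ITERATIONS:
        return None
    return algorithm, iterations, salt, digest


def verify_password(password: str, record: str) -> bool:
    """Constant-time comparison against the stored digest; bad records never match."""
    parsed = parse_record(record)
    if parsed is None:
        return False
    _, iterations, salt, digest = parsed
    return hmac.compare_digest(derive_key(password, salt, iterations), digest)


def needs_rehash(record: str) -> bool:
    """True when the record is malformed or was made with fewer iterations than today's default."""
    parsed = parse_record(record)
    return parsed is None or parsed[1] < ITERATIONS
```

The "paved road" property is that `hash_password` takes only the password: a developer cannot reach for a weaker primitive without leaving the helper, and `needs_rehash` gives the team a way to raise the work factor later without a migration.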

Threat Modeling

Using SAFe® to align cyber security and executive goals in an agile setting
Nicely detailed article by F-Secure on threat modeling effectively in agile dev environments. It discusses threat modeling at two different granularities: epic planning (higher level) and feature planning (more tactical, specific tasks to be done).

Though it may be tempting to create a security epic under which to add all security work, this should be avoided. Doing so would lead to work not being suitably prioritized, with security needs not explicitly linked to business value. Itā€™s possible that security requirements buried under their own security epic never get seen again by anyone in the business.

Instead of treating security and privacy aspects as non-functional requirements, the goal is to make them features and enablers in their own right. This forces product management to make explicit decisions when allocating developer time for functionality or security. Security over spending is kept in check as a result, whilst direct evidence of security work is proven through its ticketing.

Performing threat modelling within feature refinement. The team has either enough time for threat modelling here, or the features that require threat modelling are simple enough.

When threat modelling seems to take a lot of time, it can be pushed onto the Program Increment with all the development work. The threat modelling results may cause changes to the increment content, or the results can be just pushed on the backlog for later implementation.

Once threat modelling becomes the commonplace for epics and features, business and product management can expect to see that security and privacy are no longer costs and sources of schedule risks. Instead, security may be balanced with tasks that create immediate business value and that can be articulated in terms of customer value.

Key take-aways:

Security and privacy work need to be visible on backlogs. This visibility will make time allocation and relative priorities explicit and at the same time produce evidence of security work performed. It will also give the organization's security and privacy functions a way to follow up on the security activities without extra reporting.

Don't use non-functional requirements with security. Each security requirement needs to boil down into either a hard, functional requirement or an actual enabler.

Cloud Security

Our AWS bill is ~ 2% of revenue. Here's how we did it
Sankalp Jonna describes how their bootstrapped start-up kept costs low by choosing the right cloud products. Specifically: Lightsail instances instead of EC2, RDS, and ElastiCache (Redis), the built-in Shopify CDN instead of CloudFront, and self-hosted NGINX instead of ELB.

How to use G Suite as an external identity provider for AWS SSO
“You can grant access by assigning G Suite users to accounts governed by AWS Organizations. The user's effective permissions in an account are determined by permission sets defined in AWS SSO.”

galesky/aws-billing-slack-lambda
ā€œSimple AWS Lambda powered Slack bot that reports your AWS Costs for the current month to a channel.ā€

duo-labs/cloudtracker
Helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies. By Scott Piper.
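To make the cloudtracker idea concrete, here is an added example (my code, not cloudtracker's) that expands a constructed IAM policy's Allow and Deny patterns against a small constructed action catalog, maps constructed CloudTrail records to service:EventName pairs, and reports actions that are granted but never seen in use. It resolves role sessions to the role they were issued from, since CloudTrail logs an assumed-role ARN rather than the role ARN. Two caveats a real tool has to handle and this sketch does not: a management-events-only trail does not record S3 data events such as GetObject and PutObject, so for those "unused" really means "no evidence" unless data-event logging is on; and a few IAM action names do not match the eventName CloudTrail records for them. Resource and Condition elements are ignored; the account id and ARNs are hypothetical.

```python
import fnmatch
import json

# Constructed stand-in for the full AWS action list. A real tool loads the
# complete catalog; this subset is only what the sample policy can expand to.
ACTION_CATALOG = [
    "s3:CreateBucket", "s3:PutBucketPolicy", "s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
    "iam:ListUsers", "iam:CreateUser",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
]

# Constructed IAM policy attached to the role under review (hypothetical account id).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "iam:ListUsers"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# Constructed CloudTrail records, trimmed to the fields this comparison needs.
SAMPLE_EVENTS = json.loads("""[
  {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
   "userIdentity": {"type": "AssumedRole",
                    "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci-job-42",
                    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/deploy"}}}},
  {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
   "userIdentity": {"type": "AssumedRole",
                    "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci-job-42",
                    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/deploy"}}}},
  {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
   "userIdentity": {"type": "AssumedRole",
                    "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci-job-42",
                    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/deploy"}}}},
  {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}}
]""")


def principal_of(event: dict) -> str:
    """Role sessions log an assumed-role ARN; the role itself sits under sessionIssuer."""
    identity = event.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "")


def granted_actions(policy: dict, catalog=ACTION_CATALOG) -> set:
    """Expand Allow patterns (wildcards included) against the catalog, then remove explicit Denies."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        # IAM action matching is case-insensitive, so compare lower-cased forms.
        matched = {a for p in patterns for a in catalog if fnmatch.fnmatchcase(a.lower(), p.lower())}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(matched)
    return allowed - denied


def used_actions(events, principal_arn: str) -> set:
    """service:EventName pairs the principal actually called, lower-cased for matching."""
    used = set()
    for ev in events:
        if principal_of(ev) != principal_arn:
            continue
        service = ev["eventSource"].split(".")[0]  # "s3.amazonaws.com" -> "s3"
        used.add(f"{service}:{ev['eventName']}".lower())
    return used


def unused_actions(policy: dict, events, principal_arn: str) -> set:
    """Granted actions with no CloudTrail evidence of use: candidates for removal (see caveats)."""
    used = used_actions(events, principal_arn)
    return {a for a in granted_actions(policy) if a.lower() not in used}


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/deploy"
    print(sorted(unused_actions(SAMPLE_POLICY, SAMPLE_EVENTS, role)))
```

On the sample data the role is flagged for iam:ListUsers (granted, never called) and for s3:GetObject and s3:PutObject; the latter two are exactly the data-event case from the caveat above, so they should be treated as unknown rather than safely removable until data events are in the trail.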

Kubernetes

Validating Kubernetes YAML for best practice and policies
@Learnk8s article that compares six static analysis tools to validate and score Kubernetes YAML files for best practices and compliance: kubeval, kube-score, config-lint, copper, conftest and polaris.

cloudogu/k8s-diagrams
A collection of diagrams explaining Kubernetes (e.g. Deployment -> Pod -> Container, services, nodes, and pods, etc.). Written in PlantUML, so they're easy to edit.

Network Security

wintrmvte/Netenum
A tool to passively discover active hosts on a network by monitoring ARP traffic. Extracts basic data about each active host, such as IP address, MAC address and manufacturer.

Red Team

SierraTwo
A simple reverse shell over Slack.

Abusing GitLab Runners
Nick Frichette describes how GitLab runners work, and how if you gain access to a GitLab runner registration token, you may be able to access the source code of a project to which you do not have access, pilfer environment variables potentially gaining sensitive secrets, and more.

Politics / Privacy

Privacy Links by productsecuritygroup.com
Forums/Groups/News sites, law firm blogs, tools and methodologies, articles (“privacy by design”), and more.

Why I Believe Trump is Compromised by Russia
Too often I feel people have been getting caught up trying to concretely prove collusion. This post by Daniel Miessler asks, in my opinion, a much better question: “Are Trump's actions helping Putin's long-term plan to diminish the United States' position in the world?” From fighting with our allies, to bungling COVID-19, to pulling out of the WHO – again and again, it's making America less respected and influential in global politics.

Misc

Evidence-based Software Engineering
An ambitious (free) book that examines a massive number of studies about what factors and environments lead to effective software engineering.

Interesting Stratechery (Ben Thompson) article on Slack vs Microsoft Teams. Teams has likely surpassed Slack in Daily Active Users (DAU) due to a combination of factors: it's free (if you have a Microsoft 365 subscription), Microsoft has a massive sales team and partner network with which it shares subscription revenue for Azure and Office 365, and an ecosystem that all plays nicely together (OneDrive, Planner, …).

By virtue of doing everything, even if mediocrely, Microsoft is providing a whole that is greater than the sum of its parts, particularly for the non-tech workers that are in fact most of the market.

How does Slack double down on its advantages and stay differentiated? Shared channels, that enable easy communication between different companies.

"Slack Connect is about more than chat: not only can you have multiple companies in one channel, you can also manage the flow of data between different organizations; to put it another way, while Microsoft is busy building an operating system in the cloud, Slack has decided to build the enterprise social network."

Snippets from a letter by Richard Feynman to one of his former students.

Unfortunately your letter made me unhappy for you seem to be truly sad. It seems that the influence of your teacher has been to give you a false idea of what are worthwhile problems. The worthwhile problems are the ones you can really solve or help solve, the ones you can really contribute something to. A problem is grand in science if it lies before us unsolved and we see some way for us to make some headway into it. I would advise you to take even simpler, or as you say, humbler, problems until you find some you can really solve easily, no matter how trivial. You will get the pleasure of success, and of helping your fellow man, even if it is only to answer a question in the mind of a colleague less able than you. You must not take away from yourself these pleasures because you have some erroneous idea of what is worthwhile.

You met me at the peak of my career when I seemed to you to be concerned with problems close to the gods. But at the same time I had another Ph.D. Student (Albert Hibbs) whose thesis was on how it is that the winds build up waves blowing over water in the sea. I accepted him as a student because he came to me with the problem he wanted to solve. With you I made a mistake, I gave you the problem instead of letting you find your own; and left you with a wrong idea of what is interesting or pleasant or important to work on (namely those problems you see you may do something about).

I have worked on innumerable problems that you would call humble, but which I enjoyed and felt very good about because I sometimes could partially succeed.

No problem is too small or too trivial if we can really do something about it.

You say you are a nameless man. You are not to your wife and to your child. You will not long remain so to your immediate colleagues if you can answer their simple questions when they come into your office. You are not nameless to me. Do not remain nameless to yourself – it is too sad a way to be. Know your place in the world and evaluate yourself fairly, not in terms of your naïve ideals of your own youth, nor in terms of what you erroneously imagine your teacher's ideals are.

Michael Whiteman describes a neat automation platform they've built at WW (formerly Weight Watchers), that can continuously discover, monitor, and assess the security posture of web assets. Asset inventory FTW! 🤘

Here are some things I love about this approach:

  • You're getting a continuous, programmatic, up-to-date view of your attack surface, and can easily focus on the new and most risky apps.

  • New tools can easily be plugged in, so the AppSec Platform gets incrementally, progressively more useful over time.

  • Contextual info that the security team needs to assess a situation is grabbed automatically.

  • It integrates with the security team's existing tools and workflows (e.g. Slack).

1. Asset Discovery and Reconnaissance

Scanning tools (Amass, Subfinder) are deployed as Kubernetes jobs that run on schedules ranging from every five minutes to every hour, and their results feed into the AppSec Platform API.

New assets are particularly interesting, so the Product Security team is notified via a Slack message when a DNS record is discovered for the first time.

New assets are automatically screenshotted with Aquatone, fingerprinted with Wappalyzer to identify their tech stack, and port scanned with nmap.

2. Continuous Security Monitoring

Apps are then scanned for security issues that are easy to find and fix and that can be identified quickly at scale, including CORS or TLS misconfigurations, subdomain takeovers, exposed secrets, and content discovery / server misconfigurations.

The Product Security team receives a Slack alert for each identified issue and can triage it directly from Slack.

The issue database is updated automatically: triaging the Slack message records the decision, and issues the scanning tools no longer detect are marked as fixed.

3. Platform Dashboard

The Platform Dashboard provides CRUD operations and searching capabilities, so that team members can analyze and monitor data in real time, like:

  • What web apps are using a given third-party component or library?

  • Do any apps have potentially dangerous ports or services exposed? (e.g. anonymous FTP, ElastiCache, Redis, etc.)

  • Which apps are written in “non-standard” programming languages (e.g. PHP)?

We frequently consult the dashboard to identify potentially higher-risk applications and drive attack surface reduction with the appropriate teams.
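Here is an added example, written by me and not the WW AppSec Platform code (which the post does not publish), that sketches the three pieces of the pipeline above in one runnable script: first-seen detection over discovery output, one of the "easy to find and fix" checks (CORS misconfiguration) run over probe results, and issue reconciliation that opens new issues, re-opens regressions, auto-closes issues that are no longer detected, and leaves analyst-triaged issues alone. Hostnames, response headers and the probe origin are constructed; alerts are returned as strings where the real platform posts to Slack, and the in-memory `Inventory` class stands in for its database.

```python
# Constructed discovery output, standing in for two Amass/Subfinder runs.
DISCOVERY_RUN_1 = {"www.example.com", "api.example.com"}
DISCOVERY_RUN_2 = {"www.example.com", "api.example.com", "staging.example.com"}

# Constructed probe results: the response headers each host returned to a request
# carrying "Origin: https://evil.example" (the HTTP probe itself is not shown).
PROBE_ORIGIN = "https://evil.example"
PROBE_RUN_2 = {
    "www.example.com": {"Access-Control-Allow-Origin": "https://www.example.com"},
    "api.example.com": {"Access-Control-Allow-Origin": PROBE_ORIGIN,
                        "Access-Control-Allow-Credentials": "true"},
    "staging.example.com": {"Access-Control-Allow-Origin": "*"},
}
# Same hosts one run later: api.example.com now allow-lists a fixed origin.
PROBE_RUN_3 = {
    "www.example.com": {"Access-Control-Allow-Origin": "https://www.example.com"},
    "api.example.com": {"Access-Control-Allow-Origin": "https://app.example.com",
                        "Access-Control-Allow-Credentials": "true"},
    "staging.example.com": {"Access-Control-Allow-Origin": "*"},
}


def check_cors(headers: dict, probe_origin: str = PROBE_ORIGIN):
    """Return a finding string for a CORS misconfiguration, or None if the policy looks sane."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao == probe_origin and creds:
        # Any site can make credentialed requests and read the response.
        return "high: arbitrary Origin reflected with Access-Control-Allow-Credentials: true"
    if acao == "*" or acao == probe_origin:
        # Browsers refuse credentials here, so this only matters for responses that are
        # sensitive without cookies (e.g. behind an IP allow-list). Flag it as low.
        return "low: any origin may read the response (no credentials)"
    return None


class Inventory:
    """In-memory stand-in for the platform's asset and issue database."""

    def __init__(self):
        self.first_seen = {}  # host -> when the DNS name was first discovered
        self.issues = {}      # (host, check) -> {"status": ..., "detail": ...}

    def ingest_discovery(self, hosts, now):
        """Record hosts; return one alert per DNS name seen for the first time."""
        alerts = []
        for host in sorted(hosts):
            if host not in self.first_seen:
                self.first_seen[host] = now
                alerts.append(f"new asset: {host}")
        return alerts

    def triage(self, key, status):
        """Analyst decision from the Slack thread, e.g. 'accepted_risk' or 'false_positive'."""
        self.issues[key]["status"] = status

    def reconcile(self, findings, now):
        """findings: {(host, check): detail} for this run. Open (or re-open) issues for new
        detections, mark open issues that are no longer detected as fixed, and leave
        triaged issues exactly as the analyst set them without re-alerting."""
        alerts = []
        for key, detail in findings.items():
            issue = self.issues.get(key)
            if issue is None or issue["status"] == "fixed":
                self.issues[key] = {"status": "open", "detail": detail, "opened": now}
                alerts.append(f"{key[0]} [{key[1]}]: {detail}")
        for key, issue in self.issues.items():
            if issue["status"] == "open" and key not in findings:
                issue["status"] = "fixed"
                issue["fixed"] = now
        return alerts


def scan_and_reconcile(inventory: Inventory, probe_results: dict, now):
    """Run the CORS check over every probed host and feed the results to the issue store."""
    findings = {}
    for host, headers in probe_results.items():
        detail = check_cors(headers)
        if detail is not None:
            findings[(host, "cors")] = detail
    return inventory.reconcile(findings, now)


if __name__ == "__main__":
    inv = Inventory()
    print(inv.ingest_discovery(DISCOVERY_RUN_1, "2020-07-01"))  # two new assets
    print(inv.ingest_discovery(DISCOVERY_RUN_2, "2020-07-01"))  # staging.example.com is new
    print(scan_and_reconcile(inv, PROBE_RUN_2, "2020-07-01"))   # api (high) and staging (low)
    print(scan_and_reconcile(inv, PROBE_RUN_3, "2020-07-02"))   # nothing new; api marked fixed
    print({k: v["status"] for k, v in inv.issues.items()})
```

The reconciliation rule is the part worth copying: a check that fires again on a "fixed" issue re-opens it and re-alerts (regressions are the findings most worth knowing about), while an issue an analyst has marked accepted or false positive is never re-alerted even though the scanner keeps seeing it.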

āœ‰ļø Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them

🙏

Thanks for reading!

Cheers,

Clint