[tl;dr sec] #43 - Continuous AppSec Scanning, Threat Modeling, Career Advice from Feynman
How to continuously discover, monitor, and assess your web assets, threat modeling + agile, Richard Feynman on the problems you choose to tackle.
I hope you've been doing well!
🕶️ Broken Vendor Shades Fashion Icon
This was before COVID-19, but I remember it like it was yesterday. I was taking a walk and something magical happened.
I was wearing some vendor sunglasses that, like much of my wardrobe, I had received for free at a security conference. (I would buy clothes, but I keep all of my money in avocado toast-related index funds (AVTO), as they yield consistent 12% returns.)
Now, these vendor sunglasses unfortunately had one side of them broken off, the part that goes over your right ear, because I had dropped them. So the sunglasses were balancing on my left ear, my nose, and periodic cocks of my head to keep them aligned.
I was crossing the street when a guy also crossing looked over and said,
Grinning ear to ear, I thanked him, and went about my day. #NeverForget
📢 Security Monitoring by Datadog
Datadog's recently announced Security Monitoring product allows you to easily detect threats in real time across your applications, network, and infrastructure. Accelerate security investigations and break down silos between developers, security, and operations teams by correlating your threats, metrics, traces, and logs all in one place. Learn more about Datadog, sign up for a live demo and receive a free T-shirt.
📜 In this newsletter...
AppSec: The value of secure defaults and a list of some secure-by-default libraries
Threat Modeling: Making threat modeling and agile play nice and making security work visible
Cloud Security: Running your SaaS on the cheap, using G Suite with AWS SSO, Slack bot to give you AWS billing updates, tool to find over-privileged IAM users and roles
Kubernetes: Evaluating six static analysis tools that scan Kubernetes YAML files, diagrams explaining Kubernetes
Network Security: Passively discover active network hosts using ARP traffic
Red Team: Reverse shell over Slack, abusing GitLab runners
Politics / Privacy: Moxie on Signal PINs, privacy resources, thoughts on Trump being compromised by Russia
Misc: Free book on evidence-based software engineering
The Slack Social Network: Stratechery's reflections on Slack vs Teams
Do not remain nameless to yourself: Letter from Feynman to a former student on having a career and life you're proud of
📚 Reducing Our Attack Surface with AppSec Platform
Michael Whiteman describes a neat automation platform they’ve built that can continuously discover, monitor, and assess the security posture of web assets.
A List of Secure Defaults
I think secure defaults / building a “paved road” for developers is one of the best ways to scale security. So naturally, I like this post by Abhay Bhargav. He also lists a number of useful secure by default libraries at the bottom, covering cryptography, client-side output encoding, input validation, and more.
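To make the "paved road" idea concrete, here is a small added example (mine, not code from Abhay Bhargav's post or the libraries it lists) of what a secure-by-default output-encoding helper looks like next to its insecure-by-default twin. The `render` and `Safe` names are hypothetical; the point is that the safe path needs no thought from the developer, while opting out requires an explicit, greppable marker.

```python
import html
from string import Template


class Safe(str):
    """Marker type: content the caller vouches for as already-escaped HTML."""


def render(template: str, **values) -> str:
    """Secure-by-default rendering: every value is HTML-escaped unless the
    caller wrapped it in Safe(). (Hypothetical helper for this example.)"""
    escaped = {
        key: (val if isinstance(val, Safe) else html.escape(str(val), quote=True))
        for key, val in values.items()
    }
    return Template(template).substitute(escaped)


def render_unsafe(template: str, **values) -> str:
    """The insecure-by-default equivalent: raw interpolation, shown for contrast."""
    return Template(template).substitute({k: str(v) for k, v in values.items()})


# Constructed input: what an attacker-controlled display name might contain.
PAYLOAD = '<img src=x onerror="alert(1)">'

if __name__ == "__main__":
    # Developer forgets to escape: markup lands in the page as-is.
    print(render_unsafe("<p>Hi $name</p>", name=PAYLOAD))
    # Same call on the paved road: the markup is neutralised without any extra step.
    print(render("<p>Hi $name</p>", name=PAYLOAD))
    # Opting out is visible in code review because it needs the Safe() marker.
    print(render("<div>$widget</div>", widget=Safe("<b>trusted</b>")))
```

The design choice worth copying is that the escaping lives in the library, not in a reviewer's memory: a grep for `Safe(` lists every place where trust was asserted, which is a far shorter list than every place where a string is interpolated.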
Using SAFe® to align cyber security and executive goals in an agile setting
Nicely detailed article by F-Secure on threat modeling effectively in agile dev environments. It discusses threat modeling at two different granularities: epic planning (higher level) and feature planning (more tactical, specific tasks to be done).
Performing threat modelling within feature refinement. The team has either enough time for threat modelling here, or the features that require threat modelling are simple enough.
When threat modelling seems to take a lot of time, it can be pushed onto the Program Increment with all the development work. The threat modelling results may cause changes to the increment content, or the results can be just pushed on the backlog for later implementation.
Our AWS bill is ~ 2% of revenue. Here’s how we did it
Sankalp Jonna describes how their bootstrapped start-up kept costs low by choosing the right cloud products. Specifically: Lightsail instances instead of EC2, RDS, and ElastiCache (Redis), using the built-in Shopify CDN instead of CloudFront, self-hosted NGINX instead of ELB.
How to use G Suite as an external identity provider for AWS SSO
“You can grant access by assigning G Suite users to accounts governed by AWS Organizations. The user’s effective permissions in an account are determined by permission sets defined in AWS SSO.”
“Simple AWS Lambda powered Slack bot that reports your AWS Costs for the current month to a channel.”
Validating Kubernetes YAML for best practice and policies
@Learnk8s article that compares six static analysis tools to validate and score Kubernetes YAML files for best practices and compliance: kubeval, kube-score, config-lint, copper, conftest and polaris.
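The tools compared in that article all boil down to the same pattern: walk the parsed manifest, apply a set of best-practice rules to each container, and report or score the result. The added example below (mine, not code from Learnk8s or any of the six tools) implements a handful of such rules in plain Python. The manifest is constructed and embedded as the dict that `yaml.safe_load()` would return, so the example runs without PyYAML; the rule set and the scoring scheme are my own simplified choices, not any tool's actual policy.

```python
# Constructed Deployment manifest, written as the dict that yaml.safe_load()
# would return for the YAML file, so the example runs without PyYAML installed.
MANIFEST = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {   # everything wrong at once
            "name": "app",
            "image": "example/app:latest",
            "securityContext": {"privileged": True},
        },
        {   # the hardened shape the rules are looking for
            "name": "sidecar",
            "image": "example/sidecar:1.4.2",
            "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True},
            "resources": {"limits": {"cpu": "500m", "memory": "128Mi"}},
        },
    ]}}},
}


def pod_spec(manifest):
    """Return the pod spec for a bare Pod or for a workload (Deployment, etc.)."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def image_is_pinned(image):
    """Pinned means a digest, or an explicit tag other than :latest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]          # ignore a registry host:port prefix
    return ":" in last and not image.endswith(":latest")


def check_container(container):
    """Apply the rules to one container; return human-readable findings."""
    sc = container.get("securityContext", {})
    findings = []
    if sc.get("privileged"):
        findings.append("privileged container")
    if not sc.get("runAsNonRoot"):
        findings.append("runAsNonRoot not set")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append("root filesystem writable")
    if not container.get("resources", {}).get("limits"):
        findings.append("no resource limits")
    if not image_is_pinned(container.get("image", "")):
        findings.append("image not pinned (missing tag or :latest)")
    return [f"{container['name']}: {f}" for f in findings]


def check_manifest(manifest):
    findings = []
    for container in pod_spec(manifest).get("containers", []):
        findings.extend(check_container(container))
    return findings


def score(manifest, per_finding=10):
    """Simplified kube-score-style number: 100 minus a fixed penalty per finding."""
    return max(0, 100 - per_finding * len(check_manifest(manifest)))


if __name__ == "__main__":
    for finding in check_manifest(MANIFEST):
        print(finding)
    print("score:", score(MANIFEST))
```

Running it flags only the `app` container (five findings, score 50) and passes `sidecar`, which is the shape of output you should expect from the real tools; the difference between them is mostly which rules ship by default and whether you can write your own (conftest and config-lint) or are limited to the built-in set.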
A tool to passively discover active hosts on a network by monitoring ARP traffic. Extracts basic data about each active host, such as IP address, MAC address and manufacturer.
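The mechanism behind that kind of tool is simple enough to show end to end: ARP requests are broadcast and carry the sender's MAC and IP pair, so a listener can inventory live hosts without transmitting anything. The added example below (mine, not the linked tool's code) parses constructed Ethernet/ARP frames, skips ARP probes whose sender IP is 0.0.0.0, and keeps a first-seen table with a vendor lookup. The `OUI` table is a constructed stand-in for the IEEE registry.

```python
import struct
from collections import namedtuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

Host = namedtuple("Host", "ip mac vendor")

# Constructed OUI table (first three octets of the MAC -> manufacturer). A real
# tool would load the IEEE OUI registry; this is a stand-in for the example.
OUI = {"00:50:56": "VMware, Inc.", "b8:27:eb": "Raspberry Pi Foundation"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(oper, sha, spa, tha, tpa):
    """Assemble Ethernet + ARP bytes; used here only to construct sample traffic."""
    dst = tha if oper == ARP_REPLY else b"\xff" * 6          # requests are broadcast
    eth = struct.pack("!6s6sH", dst, sha, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)
    return eth + arp


def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, mac_str(sha), ".".join(str(b) for b in spa)


class PassiveInventory:
    """Builds a host list from ARP sender fields without sending a single packet."""

    def __init__(self):
        self.hosts = {}                                     # (ip, mac) -> Host

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        _oper, mac, ip = parsed
        # Requests and replies both carry the sender's address pair, so either
        # proves the sender is up. An ARP probe (RFC 5227) has sender IP 0.0.0.0
        # and says nothing about the host's address yet, so it is skipped.
        if ip == "0.0.0.0":
            return None
        key = (ip, mac)
        is_new = key not in self.hosts
        self.hosts[key] = Host(ip, mac, OUI.get(mac[:8], "unknown"))
        return self.hosts[key], is_new


# Constructed capture: a request, the matching reply, an IPv4 (non-ARP) frame,
# a repeat of the first request, and an ARP probe from a host with no address yet.
_VM, _VM_IP = bytes.fromhex("005056aabbcc"), bytes([192, 168, 1, 10])
_PI, _PI_IP = bytes.fromhex("b827eb112233"), bytes([192, 168, 1, 1])
_NEW = bytes.fromhex("001122334455")
CAPTURE = [
    build_arp_frame(ARP_REQUEST, _VM, _VM_IP, b"\x00" * 6, _PI_IP),
    build_arp_frame(ARP_REPLY, _PI, _PI_IP, _VM, _VM_IP),
    struct.pack("!6s6sH", _PI, _VM, 0x0800) + b"\x00" * 28,
    build_arp_frame(ARP_REQUEST, _VM, _VM_IP, b"\x00" * 6, _PI_IP),
    build_arp_frame(ARP_REQUEST, _NEW, bytes(4), b"\x00" * 6, bytes([192, 168, 1, 50])),
]


def run_capture(frames):
    """Feed frames through the inventory; return (inventory, hosts in first-seen order)."""
    inv = PassiveInventory()
    new_hosts = []
    for frame in frames:
        result = inv.observe(frame)
        if result and result[1]:
            new_hosts.append(result[0])
    return inv, new_hosts


if __name__ == "__main__":
    _, hosts = run_capture(CAPTURE)
    for host in hosts:
        print(f"{host.ip:<15} {host.mac}  {host.vendor}")
```

On a real interface you would replace `CAPTURE` with frames from a raw socket or pcap; because nothing is transmitted, this is a safe way to keep a device inventory on segments where active scanning is unwelcome, and a host whose MAC or vendor has never been seen before is a reasonable trigger for an alert.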
A simple reverse shell over Slack
Abusing GitLab Runners
Nick Frichette describes how GitLab runners work, and how if you gain access to a GitLab runner registration token, you may be able to access the source code of a project to which you do not have access, pilfer environment variables potentially gaining sensitive secrets, and more.
Politics / Privacy
Privacy Links by productsecuritygroup.com
Forums/Groups/News sites, law firm blogs, tools and methodologies, articles (“privacy by design”), and more.
Why I Believe Trump is Compromised by Russia
Too often I feel people have been getting caught up trying to concretely prove collusion. This post by Daniel Miessler asks, in my opinion, a much better question: “Are Trump’s actions helping Putin’s long-term plan to diminish the United States’ position in the world?” From fighting with our allies, to bungling COVID-19, to pulling out of the WHO – again and again, it’s making America less respected and influential in global politics.
Evidence-based Software Engineering
An ambitious (free) book that examines a massive number of studies about what factors and environments lead to effective software engineering.
Interesting Stratechery (Ben Thompson) article on Slack vs Microsoft Teams. Teams has likely surpassed Slack in Daily Active Users (DAU) due to a combination of factors: it’s free (if you have a Microsoft 365 subscription), Microsoft has a massive team and partner network in which it shares subscription revenue for Azure and Office 365, and an ecosystem that all plays nicely together (One Drive, Planner, …).
How does Slack double down on its advantages and stay differentiated? Shared channels, that enable easy communication between different companies.
"Slack Connect is about more than chat: not only can you have multiple companies in one channel, you can also manage the flow of data between different organizations; to put it another way, while Microsoft is busy building an operating system in the cloud, Slack has decided to build the enterprise social network."
Snippets from a letter by Richard Feynman to one of his former students.
Michael Whiteman describes a neat automation platform they’ve built at WW (formerly Weight Watchers), that can continuously discover, monitor, and assess the security posture of web assets. Asset inventory FTW! 🤘
Here are some things I love about this approach:
You're getting a continuous, programmatic, up-to-date view of your attack surface, and can easily focus on the new and most risky apps.
New tools can easily be plugged in, so the AppSec Platform gets incrementally, progressively more useful over time.
Contextual info that the security team needs to assess a situation is grabbed automatically.
It integrates with the security team's existing tools and workflows (e.g. Slack).
1. Asset Discovery and Reconnaissance
New assets are particularly interesting, so the Product Security team is notified via a Slack message when a DNS record is discovered for the first time.
2. Continuous Security Monitoring
Apps are then scanned for security issues that are easy to find and fix and that can be identified quickly at scale, including CORS or TLS misconfigurations, subdomain takeovers, exposed secrets, and content discovery / server misconfigurations.
The Product Security team receives a Slack alert for each identified issue, who can then process the issue directly from Slack.
The issue database is automatically updated when the Slack message has been triaged or when the scanning tools no longer detect an issue, which marks them as fixed.
3. Platform Dashboard
The Platform Dashboard provides CRUD operations and searching capabilities, so that team members can analyze and monitor data in real time, like:
What web apps are using a given third-party component or library?
Do any apps have potentially dangerous ports or services exposed? (e.g. anonymous FTP, ElastiCache, Redis, etc.)
Which apps are written in “non-standard” programming languages (e.g. PHP)?
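The three steps above form one loop: discover, scan, keep an issue database in sync, and make the result queryable. The added example below is mine, not WW's AppSec Platform, and compresses that loop into a single runnable class: new DNS names trigger an alert only on first sighting, one representative "easy to find and fix" check (a CORS policy that allows credentials with a wildcard or reflected origin) opens an issue, triage and no-longer-detected transitions update the issue's state, and the inventory answers the dashboard-style questions from the list. Hostnames, response headers and the `notify` callback standing in for Slack are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Issue:
    asset: str
    check: str
    status: str = "open"     # open -> triaged (from Slack) -> fixed (no longer detected)
    first_seen: int = 0
    last_seen: int = 0


def cors_check(headers, probe_origin="https://evil.example"):
    """One 'easy to find, easy to fix' check: credentials allowed together with a
    wildcard or reflected Origin. `headers` is the response to a request that
    sent `Origin: probe_origin`. Returns a finding id or None."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    return "cors-credentialed-origin" if creds and acao in ("*", probe_origin) else None


class AppSecPlatform:
    def __init__(self, notify):
        self.notify = notify     # stands in for the Slack webhook
        self.assets = {}         # hostname -> {"libs": [...], "ports": [...], "lang": ...}
        self.issues = {}         # (hostname, check) -> Issue

    # Step 1: asset discovery. Alert only the first time a DNS name shows up.
    def ingest_discovery(self, records):
        new = [host for host in records if host not in self.assets]
        for host in new:
            self.notify(f"new asset: {host}")
        self.assets.update(records)
        return new

    # Step 2: continuous monitoring. Open issues for findings, mark fixed when gone.
    def ingest_scan(self, responses, run_id):
        """responses: hostname -> response headers observed in this run. A host
        absent from `responses` was not scanned, so its issues are left alone."""
        for host, headers in responses.items():
            finding = cors_check(headers)
            detected = {(host, finding)} if finding else set()
            for key in detected:
                if key not in self.issues:
                    self.issues[key] = Issue(*key, first_seen=run_id, last_seen=run_id)
                    self.notify(f"{key[1]} on {host}")
                else:
                    self.issues[key].last_seen = run_id
            for key, issue in self.issues.items():
                if key[0] == host and key not in detected and issue.status != "fixed":
                    issue.status = "fixed"
        return {key: issue.status for key, issue in self.issues.items()}

    def triage(self, host, check):
        """Called when someone handles the Slack message."""
        self.issues[(host, check)].status = "triaged"

    # Step 3: dashboard-style queries over the inventory.
    def assets_using(self, lib):
        return sorted(h for h, m in self.assets.items() if lib in m.get("libs", []))

    def assets_exposing(self, port):
        return sorted(h for h, m in self.assets.items() if port in m.get("ports", []))

    def assets_in_language(self, lang):
        return sorted(h for h, m in self.assets.items() if m.get("lang") == lang)


def run_demo():
    """Two discovery runs and two scan runs over constructed data."""
    alerts = []
    p = AppSecPlatform(alerts.append)
    p.ingest_discovery({
        "shop.example.com": {"libs": ["jquery-1.12"], "ports": [443], "lang": "php"},
        "api.example.com": {"libs": ["express"], "ports": [443, 6379], "lang": "js"},
    })
    # Run 1: the API reflects an arbitrary Origin with credentials -> issue + alert.
    p.ingest_scan({
        "api.example.com": {"Access-Control-Allow-Origin": "https://evil.example",
                            "Access-Control-Allow-Credentials": "true"},
        "shop.example.com": {"Access-Control-Allow-Origin": "https://shop.example.com"},
    }, run_id=1)
    p.triage("api.example.com", "cors-credentialed-origin")
    # Run 2: nothing new in DNS (no duplicate alert); the API now allow-lists one origin.
    p.ingest_discovery({"api.example.com": p.assets["api.example.com"]})
    p.ingest_scan({"api.example.com": {"Access-Control-Allow-Origin": "https://app.example.com",
                                       "Access-Control-Allow-Credentials": "true"}}, run_id=2)
    return p, alerts


if __name__ == "__main__":
    platform, alerts = run_demo()
    print("\n".join(alerts))
    print({k: v.status for k, v in platform.issues.items()})
    print("exposing 6379:", platform.assets_exposing(6379))
```

The two details that make this pattern hold up in practice are both visible in `ingest_scan`: an issue is only closed for hosts that were actually scanned in that run (a scanner outage must not silently mark everything fixed), and the alert fires on the open transition only, so a long-lived finding does not page the team every run.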
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate it if you'd forward it to them.
Thanks for reading!