[tl;dr sec] #52 - Prioritizing 3rd Party Vulnerabilities to Fix, LangSec History, Distilled Compliance Controls
How to prioritize vulnerabilities in your dependencies, some history and context around LangSec, and a set of common controls across 10+ standards.
I hope you’ve been doing well.
Last weekend I watched Deadpool 2, and it was pretty good. If you liked the first one, you’ll probably like it. Also, if you need something to cheer you up, here is Deadpool interpretive dancing to Celine Dion singing a catchy power ballad.
Screaming Snarking into the Void
They say journaling is really cathartic, but I’ve never really done it. But now I know why.
Watching a lot of conference talks, you inevitably come across some talks that are not good. Perhaps the material is too basic or not novel, they make claims that aren’t substantiated by data, it’s mostly shilling a commercial product, etc.
Although I feel compelled to write a screed about them, I don’t, because there’s many reasons why this could be the case: they’re a new speaker, some content couldn’t make it through legal, or other factors I’m not aware of. There’s enough negativity in the security industry at times, so I work hard not to add to it.
But last weekend I gave myself permission to let loose and write Peak Snark™ into my private notes, never to be shared publicly.
And it felt great.
📢 Modern DAST with StackHawk
StackHawk is a dynamic application security testing tool built for today’s software engineering teams. With StackHawk, finding, triaging, and fixing security bugs is simple and automated in CI/CD. Developers can run AppSec tests on every PR, recreate findings with automated curl commands, and tie into engineering workflows with integrations like Slack and Jira. Get a demo or test out StackHawk today.
One neat thing about StackHawk is that they hired Simon Bennet, the founder of OWASP ZAP. It’s always nice to see commercial support for prominent open source projects 👍
📜 In this newsletter...
Machine Learning: Threat modeling and practically attacking a machine learning-based service
AppSec: Unauth RCE on MobileIron MDM by Orange Tsai, how to prioritize which out-of-date vulnerable dependencies to fix
Web Security: Burp extension enabling the creation of sequences of steps and extracting info to use in later steps
Cloud Security: Find sensitive info in S3 buckets at scale, purposefully vulnerable Cloudformation, AWS CDK, and Terraform repos
Blue Team: Extending Thinkst Canary to be an interactive honeypot
Red Team: Massive list of pen testing resources, creating your own leaked credential search engine, a PHP backdoor management and generation tool
Politics / Privacy: Chinese state-sponsored hackers target the F5 VPN flaws, NIST on threat modeling differential privacy systems, the influence and power of WeChat
OSINT: Tool to run OCR on images available on Lightshot, a utility program to perform operations on subnet/CIDR ranges, tool to retrieve all of the IPs of a target organization
JSON 4 Days: A wrapper around jq to avoid typing common patterns, a faster implementation of jq in Reason, a semantic comparing and merging tool for JSON/XML/HTML/YAML/TOML
Misc: Minimalist CLI knowledge base manager for your hacking cheatsheets, a massive deep dive into K-pop
Injection and an Impromptu LangSec History Story: A SQL / SQLi tokenizer parser analyzer to detect SQLi payloads, a lovely random Twitter encounter about some LangSec history
📚 Peeling the Web Application Security Onion Without Tears
Quick summary of this BSidesSF 2020 talk by Adobe Document Cloud’s Noam Lorberbaum and Keith Mashinter, which presents lessons in how building reusable, secure-by-default services and infrastructure improves your security and reduces compliance burden.
The machine learning pipeline and attacks
Blog post series by Johann Rehberger on practically attacking a machine learning-based service, from threat modeling the system to brute forcing images to find incorrect predictions. The latter was done in a Python Jupyter Notebook, which I feel like I keep seeing everywhere in security recently.
How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM
More impressive work by Orange Tsai. Blackbox testing to greybox using some Google-fu (found an RPM) -> bypass ACLs via breaking parser logic -> Java deserialization.
The Devil’s in the Dependency: Data-Driven Software Composition Analysis
This Black Hat USA 2020 talk by Ben Edwards and Chris Eng is kind of like the talk version of Veracode’s State of Software Security Volume 10 report, with a focus on vulnerabilities in third-party dependencies. The slides contain some interesting slicing and dicing of a pretty big dataset, by vulnerability class, programming language, etc.
One thing that stuck out to me is their thoughts on prioritizing remediation, which is super important. Also, thanks Ben for answering my questions on Twitter 🙏
Of the apps that have at least one flaw introduced by a library (70% of total dataset), 2.6% have ‘closed’ their flaws by either patching or accepting the risk.
So 97.4% of the remaining apps have at least 1 open flaw
52.3% have an open flaw with a public PoC
25% of those PoCs are known to have been exploited in the wild by Kenna Security
1% fulfill the above + the app uses the vulnerable library function in its code
In short: If you prioritize addressing third-party vulnerabilities that a) have public PoCs, b) are actively being exploited, c) in which your app calls the vulnerable function, you’ll both maximally reduce your risk and you’ll limit your scope to ~1% of all of the dependencies you could patch.
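To make the prioritization above concrete, here is an added example (not code from the talk or from Veracode) that applies the three criteria, public PoC, exploited in the wild, and the app calling the vulnerable function, to a set of dependency findings and computes the same kind of funnel the talk reports. The findings, library names and advisory ids are constructed sample data, not real vulnerabilities.

```python
"""Triage third-party dependency findings by the three criteria from the
Veracode talk: public PoC, known exploitation in the wild, and whether the
app actually calls the vulnerable function.  Added example with constructed
data; the library names and advisory ids are fictional."""
from dataclasses import dataclass, field
from typing import Iterable, List, Dict


@dataclass(frozen=True)
class Finding:
    library: str
    advisory: str                 # placeholder advisory id (constructed)
    has_public_poc: bool
    exploited_in_wild: bool
    vulnerable_function: str      # the library function the advisory is about
    # functions of this library that our own code calls (from SCA/call-graph data)
    called_functions: frozenset = field(default_factory=frozenset)

    @property
    def calls_vulnerable_function(self) -> bool:
        return self.vulnerable_function in self.called_functions


def tier(f: Finding) -> int:
    """1 = fix first (PoC + exploited + reachable) ... 4 = lowest urgency."""
    if f.has_public_poc and f.exploited_in_wild and f.calls_vulnerable_function:
        return 1
    if f.has_public_poc and f.exploited_in_wild:
        return 2
    if f.has_public_poc:
        return 3
    return 4


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Stable ordering: most urgent tier first, then by library/advisory."""
    return sorted(findings, key=lambda f: (tier(f), f.library, f.advisory))


def funnel(findings: List[Finding]) -> Dict[str, float]:
    """Percentage of all findings that survive each successive filter,
    mirroring the talk's 'open flaw -> public PoC -> exploited -> reachable' numbers."""
    total = len(findings)
    poc = [f for f in findings if f.has_public_poc]
    exploited = [f for f in poc if f.exploited_in_wild]
    reachable = [f for f in exploited if f.calls_vulnerable_function]

    def pct(xs: List[Finding]) -> float:
        return round(100.0 * len(xs) / total, 1) if total else 0.0

    return {"total": total, "public_poc": pct(poc),
            "exploited": pct(exploited), "reachable": pct(reachable)}


# Constructed findings (fictional libraries and advisory ids).
SAMPLE_FINDINGS = [
    Finding("libalpha-json", "ADV-0001", True, True, "parse_untrusted",
            frozenset({"parse_untrusted", "dumps"})),            # tier 1
    Finding("libbeta-collections", "ADV-0002", True, True, "transform",
            frozenset({"select", "filter"})),                     # tier 2
    Finding("libgamma-utils", "ADV-0003", True, False, "deep_merge",
            frozenset({"deep_merge"})),                           # tier 3
    Finding("libdelta-args", "ADV-0004", False, False, "parse_args",
            frozenset({"parse_args"})),                           # tier 4
    Finding("libepsilon-log", "ADV-0005", True, True, "format",
            frozenset()),                                         # tier 2
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(tier(f), f.library, f.advisory)
    print(funnel(SAMPLE_FINDINGS))
```

The "reachable" check is the one that does most of the scoping work, and it is only as good as the call-graph data you feed it; a finding whose vulnerable function is not in `called_functions` because the SCA tool lacked coverage will be silently demoted, so treat tier 2 as "verify reachability" rather than "ignore".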
Burp Suite Extension: Stepper
By Corey Arthur: “Stepper is designed to be a natural evolution of Burp Suite’s Repeater tool, providing the ability to create sequences of steps and define regular expressions to extract values from responses which can then be used in subsequent steps.”
S3Insights: Derive insights about your S3 environment at scale
More neat work from Uber’s Ashish Kurmi (See also: How Uber Continuously Monitors the Security of its AWS Environment). S3Insights is a platform for efficiently deriving security insights about S3 data through system metadata analysis. Rather than analyzing the content of individual objects, S3Insights harvests S3 inventory data from multiple buckets in a multi-account environment to help discover and manage sensitive data.
Purposefully Vulnerable Config Management Repos by Bridgecrew
Extending a Thinkst Canary to become an interactive honeypot
How to extend Thinkst Canary to give attackers an SSH “shell” (actually a Docker container) so you can observe their behavior, by Liam Stevenson.
The only Penetration testing resources you need
Pretty massive list of resources by KaliTut covering pen testing resources and tools, network, web, Linux, Windows, OSINT, and other security tools, books, and more.
DIY Leaked Credential Search Engine - Part 1
By Kevin Dick: “This post will walk through the process we followed to build a search engine for leaked credentials from publicly disclosed breaches/database leaks using Django REST Framework and PostgreSQL. At the end of this blog, you should have all you need to build an API and frontend Web Application that searches over 5 billion passwords in seconds.”
gellin/bantam
A PHP backdoor management and generation tool featuring end to end encrypted payload streaming designed to bypass WAF, IDS, and SIEM systems.
Politics / Privacy
Chinese State-Sponsored Attackers Target F5, VPN Flaws
“Attacks against the F5 flaw (CVE-2020-5902) began almost immediately after the company disclosed it on June 30 and CISA said it has responded to several incidents in government agencies and enterprises involving successful exploits against the bug.”
NIST: Threat Models for Differential Privacy
The point of differential privacy is to allow one to search and calculate stats on a dataset without being able to determine things about an individual within the dataset. This post is a nice overview of central vs local differential privacy and hybrid models. See also the first post of this blog series for a nice introduction to differential privacy.
Figure 1: Central Model of Differential Privacy
Figure 2: Local Model of Differential Privacy
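The difference between the two models in the figures above is where the noise is added: in the central model a trusted curator holds the raw records and perturbs the published statistic, while in the local model each person randomizes their own record before it ever leaves their device, so no trusted party is needed but far more noise is required for the same epsilon. The following added example (not from the NIST post) shows both for a single counting query: the Laplace mechanism for the central model and randomized response for the local model, with the theoretical variance of each so you can see the cost of removing the trusted curator. The dataset and parameters are constructed.

```python
"""Central vs local differential privacy for one counting query.
Added example with constructed data; nothing here is from the NIST post."""
import math
import random
from typing import List, Tuple

# Constructed dataset: one bit per person (1 = has the sensitive attribute).
SAMPLE_DATA = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1]


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Laplace mechanism noise scale b = sensitivity / epsilon."""
    return sensitivity / epsilon


def laplace_noise(scale: float, rng: random.Random) -> float:
    # Laplace(0, b) is the difference of two independent Exp(mean b) draws;
    # this avoids the log(0) edge case of the inverse-CDF method.
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def central_count(data: List[int], epsilon: float, rng: random.Random) -> float:
    """Central model: the trusted curator sees raw bits and publishes a noisy count.
    Adding or removing one person changes a count by at most 1, so sensitivity = 1."""
    return sum(data) + laplace_noise(laplace_scale(1.0, epsilon), rng)


def truth_probability(epsilon: float) -> float:
    """Randomized response: answer truthfully with probability e^eps / (1 + e^eps).
    Written as 1 / (1 + e^-eps) so very large epsilon does not overflow."""
    return 1.0 / (1.0 + math.exp(-epsilon))


def randomized_response(bit: int, epsilon: float, rng: random.Random) -> int:
    """Runs on each client; the aggregator only ever sees the randomized bit."""
    return bit if rng.random() < truth_probability(epsilon) else 1 - bit


def debias(reported_ones: float, n: int, p: float) -> float:
    """Unbiased estimate of the true count c from randomized reports, using
    E[reported_ones] = p*c + (1-p)*(n-c) = c*(2p-1) + (1-p)*n."""
    return (reported_ones - (1.0 - p) * n) / (2.0 * p - 1.0)


def local_count(data: List[int], epsilon: float, rng: random.Random) -> float:
    """Local model: no trusted curator; each person randomizes before reporting."""
    reports = [randomized_response(b, epsilon, rng) for b in data]
    return debias(sum(reports), len(data), truth_probability(epsilon))


def theoretical_variance(epsilon: float, n: int) -> Tuple[float, float]:
    """(central, local) variance of the count estimate.
    Central: Laplace with b = 1/eps has variance 2/eps^2, independent of n.
    Local: each report is Bernoulli with variance p(1-p); debiasing divides by (2p-1)."""
    p = truth_probability(epsilon)
    central = 2.0 / (epsilon ** 2)
    local = n * p * (1.0 - p) / ((2.0 * p - 1.0) ** 2)
    return central, local


def run_demo(epsilon: float, seed: int) -> Tuple[int, float, float]:
    """Returns (true count, central estimate, local estimate) for one seeded run."""
    rng = random.Random(seed)
    return sum(SAMPLE_DATA), central_count(SAMPLE_DATA, epsilon, rng), \
        local_count(SAMPLE_DATA, epsilon, rng)


if __name__ == "__main__":
    eps = math.log(3.0)   # p = 0.75 for randomized response
    true, central, local = run_demo(eps, seed=7)
    print(f"true={true} central={central:.2f} local={local:.2f}")
    print("variance (central, local):", theoretical_variance(eps, len(SAMPLE_DATA)))
```

At epsilon = ln 3 the central estimate has variance about 1.66 regardless of population size, while the local estimate over 20 people already has variance 15 and grows linearly with n; that gap is why deployments of the local model need very large populations, and why the hybrid models in the post try to recover some of the central model's accuracy without a fully trusted curator.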
By @mxrchreborn: “Darkshot is a scraper tool on steroids, to analyze all of the +2 Billions pictures publicly available on Lightshot. It uses OCR to analyze pictures and auto-categorize them via keywords and detection functions. You can find pretty much everything: credentials, personal informations (emails, phone numbers, addresses, ID cards, passports), banking information, etc. Since it’s modulable, you can make your own detection function and use it as a monitoring tool.”
A small utility program to perform multiple operations for a given subnet/CIDR ranges, developed to ease load distribution for mass scanning operations, by ProjectDiscovery.io.
By Leonid Hartmann: Retrieves all of the IPs of a target organization. It uses the IP or domain name and looks up the Autonomous System Number (ASN), retrieves the Classless Inter-Domain Routing (CIDR) subnet masks and converts them to IPs. Uses HackerTarget.
JSON 4 Days
For some reason there were a few JSON-related links this week 🤷
Graphtage: A New Semantic Diffing Tool
By Trail of Bits: “Graphtage is a command line utility and underlying library for semantically comparing and merging tree-like structures such as JSON, JSON5, XML, HTML, YAML, and TOML files.” You can also compare across file formats, like comparing JSON to YAML.
gnebbia/kb: A minimalist knowledge base manager
“kb is a text-oriented minimalist command line knowledge base manager. kb can be considered a quick note collection and access tool oriented toward software developers, penetration testers, hackers, students or whoever has to collect and organize notes in a clean way. I use it in the context of penetration testing to organize pentesting procedures, cheatsheets, payloads, guides and notes.”
A Deep Dive into K-pop
If you’re curious to learn about Korean pop music, this ~50 page treatise may be for you.
Injection and an Impromptu LangSec History Story
libinjection is a SQL / SQLi tokenizer, parser, and analyzer created by Signal Sciences CTO and co-founder Nick Galbreath that aims to detect SQL injection payloads. It can be useful for WAFs because operating on tokenized input generally performs better than regex-based rules.
When I shared the above on Twitter, Andrew van der Stock kindly referenced some related earlier academic work by Robert J. Hansen and Meredith L. Patterson (paper: Guns and Butter: Towards Formal Axioms of Input Validation).
The Twitter thread that followed (note: you may have to refresh, sometimes Twitter breaks redirects) had some interesting context, including:
“The historical foundation of langsec.org can be traced to two hungry grad students eating cheap seafood at a restaurant in the middle of nowhere, Iowa”
What happens when you’re thinking about patents but you have to deal with major DB players with patent portfolios
And Robert’s lessons learned (lightly edited):
I wrote a quick summary of this BSidesSF 2020 talk by Adobe Document Cloud’s Noam Lorberbaum and Keith Mashinter, which presents lessons from Adobe in how building reusable, secure-by-default services and infrastructure improves your security and reduces compliance burden.
One aspect you may find particularly useful is that Adobe evaluated over 10 different standards (e.g. SOC, FedRAMP, ISO 27001, HITRUST) with around 1,350 control requirements, and distilled that down to ~290 common controls across 20 control domains. Ideally, by handling these common controls, you can check off a wide swathe of compliance requirements at once. Check out the common controls list here.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!