[tl;dr sec] #60 - Cartography + IAM, Security Scorecard, Self-service Security
Use Cartography to understand AWS permissions, tool to grok the risk of open source libraries, developers taking security into their own hands.
I hope you’ve been doing well!
The U.S. election concluded and there haven’t been any massive protests or rioting yet, so that’s cool 👍
Last week, when I was about to share a link related to Burp Suite, Twitter auto-suggested something I didn’t quite expect:
Another time, when I was trying to reference a link related to Ghidra, I was recommended some… not quite safe for work hash tags.
Maybe because security is such a hot topic? 😆
Later today (Thursday, Nov 11) I’ll be speaking at All Day DevOps.
All guaranteed to help you grow 2 inches, get a raise at work, and finally reach inner enlightenment.
Hope to see you there! 👋
📢 Free Salesforce Log Analysis Service from AppOmni Labs
AppOmni Labs is excited to announce the industry’s first self-service Salesforce Log Analysis Service. The new service enables you to identify misconfigurations in your Salesforce environment that can lead to data exposure. Recent research revealed common misconfigurations in Salesforce that can lead to sensitive data being exposed to guest users. The Salesforce Log Analysis Service analyzes your Salesforce logs to detect any trace of the techniques used to exploit this misconfiguration. For more information and to start your FREE log analysis, please visit our Salesforce Log Analysis Service Page.
📜 In this newsletter...
AppSec: Misconfigured SonarQubes leaking source code, story of a developer fixing a security bug then proactively preventing it from occurring again
Cloud Security: Scan your Azure environment against the CIS Azure Benchmark
Container Security: Static analysis tool for your Kubernetes YAML and Helm charts
Red Team: 34c3 talk on exploiting and protecting against type confusion bugs, tool for bidirectional XPC message interception
Politics / Privacy: Soon iOS and Mac apps will have privacy labels, retailers using AI to make you buy more
Misc: PLATYPUS: a novel software-based power side-channel attack
IAM whatever you say IAM: Lyft's Cartography tool now supports IAM
Security Scorecards for Open Source Projects: Tool to gauge how much you should trust an open source library
FBI: Hackers stole source code from US government agencies and private companies
By Catalin Cimpanu: According to the FBI, threat actors are abusing misconfigured SonarQube applications to access and steal source code repositories from US government agencies and private businesses. Lesson: secure defaults matter. Most companies don’t change the default settings, leading to public SonarQube instances requiring no auth or using default creds (
Fixing leaky logs: how to find a bug and ensure it never returns
A neat example of quick feedback loops and “self-service security.” Developer and engineering manager Nathan Brahms found that sensitive information was being logged, decided on a fix and pushed it out, and then wrote a code-base specific Semgrep pattern to ensure that issue never happened again, all without involving the AppSec team. Total time start to finish: a few hours.
Type confusion: discovery, abuse, and protection
34c3 talk by Mathias Payer: “Type confusion, often combined with use-after-free, is the main attack vector to compromise modern C++ software like browsers or virtual machines. Typecasting is a core principle that enables modularity in C++. For performance, most typecasts are only checked statically, i.e., the check only tests if a cast is allowed for the given type hierarchy, ignoring the actual runtime type of the object. Using an object of an incompatible base type instead of a derived type results in type confusion. We discuss the details of this vulnerability type and how such vulnerabilities relate to memory corruption. Based on an LLVM-based sanitizer that we developed, we will show how to discover such vulnerabilities in large software through fuzzing and how to protect yourself against this class of bugs.”
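To make the static-versus-runtime distinction Payer describes concrete, here is an added C++ illustration (constructed for this issue, not code from the talk or from the sanitizer it presents; the Base/Derived/Unrelated hierarchy and the function names are assumptions). The unchecked downcast compiles because the type hierarchy allows Base to Derived, but nothing verifies what the object actually is; the checked version consults RTTI and returns nullptr instead, so the caller cannot read derived-only fields off a smaller object.

```cpp
#include <cstddef>
#include <cstdio>

// Constructed class hierarchy for illustration (assumption, not from the talk).
struct Base {
    virtual ~Base() = default;  // polymorphic, so dynamic_cast can inspect the runtime type
    int id = 0;
};

struct Derived : Base {
    // Fields that exist only on the derived object. A confused cast that treats a
    // plain Base (or an Unrelated) as a Derived reads past the end of that object
    // to reach them: this is the type confusion bug.
    std::size_t payload_len = 0;
    const char* payload = nullptr;
};

struct Unrelated : Base {
    double weight = 0.0;
};

// Vulnerable pattern: static_cast is checked only against the type hierarchy at
// compile time (Base -> Derived is permitted), never against the object's actual
// runtime type. It is shown for contrast and is deliberately never called here,
// because dereferencing the result for a non-Derived object is undefined behaviour.
Derived* unchecked_downcast(Base* b) {
    return static_cast<Derived*>(b);
}

// Hardened pattern: dynamic_cast uses RTTI and yields nullptr when the runtime
// type is not Derived (or a subclass of it), forcing the caller to handle that case.
Derived* checked_downcast(Base* b) {
    return dynamic_cast<Derived*>(b);
}

// Reads a derived-only field only after the runtime check succeeds; returns 0
// for any object that is not really a Derived.
std::size_t payload_length_or_zero(Base* b) {
    if (Derived* d = checked_downcast(b)) return d->payload_len;
    return 0;
}

// True when the object's runtime type makes the downcast legitimate.
bool downcast_is_valid(Base* b) {
    return checked_downcast(b) != nullptr;
}

// Builds one object of each runtime type and counts how many the checked
// downcast accepts; only the genuine Derived should pass, so the result is 1.
int count_valid_downcasts() {
    Derived real;
    Unrelated other;
    Base plain;
    Base* objs[] = {&real, &other, &plain};
    int valid = 0;
    for (Base* b : objs) {
        if (downcast_is_valid(b)) ++valid;
    }
    return valid;
}

int main() {
    Derived real;
    real.payload_len = 42;
    Unrelated other;
    Base plain;
    std::printf("Derived:   valid=%d len=%zu\n", downcast_is_valid(&real), payload_length_or_zero(&real));
    std::printf("Unrelated: valid=%d len=%zu\n", downcast_is_valid(&other), payload_length_or_zero(&other));
    std::printf("Base:      valid=%d len=%zu\n", downcast_is_valid(&plain), payload_length_or_zero(&plain));
    std::printf("objects accepted by the checked downcast: %d of 3\n", count_valid_downcasts());
    return 0;
}
```

Compile with your usual flags; the point of the talk is that the first function is what performance-sensitive code bases typically write, and a sanitizer (or, where affordable, dynamic_cast as above) is what turns the silent out-of-bounds read into a detectable failure.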
Politics / Privacy
Privacy Labels for iOS and Mac Apps Are Coming
Apple continues to position itself as the privacy-focused, not Facebook/Google tech giant:
How artificial intelligence may be making you buy things
Using data from loyalty cards as well as our online shopping carts and product viewing behavior, more and more retailers are using AI to recommend items you’re more likely to purchase.
As excellently posed in The Social Dilemma, I think this starts to raise ethical questions as businesses toe the line between offering “helpful” suggestions and deals for consumers vs exploiting cognitive tendencies to maximize profit.
PLATYPUS: With Great Power comes Great Leakage
Academic paper: “With PLATYPUS, we present novel software-based power side-channel attacks on Intel server, desktop and laptop CPUs. We exploit the unprivileged access to the Intel RAPL interface exposing the processor’s power consumption to infer data and extract cryptographic keys.”
IAM whatever you say IAM
Lyft’s Alex Chantavy and Andrew Johnson describe some Cartography updates. If you’re not familiar, Cartography is a baller tool that can query various services you’re using (e.g. AWS, GitHub, Okta, …), enumerate objects and their relationships, put that info in Neo4J, and then let you query it for relevant security insights. See tl;dr sec 21 and 51 for additional links about Cartography.
This post describes how Cartography can now incorporate AWS IAM info.
You can then specify “Resource Permission Relationships” to evaluate offline what a principal can access. Using the Okta integration, you can also determine what an individual user has access to.
Lastly, and I want to emphasize how awesome this is, you can use Cartography’s Drift Detection feature to inform you via Slack alerts whenever meaningful IAM changes have occurred, so that you can investigate.
Security Scorecards for Open Source Projects
When you introduce a new open source dependency into your company’s software, there’s generally no easy indication of how secure that package is. That’s why the Open Source Security Foundation (OpenSSF) has released a Security Scorecard tool on GitHub whose goal is to “automate analysis and trust decisions on the security posture of open source projects.”
Each check returns a Pass / Fail decision, as well as a confidence score between 0 (unable to get any real signal) and 10 (completely sure of the result).
The tool currently checks if a target project:
Contains a security policy
Has contributors from at least two different organizations
Declares and freezes dependencies
Cryptographically signs releases and release tags
Runs tests in CI
Requires code review before code is merged
Has a CII Best Practices Badge
Uses Pull Requests for all code changes
Uses fuzzing (e.g. OSS-Fuzz) or static analysis tools
Is active (had commits or releases in the last 90 days)
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!