
[tl;dr sec] #60 - Cartography + IAM, Security Scorecard, Self-service Security

Use Cartography to understand AWS permissions, tool to grok the risk of open source libraries, developers taking security into their own hands.

Hey there,

I hope you’ve been doing well!

The U.S. election concluded and there haven’t been any massive protests or rioting yet, so that’s cool 👍

Twitter #suggestions

Last week, when I was about to share a link related to Burp Suite, Twitter auto-suggested something I didn’t quite expect:

Another time, when I was trying to reference a link related to Ghidra, I was recommended some… not quite safe for work hash tags.

Maybe because security is such a hot topic? 😆

Upcoming Speaking

Later today (Thursday, Nov 11) I’ll be speaking at All Day DevOps.

This Sunday (Nov 15) I’ll be joining my friends Nancy Gariché, Nicole Becher and crew on the OWASP DevSlop podcast: Meetup event, YouTube livestream.

And next Tuesday (Nov 17) I’ll be joining my friends Seth Law and Ken Johnson on their Absolute AppSec podcast.

All guaranteed to help you grow 2 inches, get a raise at work, and finally reach inner enlightenment.

Hope to see you there! 👋


📢 Free Salesforce Log Analysis Service from AppOmni Labs

AppOmni Labs is excited to announce the industry’s first self-service Salesforce Log Analysis Service. The new service enables you to identify misconfigurations in your Salesforce environment that can lead to data exposure. Recent research revealed common misconfigurations in Salesforce that can lead to sensitive data being exposed to guest users. The Salesforce Log Analysis Service analyzes your Salesforce logs to detect any trace of the techniques used to exploit this misconfiguration. For more information and to start your FREE log analysis, please visit our Salesforce Log Analysis Service Page.

📜 In this newsletter...

🔗 Links:

  • AppSec: Misconfigured SonarQubes leaking source code, story of a developer fixing a security bug then proactively preventing it from occurring again

  • Cloud Security: Scan your Azure environment against the CIS Azure Benchmark

  • Container Security: Static analysis tool for your Kubernetes YAML and Helm charts

  • Red Team: 34c3 talk on exploiting and protecting against type confusion bugs, tool for bidirectional XPC message interception

  • Politics / Privacy: Soon iOS and Mac apps will have privacy labels, retailers using AI to make you buy more

  • Misc: PLATYPUS: a novel software-based power side-channel attack

  • IAM whatever you say IAM: Lyft's Cartography tool now supports IAM

  • Security Scorecards for Open Source Projects: Tool to gauge how much you should trust an open source library


AppSec

FBI: Hackers stole source code from US government agencies and private companies
By Catalin Cimpanu: According to the FBI, threat actors are abusing misconfigured SonarQube applications to access and steal source code repositories from US government agencies and private businesses. Lesson: secure defaults matter. Most companies don’t change the default settings, leading to public SonarQube instances requiring no auth or using default creds (admin:admin).

Fixing leaky logs: how to find a bug and ensure it never returns
A neat example of quick feedback loops and “self-service security.” Developer and engineering manager Nathan Brahms found that sensitive information was being logged, decided on a fix and pushed it out, and then wrote a code-base specific Semgrep pattern to ensure that issue never happened again, all without involving the AppSec team. Total time start to finish: a few hours.
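
The post's check is a Semgrep pattern; the added example below is neither Nathan Brahms's rule nor Semgrep code, but the same idea implemented with Python's standard ast module so it runs with no dependencies: a deliberately code-base-specific check that fails when a logging call's arguments mention an identifier from a list of sensitive names. The logger names, the sensitive fragments and the two snippets (LEAKY, FIXED) are constructed for this example.

```python
import ast

# Constructed list of identifier fragments that this (hypothetical) code base
# treats as sensitive. A real rule would mirror the project's own field names.
SENSITIVE_NAMES = ("password", "passwd", "secret", "token", "api_key", "authorization")

# Assumed logger conventions; again tuned to one code base, not universal.
LOGGER_NAMES = {"logger", "log", "logging"}
LOG_METHODS = {"debug", "info", "warning", "warn", "error", "critical", "exception"}


def _is_log_call(node: ast.Call) -> bool:
    """True for calls shaped like logger.info(...) or logging.debug(...)."""
    func = node.func
    return (
        isinstance(func, ast.Attribute)
        and func.attr in LOG_METHODS
        and isinstance(func.value, ast.Name)
        and func.value.id in LOGGER_NAMES
    )


def _sensitive_names(node: ast.AST):
    """Yield every plain name, attribute name or string subscript key in the
    subtree whose text contains one of the sensitive fragments."""
    for sub in ast.walk(node):
        candidate = None
        if isinstance(sub, ast.Name):
            candidate = sub.id
        elif isinstance(sub, ast.Attribute):
            candidate = sub.attr
        elif isinstance(sub, ast.Subscript):
            key = sub.slice  # e.g. request.headers["Authorization"]
            if isinstance(key, ast.Constant) and isinstance(key.value, str):
                candidate = key.value
        if candidate and any(s in candidate.lower() for s in SENSITIVE_NAMES):
            yield candidate


def find_leaky_logs(source: str):
    """Return sorted (line, identifier) pairs for log calls whose positional or
    keyword arguments mention a sensitive identifier. f-strings are covered
    because ast.walk descends into their formatted values."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_log_call(node):
            for arg in list(node.args) + [kw.value for kw in node.keywords]:
                for name in _sensitive_names(arg):
                    findings.append((node.lineno, name))
    return sorted(findings)


# Constructed "before" snippet: two log lines leak credentials.
LEAKY = '''
def login(request):
    creds = parse(request)
    logger.info("login attempt: %s", creds)
    logger.debug("auth header %s", request.headers["Authorization"])
    logger.debug(f"user={creds.username} password={creds.password}")
    return authenticate(creds)
'''

# Constructed "after" snippet: only the username reaches the log.
FIXED = '''
def login(request):
    creds = parse(request)
    logger.info("login attempt for user %s", creds.username)
    return authenticate(creds)
'''

if __name__ == "__main__":
    for label, src in (("LEAKY", LEAKY), ("FIXED", FIXED)):
        print(label, find_leaky_logs(src))
```

Run as a CI step, a non-empty result fails the build, which is the "ensure it never returns" half of the story; the check is intentionally coarse (it flags by name, not by data flow), and that is the trade-off a self-service rule makes to stay a few lines long.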

Cloud Security

A security compliance scanning tool using the CIS Azure Benchmark 1.2, by Kesten Broughton.

Container Security

A static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices, by StackRox.

Red Team

Type confusion: discovery, abuse, and protection
34c3 talk by Mathias Payer: “Type confusion, often combined with use-after-free, is the main attack vector to compromise modern C++ software like browsers or virtual machines. Typecasting is a core principle that enables modularity in C++. For performance, most typecasts are only checked statically, i.e., the check only tests if a cast is allowed for the given type hierarchy, ignoring the actual runtime type of the object. Using an object of an incompatible base type instead of a derived type results in type confusion. We discuss the details of this vulnerability type and how such vulnerabilities relate to memory corruption. Based on an LLVM-based sanitizer that we developed, we will show how to discover such vulnerabilities in large software through fuzzing and how to protect yourself against this class of bugs.”

By @hot3eed: Bidirectional XPC message interception and more for iOS and macOS, powered by Frida.

Politics / Privacy

Privacy Labels for iOS and Mac Apps Are Coming
Apple continues to position itself as the privacy-focused tech giant, in contrast to Facebook and Google:

Starting Dec. 8, developers will need to provide information about what kind of data their apps collect and how the data will be used. Just as food manufacturers are required to print nutritional labels on food to provide nutrition information such as calories and ingredients, these apps will have “privacy labels” telling users upfront how the apps use information.

How artificial intelligence may be making you buy things
Using data from loyalty cards as well as our online shopping carts and product viewing behavior, more and more retailers are using AI to recommend items you’re more likely to purchase.

As excellently posed in The Social Dilemma, I think this starts to raise ethical questions as businesses toe the line between offering “helpful” suggestions and deals for consumers vs exploiting cognitive tendencies to maximize profit.

“The AI module is designed not only to do the obvious stuff, but it learns as it goes along and becomes anticipatory. It can start to build a picture of how likely you are to try a different brand, or to buy chocolate on a Saturday.” And it can offer what he calls “hyper-personalised offers”, like cheaper wine on a Friday night.

“With the app we have found that the average contents of a basket are up 20%, and people with the app are three times more likely to return to shop in that store.”

Misc

PLATYPUS: With Great Power comes Great Leakage
Academic paper: “With PLATYPUS, we present novel software-based power side-channel attacks on Intel server, desktop and laptop CPUs. We exploit the unprivileged access to the Intel RAPL interface exposing the processor’s power consumption to infer data and extract cryptographic keys.”

IAM whatever you say IAM

Lyft’s Alex Chantavy and Andrew Johnson describe some Cartography updates. If you’re not familiar, Cartography is a baller tool that can query various services you’re using (e.g. AWS, GitHub, Okta, …), enumerate objects and their relationships, put that info in Neo4j, and then let you query it for relevant security insights. See tl;dr sec 21 and 51 for additional links about Cartography.

This post describes how Cartography can now incorporate AWS IAM info.

You can then specify “Resource Permission Relationships” to evaluate offline what a principal can access. Using the Okta integration, you can also determine what an individual user has access to.

Lastly, and I want to emphasize how awesome this is, you can use Cartography’s Drift Detection feature to inform you via Slack alerts whenever meaningful IAM changes have occurred, so that you can investigate.
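
To make "evaluate offline what a principal can access" and "alert on meaningful IAM changes" concrete, here is an added example that is not Cartography's code (Cartography stores all of this as nodes and relationships in Neo4j and its real evaluation logic lives there): a minimal identity-policy evaluator in plain Python over constructed policies (POLICIES) and a constructed bucket inventory (BUCKETS), plus a snapshot diff of the kind a drift check would feed into a Slack alert.

```python
import fnmatch

# Constructed sample policies (not from any real account). The shape follows an
# AWS policy document: a Statement list with Effect, Action and Resource.
POLICIES = {
    "deploy-role": [
        {"Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": "arn:aws:s3:::app-*"},
            {"Effect": "Allow", "Action": "s3:*",
             "Resource": ["arn:aws:s3:::app-artifacts", "arn:aws:s3:::app-artifacts/*"]},
        ]},
        {"Statement": [
            {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::app-finance*"},
        ]},
    ],
    "read-only-user": [
        {"Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]},
    ],
}

# Constructed inventory, standing in for the assets a tool like Cartography
# would have enumerated from the account.
BUCKETS = [
    "arn:aws:s3:::app-artifacts",
    "arn:aws:s3:::app-finance-reports",
    "arn:aws:s3:::app-logs",
    "arn:aws:s3:::shared-images",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _applies(stmt, action, resource):
    # Action names are case-insensitive in IAM; ARNs are matched as written.
    return (any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
            and any(_matches(r, resource, False) for r in _as_list(stmt["Resource"])))


def is_allowed(policies, action, resource):
    """Identity-policy evaluation only: an explicit Deny beats every Allow and
    no matching Allow is an implicit deny. Conditions, NotAction/NotResource,
    resource policies, SCPs and permission boundaries are ignored, so True is
    an upper bound on real access."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def accessible_resources(principal, action, policies=POLICIES, inventory=BUCKETS):
    """Offline answer to: on which inventory items may this principal do <action>?"""
    return [r for r in inventory if is_allowed(policies.get(principal, []), action, r)]


def access_snapshot(action, policies=POLICIES, inventory=BUCKETS):
    """Map every principal to the set of resources it can reach for one action."""
    return {p: set(accessible_resources(p, action, policies, inventory)) for p in policies}


def access_drift(before, after):
    """Diff two snapshots the way a drift check would: which principals gained
    or lost access to what. A non-empty result is the thing to alert on."""
    changes = {}
    for principal in set(before) | set(after):
        gained = after.get(principal, set()) - before.get(principal, set())
        lost = before.get(principal, set()) - after.get(principal, set())
        if gained or lost:
            changes[principal] = {"gained": sorted(gained), "lost": sorted(lost)}
    return changes


if __name__ == "__main__":
    for principal in POLICIES:
        print(principal, "s3:PutObject ->", accessible_resources(principal, "s3:PutObject"))
```

Two things the example is meant to show: explicit-deny-wins is why the finance bucket stays unreachable even though a broad Allow matches it, and a snapshot diff turns a static permission graph into an event stream, which is what makes the Slack-alerting drift detection useful.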

Security Scorecards for Open Source Projects

When you introduce a new open source dependency into your company’s software, there’s generally no easy indication of how secure that package is. That’s why the Open Source Security Foundation (OpenSSF) has released a Security Scorecard tool on GitHub whose goal is to “automate analysis and trust decisions on the security posture of open source projects.”

Each check returns a Pass / Fail decision, as well as a confidence score between 0 (unable to get any real signal) and 10 (completely sure of the result).

The tool currently checks if a target project:

  • Contains a security policy

  • Has contributors from at least two different organizations

  • Declares and freezes dependencies

  • Cryptographically signs releases and release tags

  • Runs tests in CI

  • Requires code review before code is merged

  • Has a CII Best Practices Badge

  • Uses Pull Requests for all code changes

  • Uses fuzzing (e.g. OSS-Fuzz) or static analysis tools

  • Is active (had commits or releases in the last 90 days)
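
As an added illustration of the Pass/Fail-plus-confidence model (not the Scorecard project's own code, which is Go and queries the GitHub API), here is a small offline version of six of the checks above run over a constructed repository snapshot. The REPO data, the pinned TODAY date and the rules for assigning confidence are my assumptions, not the tool's.

```python
from datetime import date

# Constructed repository snapshot; a real run would fetch this via the GitHub API.
REPO = {
    "files": ["README.md", "SECURITY.md", "go.mod", "go.sum",
              ".github/workflows/ci.yml"],
    # (commit date, author email, landed through a reviewed pull request?)
    "commits": [
        (date(2020, 11, 9), "alice@example.com", True),
        (date(2020, 10, 30), "bob@example.org", True),
        (date(2020, 10, 2), "alice@example.com", False),
        (date(2020, 6, 1), "carol@example.com", True),
    ],
}
TODAY = date(2020, 11, 12)  # pinned so the example is deterministic
LOCKFILES = {"go.sum", "package-lock.json", "yarn.lock", "Cargo.lock", "Pipfile.lock"}
CI_PREFIX = ".github/workflows/"

# Every check returns (passed, confidence) on the 0-10 scale described above:
# 0 means no usable signal, 10 means the evidence is unambiguous.


def check_security_policy(repo):
    return ("SECURITY.md" in repo["files"], 10)


def check_frozen_dependencies(repo):
    return (any(f in LOCKFILES for f in repo["files"]), 10)


def check_ci_tests(repo):
    # A workflow file is weak evidence that tests actually run, hence low confidence.
    return (any(f.startswith(CI_PREFIX) for f in repo["files"]), 5)


def check_active(repo, today=TODAY):
    recent = [c for c in repo["commits"] if (today - c[0]).days <= 90]
    return (bool(recent), 10 if repo["commits"] else 0)


def check_multi_org(repo):
    domains = {email.split("@")[1] for _, email, _ in repo["commits"]}
    # Few commits give a weak signal, so confidence grows with the sample size.
    return (len(domains) >= 2, min(10, len(repo["commits"])))


def check_code_review(repo):
    commits = repo["commits"]
    if not commits:
        return (False, 0)
    ratio = sum(1 for c in commits if c[2]) / len(commits)
    # Passes only when every commit was reviewed; mixed evidence lowers confidence.
    return (ratio == 1.0, round(10 * abs(2 * ratio - 1)))


CHECKS = {
    "security_policy": check_security_policy,
    "frozen_dependencies": check_frozen_dependencies,
    "ci_tests": check_ci_tests,
    "active": check_active,
    "multi_org_contributors": check_multi_org,
    "code_review": check_code_review,
}


def scorecard(repo):
    """Run every check and return {name: (passed, confidence)}."""
    return {name: check(repo) for name, check in CHECKS.items()}


if __name__ == "__main__":
    for name, (passed, confidence) in scorecard(REPO).items():
        print(f"{name:24s} {'Pass' if passed else 'Fail'}  confidence={confidence}")
```

The point of carrying confidence separately from the verdict is visible in the code-review check: one unreviewed commit out of four is a Fail, but a Fail the tool is only half sure of, which is the kind of nuance a consumer of the score should weigh before blocking a dependency on it.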

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!