- tl;dr sec
- Posts
- [tl;dr sec] #66 - Automating Infra as Code Creation, Container Security++ with User Namespaces, #RustLyfe
[tl;dr sec] #66 - Automating Infra as Code Creation, Container Security++ with User Namespaces, #RustLyfe
A tool to create IaC from an existing AWS environment, container defense-in-depth with user namespaces, rewriting things in Rust.
Clint Gibler
January 13, 2021
Hey there,
I hope you’ve been doing well!
I wanted to give a shout out to this newsletter by Trevor McKendrick.
It’s a weekly, nicely curated list of links on writing, productivity, inspiration, tech, Twitter, and more.
This week I came across the Section 230 and First Amendment links (below) from his newsletter, so thanks!
📰 News
A few cool things have happened recently.
I was invited to reflect on security trends in Portswigger’s Swig Security Review 2020 along with a number of great people.
On the work front:
r2c was called out as the “Disruptive Innovator” in the 2020 Forbes Cybersecurity Awards.
Semgrep was included in The Daily Swig’s latest web hacking tools roundup of Q4 2020.
Trail of Bits used Semgrep to assess the backend code of The Markup’s Facebook Inspector.
And Semgrep was even referenced as a “nice to have” in a job description on Hacker News.
I’m pretty sure the next step is to be covered in a drama by David Fincher. I call dibs on being played by Justin Timberlake. Or Keanu, but like, Keanu as John Wick as me.
Sponsor
📢 Codify your cloud security with Bridgecrew
Bridgecrew embeds security directly into developer workflows. By leveraging automation and delivering security-as-code,
empowers teams to find, fix, and prevent misconfigurations in deployed cloud resources and in infrastructure as code without slowing them down. Streamline your infrastructure security from commit to cloud with Bridgecrew.
📜 In this newsletter...
🔗 Links:
AppSec: CLI tool to search Rego policies, four levels of maturity in how AppSec and Eng teams can work together re: automation
Web Security: Browser extension to edit/replay HTTP traffic without a separate proxy, NoSQL injection tool
Cloud Security: Updated AWS Security Maturity Roadmap, Serverless framework will gobble your AWS creds, automate existing AWS infra -> infra as code
Container Security: Netflix on using user namespaces for container security defense-in-depth
Blue Team: Resources on defending against Cobalt Strike, Linux hardening guide
Politics / Privacy: WhatsApp will share your info with creepy uncle parent company Facebook, Section 230 FAQ, First Amendment FAQ
Bro, Do You Even Rust?: Memes, when to use C, Flash emulator in Rust, experimental OS written in Rust
Capitol Reflections: As much as I'd prefer to avoid it, I feel compelled to share at least a few relevant links
AppSec
policy-hub/policy-hub-cli
The Open Policy Agent (OPA) project provides a policy language, Rego, that can be used to automate policy enforcement (e.g. for compliance, security, Kubernetes, microservice authorization, policies that define organisational best practices, etc.). This is a CLI tool that makes Rego policies searchable.
Four levels of maturity that bridge the AppSec / engineering divide
Django co-creator Jacob Kaplan-Moss describes 4 levels of maturity in how AppSec teams and engineering can work together productively as they build a continuous integration and automation pipeline:
Security finds problems; Engineering fixes them
Security and Engineering collaborate to produce test cases and remediations
After the issue is fixed, Security and Engineering collaborate to find systemic fixes and develop checks
Security and Engineering now also proactively look for new classes of issues and create systemic checks before an actual problem occurs
Web Security
Tamper Dev
A browser extension that lets you edit HTTP(S) requests and responses without a proxy. So like Burp Suite/ZAP, but just your browser.
Charlie-belmer/nosqli
A CLI tool for finding sites vulnerable to NoSql injection, with a focus on MongoDB, by Charlie Belmer. Charlie works at DuckDuckGo and has a nice blog with articles about security and privacy, and a mailing list if you want to keep up with the cool stuff he’s working on.
Cloud Security
AWS Security Maturity Roadmap 2021
The third annual release of Scott Piper’s excellent guide for securely running on AWS. Probably one of the best, concise, actionable guides on this I know of.
@goserverless will copy up your AWS API creds to their service and execute things on your behalf
Oof, thanks Corey Quinn for the heads up.
Accelerate infrastructure as code development with open source Former2
If you have existing AWS infrastructure that has not yet been ported to infrastructure as code, you can use Former2 (landing page, GitHub) to automatically generate CloudFormation, Terraform, or Troposphere templates from your existing AWS resources.
Container Security
Evolving Container Security With Linux User Namespaces
Nicely detailed blog post by Kabio Kung and the Netflix container team on the challenges of securing containers in multi-tenant systems and how adopting user namespaces (“rootless containers”) helps them embrace defense-in-depth. Great overview of the problem space, and a discussion of how their architecture has changed over time.
Before User Namespaces
After User Namespaces
Blue Team
MichaelKoczwara/Awesome-CobaltStrike-Defence
Repo by Michael Koczwara collecting hunting and detection tools, YARA rules, indicators of compromise, research articles and more re: detecting the use of Cobalt Strike.
Linux Hardening Guide
Pretty massive hardening guide covering a range of topics including kernel hardening, mandatory access control, sandboxing, hardened memory allocator and compilation flags, memory safe languages, the root account, firewalls, identifiers, file permissions, core dumps, entropy, physical security, and more.
Politics / Privacy
WhatsApp gives users an ultimatum: Share data with Facebook or stop using the app
Wait whaaat, Facebook wants access to your private data?! 😱 No one could have seen this coming.
Hello! You’ve Been Referred Here Because You’re Wrong About Section 230 Of The Communications Decency Act
Great TechDirt article by Mike Masnick if you’re curious about how or when Section 230 applies, or if you’re tired of explaining it and just want to link people to something.
Hello! You’ve Been Referred Here Because You’re Wrong About The First Amendment
Same as above, but for the First Amendment.
Bro, Do You Even Rust?
“Have you considered rewriting in Rust?” has been said so many times that it’s become a meme.
But I think there’s something to it. For one example: Microsoft: Rust Is the Industry’s ‘Best Chance’ at Safe Systems Programming. I came across a few Rust-related links this week so I decided to group them.
I also wrote up a handy cheatsheet in case you’re considering using C:
Like smoking or eating Big Macs for every meal, while it’s not illegal to use C in 2021, it should be discouraged.
Ruffle
Sad that Flash is going away? Then check out this Flash Player emulator written in Rust. Because - why not? 😂
theseus-os/Theseus
“A new OS written from scratch in Rust to experiment with novel OS structure, better state management, and how to shift OS responsibilities like resource management into the compiler.”
Capitol Reflections
Hey friend 👋 It’s a stressful time right now. I know I feel it. So I put this in its own section at the end so you can skip it if you’d like.
I generally don’t write about politics, as I’d rather not, but I think this is too momentous a point in history to not at least mention.
I’m proud of America and being an American. We’re in a tough spot, but we’ll pull through. The key is being kind to each other, embracing listening over shouting, and taking threats against democracy seriously.
A French police official responsible for public security in a key section of central Paris and two intelligence officials from NATO countries who directly work in counterterrorism and counterintelligence operations involving the US, terrorism, and Russia said the circumstantial evidence available pointed to what would be openly called a coup attempt in any other nation.
… they believed that an investigation would find that someone interfered with the deployment of additional federal law-enforcement officials on the perimeter of the Capitol complex; the official has direct knowledge of the proper procedures for security of the facility.
“The broader damage around the world will be extensive in terms of reputation, and that’s why Putin doesn’t mind at all that Trump lost. He’s got to be happy to take his chips and count his winnings, which from the Trump era will be a shockingly quick decline in American prestige and moral high ground.
“Every moment the Americans spend on their own self-inflicted chaos helps China, it helps Putin, and, to a lesser extent, it helps the mini-dictators like Erdogan and Orban, who breathe cynicism about politics, human rights, and democracy as their air,” the official said.
Here are some recent things I find especially concerning:
A number of outside groups were given a tour of the Capitol complex on January 5th (the day before), which would only have been permitted entry by a member of Congress or a staffer. Capitol tours have been prohibited since March due to COVID-19.
Looters found their way to Congressman Clyburn’s unmarked, third floor office instead of his clearly marked ceremonial office in Statuary Hall, and one of the rioters told The New York Times that a Capitol Police officer directed them to Senate Democratic Leader Chuck Schumer’s office.
Every panic button in Congresswoman Pressley’s office was torn outbefore the rioters entered the Capitol. That implies someone with access to her office had purposefully done this beforehand.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint