[tl;dr sec] #67 - Infra as Code, Cloud Auto-remediation, C.R.E.A.M

tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.

(You can also read this issue on our blog

here

)

Hey there,

I hope you’ve been doing well!

  RIP Adobe Flash 

I saw this in Tanya Janca’s newsletter and it made me laugh. H/T @Raybeorn for originally sharing.

  2021 Sponsorships Available! 

Shameless plug: I have a number of open slots for sponsors!

If you want to get your job ad or product in front of thousands of security professionals, ranging from ICs to team and org leads, CISOs, VCs, and more at companies ranging from small start-ups to FAANG-sized, you can respond directly to this email 👋

Each issue is sponsored exclusively by one company, and I do ~49 per year, so supplies are limited.

Call in the next 30 minutes and I’ll throw in a set of steak knives* and maybe write you a haiku**.

* Subject to tl;dr sec merch store availability** Infinite supply

Sponsor

  📢 How many third party applications are connected to your SaaS environment? 

AppOmni’s data reveals that enterprises have an average of 42 third party applications connecting to their SaaS environments. Of these applications, 22 haven’t been used for over six months but still have access to sensitive SaaS data. The nature of these connections makes them difficult for IT and security teams to manage and secure. Some are added by end users without security teams ever knowing. AppOmni’s CEO, Brendan O’Connor, details how third party applications can compromise otherwise secure SaaS environments and how security teams can best manage this risk.

📜 In this newsletter...

🔗 Links:

• Web Security: Swiss Army knife proxy tool

• Cloud Security: Compliance-as-code and auto-remediation with Lambdas + Cloud Custodian, Scott Piper on Last Week in AWS

• Infrastructure as Code: Effectively rolling out IaC scanning, musings on threat modeling via IaC, purposefully vulnerable Terraform infrastructure

• Container Security: Exploring rootless Docker

• Blue Team: NSA recommendations on how enterprises can securely adopted encrypted DNS (DoH)

• Red Team: macOS post-exploitation via VSCode extensions

• Misc: Daniel Miessler on life purpose and maximizing appreciation of life, book on risk communication for security leaders, Pirate Bay founder throws some shade

• Quote: Inspiring but height-ist thoughts on hiring

• Cash Rules Everything Around Me: It's hard to speak truth to power when there are large economic consequences

Web Security

projectdiscovery/proxifySwiss Army knife proxy tool for HTTP/HTTPS traffic capture, manipulation, and replay on the go. Supports multiple operations such as request/response dump, filtering and manipulation via DSL language, and upstream HTTP/Socks5 proxy. Includes a replay utility allowing importing into Burp or any other proxy by simply setting the upstream proxy to proxify.

  Cloud Security 

Compliance-as-code and auto-remediation with Cloud CustodianAWS blog post about using Cloud Custodian + Lambdas to enforce compliance-as-code and auto-remediation. Cloud Custodian is an open source, stateless rules engine that offers policy-level execution against multiple kinds of event streams, including CloudWatch Events, CloudTrail events, and more. 

Best Practices for AWS Security - Part 1 with Scott PiperScott Piper joins Corey Quinn on Last Week in AWS to discuss flaws.cloud, the fwd:cloudsec conference, what Scott thinks AWS does and doesn’t do well, and what Scott believes is the best security boundary on AWS. 

Infrastructure as Code

Building an IaC security and governance program step-by-stepBridgecrew’s Guy Eisenkot gives a nice overview of how to roll out an infrastructure as code scanning platform, including various trade-offs: leveraging your existing CI/CD pipeline or code hosting platform, annotating PRs with comments vs blocking the build, setting expectations and SLAs with dev teams, and leveraging approval rules and CODEOWNERS files.

Shifting Threat Modeling Left: Automated Threat Modeling Using TerraformIn this HashiConf Digital 2020 talk, Accurics co-founder Om Moolchandani describes how one can (in theory) extract information like resource (mis)configurations, resource relationships, network relationships, identity access and privilege relationships, trust boundaries, exposure, and more from Terraform code. He then demo’d using their open source tool terrascan.

I think building a model of an environment via analyzing infrastructure as code files (Terraform, CloudFormation, etc.) is a very promising and currently underutilized idea. While this talk references the idea of doing that, based on my read, it does not appear terrascan is currently leaning into this, but is rather scanning for a set of known misconfigurations (like most other existing tools).

accurics/KaiMonkey

Purposefully vulnerable Terraform infrastructure by 

.

Container Security

Exploring Rootless DockerRootless containers have left experimental status in Docker 20.10. Rory McCune describes peaking a bit under the hood to see what’s going on and how it compares to standard Docker re: user namespaces, capabilities, AppArmor, seccomp, and trying to break out.

  Blue Team 

NSA Recommends How Enterprises Can Securely Adopt Encrypted DNSThe NSA published a document explaining the benefits and risks of adopting the encrypted domain name system (DNS) protocol, DNS over HTTPs (DoH), in enterprise environments. Here’s a diagram from the 7 page PDF:

  Red Team 

macOS Post-Exploitation Shenanigans with VSCode ExtensionsMDSec’s Dominic Chell describes the process of creating a malicious VSCode extension on macOS that can be useful post-exploitation. In short: create a repo template with Yeoman, run JXA through osascript, then use Mythic or another C2 for persistence if you want.

  Misc 

Maximizing Appreciation of LifeOne thing I admire about my bud Daniel Miessler is how reflective he is. He’s played an influential role in helping me mentally flesh out what I want tl;dr sec to be, and how I want to navigate my career and life (“If everything were to go perfectly, where would you want to be in 10 years?”). Here’s Daniel’s life purpose 👇 I’m still working on mine. Do you know what yours is?

Responding to Community Outrage: Strategies for Effective Risk CommunicationRecommended by Devdatta Akhawe: “One of my favorite books about risk communication for security leaders is actually written in the context of public health/safety.” 

Pirate Bay Founder Thinks Parler’s Inability to Stay Online Is ‘Embarrassing’

Quote

  Cash Rules Everything Around Me 

An Oscar Winner Made a Khashoggi Documentary. Streaming Services Didn’t Want It.It is fundamentally hard (and unlikely) for global companies to step on any nation state toes that could lead to massive revenue loss.

That’s why, for example, Apple removed the Taiwan flag emoji for Chinese iPhones and all mainland China iCloud users have their data stored by a firm started by the Chinese government (#lolprivacy).

But when Fogel reached out to Netflix and many other streaming services, he didn’t hear back.

Also:

The point here is not to wag a finger at one particular company, but rather to point out that with strong economic incentives, you don’t need to be able to “force” someone (person, company, nation) to do something, they’ll do what’s in their best interests.

This has strong implications for:

• The movies and TV shows we see (and don’t see).

  • China is a massive market, don’t expect big media players to produce critical pieces.

• Social media communication paradigms and algorithms.

  • More engagement ➡️ more money (and more polarization / rapid spread of fake news).

• And much more.

I don’t have any answers here. This is hard 🤷

And on that positive note, have a great weekend!

Thanks for reading!

Cheers,

Clint