
[tl;dr sec] #7 - AppSec Cali 2019 DevSecOps Panel Summary

Notes from an AppSec Cali 2019 panel, AWS security tools, fuzzing with grammars and Gitlab, and Google P0's iOS exploit chain discovery.

Hey there,

I hope you've been doing well and enjoyed the long weekend!

I used it to work on this blog post and continue moving to a new apartment. Some people think I take the latter half of "work hard, play hard" too seriously. What can I say, no one's perfect.

⭐️ New Summary

I'm excited for an upcoming panel I'm on at DevSecCon Seattle (come say "hi" if you're around!), so I decided to revisit this panel from AppSec Cali 2019.

I've spent hundreds of hours reviewing blog posts, books, and con talks about scaling security/DevSecOps, and I can honestly say this is one of the single best resources I know of. It's like years of insights condensed into 50min.

If you're interested in modern AppSec best practices and DevSecOps, I highly encourage you to read the summary.

Fortinet potentially accidentally shipped a release with a backdoor-- "Lol sorry, that was meant for just one customer."

A thorough blog post by Soroush Dalili on getting code execution or stored XSS when uploading a web.config file.

toniblyx/my-arsenal-of-aws-security-tools is probably the longest list of AWS tools (offensive, defensive, auditing, DFIR, S3 bucket auditing, training, and more) I've ever seen.

Grammarinator is a fuzzer that creates test cases based on a provided ANTLR v4 grammar. It has found almost 200 issues so far, according to its trophy page.

An article on how to integrate AFL fuzzing into your CI/CD pipeline using Gitlab. Gitlab is apparently planning to add fuzzing capabilities to the DAST offerings of Gitlab Enterprise, and here's the list of fuzzers they're considering. Very early stages at this point, but neat that it's on their radar.

I enjoyed Marco Rogers’ thoughts on being an effective manager in tech without burning out.

Google Project Zero uncovered several iOS exploit chains being served to every visitor of a handful of sites (with thousands of visitors/week) that were live for ~2 years. This is interesting because in pretty much every prior case I know of, exploit chains of this quality have been highly targeted.

  • 5 iOS exploit chains using 14 unique vulns, providing functionality including stealing private messages (iMessage, Telegram, etc.), photos, and real-time GPS location data.

  • The malware didn't persist - rebooting would remove it.

Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you’re being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group. All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly.

I hope to guide the general discussion around exploitation away from a focus on the million dollar dissident and towards discussion of the marginal cost for monitoring the n+1’th potential future dissident. I shan’t get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million. I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

Also, if there's anyone you think who would find this newsletter interesting or useful, I'd really appreciate if you'd forward it to them. 🙏

Thanks for reading!