- tl;dr sec
- Posts
- [tl;dr sec] #70 - Scaling Threat Modeling, Dependency Confusion, Automating Open Source Vulnerabilit
[tl;dr sec] #70 - Scaling Threat Modeling, Dependency Confusion, Automating Open Source Vulnerabilit
[tl;dr sec] #70 - Scaling Threat Modeling, Dependency Confusion
tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.
(You can also read this issue on our blog
)
Hey there,
I hope you’re doing well, and that you had a great Superb Owl last weekend.
Learning to Draw in Procreate
Speaking of owls, recently I drew this:
It's amazing what an existing outline and idiot proof step-by-step guide can do
Drawing has been something I’ve historically found pretty frustrating (I mostly peaked with stick figures in grade school), but recently I’ve been following some Procreate tutorials on my iPad, and it’s been fun.
If you’re similarly artistically challenged, I’d recommend the Youtube channel “Art with Flo.” She has a nice “You Can Draw This” series that I’ve found almost impossible to screw up, like this sunset landscape.
Semgrep App: Now with Fix Rate, Auto-Setup, and More
My patron day job, r2c, is releasing a baker’s dozen of new features today. Here’s a few:
Fix rate: Are developers actually fixing the bugs you’re finding? If not, easily disable or tweak rules to make them higher signal.
Auto project setup: Semgrep App can now auto create PRs that will set up Semgrep scanning on all of your repos in minutes.
New languages: In the last few months, community members have contributed alpha support for 4 languages: C#, Rust, Lua, and R. They’re not quite production ready, but it’s pretty cool to see this level of community involvement.
Learn more about Semgrep here.
There are never enough talented security professionals for the challenges we face as an industry, and to build secure and abuse-resistant products, we need a broad variety of perspectives. Further, it’s hard to get into a field if you’re on the outside, especially when you don’t see many people like you in it.
Which is why I think events like #ShareTheMicInCyber are great.
On March 19th they’re going to be celebrating the stories of successful African American security practitioners. Check it out!
Sponsor
📢 Protect Access to Your SaaS Data with AppOmni
SaaS applications have evolved into complex platforms that provide access not only to internal users, but also to external users, 3rd party apps, contractors, and managed service providers. In short, there are now more categories of users, and more data access points for attackers to exploit. Over 95% of enterprises we’ve analyzed have over-provisioned external users with access to sensitive data. See who has access to your business-critical data with AppOmni’s free risk assessment.
📜 In this newsletter...
🔗 Links:
AppSec: Automating ASVS level 1 with ZAP, Kubernetes-based CTF platform, exploiting Java deserialization in 2021, automating vulnerability triage for open source
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies: Typosquat company internal package names ➡️ profit
Web Security: Electron browser for finding XSS in the background
Cloud Security: Automatically compile an AWS SCP that only allows services in line with your compliance needs, autogenerate IAM policy from AWS client-side monitoring, how to do authn/authz on Lambdas
Container Security: A practical guide to writing secure Dockerfiles
Politics / Privacy: Fingerprint website visitors via favicons, AI can now learn to manipulate human behavior
Twitter: @litcapital for dank finance memes
🔥 Appsec Development: Keeping it all together at scale
A detailed walkthrough of how Jacob Salassi scaled threat modeling at Snowflake, including all the mistakes and lessons learned along the way.
AppSec
OWASP ASVS 4.0 Testing GuideAn unofficial guide by BlazingWindSec that describes how to automatically test level 1 controls for much of the ASVS standard using tools like OWASP ZAP and testssl.sh.
kCTF: a Kubernetes-based infrastructure for CTF competitionsOpen source project by Google. Each challenge gets its own node, flags stored as k8s secrets. H/T Ishaq Mohammed for the link.
Testing and exploiting Java Deserialization in 2021Great overview by Lukasz Mikula of what deserialization is, its root cause, auditing source code for deserialization vulnerabilities, testing with Ysoserial and discussion of its payloads, and troubleshooting exploitation attempts that aren’t quite working.
Launching OSV - Better vulnerability triage for open sourceIt can often be a pain to map a CVE to the vulnerable package versions, both as a user to determine if you’re affected, as well as for the overworked package maintainer to determine all affected versions and commits. This promising project by Google aims to reduce this burden by attempting to automatically determine affected package versions by, given a reproduction test case + how to build the app, bisects to find the impacted commit ranges and version/tags.
Currently the data is mostly C/C++ data from OSS-Fuzz, but they’re working to extend it with data from language ecosystems like NPM and PyPI. They’re also providing an API (here) you can query.
Alex Birsan used OSINT (crawling public JavaScript on websites, searching GitHub and major package hosting services) to find leaked names of internal company packages. He then typosquatted those names on NPM, Rubygems, or PyPi with a payload that beaconed back the username, hostname, and current path of each unique installation via DNS so the connection could get out from corporate networks.
These backdoored dependencies were ran inside more than 35 organizations to date across all three tested programming languages, earning Alex a $30K bounty each from Shopify, Apple, and PayPal, and $40K from Azure. Netflix, Yelp, and Uber were also affected.
Fun fact: several package managers, when specifying an internal index (e.g. pip install <library> --extra-index-url ...) look to see if library exists on the specified internal package index as well as the public one, and if so, installs whichever has a higher version. That is, an attacker’s typosquatted package just needs to use a high version number and it will be selected. Package managers, y u do dis 😅😅?!?!
Web Security
RenwaX23/XSSTRONBy @RenwaX23: An Electron browser that will automatically check for reflected, stored, and DOM-based XSS vulnerabilities in the background as you browse. Supports GET and POST requests.
Cloud Security
salesforce/aws-allowlisterBy Kinnaird McQuade and Jason Dyke: “Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.” Currently supports: PCI, SOC 1/2/3, ISO/IEC, HIPAA BAA, and FedRAMP Moderate and High.
iann0036/iamliveTool by Ian Mckay that can automatically generate a basic IAM policy from AWS client-side monitoring (CSM).
How to Use AWS Services to Secure your Endpoints Without Provisioning InfrastructureGreat post by ScaleSec’s Anthony DiMarco on how to choose a technology for exposing your Lambdas, how to get free TLS certs from AWS, and how to separate authentication and authorization logic from your business logic with custom authorizers. For the latter, the post discusses Cognito User Pools, IAM-based authorization, Lambda Authorizers, and OpenID Connect / OAuth 2.
Container Security
A Practical Guide to Writing Secure DockerfilesSlides by Madhu Akula that reference many great resources and tools, including:
The Docker docs on Dockerfile best practices
Building images with BuildKit
Securely passing in secrets
hadolint for linting Dockerfiles for best practices
dockle: a container image linter for security
DockerSlim for minifying a Docker image and autogenerating Seccomp and AppArmor profiles
dive for exploring a Docker image and layer contents
conftest, docker-security-checker, and more
Politics / Privacy
jonasstrehle/supercookieProject by Jonas Strehle that uses favicons to fingerprint website visitors.
conventional cookies
supercookie
Identification accuracy
-
100%
Incognito / Private mode detection
❌
✅
Persistent after flushed website cache and cookies
❌
✅
Identify multiple windows
❌
✅
Working with Anti-Tracking SW
❌
✅
A team of researchers at CSIRO’s Data61, the data and digital arm of Australia’s national science agency, devised a systematic method of finding and exploiting vulnerabilities in the ways people make choices, using a kind of AI system called a recurrent neural network and deep reinforcement-learning.
…in one game the AI was out to maximise how much money it ended up with, and in the other the AI aimed for a fair distribution of money between itself and the human investor. The AI was highly successful in each mode.
The research has an enormous range of possible applications, from enhancing behavioural sciences and public policy to improve social welfare, to understanding and influencing how people adopt healthy eating habits or renewable energy. AI and machine learning could be used to recognise people’s vulnerabilities in certain situations and help them to steer away from poor choices.
The method can also be used to defend against influence attacks. Machines could be taught to alert us when we are being influenced online, for example, and help us shape a behaviour to disguise our vulnerability (for example, by not clicking on some pages, or clicking on others to lay a false trail).
There’s no way this research could play out poorly 😅😅
I stumbled across the handle @litcapital, which has some on point finance memes.
Out of 100s of AppSec articles I’ve read over the past few years, this is easily in my top 3 for threat modeling.
My bud Jacob Salassi and I wrote about his journey scaling threat modeling in a hypergrowth start-up: Snowflake.
Tons of detailed, actionable insights and a few spot-on Arrested Development memes.
If you’re lazy (or want to help promote the post), I wrote a short Twitter thread of the key points here.
Thanks for reading!Cheers,Clint@clintgibler