[tl;dr sec] #71 - Securing CI/CD, Electron Security, Growing Your Userbase by Ignoring 'Virality'
Tips and best practices for securing your CI/CD pipeline, Electron tooling and dangerous APIs, what to focus on instead of virality to grow your userbase.
Hey there,
I hope you’re doing well, and that you got to spend some quality time with loved ones this past weekend.
The tl;dr sec branded chocolates, flower arrangements, and Valentine’s Day cards didn’t come in on time for the merch store, but hopefully next year.
Sponsor’d
Thank you so much to everyone who reached out about sponsoring tl;dr sec! I’m floored by how many people want to support these efforts 🙏
tl;dr sec is mostly sold out through the rest of the year! And it’s only *checks steam punk pocket watch* February. Phew.
Pro-tip: if you want to ensure that you continue doing something, have someone else put money down on the fact that you will. It’s a much stronger enforcement mechanism than willpower 😅
Sponsor
📢 ⚡ Register Now for ZAPCon
The first-ever user conference for OWASP ZAP is taking place March 9th! This virtual event will dig into using ZAP at scale and application security best practices. Your free ticket will let you watch sessions, chat with speakers, and connect with other ZAP users. If you are interested in AppSec and how you can use the world's most widely used web app scanner, you won't want to miss ZAPCon!
📜 In this newsletter...
🔗 Links:
AppSec: Defending against dependency confusion, tool to grok new code bases more easily
Securing CI/CD: NCSC on protecting software build pipelines, building a secure pipeline for Infra as Code
Electron Security: GitHub action for scanning Electron apps, Electron APIs that can be abused for high impact
Web Security: Burp extension to easily "send to" CLI tools, CLI tool to generate temporary email addresses and read OTPs and other info from them, ffuf primer
Cloud Security: Tool to get your assets from cloud providers, Scott Piper's up for grabs security project ideas, visual editor for learning how to create Network Policies for Kubernetes
Misc: Tool for tracing IPC on Linux, illustrated guide to bitcoin mining and the blockchain, Slate Star Codex returns, new Bruce Lee-inspired TV show, Daniel Miessler entrepreneurial thoughts
How we put Facebook on the path to 1 billion users: By ignoring "virality"
AppSec
visma-prodsec/confused
Last week I mentioned some work by Alex Birsan who successfully typosquatted internal package names for a number of companies. This tool by Joona Hoikkala aims to combat this attack by checking for lingering free namespaces for private package names referenced in dependency configuration for Python (PyPI, requirements.txt), JavaScript (NPM, package.json), or PHP (Composer, composer.json).
Flávio Heleno shared with me this article describing what Composer does to prevent dependency confusion. They seem to have thought through this threat scenario well and even allow you to place an exclude filter on third-party package repositories banning packages that do not start with the your-org/ prefix.
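To make the check concrete, here is an added example of the kind of test confused performs; it is not code from the newsletter or from the confused tool. It parses package names out of requirements.txt, package.json and composer.json, keeps the ones that follow an assumed private naming convention (an "acme" prefix), and reports which of those are still unclaimed on the public registry. The dependency files and the public registry contents are constructed stand-ins so the example runs offline; the real tool queries PyPI, NPM and Packagist over the network.

```python
"""
Added example (not code from tl;dr sec or from visma-prodsec/confused):
a minimal dependency-confusion check in the spirit of the confused tool.
It pulls package names out of requirements.txt, package.json and
composer.json contents, picks out the ones that follow a private-package
naming convention, and reports which of those are still unclaimed on the
public registry. The registry is an in-memory stand-in so this runs offline.
"""
import json
import re

# Constructed sample dependency files (not from any real project).
REQUIREMENTS_TXT = """\
requests==2.25.1
# internal helper library, published only on our private index
acme-internal-utils>=1.4
Django>=3.1,<4 ; python_version >= "3.6"
-e git+https://example.invalid/devtools.git#egg=acme-devtools
"""

PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "^4.17.1", "@acme/ui-kit": "2.0.0"},
    "devDependencies": {"jest": "^26.6.3", "acme-build-scripts": "1.2.3"},
})

COMPOSER_JSON = json.dumps({
    "require": {"php": ">=7.4", "monolog/monolog": "^2.0", "acme/billing": "^3.1"},
    "require-dev": {"phpunit/phpunit": "^9.5"},
})

# Constructed stand-in for what the public registries host right now.
# A private-looking name that is absent here is a namespace anyone could
# still register; one that is present is either legitimately public or
# already claimed by someone else, which needs a human to look at.
PUBLIC_REGISTRY = {
    "pypi": {"requests", "django"},
    "npm": {"express", "jest", "acme-build-scripts"},  # hypothetical collision
    "composer": {"monolog/monolog", "phpunit/phpunit"},
}

# Assumed naming convention for the organisation's private packages.
PRIVATE_PREFIXES = ("acme-", "@acme/", "acme/")


def normalize_pypi(name):
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Package names from a requirements.txt body, in file order.
    Handles version specifiers, environment markers, comments and '-e ...#egg=' lines."""
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("-e ", "--editable ")):
            egg = re.search(r"#egg=([A-Za-z0-9_.\-]+)", line)
            if egg:
                names.append(normalize_pypi(egg.group(1)))
            continue
        if line.startswith("-"):
            continue  # other pip options (-r, --index-url, ...) name no package
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9_.\-]*", line)
        if match:
            names.append(normalize_pypi(match.group(0)))
    return names


def parse_package_json(text):
    """Dependency names from package.json (runtime and dev sections)."""
    data = json.loads(text)
    names = []
    for section in ("dependencies", "devDependencies"):
        names.extend(data.get(section, {}))
    return names


def parse_composer_json(text):
    """Dependency names from composer.json, skipping platform packages
    such as 'php' or 'ext-json', which have no vendor/ part."""
    data = json.loads(text)
    names = []
    for section in ("require", "require-dev"):
        names.extend(n for n in data.get(section, {}) if "/" in n)
    return names


def classify(names, ecosystem, registry=PUBLIC_REGISTRY):
    """Split private-looking names into those unclaimed on the public
    registry and those that collide with an existing public package."""
    public = registry[ecosystem]
    private = {n for n in names if n.startswith(PRIVATE_PREFIXES)}
    return {
        "unclaimed": sorted(private - public),
        "collisions": sorted(private & public),
    }


def audit(registry=PUBLIC_REGISTRY):
    """Run the check over the three constructed dependency files."""
    return {
        "pypi": classify(parse_requirements(REQUIREMENTS_TXT), "pypi", registry),
        "npm": classify(parse_package_json(PACKAGE_JSON), "npm", registry),
        "composer": classify(parse_composer_json(COMPOSER_JSON), "composer", registry),
    }


if __name__ == "__main__":
    for ecosystem, result in audit().items():
        print(ecosystem, result)
```

The "unclaimed" list is the finding confused reports: a name your build resolves from a private index that nobody has yet registered publicly. The "collisions" list is the other outcome worth a look, since a public package with the same name may already be winning the resolution race. Scoped npm names are treated like any other here; in practice what matters for those is who owns the scope on npm.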
CoatiSoftware/Sourcetrail
By Sourcetrail: A free and open-source cross-platform source explorer that helps you get productive on unfamiliar source code. It does lightweight static analysis on C, C++, Java, and Python source code to extract class and method definitions, member fields, class hierarchies, and more.
Securing CI/CD
Defending software build pipelines from malicious attack
Recommendations by the NCSC, covering topics including:
Protect builds from each other - run them in containers/VMs instead of sharing an OS kernel, use network isolation, and prevent jobs from accessing each other’s build artifacts.
Establish a chain of custody - ensure security checks are performed consistently and that the build isn’t modified afterwards (TLS everywhere, source code checksums).
Consider a managed service for your build pipelines.
Pipelines need to be defended against attack at least as effectively as the environments they deploy to.
Building a secure CI/CD pipeline for Terraform Infrastructure as Code
Great blog post by OVO’s Chongyang Shi evaluating how to securely deliver infrastructure changes in CI/CD pipelines. He highlights current limitations of popular platforms, discusses what they’d like in an ideal solution, and finally presents the architecture they’ve decided on that meets those requirements. Great discussion of the team’s reasoning and thought process 👍
Figures from the post (captions only): network security challenges; malicious jobs can steal secrets, bypassing two-person requirements; the end architecture OVO settled on.
Electron Security
Electronegativity GitHub Action
Use this GitHub Action to easily run Electronegativity, Doyensec’s tool for identifying misconfigurations and security anti-patterns in Electron applications, in GitHub CI/CD. The Action produces a GitHub-compatible SARIF file for uploading to the repository’s ‘Code scanning alerts’.
Electron APIs Misuse: An Attacker’s First Choice
Doyensec’s Luca Carettoni and Lorenzo Stella discuss a list of APIs they’ve successfully abused during past engagements for high impact, like RCE.
Web Security
bytebutcher/burp-send-to
By @bytebutcher: Burp extension that adds a customizable “Send to…” context menu, enabling you to easily pass input to arbitrary CLI tools, like sqlmap, gobuster, etc. Here’s a blog post about it by @ƒyoorer.
s0md3v/ote
A CLI tool by Somdev Sangwan that generates a temporary email address and automatically extracts OTPs or confirmation links from incoming mail, using 1secmail.com’s API to create the temporary addresses.
A ffuf Primer
Nice overview and walkthrough by Daniel Miessler of the Golang CLI web fuzzing tool ffuf.
Cloud Security
projectdiscovery/cloudlist
By @projectdiscovery: “a multi-cloud tool for getting Assets (Hostnames, IP Addresses) from Cloud Providers.” Can be used by blue teams to augment Attack Surface Management efforts by maintaining a centralized list of assets across multiple clouds with little configuration effort.
AWS security project ideas
Scott Piper has decided to shut down his consulting business and join Aurora, a self driving car company. This blog post lists some neat AWS security projects that would push the industry forward. If you’re looking for somewhere to get started, check it out!
Cilium Editor
By Cilium: A visual editor for learning how to create Network Policies for Kubernetes. The tutorial “explains basic network policy concepts and guides you through the steps needed to achieve the desired least-privilege security and zero-trust concepts.”
Misc
guardicore/IPCDump
By Guardicore: A tool for tracing interprocess communication (IPC) on Linux. Useful for debugging multi-process applications or understanding how the different moving parts in your system communicate with one another. It covers most of the common IPC mechanisms – pipes, fifos, signals, unix sockets, loopback-based networking, and pseudoterminals. Collects info from BPF hooks placed on kprobes and tracepoints at key functions in the kernel, though it also fills in some bookkeeping from /proc.
An illustrated guide to bitcoin mining and the blockchain
Nice entry-level overview by The Hustle’s Zachary Crockett, told through a gold mining metaphor.
Still Alive - Astral Codex Ten
The author of Slate Star Codex reflecting on closing down his blog, and now starting things again. Funny, insightful, and reflective.
Warrior on HBO Max is a pulpy, Bruce Lee-inspired joy
Bruce Lee’s daughter, Shannon, found an 8-page manuscript her father had written that has now been made into a two-season show on HBO Max. 1870s San Francisco Chinatown, rival gangs, Western-esque, excellent martial arts sequences. I haven’t watched it yet but it sounds great.
Tech entrepreneurship thoughts from Daniel Miessler’s newsletter:
Ask yourself: “What are the awesome technologies that are hard for companies to take advantage of?”, and, “What company can I start to make that easy for them?”
H/T Pablo Estrada for the link.
I teased out virality and said: You cannot do it. Don’t talk about it, don’t touch it, I don’t want you to give me any product plans that revolve around this idea of virality — I don’t want to hear it.
What I want to hear about are the three most difficult and hard problems that any product has to deal with:
1. How do you get people in the front door?
2. How do you get them to an a-ha moment as quickly as possible?
3. And how do you deliver core product value as often as possible?
After all of that is said and done, only then can you propose to me about how you are going to get people to get more people.
And that single decision about not even allowing the conversation to revolve around virality was the most important thing that we did.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint