[tl;dr sec] #73 - JSON Woes, Career Advice, and Blub Studies

JSON libraries parse differently and that can lead to bugs, a number of career advice resources, and how to become compoundingly more effective.

Hey there,

I hope you’ve been doing well!

Presenting at BSidesSF Virtual

BSidesSF 2021 is virtual this year, and they’ve decided to restream some of their favorite talks from past years.

I’m honored to say that my “How to 10X Your Security” (slides) is one of them!

Check out the schedule, there are a bunch of great talks 😍

And if you want to flame me, er, have a civil discussion on the Internetz, I’ll be answering questions on r/BSidesSF this Sunday, March 7th at 1:40pm.

Sponsor

📢 Calling all DevSecOps nerds

Are you excited by DevSecOps, shifting left, security automation, and all things cloud? Do you want to focus on original research, helping the most ambitious organizations on the planet to turbo-charge their AppSec programmes? You already know PortSwigger from Burp Suite. Our world-class research team is now looking for someone like you.

It’s no secret that I’m a big fan of PortSwigger ☝️ Dafydd Stuttard bootstrapped the company with no external funding, they’ve built the standard web app pen testing tool, their Academy has awesome free web security training, and they churn out world-class security research, every year.

In my opinion, they really knocked it out of the park with this job description. Probably one of the best I’ve seen *chef’s kiss*. Also, I just discovered their culture doc, which is super compelling as well 😍

If you’re into cloud security and doing research, you should check this out. But not in front of your boss, I don’t want them to be mad at me.

📜 In this newsletter...

🔗 Links:

  • AppSec: How to do security team engineering embeds well, tool for testing SSO interfaces, Dependency-Check GitHub Action, resources for getting into bug bounty

  • JSON Woes: Study showing that different JSON libraries parse differently, suggestions for mitigating these risks

  • Cloud Security: Assume AWS IAM roles from GitHub Actions workflows with no stored secrets, Journey parody about AWS

  • Container Security: ATT&CK for containers

  • Blue Team: Tool for orchestrating Security Operations and providing Threat Intelligence feeds

  • Red Team: Tool for collaborative reverse engineering with multiple tools

  • Politics / Privacy: Firefox Total Cookie Protection mode, engage 🤖

  • Career Advice: Panel on getting your security dream job, mind map of cybersecurity domains, soft yes and fast quit, directions and advice on what you should do with your life

  • Twitter: Your threat model is not my threat model, hospital edition

  • In defense of blub studies: How to become compoundingly more effective

AppSec

🔥 Shifting Engineering Right: What security engineers can learn from DevSecOps
This post by Segment’s Leif Dreizler is one of the best posts I’ve read on how AppSec/ProdSec teams can integrate with engineering teams, both big picture perspective as well as tactical tips for security professionals embedding in dev teams successfully. Highly recommend.

RandoriDev/test-saml-idp
Tool by Randori’s Eric McIntyre: a simple SAML Identity Provider (IdP) for testing SSO interfaces. It can produce various malformed responses to determine whether the service exhibits unexpected behaviors.

dependency-check/Dependency-Check_Action
Run OWASP Dependency-Check as a GitHub Action, by Javier Dominguez.

nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters
A list of resources for those interested in getting started in bug bounties, by Ben Sadeghipour.

JSON Woes

An Exploration of JSON Interoperability Vulnerabilities
JSON is widely used, but due to varying specs and implementations, different languages and libraries parse JSON differently. Bishop Fox’s Jake Miller surveyed 49 JSON parsers and catalogued their quirks, and presents a variety of attack scenarios and Docker Compose labs to highlight the risks.

I like the thoroughness and methodology of this post. If you’re looking to do a nice ecosystem-level study, give this a read as a good example.

Best Practices to Mitigate JSON Interoperability Vulnerabilities
Claudio Salazar’s post walks through several of Jake’s labs and discusses how to mitigate the respective bugs. You could use JSON Schema to validate user input, but that seems to allow attributes not declared in your schema by default. Instead, Claudio recommends a data validation library like marshmallow.
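To make the mitigation concrete, here is an added example (not code from Jake Miller’s or Claudio Salazar’s posts, and not marshmallow) of a strict loader built only on Python’s standard library. It rejects the parser disagreements the study catalogues: duplicate keys (Python keeps the last one, some parsers keep the first), the non-standard NaN/Infinity constants, integers outside the range every parser agrees on, wrong types, and, unlike JSON Schema’s default, any attribute not declared in the schema. The SCHEMA dict and the sample documents are assumptions for illustration.

```python
import json
from typing import Any, Optional

# Hypothetical declared schema for a request body: field name -> expected Python type.
SCHEMA: dict = {"user_id": int, "amount": int, "currency": str}

# RFC 8259 section 6: integers within +/-(2**53 - 1) survive every parser that uses
# IEEE 754 doubles; beyond that, parsers truncate, round, or error differently.
SAFE_INT_MAX = 2**53 - 1


def _reject_duplicates(pairs: list) -> dict:
    """object_pairs_hook for json.loads: refuse to pick between duplicate keys
    instead of silently keeping the last one as Python normally does."""
    obj: dict = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key: {key!r}")
        obj[key] = value
    return obj


def _reject_constants(name: str) -> Any:
    """parse_constant hook: NaN/Infinity are not JSON, but Python accepts them."""
    raise ValueError(f"non-standard constant: {name}")


def load_strict(raw: str, schema: dict = SCHEMA) -> dict:
    """Parse raw as a JSON object and enforce the declared schema exactly.
    Undeclared attributes are rejected (the opposite of JSON Schema's
    additionalProperties default), as are wrong types and unsafe integers."""
    doc = json.loads(raw, object_pairs_hook=_reject_duplicates,
                     parse_constant=_reject_constants)
    if not isinstance(doc, dict):
        raise ValueError("top-level value must be an object")
    extra = set(doc) - set(schema)
    if extra:
        raise ValueError(f"undeclared attributes: {sorted(extra)}")
    missing = set(schema) - set(doc)
    if missing:
        raise ValueError(f"missing attributes: {sorted(missing)}")
    for key, expected in schema.items():
        value = doc[key]
        # bool is a subclass of int in Python, so `true` would otherwise pass as an int.
        if (expected is not bool and isinstance(value, bool)) or not isinstance(value, expected):
            raise ValueError(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
        if expected is int and not -SAFE_INT_MAX <= value <= SAFE_INT_MAX:
            raise ValueError(f"{key}: integer outside the interoperable range")
    return doc


def check(raw: str, schema: dict = SCHEMA) -> Optional[str]:
    """Return None when raw is accepted, otherwise the rejection reason."""
    try:
        load_strict(raw, schema)
        return None
    except ValueError as exc:  # json.JSONDecodeError is a ValueError as well
        return str(exc)


if __name__ == "__main__":
    # Constructed sample inputs: one clean, one with a duplicate key.
    for raw in ['{"user_id": 1, "amount": 100, "currency": "USD"}',
                '{"user_id": 1, "amount": 100, "amount": 1, "currency": "USD"}']:
        print(raw, "->", check(raw) or "accepted")
```

The point of `_reject_duplicates` is that the front-end proxy and the back-end service in the labs disagree about which duplicate wins; a service that refuses the document altogether cannot be split that way. The same hook approach is available in most languages’ parsers under different names.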

Cloud Security

glassechidna/actions2aws
By Aidan Steele: “Assume AWS IAM roles from GitHub Actions workflows with no stored secrets.” AWS recommends creating an IAM user with a long-lived access key and storing those credentials as GitHub secrets. This repo is a GitHub action that can grant your workflows access to AWS via an AWS IAM role session, thus you don’t need to store long-lived credentials in GitHub. The role sessions are even tagged with repo, SHA, run numbers, etc. for saner CloudTrail trawling.
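The “saner CloudTrail trawling” part is where a defender benefits most, so here is an added example (not actions2aws’s own code) of triaging CloudTrail records to separate tagged role sessions from everything else. The events are constructed for the example, and the tag keys `repo`, `sha` and `run` are assumptions; the exact keys the action sets are not shown above.

```python
import json

# Tag keys assumed for this example; check the action's README for the real ones.
EXPECTED_TAGS = ("repo", "sha", "run")

# Constructed sample CloudTrail records, trimmed to the fields used below.
RAW_EVENTS = json.dumps([
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "AssumedRole"},
     "requestParameters": {
         "roleArn": "arn:aws:iam::111122223333:role/gha-deploy",
         "roleSessionName": "gha-run-42",
         "tags": [{"key": "repo", "value": "example-org/app"},
                  {"key": "sha", "value": "0123abcd"},
                  {"key": "run", "value": "42"}]}},
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {
         "roleArn": "arn:aws:iam::111122223333:role/gha-deploy",
         "roleSessionName": "alice-cli"}},
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
])
EVENTS = json.loads(RAW_EVENTS)


def session_tags(event: dict) -> dict:
    """Flatten requestParameters.tags ([{key, value}, ...]) into a dict."""
    tags = event.get("requestParameters", {}).get("tags") or []
    return {t["key"]: t["value"] for t in tags}


def triage(events: list) -> dict:
    """Bucket events into: role sessions carrying the CI tags, role sessions
    without them, and direct API calls made with a long-lived IAM user key
    (the pattern the action is meant to retire)."""
    result = {"tagged": [], "untagged": [], "user_key": []}
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ev["eventName"] == "AssumeRole" and ev["eventSource"] == "sts.amazonaws.com":
            tags = session_tags(ev)
            name = ev["requestParameters"]["roleSessionName"]
            if all(k in tags for k in EXPECTED_TAGS):
                result["tagged"].append((name, tags["repo"], tags["sha"], tags["run"]))
            else:
                result["untagged"].append(name)
        elif ident.get("type") == "IAMUser" and "accessKeyId" in ident:
            result["user_key"].append(ident["userName"])
    return result


if __name__ == "__main__":
    for bucket, items in triage(EVENTS).items():
        print(f"{bucket}: {items}")
```

With the tags in place, the `tagged` bucket answers “which commit of which repo made this call?” directly from the trail; anything landing in `user_key` is a long-lived credential that still needs to be migrated.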

Don’t Stop Releasin’ by Billie Perry
Want to indulge your 80s nostalgia and combine it with some cloud-related snark? Well this Journey parody is the video for you 😂 Also, who knew Corey Quinn could hit those high notes?!

Container Security

Update: Help Shape ATT&CK for Containers
MITRE’s Jen Burns provides updates on ATT&CK for containers, including new entries in Execution, Privilege Escalation, Defense Evasion, Credential Access, and Discovery.

Blue Team

PatrowlHears - Vulnerability Intelligence Center
By PatrOwl: A “free and open-source solution for orchestrating Security Operations and providing Threat Intelligence feeds.” Users have access to a comprehensive and continuously updated vulnerability database scored and enriched with exploit and threat news information.

Red Team

Martyx00/CollaRE
A tool for collaborative reverse engineering that aims to let teams that need more than one tool during a project collaborate without sharing the files in a separate location. Supports Binary Ninja, Cutter (Rizin), Ghidra, Hopper Disassembler, IDA and JEB.

Politics / Privacy

Firefox 86 Introduces Total Cookie Protection
Total Cookie Protection confines cookies to the site where they were created (by maintaining a separate “cookie jar” for each website you visit), which prevents tracking companies from using these cookies to track your browsing from site to site.
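To show why a separate cookie jar per site breaks cross-site tracking, here is an added toy model (not Mozilla’s code) of an unpartitioned jar beside a partitioned one. The partitioned jar keys cookies by the pair (top-level site, cookie site), so a tracker embedded on two different sites ends up with two unrelated identifiers. The hostnames and the `site_of` helper (last two labels instead of the real Public Suffix List) are simplifications made for the example.

```python
from collections import defaultdict
from typing import Optional

TRACKER = "cdn.tracker.example"                          # constructed third-party host
VISITS = ["news.example", "shop.example", "news.example"]  # constructed browsing sequence


def site_of(host: str) -> str:
    """Toy eTLD+1: the last two labels. Real browsers consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


class CookieJar:
    def __init__(self, partitioned: bool):
        self.partitioned = partitioned
        self._jars: dict = defaultdict(dict)

    def _key(self, top_level: str, cookie_host: str) -> tuple:
        # Unpartitioned: one jar per cookie site, shared by every top-level site.
        # Partitioned: a separate jar for each (top-level site, cookie site) pair.
        partition = site_of(top_level) if self.partitioned else None
        return (partition, site_of(cookie_host))

    def set(self, top_level: str, cookie_host: str, name: str, value: str) -> None:
        self._jars[self._key(top_level, cookie_host)][name] = value

    def get(self, top_level: str, cookie_host: str, name: str) -> Optional[str]:
        return self._jars[self._key(top_level, cookie_host)].get(name)


def simulate_tracker(partitioned: bool) -> list:
    """On each page the embedded tracker reads its 'id' cookie; if absent it mints
    a fresh one. Returns the identifier the tracker saw on each visit."""
    jar = CookieJar(partitioned)
    minted, seen = 0, []
    for top_level in VISITS:
        ident = jar.get(top_level, TRACKER, "id")
        if ident is None:
            minted += 1
            ident = f"id-{minted}"
            jar.set(top_level, TRACKER, "id", ident)
        seen.append(ident)
    return seen


def first_party_still_works(partitioned: bool) -> bool:
    """A site's own cookie must stay visible across its own subdomains."""
    jar = CookieJar(partitioned)
    jar.set("news.example", "news.example", "session", "s1")
    return jar.get("www.news.example", "news.example", "session") == "s1"


if __name__ == "__main__":
    print("unpartitioned:", simulate_tracker(False))
    print("partitioned:  ", simulate_tracker(True))
```

In the unpartitioned run the tracker sees the same `id-1` on news and shop and can join the two visits; in the partitioned run it sees `id-1` on news and `id-2` on shop, while returning to news still yields `id-1`, so the site-local functionality the cookie provides is preserved.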

Career Advice

Get your security dream job
OWASP Bay Area panel with:

  • Types of jobs in security (Farshad Abasi, Chief Security Officer – Forward Security)

  • How to land security interviews (Tom Alcock, Founder – Code Red Partners)

  • How to ace a culture interview (Walta Nemariam, Senior Technical Recruiter – Netflix)

  • Interviewing for management/leadership roles (Coleen Coolidge, CISO – Segment)

  • What to do when you have a new job (John Menerick, Information Security Officer – Plastiq)

  • How to do security work in your current role (Divya Dwarakanath, Engineering Manager – Snap)

  • How to ace a technical interview (Pavan Kolachoor, Staff Security Engineer – Databricks)

The Map of Cybersecurity Domains (version 2.0)
One thing I found challenging when I was initially considering pursuing security as a career is knowing even what sort of opportunities are out there. Henry Jiang created a great mind map that gives some useful perspective.

“Hell Yes, or No” vs. “Soft Yes, and Fast Quit”
Good career advice by Phil Venables. Try a bunch of things, as you often don’t know what will be a “Hell Yes” before you do it. Then, double down on the things that are and gracefully step back from things that aren’t. Many of the connections and knowledge you gain from the things you stopped will still be valuable later.

What Should You Do with Your Life? Directions and Advice
Lots of useful links and byte-sized snippets in this great post by Alexey Guzey. H/T to my friend David Nichols for sharing. Topics include:

  • What to work on?

  • How to actually work on the problem you like?

  • Cold emails and twitter

  • Where to find funding to work on any of these problems?

Twitter

Your threat model is not my threat model, hospital edition pic.twitter.com/YHvZGCkWcs

— Nik (@hvcco) February 23, 2021

In defense of blub studies

Ben Kuhn argues that to become a better programmer, rather than learning an obscure programming language or reading a textbook on something like ML, instead go “really deep on what you already know: your main programming language, web framework, object-relational mapper, UI library, version control system, database, Unix tools, etc.”

If you spend half your programming time debugging, and being a blub expert lets you debug twice as fast, then just the speed gain from blub expertise will let you increase your output by a third.

If you know enough different blubs, you can end up at the point where you don’t even need to look things up to figure out how they’re (probably) implemented. An experienced Python programmer can guess immediately how SQLAlchemy’s “declarative” ORM works under the hood. That’s the point when your blub expertise will really start compounding—almost as soon as you start working with something new, you’ll start figuring out how it works and extracting the kernel of generally-interesting ideas.

How to get started?

First, I’ll try to go deeper than necessary. If I really want to ship something, it’s easy to give into temptation to, say, Google an error message, copy-paste a fix from Stack Overflow, and move on with my day. But it often doesn’t take that much longer to actually read the error message, understand what it means, and try to figure out why that Stack Overflow answer fixed my problem. Similarly, if I’m stuck in a tricky yak shave, I’ll bias against “guess-and-check” style debugging in favor of getting a better understanding of the system I’m trying to debug.

The second part of my blub flywheel is to pay attention to magic. Whenever I’m working with something new, I try to continuously update my best-guess mental model of how it’s implemented. If I realize I’m wrong, I’ll dig in and update. If I have no idea at all how something could work, that usually means it’s time to read a book.

Over time, by consistently exploring the guts of anything I’m working with that seems magical, I’ve built up a broad base of knowledge about how various technical systems work. This helps me in tons of different ways. It makes it easier to track down tricky bugs across many layers of the stack. I can learn new languages and libraries quickly by pattern-matching them to what I already know. It gives me better ideas for software designs, by imitating other systems I’ve seen, or by reusing ideas or tools I’ve heard of in a different context. Maybe most importantly, it gives me the confidence that, if I run into a tricky problem, I can learn enough to solve it, instead of feeling like I’m at the mercy of a system too complex to hope to understand.

So if you’re looking to learn something that will make you a better, and happier, programmer, ask yourself which parts of your most-used blub seem magical to you, and try to understand how they work.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint