[tl;dr sec] #73 - JSON Woes, Career Advice, and Blub Studies
JSON libraries parse differently and that can lead to bugs, a number of career advice resources, and how to become compoundingly more effective.
I hope you’ve been doing well!
Presenting at BSidesSF Virtual
BSidesSF 2021 is virtual this year, and they’ve decided to restream some of their favorite talks from past years.
I’m honored to say that my “How to 10X Your Security” (slides) is one of them!
Check out the schedule, there are a bunch of great talks 😍
And if you want to flame me have a civil discussion on the Internetz, I’ll be answering questions on r/BSidesSF this Sunday, March 7th at 1:40pm.
📢 Calling all DevSecOps nerds
Are you excited by DevSecOps, shifting left, security automation, and all things cloud? Do you want to focus on original research, helping the most ambitious organizations on the planet to turbo-charge their AppSec programmes? You already know PortSwigger from Burp Suite. Our world-class research team is now looking for someone like you.
It’s no secret that I’m a big fan of Portswigger☝️ Dafydd Stuttard bootstrapped the company with no external funding, they’ve built the standard web app pen testing tool, their Academy has awesome free web security training, and they churn out world-class security research, every year.
In my opinion, they really knocked it out of the park with this job description. Probably one of the best I’ve seen *chef’s kiss*. Also, I just discovered their culture doc, which is super compelling as well 😍
If you’re into cloud security and doing research, you should check this out. But not in front of your boss, I don’t want them to be mad at me.
📜 In this newsletter...
AppSec: How to do security team engineering embeds well, tool for testing SSO interfaces, Dependency-Check GitHub Action, resources for getting into bug bounty
JSON Woes: Study showing that different JSON libraries parse differently, suggestions for mitigating these risks
Cloud Security: Assume AWS IAM roles from GitHub Actions workflows with no stored secrets, Journey parody about AWS
Container Security: ATT&CK for containers
Blue Team: Tool for orchestrating Security Operations and providing Threat Intelligence feeds
Red Team: Tool for collaborative reverse engineering with multiple tools
Politics / Privacy: Firefox Total Cookie Protection mode, engage 🤖
Career Advice: Panel on getting your security dream job, mind map of cybersecurity domains, soft yes and fast quit, directions and advice on what you should do with your life
Twitter: Your threat model is not my threat model, hospital edition
In defense of blub studies: How to become compoundingly more effective
🔥 Shifting Engineering Right: What security engineers can learn from DevSecOps
This post by Segment’s Leif Dreizler is one of the best posts I’ve read on how AppSec/ProdSec teams can integrate with engineering teams, both big picture perspective as well as tactical tips for security professionals embedding in dev teams successfully. Highly recommend.
Tool by Randori’s Eric McIntyre: a simple SAML Identity Provider (IdP) for testing SSO interfaces. It can produce various malformed responses to determine if the service exhibits unexpected behaviors.
A list of resources for those interested in getting started in bug bounties, by Ben Sadeghipour.
An Exploration of JSON Interoperability Vulnerabilities
JSON is widely used, but due to varying specs and implementations, different languages and libraries parse JSON differently. Bishop Fox’s Jake Miller surveyed 49 JSON parsers and catalogued their quirks, and presents a variety of attack scenarios and Docker Compose labs to highlight the risks.
I like the thoroughness and methodology of this post. If you’re looking to do a nice ecosystem-level study, give this a read as a good example.
Best Practices to Mitigate JSON Interoperability Vulnerabilities
Claudio Salazar’s post walks through several of Jake’s labs and discusses how to mitigate the respective bugs. You could use JSON Schema to validate user input, but that seems to allow attributes not declared in your schema by default. Instead, Claudio recommends a data validation library like marshmallow.
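A stdlib-only illustration of the two points above (an added example, not code from either post; the order fields and sample documents are constructed): Python's json.loads silently keeps the last of two duplicate keys, so the strict parser below fails closed on duplicates and then rejects any attribute not in a declared allowlist, which is the behavior a schema validator only gives you once undeclared attributes are forbidden.

```python
import json
from typing import Any

# Constructed sample documents: one with a duplicate "qty" key and one with
# an attribute the order schema never declared.
DUP_ORDER = '{"item": "widget", "qty": 1, "qty": 100}'
EXTRA_ORDER = '{"item": "widget", "qty": 1, "is_admin": true}'
GOOD_ORDER = '{"item": "widget", "qty": 1}'

# Hypothetical allowlist of declared attributes and their exact types.
ORDER_FIELDS = {"item": str, "qty": int}

def lenient_loads(text: str) -> Any:
    """Default behaviour: json.loads keeps the last duplicate key, no error."""
    return json.loads(text)

def _reject_duplicates(pairs: list) -> dict:
    """object_pairs_hook that fails closed instead of picking first or last."""
    obj: dict = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj

def strict_loads(text: str) -> Any:
    """Parse JSON, refusing documents where two parsers could disagree on a key."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)

def parse_order(text: str) -> dict:
    """Strict parse plus allowlist validation; raises ValueError on any deviation."""
    doc = strict_loads(text)
    if not isinstance(doc, dict):
        raise ValueError("order must be a JSON object")
    extra = set(doc) - set(ORDER_FIELDS)
    if extra:
        raise ValueError(f"undeclared attributes: {sorted(extra)}")
    for name, expected in ORDER_FIELDS.items():
        # type() rather than isinstance(): bool is a subclass of int in Python
        if type(doc.get(name)) is not expected:
            raise ValueError(f"{name} must be {expected.__name__}")
    return doc

if __name__ == "__main__":
    print(lenient_loads(DUP_ORDER))  # {'item': 'widget', 'qty': 100}
    for sample in (DUP_ORDER, EXTRA_ORDER, GOOD_ORDER):
        try:
            print("accepted", parse_order(sample))
        except ValueError as err:
            print("rejected", err)
```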
By Aidan Steele: “Assume AWS IAM roles from GitHub Actions workflows with no stored secrets.” AWS recommends creating an IAM user with a long-lived access key and storing those credentials as GitHub secrets. This repo is a GitHub action that can grant your workflows access to AWS via an AWS IAM role session, thus you don’t need to store long-lived credentials in GitHub. The role sessions are even tagged with repo, SHA, run numbers, etc. for saner CloudTrail trawling.
Don’t Stop Releasin’ by Billie Perry
Want to indulge your 80s nostalgia and combine it with some cloud-related snark? Well this Journey parody is the video for you 😂 Also, who knew Corey Quinn could hit those high notes?!
Update: Help Shape ATT&CK for Containers
MITRE’s Jen Burns provides updates on ATT&CK for containers, including new entries in Execution, Privilege Escalation, Defense Evasion, Credential Access, and Discovery.
PatrowlHears - Vulnerability Intelligence Center
By PatrOwl: “free and open-source solutions for orchestrating Security Operations and providing Threat Intelligence feeds.” Users have access to a comprehensive and continuously updated vulnerability database, scored and enriched with exploit and threat news information.
A tool for collaborative reverse engineering that aims to let teams that need to use more than one tool during a project collaborate without having to share files in separate locations. Supports Binary Ninja, Cutter (Rizin), Ghidra, Hopper Disassembler, IDA and JEB.
Politics / Privacy
Firefox 86 Introduces Total Cookie Protection
Total Cookie Protection confines cookies to the site where they were created (by maintaining a separate “cookie jar” for each website you visit), which prevents tracking companies from using these cookies to track your browsing from site to site.
Get your security dream job
OWASP Bay Area panel with:
Types of jobs in security (Farshad Abasi, Chief Security Officer – Forward Security)
How to land security interviews (Tom Alcock, Founder – Code Red Partners)
How to ace a culture interview (Walta Nemariam, Senior Technical Recruiter – Netflix)
Interviewing for management/leadership roles (Coleen Coolidge, CISO – Segment)
What to do when you have a new job (John Menerick, Information Security Officer – Plastiq)
How to do security work in your current role (Divya Dwarakanath, Engineering Manager – Snap)
How to ace a technical interview (Pavan Kolachoor, Staff Security Engineer – Databricks)
The Map of Cybersecurity Domains (version 2.0)
One thing I found challenging when I was initially considering pursuing security as a career is knowing even what sort of opportunities are out there. Henry Jiang created a great mind map that gives some useful perspective.
“Hell Yes, or No” vs. “Soft Yes, and Fast Quit”
Good career advice by Phil Venables. Try a bunch of things, as you often don’t know what will be a “Hell Yes” before you do it. Then, double down on the things that are and gracefully step back from things that aren’t. Many of the connections and knowledge you gain from the things you stopped will still be valuable later.
What Should You Do with Your Life? Directions and Advice
Lots of useful links and byte-sized snippets in this great post by Alexey Guzey. H/T to my friend David Nichols for sharing. Topics include:
What to work on?
How to actually work on the problem you like?
Cold emails and twitter
Where to find funding to work on any of these problems?
Ben Kuhn argues that to become a better programmer, rather than learning an obscure programming language or reading a textbook on something like ML, instead go “really deep on what you already know: your main programming language, web framework, object-relational mapper, UI library, version control system, database, Unix tools, etc.”
How to get started?
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!