[tl;dr sec] #76 - Is Secure Design > Patching? and Supply Chain, Breaking Regexes
An argument for why secure design + threat modeling is higher ROI than patching, making code signing easy, finding regex bugs with regexploit or fuzzing.
I hope you’ve been doing well!
The Little Things
The smell of grinding your own coffee beans. The way your partner’s hair falls on their face as they sleep in on Sunday mornings. The texture of your favorite book’s pages as you turn its creased corners once more.
Some things inspire a sense of inner tranquility, or perhaps a smile that you couldn’t hide even if you wanted to.
One thing I can’t help but laugh when watching, and I don’t know why is… Goofy sings Evanescence’s Bring Me to Life.
Wait for it- the chorus surprises and delights.
📢 Nearly half of connected 3rd party apps were installed by end users, not IT teams
Major SaaS applications now host a wide range of 3rd party applications. But it’s not easy for security teams to gain visibility or manage data access to these apps - especially when about half of the apps discovered were installed by end users, not the IT team or the SaaS application owner. While there are a variety of ways for 3rd party apps to connect to cloud services, there are three in particular to focus on from a security perspective.
📜 In this newsletter...
AppSec: Finding DoS-able regexes, exploiting ML pickle files
Web Security: Finding bugs in regex logic using differential fuzzing
Cloud Security: Auto-remediating Internet accessible ports, type checking your Rego policies, generate Terraform from existing infrastructure
Container Security: Using kubelet client to attack the cluster, awesome k8s security list
Supply Chain: Making code signing of open source software easy, signing container images, how The Update Framework works
Opinion: Secure Design + Threat Modeling > Patching: An argument to reduce attack surface, isolate systems, and then worry about patching
Augmented Reality: Glasses by Microsoft to enable mixed reality sessions, Facebook's neural wristbands that it definitely won't abuse the data from
Misc: InfoSec income questionnaire, record educational tours of your code, college Essays as a Service
Regexploit: DoS-able Regular Expressions
Doyensec’s Ben Caller released regexploit, a tool that was able to find regular expression denial of service (ReDoS) vulnerabilities in a number of popular NPM, Python, and Ruby dependencies. Regexploit also has built-in support for extracting regexes from TypeScript, C#, JSON and YAML. Also, the power of secure defaults:
Never a dill moment: Exploiting machine learning pickle files
I’ve long been wary of Python’s pickle, and this post by Trail of Bits’ Evan Sultanik et al certainly hasn’t helped me gherkin on my trust issues. In short, many ML models are shared as pickle files and have no tampering checks. They’ve released fickling, a decompiler and static analyzer for pickle files that is safe to run on potentially malicious files, because it symbolically executes the code. Their recommended solution: don’t use pickle, use JSON, CBOR, ProtoBuf, etc. instead.
Finding Issues In Regular Expression Logic Using Differential Fuzzing
Many web apps use regexes to enforce certain security properties, like paths a user should or should not have access to, an allowlist for redirect URL paths, etc. Evan Custodio shows how you can use differential fuzzing to find bugs in these regexes.
As referenced in tl;dr sec 15 and 36, differential fuzzing is a clever idea where you basically compare the outputs of two programs or libraries implementing the same thing, and when their outputs differ you have a bug. In this case, Evan uses Google’s coverage-guided Python fuzzing engine, Atheris (referenced in issue 63).
How to auto-remediate internet accessible ports with AWS Config and AWS System Manager
Walkthrough blog post on how to develop an AWS Config custom rule to detect ports that aren’t expected to be open in security groups attached to Amazon EC2 instances, and auto-remediate them by isolating that security group and removing the noncompliant ports.
Type checking your Rego policies with JSON schema in OPA
By Mandana Vaziri, Ansu Varghese, and Torin Sandall: You can now pass a JSON schema to OPA to help it find typos and other bugs in your Rego code.
Infra as Code: OK. Infra TO code: 🔥 Terraformer generates tf/json and tfstate from your existing infrastructure, including AWS, GCP, Azure, and more.
A curated list of Awesome Kubernetes Security resources by Magno Logan, covering the basics, official pages, talks and videos, blogs and articles, books, certs, CVEs, slides, trainings, repos, papers, and more.
Introducing sigstore: Easy Code Signing & Verification for Supply Chain Integrity
By Google’s Kim Lewandowski and Dan Lorenc: “The mission of sigstore is to make it easy for developers to sign releases and for users to verify them. You can think of it like Let’s Encrypt for Code Signing. Just like how Let’s Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code. Sigstore also has the added benefit of being backed by transparency logs, which means that all the certificates and attestations are globally visible, discoverable and auditable.”
Cosign — Signed Container Images
By Dan Lorenc: From GitHub: “Container Signing, Verification and Storage in an OCI registry. Cosign aims to make signatures invisible infrastructure.” This post provides a nice overview of
The Update Framework and You. Why does it need to be so TUF?
Great overview of The Update Framework (TUF) and its major components by Dan Lorenc. To my knowledge, people generally view TUF as a good option if you want to take securing your software updates to 11.
Opinion: Secure Design + Threat Modeling > Patching
What was once science fiction comes ever closer to reality.
Microsoft Mesh powers shared experiences in mixed reality
Architects and engineers could physically walk through a holographic model of a factory floor under construction, remote doctors could advise in an operating room, people around the world could attend a Cirque du Soleil presentation, or you could replace your Zoom fatigue with #holofatigue (which conveniently also connotes your feeling inside after a year of social isolation).
Microsoft Mesh, a new mixed reality platform, will allow geographically distributed teams to meet and collaborate in shared mixed reality sessions where participants appear as digital representations of themselves. Image by Microsoft.
💰 InfoSec Income Questionnaire
Google Sheet with >300 responses from security professionals including their title, IC vs Manager, years of experience, education, location, and total compensation. I love transparency efforts like this, I think it’s super important context for people to have so that they’re more likely to be compensated fairly.
Man, Microsoft’s VSCode extension game is on point 👌 This one “allows you to record and playback guided walkthroughs of your codebases. It’s like a virtual brownbag, or table of contents, that can make it easier to onboard to a new project/feature area, visualize bug reports, or understand the context of a code review/PR change.”
Academic “Ghost-Writing”: The Cheating Scandal No One Will Discuss
Wow. As services that detect plagiarism have gotten better, now there are several Essay as a Service companies that basically connect students with underemployed writers, grad students, and assistant professors to complete the students’ coursework for them. Some students will even outsource all of their work for a class, like online discussions, and even multiple classes over their university career. I wonder what’s going to happen when one day they have to actually, you know, do the work.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!