[tl;dr sec] #78 - Scaling Threat Modeling at Segment, Bootstrapping vs VCs, Security as Value Unlock
tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.
(You can also read this issue on our blog.)
I hope you’ve been doing well!
Slogans that are not Security Companies but Should Be
I was taking a walk recently and I saw some branding that made me do a double take: it was a plumbing company that had the perfect slogan for an infosec company.
I walked up, took a picture, and then scurried, er, strutted away when I realized that there were two people still sitting inside.
“Uhh… what are you doing?” one of them asked. “Oh, I just really like the design.” And then I meandered away, full of joy.
📢 How the history of SaaS is preventing businesses from embracing modern SaaS security
Businesses are investing more heavily in SaaS, but investment in SaaS security is lagging. Why? Much of the answer lies in the history of early SaaS applications, many of which were sold to individual business units, completely bypassing IT and security teams. Today, SaaS has grown to be a major part of the legitimate tech stack, but its origin as shadow IT still haunts organizations and prevents SaaS security from being correctly prioritized. AppOmni CEO Brendan O’Connor details four ways to modernize SaaS security processes. Originally published as a feature in SC Media.
📜 In this newsletter...
AppSec: How Segment is scaling threat modeling, Semgrep now has first-class YAML support
Web Security: Automating blind SQLi over websocket
Cloud Security: PMapper update, another IaC static analysis tool, HackerOne's first AWS CTF, attacking and auditing S3 buckets
Red Team: Free reverse engineering course, intercepting mTLS of Java thick clients, tool for macOS persistence
Neat CLI tools: Find files with SQL-like queries, exa, a better ls, problems you can solve with strace
Bootstrapping vs VCs: Thinkst has bootstrapped to $11M ARR, a story of a bootstrapped company trying to compete with a VC-backed one, DHH weighs in, Hamilton parody of the situation
Chaos Engineering: What computer security can learn from safety and complex systems research in other fields
Security as Value Unlocker: Minimizing risk is setting your sights too low, security can unlock significant business value
AppSec
Redefining Threat Modeling: Security team goes on vacation
Great post by Segment’s Jeevan Saini. Similar to what Jacob Salassi and I discussed in our blog post, Segment realized they needed developers to lead threat modeling if they were truly going to scale. This post gives a nice overview of the problem space and details on how they actually rolled out their program, and they’ve open sourced their threat modeling training slides. As the kids say these days- yeet!
How we made Semgrep rules run on Semgrep rules
By r2c’s Emma Jin: Semgrep now has first-class support for anything YAML, which includes Kubernetes configs, CircleCI workflows, and more. You can even lint Semgrep rules with… more Semgrep rules! (yo dawg, I heard you like… 🤣). The post also has some neat info about implementation details, if you’re curious to get a peek at Semgrep internals.
Cloud Security
Principal Mapper v1.1.0 Update
By NCC Group’s Erik Steringer: PMapper, an IAM permission analysis tool, now supports AWS Organizations as well as other types of policies: Service Control Policies (SCPs), Session Policies, Resource Policies, and Permission Boundaries.
Checkmarx/kics
A static analysis tool that can find security vulnerabilities, compliance issues, and misconfigurations in infrastructure as code. Currently supports: Terraform, Kubernetes, Docker, CloudFormation, Ansible, Helm.
AWS and HackerOne CTF
“Put your cloud skills to the test and participate in HackerOne’s first-ever AWS Capture the Flag on Monday, April 5th starting at 12:00 PM PT until Monday, April 12th 12:00 PM PT.” Learn how to escalate privileges through SSRF and elevate your access by exploiting misconfigurations of AWS services.
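The SSRF-to-metadata path that CTFs like this one exercise usually works because the application's egress check is a string compare against the IMDS address. As an added example (not code from the newsletter, HackerOne, or AWS; the function names and probe URLs are mine), here is that naive guard beside a hardened one that canonicalizes IP literals (plain integer, hex, IPv4-mapped IPv6) before deciding, and rejects anything that is not a global address. On the platform side, requiring IMDSv2 (a session token obtained with a PUT request) is what blocks most SSRF reads of 169.254.169.254 regardless of the application's check.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example: an SSRF egress guard for user-supplied URLs. Not from the
# newsletter, HackerOne, or AWS; function names are mine. The EC2 instance
# metadata service (IMDS) lives at 169.254.169.254, so a string compare on
# that literal is the obvious (and insufficient) first attempt.

IMDS_HOST = "169.254.169.254"


def naive_guard(url: str) -> bool:
    """Return True if the URL may be fetched. Blocks only the literal IMDS host."""
    host = urlsplit(url).hostname or ""
    return host != IMDS_HOST


def canonical_ip(host: str):
    """Normalise any IP literal the OS resolver would accept; None for a DNS name.

    socket.inet_aton takes the same loose forms as inet_aton(3): a plain
    integer ("2852039166"), hex ("0xa9fea9fe"), octal and short dotted forms,
    all of which still connect to 169.254.169.254. IPv4-mapped IPv6 literals
    ("::ffff:169.254.169.254") are unwrapped to the IPv4 address.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            addr = ipaddress.IPv4Address(socket.inet_aton(host))
        except OSError:
            return None  # not an IP literal in any form
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def hardened_guard(url: str) -> bool:
    """Return True only for http(s) URLs whose host is a global IP literal.

    Hostnames are rejected here to keep the example offline; a production
    guard resolves them, applies the same check to every returned address,
    and connects to the address it checked so a DNS rebind cannot swap it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    addr = canonical_ip(parts.hostname or "")
    if addr is None:
        return False
    # is_global is False for loopback, link-local (where IMDS sits), RFC 1918,
    # shared address space and the other reserved ranges.
    return addr.is_global


if __name__ == "__main__":
    # Constructed probe URLs: the first three all reach the IMDS endpoint.
    for url in [
        f"http://{IMDS_HOST}/latest/meta-data/iam/security-credentials/",
        "http://2852039166/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://10.0.0.5/",
        "https://93.184.216.34/",
    ]:
        print(f"{url:60} naive={naive_guard(url)!s:5} hardened={hardened_guard(url)}")
```

The decimal and mapped-IPv6 forms sail past naive_guard because urlsplit hands back the hostname exactly as written; the hardened version only trusts the address after it has been parsed the way the socket layer will parse it.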
Red Team
HowTo: intercept mutually-authenticated TLS communications of a Java thick client
Nice walkthrough by @SAERXCIT, which involves: dumping the password from the client to decrypt the private key from the ClientKeyStore and loading a fake TrustStore in place of the legitimate ClientTrustStore to bypass pinning. See also Piergiovanni Cipolloni’s SSL pinning bypass in Android using Frida.
CyborgSecurity/PoisonApple
By Cyborg Security’s Austin Jackson: A CLI tool to perform various persistence mechanism techniques on macOS, designed to be used by threat hunters for cyber threat emulation purposes. Currently includes ~16 persistence mechanisms, including LaunchAgent, LoginHook, and more.
Neat CLI Tools
jhspetersson/fselect
Find files with SQL-like queries.
Why I use exa instead of ls on Linux
exa improves on ls with more features and better defaults. It uses colors to distinguish file types and metadata, and it knows about symlinks, extended attributes, and Git.
What problems do people solve with strace?
If you haven’t already heard of her work, Julia Evans writes great content (and fun Zines) about various tech tools and concepts, highly recommended. People use strace to find where a program’s config file is, what other files it depends on, why it’s hanging, stuck, or slow, hidden permission errors, what CLI arguments are being used, why network connections are failing, and more.
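Two of those questions (where the program looked for its config file, and which opens failed on permissions) are answered by reading the open/openat lines of a trace, which is easy to automate once you have a few hundred lines of output. The parser below is an added example, not from Julia Evans’ post; the trace it runs over is constructed to look like `strace -f -o trace.txt` output (pid, syscall, return value, errno), and the function names are mine.

```python
import re
from collections import defaultdict

# Added example: pull the open/openat calls out of strace output to answer
# "where is the config file" and "which opens failed with a permission error".
# SAMPLE_TRACE is constructed to mimic `strace -f -o trace.txt` formatting;
# it is not a real trace. The \\n inside the read() line reproduces strace's
# own escaping of the buffer contents.
SAMPLE_TRACE = """\
1234  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234  openat(AT_FDCWD, "/home/user/.myapprc", O_RDONLY) = -1 ENOENT (No such file or directory)
1234  openat(AT_FDCWD, "/etc/myapp/config.toml", O_RDONLY) = -1 EACCES (Permission denied)
1234  openat(AT_FDCWD, "/usr/share/myapp/defaults.toml", O_RDONLY) = 4
1234  read(4, "[server]\\nport = 8080\\n", 4096) = 22
1235  openat(AT_FDCWD, "/var/log/myapp.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = -1 EACCES (Permission denied)
"""

# Matches open() and openat() with an AT_FDCWD or numeric dirfd, captures the
# quoted path, the return value and (on failure) the errno name.
OPEN_RE = re.compile(
    r'^(?P<pid>\d+)\s+(?P<call>openat|open)\((?:AT_FDCWD, |\d+, )?"(?P<path>[^"]*)"'
    r'[^)]*\)\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?'
)


def parse_opens(trace: str):
    """Yield (pid, path, return value, errno-or-None) for each open/openat line."""
    for line in trace.splitlines():
        m = OPEN_RE.match(line)
        if m:
            yield m["pid"], m["path"], int(m["ret"]), m["errno"]


def files_opened(trace: str):
    """Paths the program actually managed to open, in order."""
    return [path for _, path, ret, _ in parse_opens(trace) if ret >= 0]


def failed_opens(trace: str, errnos=("EACCES", "EPERM")):
    """Map errno -> paths for opens that failed with a permission-style error.

    These are the 'hidden' permission errors: the program often swallows them
    and falls back to defaults, so nothing shows up in its own logs.
    """
    out = defaultdict(list)
    for _, path, ret, err in parse_opens(trace):
        if ret < 0 and err in errnos:
            out[err].append(path)
    return dict(out)


def config_search_path(trace: str, suffixes=(".toml", "rc", ".conf", ".yaml", ".json")):
    """Config-looking paths in the order the program tried them, with the outcome.

    The first 'ok' entry is the file the program is really running with.
    """
    return [
        (path, "ok" if ret >= 0 else err)
        for _, path, ret, err in parse_opens(trace)
        if path.endswith(suffixes)
    ]


if __name__ == "__main__":
    print("config search:", config_search_path(SAMPLE_TRACE))
    print("permission failures:", failed_opens(SAMPLE_TRACE))
```

On the constructed trace this shows the program skipping the missing ~/.myapprc, being denied /etc/myapp/config.toml, and silently falling back to the packaged defaults, which is exactly the class of problem the post describes people reaching for strace to find.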
Bootstrapping vs VCs
We bootstrapped to $11 million in ARR
Inspiring blog post by Haroon Meer about how Thinkst grew to $11M ARR with no external funding by focusing on solving customer problems, keeping promises, and great company culture. If you’re not familiar, Thinkst is one of the few security companies that users rave about, and Haroon is such a kind, humble, A+ dude. I couldn’t be happier for their success. Check this post for some great tips on culture, values, and also some trade-offs of not raising money. See also Haroon’s response to 👇
It’s hard to draw lessons from your own failures
By @DHH: “Wilkinson was inspired by our funding model – bootstrapped from consulting – but didn’t follow any of the principles that go with that model.”
Chaos Engineering
Security Chaos Engineering: How to Security Differently
Verica’s Aaron Rinehart discusses computer security in relation to resiliency and robustness in other domains with complex systems. He includes a few references to other non-security domain work on complex systems, minimizing human error, and safety. There are a few high level ideas that I thought were pretty interesting:
Traditionally security focuses on counting security negatives: unpatched software, security log events, bugs, etc.
Instead, we should focus on security positives: capabilities that help keep systems in secure states, help us understand what’s going on, and prevent bad events.
Focus on adaptive capacity: the ability to respond, monitor, learn, and anticipate errors.
One common fallacy: we assume that when we wrote the policy, designed the system, and implemented the relevant security measures, we had an accurate understanding of how the entire system behaved to begin with.
Security as Value Unlocker
A few weeks ago I had the privilege of presenting some of my colleagues’ and my work on secure defaults and eliminating vulnerability classes at the Bay Area CSO Council (thanks Flee!).
There were some other great presentations and interesting free-form discussions, but one of my favorite parts was a comment by Adrian Ludwig (currently CISO at Atlassian, formerly Director of Android Security at Google), right at the end.
The following is my paraphrased version, sharing with Adrian’s permission:
Thanks for reading!