[tl;dr sec] #79 - Memory Safety FTW, Reference Architectures, Content Discovery++ with OpenAPI Specs
Moar evidence against memory unsafe languages, the power of secure reference architectures, and leveraging OpenAPI specs to more effectively detect attack surface.
I hope you’ve been doing well!
Language of the Gods
Recently I’ve been watching Battlestar Galactica for the first time, which is an interesting blend of science fiction and mysticism / religion. If you haven’t already seen it, would recommend.
So it felt like destiny when I came across this meme by John Jackson:
I’m giving a workshop with my DevSlop buds on Sunday, April 25th at 1:00 ET.
It’s going to be full of live demos and hands-on exercises on finding bugs and preventing them from even happening in the first place.
Hope to see you there!
This year DevSecCon24 will be remote, June 23-24.
I’m on the CFP committee, and I want to hear about the cool stuff you’ve been working on!
CFP closes May 8th, gogogo 📨
📢 Evolving Risks, Insecure Defaults, Watering Hole Threats – Oh, My!
Adoption of cloud native technologies are on the rise, changing the threat landscape faced by organizations. Accurics’ research identifies common trends, like Identity and Access Management moving into Infrastructure as Code, rapid adoption of CSP-managed services in dev and pre-prod, and insecure default configurations for many resource types.
📜 In this newsletter...
Authorization: Open source implementation of Google's authz, real-time updates in OPA
AppSec: GitHub's token format changed to be more greppable, getting buy-in via "risk sign-off sheets"
Uncomplicate Security for Developers using Reference Architectures: How to build secure primitives that devs adopt
Web Security: Improving content discovery by leveraging OpenAPI specs
Cloud Security: Checkov 2.0, least-privilege IAM policy creation tool, IAM Access Analyzer can now generate fine-grained policies, AWS yanks Elastic's work and postures as a hero
Container Security: Post-exploitation C2 server focused on containerized environments, Kubernetes pentest methodology, Kubernetes threat matrix v2
Memory Safe Languages FTW: Rust in the Android platform, how to prioritize the parts to rewrite in Rust, the Five Stages of Grief of knowing C/C++ are inherently insecure
Career: Confessions of an overnight tech millionaire, what tech job would let me get away with the least work
Machine Learning: Using reinforcement learning to model attacking and defending networks
An open source (Go) implementation of “Zanzibar: Google’s Consistent, Global Authorization System.” Ships gRPC, REST APIs, newSQL, and an easy and granular permission language. Supports ACL, RBAC, and other access models.
OPAL: Open-Policy Administration Layer
OPAL adds real-time updates to Open Policy Agent (OPA) by detecting changes to both policy and policy data in realtime and pushing live updates to agents. As app state changes, OPAL ensures your services are always in sync with the authorization data and policy they need.
Behind GitHub’s new authentication token formats
GitHub has changed their various token formats to have identifiable prefixes, making them easy to grep for. If your company creates API or other tokens, you should do that too!
How to build a successful application security program
If you’re responsible for security but are having trouble getting things fixed, I think this idea by my friend Tanya Janca is pretty clever.
You create a “risk sign-off sheet” that lists all the security risks and exactly what could happen to the business, print it out, and bring it to the Director of Security and/or CIO to sign.
Then, they either own the risk, or give you authority to make things better.
Great article by Salesforce’s Anunay Bhatt, H/T Bryan Solari for sharing. I highlighted like 90% of this post in Pocket. From discussions I’ve had with security teams at a number of companies, secure reference architectures and secure guardrails that are easy to adopt are one of the best, highest leverage things you can do as a security team.
Start with a security blueprint.
Build a sample application or use an open source one.
Use all the dev best practices in your org (Git setup, CI/CD), no shortcuts.
Integrate security controls with the sample application.
Create a “How to” guide with concrete code examples that can be copied directly. Document security choices (why Tool X vs Tool Y).
Make it easy for developers to use your reference architecture and track adoption.
Use automation to turn “How to” guides into one-click templates, leverage existing scaffolding processes/teams in your company, offer security controls as infrastructure as code scripts.
Example reference architecture
Contextual Content Discovery: You’ve forgotten about the API endpoints
Assetnote’s Shubham Shah describes Kiterunner, a new content discovery tool they’ve developed that leverages a large dataset of OpenAPI/Swagger specifications they’ve crawled to more effectively bruteforce the right HTTP methods, headers, parameters and values of endpoints. Cool work, and a nice walkthrough of their methodology.
Checkov 2.0: Deeper, broader, and faster IaC scanning
250 new out-of-the-box policies, Dockerfile scanning, and the Terraform scanning backend is now graph-based, enabling multi-resource queries, rendering variables (and module inheritance) more efficiently, and more.
I built a tool which automatically suggests least-privilege IAM policies
Reddit post describing iam-zero, a tool that provides an instrumentation layer that captures AWS API calls and then suggests one or more least privilege IAM policies that enable that functionality to succeed. You can give new users or services zero permissions as a baseline and then quickly review and grant new permissions as needed. Neat demo video.
IAM Access Analyzer makes it easier to implement least privilege permissions by generating IAM policies based on access activity
IAM Access Analyzer can now generate fine-grained policies based on access activity from CloudTrail logs. For reference, the first commit in Netflix’s RepoKid tool was in May 2017 (Enigma 2018 talk by Travis McPeak), only… 4 years ago.
“Nice open source project ya got there, it’d be a shame if a $1 Trillion dollar company were to wrap it and build a directly competing product.” Being mad at Elastic for changing their licensing is like being mad at a mom and pop ice cream shop who stopped publishing their recipes after Ben and Jerry’s built a factory next to their house and started selling ice cream using the mom and pop’s recipes.
By Eviatar Gerzi: A cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments. Its current modules include several container breakouts, scanning for CVEs and open ports, fingerprinting services, and more.
Kubernetes Pentest Methodology Part 1
Quite detailed, three part series by Or Ida. The first covers dangerous RBAC configurations, the second discusses black box, remote attack vectors, and the final covers internal attack vectors (container and network), where an attacker has a foothold on one of the pods.
Secure containerized environments with updated threat matrix for Kubernetes
Post by Yossi Weizman describing the second version of the threat matrix for Kubernetes, with several new techniques.
Memory Safe Languages FTW
One of my favorite topics to harp on is how important secure defaults (“guardrails”, “paved road”) are: making it easy to do the secure thing, and hard to do the insecure thing.
So it was great this week to come across a number of resources on the dangers of non memory safe languges, one of my favorite punching bugs examples.
Rust in the Android platform
By Jeff Vander Stoep and Stephen Hines: Some new Android OS code will be written in Rust instead of C/C++ going forward, as “memory safety bugs continue to be a top contributor of stability issues, and consistently represent ~70% of Android’s high severity security vulnerabilities.” Other interesting points:
“Most of our memory bugs occur in new or recently modified code, with about 50% being less than a year old.”
A limitation of focusing on finding bugs is that bug detection (e.g. testing, fuzzing) is scaling faster than bug fixing, as bug fixing is a long and costly process. Often there are only a handful of people capable of developing and reviewing the fix, and even with a high amount of effort spent on fixing bugs, sometimes the fixes are incorrect.
Prioritizing Memory Safety Migrations
Chrome sandboxing lead Chris Palmer makes the case that while you can’t always rewrite everything in Rust, you can effectively mitigate risk by first rewriting the parts that are most directly externally exposed to attackers.
Quantifying Memory Unsafety and Reactions to It
USENIX Enigma 2021 talk by Alex Gaynor makes the case that C and C++ are not tenable for modern secure development, and presents what he’s learned about how developers respond to this fact, in the frame of the Five Stages of Grief.
Confessions of an Overnight Tech Millionaire
An anonymous millenial tech worker describes how earning $6 million from her company’s IPO affected how she views herself, dating, family and interpersonal relationships and more.
Ask HN: What tech job would let me get away with the least real work possible?
Finally! Someone asking the important questions. But really, I think it’s critical to reflect on what you personally find important: is it status? Money? Autonomy? Freedom? Structuring your goals primarily around what society expects is not a good recipe for happiness.
Gamifying machine learning for stronger security and AI models
Microsoft has released CyberBattleSim, a toolkit for creating simulated network environments and seeing how they fare against attacks. “Enterprise defenders and researchers create various nodes on the network and indicate which services are running, what vulnerabilities are present, and what security controls are in place. Automated agents (using reinforcement learning), representing threat actors, are deployed in the attack simulation to randomly execute actions as they try to take over the nodes.” (VentureBeat overview)
Figure 1. Mapping reinforcement learning concepts to security
Figure 2. Visual representation of lateral movement in a computer network simulation
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!