[tl;dr sec] #82 - Supply Chain Security, Career Resources, Differentiate or Die

Detecting dependency confusion across many ecosystems, getting started in tech or security, and why the middle (for VCs and products alike) is dying.

Hey there,

I hope you’ve been doing well!

Man’s Best Friend Cryptocurrency

Sometimes life can feel like a bit much. One minute you’re disrupting the automotive industry, the next you’re trying to send humans to Mars.

You just need some time and the right activity to recharge the ol’ internal battery.

So you bust out MS Paint and crank out a meme hyping a joke cryptocurrency:

I too hope to one day use my $Billions and social influence for good the lulz and to troll the finance industry.

Also, I may have come across the most #peak2021 picture: the above meme on a mask.

India Needs Help

India has been experiencing a massive surge in coronavirus cases, with some reports indicating some 300,000 new infections daily.

People are dying due to lack of medical supplies.

Question: how bad is it?

Answer: there are news articles with “round-the-clock mass cremations” in the title.

Daniel Miessler shared a New York Times article with a number of resources on how you can donate.

I donated to UNICEF here.

Also, many employers offer donation matching, which is an easy way to double your contributions! Check for an internal employer portal.

Sponsor

📢 Burp Suite as you've never seen it before

Burp Suite Enterprise Edition is the automated web vulnerability scanner built to help you shift left. By enabling you to scale and accelerate security testing, it frees time to do more.

Using the same Burp Scanner trusted by over 50,000 pentesters worldwide, Burp Suite Enterprise Edition can help you find and eliminate bugs before they reach production.

📜 In this newsletter...

  • AppSec: Initial Rust support in Semgrep

  • Supply Chain Security: Tool to check for dependency confusion exposure across many languages, dep confusion in Unity games and Bundler, CISA's recommended defenses

  • Web Security: Open source tool for out-of-band vuln testing, exploiting race conditions with Nuclei

  • Cloud Security: Free SRE conference, automate AWS patching, guide to AWS cost control

  • Container Security: Docker tag and pinning overview, mirror images for Kubernetes internally, offense-focused Docker tool, talk on backdooring and hardening Docker build processes

  • Blue Team: What's new in ATT&CK v9

  • Career: How to start in bug bounty, landing your first job as a bootcamp grad, getting your first cybersecurity job, find remote jobs, a list of security engineer interview questions

  • Politics / Privacy: Amazon used seller data to boost their own sales, history of FAANG acquisitions

  • Misc: The dangers of not taking a break, what's Salesforce?

  • Differentiating: For Companies and VCs: The importance of differentiating (the middle is dying)

AppSec

Advancing Rust Support in Semgrep
This post by Kudelski Security describes how they’ve been furthering Semgrep’s Rust support via contributions to the tree-sitter-rust grammar and other parts of Semgrep core.

Not only is Semgrep’s community contributing new rules, they’re also helping Semgrep support more languages. I don’t know of any other commercial grade static analysis tool where this is the case. Pretty cool.

Supply Chain Security

salesforce/DazedAndConfused
A tool to help determine dependency confusion exposure that currently works on 12+ types of dependency files (more than any other tool I’ve seen). Also has support for scanning GitHub and GitLab servers. H/T Emre Saglam.

Dependency Confusion Vulnerabilities in Unity Game Development
By IncludeSec’s Jason Kielpinski: “A game studio that uses a private package registry configured to also pull from the public npmjs registry (which is the default configuration of Verdaccio) is vulnerable… Because the Unity package manager client doesn’t support package namespaces, the standard way of preventing this attack doesn’t work with Unity. Instead, mitigations have to be applied at the package registry server level.”

Bundler is Still Vulnerable to Dependency Confusion Attacks
By @Zofrex: “Bundler will fetch implicit dependencies (dependencies of your explicit dependencies) from any declared source in the Gemfile, even if their parents are limited to a particular source.” Potential mitigations: virtual namespacing, scope all gems, publicly register all of your gems, or explicitly provide source for each dependency.
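One way to catch the implicit-dependency case described above after the fact is to read Gemfile.lock, which records the remote every resolved gem came from, and flag any internal gem that was served by a registry other than your own. The checker below is an added example, not code from the Bundler post or from @Zofrex; the lockfile excerpt, the internal registry URL gems.acme.internal and the "acme-" gem names are all constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed Gemfile.lock excerpt (not from the post). The two GEM sections are
# the public registry and a hypothetical internal one. "acme-billing" is only
# meant to exist internally, yet it was resolved from rubygems.org because
# acme-auth pulled it in as an implicit dependency that the Gemfile never names.
SAMPLE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    acme-billing (0.0.1)
    rake (13.0.6)

GEM
  remote: https://gems.acme.internal/
  specs:
    acme-auth (2.1.0)
      acme-billing (>= 0)
      rake (>= 12)

PLATFORMS
  ruby

DEPENDENCIES
  acme-auth!
  rake

BUNDLED WITH
   2.2.15
"""

# "name (version)" lines sit at exactly four spaces of indentation under
# "specs:"; a gem's own dependencies are indented six spaces and are skipped.
SPEC_RE = re.compile(r"^([A-Za-z0-9_.\-]+) \(")


def parse_lockfile_sources(lock_text: str) -> Dict[str, List[str]]:
    """Map each resolved gem to the remote(s) it was fetched from."""
    sources: Dict[str, List[str]] = {}
    remote: Optional[str] = None
    in_gem_section = False
    for line in lock_text.splitlines():
        if line and not line.startswith(" "):
            # A new top-level section (GEM, PLATFORMS, DEPENDENCIES, ...).
            in_gem_section = line.strip() == "GEM"
            remote = None
            continue
        if not in_gem_section:
            continue
        stripped = line.strip()
        if stripped.startswith("remote:"):
            remote = stripped.split(":", 1)[1].strip()
        elif line.startswith("    ") and not line.startswith("      "):
            m = SPEC_RE.match(stripped)
            if m and remote:
                sources.setdefault(m.group(1), []).append(remote)
    return sources


def find_confused_gems(lock_text: str, internal_remote: str,
                       internal_gems: Set[str] = frozenset(),
                       internal_prefix: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (gem, remote) pairs for internal gems that resolved from anywhere
    other than the internal registry. Internal gems are identified by an explicit
    allow-list and/or a naming prefix; both are assumptions for this example."""
    findings = []
    for gem, remotes in parse_lockfile_sources(lock_text).items():
        is_internal = gem in internal_gems or (
            internal_prefix is not None and gem.startswith(internal_prefix))
        if not is_internal:
            continue
        for remote in remotes:
            if remote != internal_remote:
                findings.append((gem, remote))
    return sorted(findings)


if __name__ == "__main__":
    hits = find_confused_gems(SAMPLE_LOCK, "https://gems.acme.internal/",
                              internal_prefix="acme-")
    for gem, remote in hits:
        print(f"{gem}: resolved from {remote}, expected the internal registry")
```

Because the lockfile is the resolver's output, this check also sees gems the Gemfile never mentions, which is exactly where the post says the source restriction stops applying; run it in CI before `bundle install` is allowed to proceed from a fresh lockfile.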

Defending Against Software Supply Chain Attacks
16 page PDF guide by CISA, covering supply chain risks, common attack techniques, recommendations to customers (mitigating deployed malicious or vulnerable software, increasing resilience to a successful exploit), and recommendations for vendors (preventing supplying malicious or vulnerable software, post-deployment mitigations).

Web Security

Interactsh: Open-Source Solution for OOB Testing
New tool by Project Discovery that can help you identify blind out-of-band (OOB) vulnerabilities by generating dynamic URLs, which when requested by the target, trigger a callback. Interactsh comes with a server that can emulate HTTP, DNS, and SMTP with wildcards enabled. Nuclei integration coming!

See this Portswigger article for more info about OOB vulnerabilities.

Exploiting Race conditions with Nuclei
Project Discovery describes how to use nuclei to test for race conditions against a single HTTP request or even chaining multiple HTTP requests together.

Cloud Security

cloud-native-sre.wtf
A free virtual conference (May 20, 2021) about site reliability engineering, DevSecOps, observability, multicloud, and working with complex distributed systems at scale.

Automate Patching Using AWS Systems Manager
ByteCheck’s Nick McLaren describes patch baselines, setting up automated patches, patching groups based on tags, and monitoring compliance.

My Comprehensive Guide to AWS Cost Control
GumGum’s Corey Gale describes three stages of managing AWS costs that have led his company to save millions of dollars per year:

  1. Tracking and understanding costs.

  2. Using those insights to reduce costs and the risk of making cost-saving changes.

  3. Integrating these cost insights into our processes.

Container Security

Winning with Docker Pinning
This post by Atomist’s James Carnegie explores how Docker tags work, the risks and benefits of using them, and a mechanism for pinning to specific digests to bring us closer to reproducible builds.

estahn/k8s-image-swapper
By Enrico Stahn: “A mutating webhook for Kubernetes, downloading images into your own registry and pointing the images to that new location.” It will transparently consolidate all images into a single registry without the need to adjust manifests, reducing the impact of external registry failures, rate limiting, network issues, change or removal of images while reducing data traffic and therefore cost.

cr0hn/dockerscan
By Daniel Garcia and Roberto Munoz: An offense-focused Docker tool that can scan a network looking for Docker registries, look for sensitive info within a Docker image, or inject a reverse shell into a Docker image.

RootedCON 2017 - Docker might not be your friend. Trojanizing Docker
Daniel and Roberto’s talk in which they announced dockerscan. Includes an overview of Docker, CI, and manipulating Docker images. Their recommendations for hardening build processes include:

  • Do not trust name or tags, use digests instead in FROM declarations.

  • Always check the integrity of anything downloaded at build time.

  • Ideally only build servers are allowed to push images to registries.

  • Implement signing (Notary) and don’t execute unsigned images.

Their slides look pretty hilarious, worth taking a look.
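The three Docker items above share one building block: taking an image reference apart into registry, repository, tag and digest. The added example below (mine, not code from Atomist, k8s-image-swapper or dockerscan) does that and uses it twice: once to flag FROM lines that rely on a mutable tag instead of a digest, as the pinning post and the first hardening recommendation advise, and once to re-point an image at an internal mirror the way a mutating webhook would. The Dockerfile, the registry.internal:5000 mirror and the all-zero digest are constructed placeholders, and the mirror's naming scheme (source registry as a path prefix) is a choice for this example, not necessarily the tool's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)

PLACEHOLDER_DIGEST = "sha256:" + "0" * 64  # placeholder, not a real image digest

# Constructed multi-stage Dockerfile: the first base image is pulled by tag,
# the final one is pinned by digest, and "FROM build" refers to an earlier stage.
SAMPLE_DOCKERFILE = f"""\
FROM python:3.9-slim AS build
COPY . /app
RUN pip install --no-cache-dir /app

FROM build AS test
RUN python -m pytest /app

FROM gcr.io/distroless/python3@{PLACEHOLDER_DIGEST}
COPY --from=build /app /app
"""


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    def __str__(self) -> str:
        out = f"{self.registry}/{self.repository}"
        if self.tag:
            out += f":{self.tag}"
        if self.digest:
            out += f"@{self.digest}"
        return out


def parse_image_ref(ref: str) -> ImageRef:
    """Split [registry/]repo[:tag][@sha256:digest], applying Docker's defaults
    (docker.io registry, library/ namespace for official images)."""
    ref = ref.strip()
    digest = None
    if "@" in ref:
        ref, digest = ref.rsplit("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {ref!r}: {digest}")
    first, sep, rest = ref.partition("/")
    # The first path component is a registry only if it looks like a host.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path:  # registry already removed, so ':' can only start the tag
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return ImageRef(registry, path, tag, digest)


def unpinned_from_lines(dockerfile: str) -> List[str]:
    """Return image references in FROM lines that carry no digest. References to
    earlier build stages and to 'scratch' are not registry pulls and are skipped."""
    stages = set()
    findings = []
    for line in dockerfile.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        image, stage = m.group(1), m.group(2)
        if stage:
            stages.add(stage.lower())
        if image.lower() in stages or image.lower() == "scratch":
            continue
        if "$" in image:  # unresolved ARG: cannot be shown to be pinned
            findings.append(image)
            continue
        if parse_image_ref(image).digest is None:
            findings.append(image)
    return findings


def rewrite_to_mirror(image: str, mirror_registry: str) -> str:
    """Re-point an image at an internal mirror, keeping tag and digest. The
    source registry becomes a path prefix so images from different registries
    cannot collide; an already-mirrored reference is returned unchanged so a
    webhook does not rewrite its own output."""
    ref = parse_image_ref(image)
    if ref.registry == mirror_registry:
        return str(ref)
    return str(ImageRef(mirror_registry, f"{ref.registry}/{ref.repository}",
                        ref.tag, ref.digest))


if __name__ == "__main__":
    for image in unpinned_from_lines(SAMPLE_DOCKERFILE):
        print(f"not pinned by digest: {image}")
    print(rewrite_to_mirror("nginx:1.21", "registry.internal:5000"))
```

Keeping the digest through the rewrite matters: a mirror that drops it would silently turn a pinned build back into a tag-based one.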

Blue Team

What's new in ATT&CK v9:

  • Updated: revamp of data sources, refreshes to macOS techniques.

  • New: consolidation of IaaS platforms, the Google Workspace platform, ATT&CK for Containers (and not the kind on boats).

Career

How To Start Bug Bounty For Beginners
A number of talks and resources by @securibee.

Remote Hunt
Find remote jobs.

tadwhitaker/Security_Engineer_Interview_Questions
By Tad Whitaker: A deduplicated list of questions asked during security engineer interviews based on Glassdoor.com, covering: encryption and authentication, networking and logging, OWASP Top 10 and AppSec, databases, tools and games, programming and code, and compliance.

Politics / Privacy

Amazon knew seller data was used to boost company sales
I’ll take, “Things anyone could have seen coming a mile away” for $800, Alex(a).

An internal audit seen by POLITICO warned Amazon’s senior leadership in 2015 that 4,700 of its workforce working on its own sales had unauthorized access to sensitive third-party seller data on the platform — even identifying one case in which an employee used the access to improve sales.

Amazon, Apple, Facebook, and Google became big tech companies by acquiring hundreds of smaller companies
Pretty neat overview of the history of these companies and their acquisitions.

Misc

The dangers of not taking a break
Scary story by @TinkerSec on what happens when you work too hard and never take a break: you can actually burn out all of the glucose in your brain and have seizures. H/T Ishaq Mohammed for the link.

What’s Salesforce?
This post by Taimur Abdaal on the history of customer-relationship management (CRM) and how Salesforce came to be the juggernaut it is today was quite fascinating.

Also, I saw this meme on Taimur’s Twitter and couldn’t not include it:

Differentiating: For Companies and VCs

Companies and their products must be so differentiated that no one else can copy them (the boutique coffee shop), or they must be “full stack” and 100% exactly what we want (Starbucks).

So what’s one to do? There are two options:

1. Go as differentiated as possible and serve the customer exactly what they want.

2. Power law everything — don’t pick the winners; have the winners all pick you.

Build a “pointy business” that’s purely differentiated, or “no stack”. Or build a “utility business” that does all of the underlying work as a truly “full stack” company/product.

Don’t get stuck in the middle.

Playing Different Games
Fascinating breakdown by Everett Randle of why Tiger Global is eating other VCs’ lunch. Tiger is attractive to founders (more money, less dilution, less involved - you run your company), and because they do more deals faster, each deal doesn’t need to be as profitable (less due diligence -> faster deals -> more deals, by pre-empting other VCs).

The article also focuses on the core mechanics of successful investing, and shows how eschewing cultural norms that don’t actually matter can give you a significant competitive advantage.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint