[tl;dr sec] #82 - Supply Chain Security, Career Resources, Differentiate or Die
Detecting dependency confusion across many ecosystems, getting started in tech or security, and why the middle (of VCs and of products) is dying.
I hope you’ve been doing well!
Man’s Best Friend Cryptocurrency
Sometimes life can feel like a bit much. One minute you’re disrupting the automotive industry, the next you’re trying to send humans to Mars.
You just need some time and the right activity to recharge the ol’ internal battery.
So you bust out MS Paint and crank out a meme hyping a joke cryptocurrency:
I too hope to one day use my $Billions and social influence for good the lulz and to troll the finance industry.
Also, I may have come across the most #peak2021 picture: the above meme on a mask.
India Needs Help
India has been experiencing a massive surge in coronavirus cases, with some reports indicating some 300,000 new infections daily.
People are dying due to lack of medical supplies.
Question: how bad is it?
Answer: there are news articles with “round-the-clock mass cremations” in the title.
Daniel Miessler shared a New York Times article with a number of resources on how you can donate.
I donated to UNICEF here.
Also, many employers offer donation matching, which is an easy way to double your contributions! Check for an internal employer portal.
📢 Burp Suite as you've never seen it before
Burp Suite Enterprise Edition is the automated web vulnerability scanner built to help you shift left. By enabling you to scale and accelerate security testing, it frees time to do more.
Using the same Burp Scanner trusted by over 50,000 pentesters worldwide, Burp Suite Enterprise Edition can help you find and eliminate bugs before they reach production.
📜 In this newsletter...
AppSec: Initial Rust support in Semgrep
Supply Chain Security: Tool to check for dependency confusion exposure across many languages, dep confusion in Unity games and Bundler, CISA's recommended defenses
Web Security: Open source tool for out-of-band vuln testing, exploiting race conditions with Nuclei
Cloud Security: Free SRE conference, automate AWS patching, guide to AWS cost control
Container Security: Docker tag and pinning overview, mirror images for Kubernetes internally, offense-focused Docker tool, talk on backdooring and hardening Docker build processes
Blue Team: What's new in ATT&CK v9
Career: How to start in bug bounty, landing your first job as a bootcamp grad, getting your first cybersecurity job, find remote jobs, a list of security engineer interview questions
Politics / Privacy: Amazon used seller data to boost their own sales, history of FAANG acquisitions
Misc: The dangers of not taking a break, what's Salesforce?
Differentiating: For Companies and VCs: The importance of differentiating (the middle is dying)
Advancing Rust Support in Semgrep
This post by Kudelski Security describes how they’ve been furthering Semgrep’s Rust support via contributions to the tree-sitter-rust grammar and other parts of Semgrep core.
Not only is Semgrep’s community contributing new rules, they’re also helping Semgrep support more languages. I don’t know of any other commercial grade static analysis tool where this is the case. Pretty cool.
Supply Chain Security
A tool to help determine dependency confusion exposure that currently works on 12+ types of dependency files (more than any other tool I’ve seen). Also has support for scanning GitHub and GitLab servers. H/T Emre Saglam.
Dependency Confusion Vulnerabilities in Unity Game Development
By IncludeSec’s Jason Kielpinski: “A game studio that uses a private package registry configured to also pull from the public npmjs registry (which is the default configuration of Verdaccio) is vulnerable… Because the Unity package manager client doesn’t support package namespaces, the standard way of preventing this attack doesn’t work with Unity. Instead, mitigations have to be applied at the package registry server level.”
Bundler is Still Vulnerable to Dependency Confusion Attacks
By @Zofrex: “Bundler will fetch implicit dependencies (dependencies of your explicit dependencies) from any declared source in the Gemfile, even if their parents are limited to a particular source.” Potential mitigations: virtual namespacing, scope all gems, publicly register all of your gems, or explicitly provide a source for each dependency.
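The exposure check the tool above performs, and the unscoped-gem problem from the Bundler post, in one small offline script. This is an added example, not code from either project: it parses three dependency-file formats (package.json, requirements.txt, Gemfile), reports names that nobody has claimed on the public registry (an attacker could register them), and for the Gemfile lists gems that have no source pinned, so Bundler may resolve them from the global `source`. The sample files, the `acme-*` names, the `example.invalid` URLs and the `PUBLIC_INDEX` set are all constructed stand-ins for real registry lookups; transitive dependencies, which the Bundler post is really about, are not visible from the Gemfile alone.

```python
"""Offline dependency-confusion exposure check over three dependency-file
formats: package.json, requirements.txt and a Gemfile. Added example; the
sample files and the public-registry index are constructed stand-ins."""
import json
import re

# Constructed sample files (not from any real project).
PACKAGE_JSON = json.dumps({
    "dependencies": {"lodash": "^4.17.21", "acme-internal-auth": "1.2.0"},
    "devDependencies": {"acme-build-tools": "^2.0.0"},
})
REQUIREMENTS_TXT = """\
# public dependency, pinned
requests[security]==2.25.1
acme-telemetry>=1.0 ; python_version >= '3.6'
-e git+https://example.invalid/acme/sdk.git#egg=acme-sdk
"""
GEMFILE = """\
source 'https://rubygems.org'
gem 'rails', '~> 6.1'
gem 'acme-billing', '1.0.0'   # private gem, no source: Bundler may look on rubygems.org
source 'https://gems.acme.invalid' do
  gem 'acme-core'
end
gem 'acme-reports', source: 'https://gems.acme.invalid'
"""
# Constructed stand-in for "does this name exist on the public registry?"
PUBLIC_INDEX = {"lodash", "requests", "rails"}


def parse_package_json(text):
    data = json.loads(text)
    names = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(data.get(section, {}))
    return names


_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requirements(text):
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # comments, blanks and option lines (-e, -r, --index-url)
        m = _REQ_NAME.match(line)  # name stops at [extras], ==, >=, ;
        if m:
            names.add(m.group(1).lower())
    return names


_GEM = re.compile(r"""^gem\s+['"]([^'"]+)['"](.*)$""")
_GEM_SOURCE = re.compile(r"""source:\s*['"]([^'"]+)['"]""")
_SOURCE_BLOCK = re.compile(r"""^source\s+['"]([^'"]+)['"]\s+do\b""")


def parse_gemfile(text):
    """Map each gem to the source it is pinned to, or None when Bundler may
    resolve it from any global `source` (the dependency-confusion exposure)."""
    gems = {}
    blocks = []  # stack of open do...end blocks: a source URL, or None for group/platforms
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SOURCE_BLOCK.match(line)
        if m:
            blocks.append(m.group(1))
            continue
        if line.endswith(" do"):
            blocks.append(None)
            continue
        if line == "end":
            if blocks:
                blocks.pop()
            continue
        m = _GEM.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        inline = _GEM_SOURCE.search(rest)
        enclosing = next((b for b in reversed(blocks) if b), None)
        gems[name] = inline.group(1) if inline else enclosing
    return gems


def find_unclaimed(names, is_public=PUBLIC_INDEX.__contains__):
    """Names absent from the public registry can be registered by an attacker;
    if a build ever falls through to the public index, their package wins."""
    return sorted(n for n in names if not is_public(n))


def unscoped_gems(gems):
    return sorted(name for name, src in gems.items() if src is None)


if __name__ == "__main__":
    gems = parse_gemfile(GEMFILE)
    print("npm unclaimed:", find_unclaimed(parse_package_json(PACKAGE_JSON)))
    print("pypi unclaimed:", find_unclaimed(parse_requirements(REQUIREMENTS_TXT)))
    print("gems unclaimed:", find_unclaimed(gems))
    print("gems Bundler may resolve from any source:", unscoped_gems(gems))
```

To use it against a real project, swap `PUBLIC_INDEX.__contains__` for a function that queries the registry (npm, PyPI, RubyGems), and treat every unclaimed private name as something to either register yourself or scope to a private source.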
Defending Against Software Supply Chain Attacks
16-page PDF guide by CISA covering supply chain risks, common attack techniques, recommendations for customers (mitigating deployed malicious or vulnerable software, increasing resilience to a successful exploit), and recommendations for vendors (preventing the supply of malicious or vulnerable software, post-deployment mitigations).
Interactsh: Open-Source Solution for OOB Testing
New tool by Project Discovery that can help you identify blind out-of-band (OOB) vulnerabilities by generating dynamic URLs, which when requested by the target, trigger a callback. Interactsh comes with a server that can emulate HTTP, DNS, and SMTP with wildcards enabled. Nuclei integration coming!
See this Portswigger article for more info about OOB vulnerabilities.
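The core of any OOB setup is the correlation step: each injection point gets its own unique hostname, and a callback for that hostname (DNS lookup or HTTP request) ties the finding back to the exact parameter that triggered it. The following is an added example of that correlation logic, not Interactsh's own code; `oob.example.invalid`, the log-line format and every log line are constructed, and the class name and methods are my own.

```python
"""Correlate out-of-band (OOB) callbacks with the injection points that
triggered them, the way an Interactsh-style server lets you do. Added
example; the callback domain and every log line below are constructed."""
import re
import secrets

CALLBACK_DOMAIN = "oob.example.invalid"   # constructed stand-in for your OOB server


class OobCorrelator:
    # Constructed log format: "<ts> <proto> <details> from <source-ip>"
    _LINE = re.compile(
        r"^(?P<ts>\S+)\s+(?P<proto>dns|http|smtp)\s+(?P<rest>.*?)\s+from\s+(?P<src>\S+)$")

    def __init__(self, domain=CALLBACK_DOMAIN):
        self.domain = domain
        self._pending = {}   # token -> (target, parameter, payload kind)
        self._hits = []
        self.noise = 0       # callbacks for tokens we never issued (scanners, typos)
        self._host = re.compile(r"\b([0-9a-f]{16})\." + re.escape(domain) + r"\b")

    def probe(self, target, parameter, kind):
        """Mint a unique hostname per injection point. Any DNS lookup or HTTP
        request for it proves the payload was processed somewhere downstream."""
        token = secrets.token_hex(8)          # 16 hex chars, unguessable
        self._pending[token] = (target, parameter, kind)
        return f"http://{token}.{self.domain}/"

    def ingest(self, line):
        m = self._LINE.match(line.strip())
        if not m:
            return None                        # not a callback record at all
        host = self._host.search(m["rest"])
        if not host or host.group(1) not in self._pending:
            self.noise += 1                    # unknown token: not one of ours
            return None
        target, parameter, kind = self._pending[host.group(1)]
        hit = {"ts": m["ts"], "protocol": m["proto"], "source": m["src"],
               "target": target, "parameter": parameter, "kind": kind}
        self._hits.append(hit)
        return hit

    def results(self):
        """Protocols seen per injection point. A DNS-only entry means the host
        was resolved but egress HTTP was blocked; that is still a finding."""
        grouped = {}
        for h in self._hits:
            grouped.setdefault((h["target"], h["parameter"]), set()).add(h["protocol"])
        return grouped


def token_of(url):
    return url.split("//", 1)[1].split(".", 1)[0]


def demo():
    c = OobCorrelator()
    u1 = c.probe("https://app.example.invalid/import", "url", "ssrf")
    u2 = c.probe("https://app.example.invalid/profile", "x-forwarded-host", "header injection")
    t1, t2 = token_of(u1), token_of(u2)
    # Constructed server log: both protocols for probe 1, DNS only for probe 2,
    # one unrelated lookup, one unparseable line.
    log = [
        f"2021-05-01T10:00:01Z dns A {t1}.{c.domain} from 203.0.113.5",
        f"2021-05-01T10:00:02Z http GET / Host: {t1}.{c.domain} from 203.0.113.5",
        f"2021-05-01T10:00:09Z dns A {t2}.{c.domain} from 198.51.100.7",
        f"2021-05-01T10:01:00Z dns A {'0' * 16}.{c.domain} from 192.0.2.1",
        "garbage line that is not a callback",
    ]
    for line in log:
        c.ingest(line)
    return c.results(), c.noise


if __name__ == "__main__":
    print(demo())
```

The design point is that the token, not the source IP, is what you correlate on: the request usually arrives from some backend or resolver you have never seen, and one scan can trigger dozens of callbacks from different hosts.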
A free virtual conference (May 20, 2021) about site reliability engineering, DevSecOps, observability, multicloud, and working with complex distributed systems at scale.
Tracking and understanding costs.
Using those insights to reduce costs and the risk of making cost-saving changes.
Integrating these cost insights into our processes.
Winning with Docker Pinning
This post by Atomist’s James Carnegie explores how Docker tags work, the risks and benefits of using them, and a mechanism for pinning to specific digests to bring us closer to reproducible builds.
By Enrico Stahn: “A mutating webhook for Kubernetes, downloading images into your own registry and pointing the images to that new location.” It will transparently consolidate all images into a single registry without the need to adjust manifests, reducing the impact of external registry failures, rate limiting, network issues, change or removal of images while reducing data traffic and therefore cost.
By Daniel Garcia and Roberto Munoz: An offense-focused Docker tool that can scan a network looking for Docker registries, look for sensitive info within a Docker image, or inject a reverse shell into a Docker image.
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker
Daniel and Roberto’s talk in which they announced dockerscan. Includes an overview of Docker, CI, and manipulating Docker images. Their recommendations for hardening build processes include:
Do not trust names or tags; use digests in FROM declarations instead.
Always check the integrity of anything downloaded at build time.
Ideally only build servers are allowed to push images to registries.
Implement signing (Notary) and don’t execute unsigned images.
Their slides look pretty hilarious, worth taking a look.
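Since both the Atomist post and the talk above land on the same recommendation (pin `FROM` to a digest), here is an added example of auditing a Dockerfile for it and rewriting the unpinned lines. This is my own script, not Atomist's or dockerscan's code; the Dockerfile, the digest values (64 hex placeholders) and the `DIGESTS` lookup table are constructed stand-ins for what `docker manifest inspect` or a registry API would return. It also handles the cases a naive grep gets wrong: `--platform` flags, `FROM` of an earlier build stage, `FROM scratch`, and `ARG`-driven references that cannot be verified statically.

```python
"""Audit FROM lines in a Dockerfile for digest pinning and rewrite unpinned
references. Added example; the Dockerfile and digest table are constructed."""
import re

# Constructed digest placeholders (64 hex chars, not real image digests).
DIGEST_A = "sha256:" + "0123456789abcdef" * 4
DIGEST_B = "sha256:" + "fedcba9876543210" * 4

SAMPLE_DOCKERFILE = f"""\
# syntax=docker/dockerfile:1
ARG BASE=python:3.9
FROM --platform=linux/amd64 golang:1.16-alpine AS builder
FROM $BASE AS app
FROM nginx@{DIGEST_A} AS web
FROM node:14.17.0@{DIGEST_B}
FROM ubuntu
FROM builder AS tests
FROM scratch
"""

# Constructed lookup table standing in for `docker manifest inspect` / `crane digest`.
DIGESTS = {
    "golang:1.16-alpine": "sha256:" + "a1b2c3d4e5f60718" * 4,
    "ubuntu": "sha256:" + "deadbeefcafef00d" * 4,
}

_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
_FROM = re.compile(r"^\s*FROM\s+(.*)$", re.IGNORECASE)


def parse_from(dockerfile):
    """Return (line_no, image_ref, stage_name_or_None) for every FROM line."""
    out = []
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        m = _FROM.match(raw.split("#", 1)[0])
        if not m:
            continue
        tokens = m.group(1).split()
        args = [t for t in tokens if not t.startswith("--")]  # drop --platform=...
        ref = args[0]
        stage = args[2] if len(args) >= 3 and args[1].upper() == "AS" else None
        out.append((n, ref, stage))
    return out


def classify(ref, stages):
    if ref in stages:
        return "stage"      # refers to an earlier build stage, nothing pulled
    if ref == "scratch":
        return "scratch"    # empty base image
    if "$" in ref:
        return "variable"   # ARG/ENV-driven, cannot be verified statically
    if _DIGEST.search(ref):
        return "digest"
    if ":" in ref.rsplit("/", 1)[-1]:   # colon in the last path segment = tag
        return "tag"
    return "latest"         # implicit :latest, the riskiest form


def audit(dockerfile):
    stages, report = set(), []
    for n, ref, stage in parse_from(dockerfile):
        report.append((n, ref, classify(ref, stages)))
        if stage:
            stages.add(stage)
    return report


def pin(ref, digests=DIGESTS):
    """Append the digest, keeping the tag for readability: Docker resolves
    `name:tag@sha256:...` by digest and ignores the tag."""
    if _DIGEST.search(ref):
        return ref
    digest = digests.get(ref)
    if digest is None:
        raise KeyError(f"no digest known for {ref}")
    return f"{ref}@{digest}"


def pin_dockerfile(dockerfile, digests=DIGESTS):
    """Rewrite every tag-only or latest FROM line to a digest-pinned one."""
    stages, lines = set(), dockerfile.splitlines()
    for n, ref, stage in parse_from(dockerfile):
        if classify(ref, stages) in ("tag", "latest"):
            lines[n - 1] = lines[n - 1].replace(ref, pin(ref, digests), 1)
        if stage:
            stages.add(stage)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for n, ref, status in audit(SAMPLE_DOCKERFILE):
        print(f"line {n}: {status:8} {ref}")
    print(pin_dockerfile(SAMPLE_DOCKERFILE))
```

A digest pin only buys reproducibility if something keeps the pins fresh, so pair this with a periodic job that re-resolves the tag, diffs the digest and opens a change for review (the Atomist post's angle), rather than pinning once and forgetting.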
Updated: revamp of data sources, refreshes to macOS techniques.
New: consolidation of IaaS platforms, the Google Workspace platform, ATT&CK for Containers (and not the kind on boats).
Find remote jobs.
By Tad Whitaker: A deduplicated list of questions asked during security engineer interviews based on Glassdoor.com, covering: encryption and authentication, networking and logging, OWASP Top 10 and AppSec, databases, tools and games, programming and code, and compliance.
Politics / Privacy
Amazon knew seller data was used to boost company sales
I’ll take, “Things anyone could have seen coming a mile away” for $800, Alex(a).
Amazon, Apple, Facebook, and Google became big tech companies by acquiring hundreds of smaller companies
Pretty neat overview of the history of these companies and their acquisitions.
The dangers of not taking a break
Scary story by @TinkerSec on what happens when you work too hard and never take a break: you can actually burn out all of the glucose in your brain and have seizures. H/T Ishaq Mohammed for the link.
Also, I saw this meme on Taimur’s Twitter and couldn’t not include it:
Differentiating: For Companies and VCs
Playing Different Games
Fascinating breakdown by Everett Randle of why Tiger Global is eating other VCs’ lunch. Tiger is attractive to founders (more money, less dilution, less involved - you run your company), and because they do more deals faster, each deal doesn’t need to be as profitable (less due diligence -> faster deals -> more deals, by pre-empting other VCs).
The article also focuses on the core mechanics of successful investing, and shows how eschewing cultural norms that don’t actually matter can give you a significant competitive advantage.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!