• tl;dr sec
  • Posts
  • [tl;dr sec] #89 - MITRE D3FEND, Lambda Authorizer Gotchas, Google's Supply Chain Integrity Framework

[tl;dr sec] #89 - MITRE D3FEND, Lambda Authorizer Gotchas, Google's Supply Chain Integrity Framework

MITRE releases the defensive countermeasures counterpart to ATT&CK, how IAM wildcard expansion can bite you, Google's 4-level supply chain maturity framework and reference GitHub Action.

Author

Clint Gibler
June 23, 2021

Hey there,

I hope you've been doing well!

A Game with an Unexpected Twist

I was very fond of video games growing up.

They taught me math (Number Munchers), history (Age of Empires), and how to hopefully make peace with future alien civilizations (Starcaft).

I was actually excellent in history class one year because it focused on the Middle Ages, and I played Age of Empires II obsessively often. If I recall correctly, one of the projects I submitted was a custom map I built that recreated a famous battle we covered in class involving Saladin.

But sometimes video games can take a surprising turn, as Sara Schaefer described:

"Everything leading up to this was benign like picking outfits and making her a smoothie."

Man, you can’t trust anything anymore 😂

Sponsor

📢  Keep your Attack Surface under control

Focused on cutting-edge offensive cyber security techniques, we deliver real value-added security services to companies.

Faraday Security Services goes far beyond standard pentesting or traditional scannings to understand your security posture and ensure that no rock is left unturned.

What if you could involve third-party security services into current processes easily, get high-quality results on time, use them to educate your team and increase vulnerability mitigation faster?

Let us show you how to rethink Vulnerability Management.

📜 In this newsletter...

  • AppSec: Auditing Salesforce Lightning Components, reflections on practical static analysis in the real world

  • Mobile Security: Vulnerable Android app with CTF examples

  • Web Security: Bypassing HTML lexical parsing security controls

  • Cloud Security: Google Cloud CISO perspectives, IAM wildcard expansion in Lambda Authorizers can bite you

  • Supply Chain: How GitLab secures their packages, Google's end-to-end framework for supply chain integrity

  • Blue Team: MITRE's D3FEND, the defensive countermeasures counterpart to ATT&CK

  • Red Team: An intro to binary exploitation / reverse engineering course based around CTF challenges

  • Privacy: Clone a voice in 5 seconds to generate arbitrary speech in real-time, GDPR compliant database for PII

  • Current Events: John McAfee dead, Replit swings the legal hammer at a former intern

  • Programming: Run GitHub Actions locally, collection of modern *nix command replacements

  • Misc: Bay Area Landlords be like, check if your project idea's name means something bad in another language

AppSec

Lightning Components: A treatise on Apex Security from an External Perspective
Whitepaper by AppOmni’s Aaron Costello on the architecture of Lightning Aura components, how a call to an Apex (Salesforce’s proprietary programming language) method with parameters crafted from nothing but the provided Javascript signature, and security best practices for using these components safely.

The paper contains some basic live labs to work through that demonstrate everything from how to dissect a component via built-in Apex controllers + leveraging controller / helper JS, to exploiting basic CRUD / SOQL injection / Blind SOQL injection issues.

Semgrep: The Surgical Static Analysis Tool
Parsia Hakimian takes a frank look at practical static analysis in the real world and Semgrep’s trade-offs. He likes that Semgrep rules are easy to write, that it doesn’t require buildable code, is open source, and has a great team and community.

Semgrep is a means to help with the endgame of appsec. Scaling. There are tons of thought leadership articles about scaling but in my opinion as a product security engineer, it boils down to:

1. Create secure defaults.

2. Involve dev teams in security via security champions.

3. Deploy automated tooling.

Mobile Security

B3nac/InjuredAndroid
“A vulnerable Android application with CTF examples based on bug bounty findings, exploitation concepts, and pure creativity,” by Kyle Benac.

Web Security

LEXSS: Bypassing Lexical Parsing Security Controls
Bishop Fox’s Chris Davis describes how carefully crafted HTML tags can break HTML parsing logic, resulting in XSS, even when the parser tries to strip out dangerous content. He gives a few WYSIWYG HTML editor examples. In general, DOMPurify is pretty solid and worth using.

Cloud Security

Cloud CISO Perspectives
Google Cloud CISO Phil Venables discusses post-RSA takeaways, ransomware, supply chain security, the recent Executive Order on Cybersecurity, and more. Emphasis below mine.

For too long, the public sector has tried to solve security challenges by spending more on security products, but as recent events have proved, spending billions of dollars on cybersecurity on an unmodernized IT platform is like building on sand. We strongly support this push towards modernization and agree with the government’s focus on making security simple and scalable, by default.

Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion
Tenchi Security’s Alexandre Sieira and Leonardo Viveiros describe how wildcard expansion when specifying HTTP verbs and paths that are allowed can potentially expose things you did not intend. Man, sometimes AWS feels like Complexity/Footguns-as-a-Service. Like Intuit lobbying against making taxes easier because it’s not in their financial interests.

Supply Chain

  • How they confirmed that their package managers are safe against dependency confusion by default.

  • Package Hunter, a tool GitLab is planning to open source, that uses dynamic behavior analysis to identify malicious packages that try to exfiltrate sensitive data or run unintended code.

  • Their plan to introduce a new product category called the “Dependency Firewall,” with features that aim to help users prevent suspicious dependencies from being downloaded.

Introducing SLSA, an End-to-End Framework for Supply Chain Integrity
Google’s Kim Lewandowski and Mark Lodato describes SLSA, Google’s proposed end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain. SLSA has 4 levels of maturity, and they’ve released a GitHub Action example fulfilling SLSA Level 1.

1. SLSA 1 requires that the build process be fully scripted/automated and generate provenance.

2. SLSA 2 requires using version control and a hosted build service that generates authenticated provenance.

3. SLSA 3 further requires that the source and build platforms meet specific standards to guarantee the auditability of the source and the integrity of the provenance, respectively.

4. SLSA 4 is currently the highest level, requiring two-person review of all changes and a hermetic, reproducible build process.

Blue Team

MITRE D3FEND
The NSA has funded D3FEND, a framework for cybersecurity professionals to tailor defenses against specific cyber threats. This technical knowledge base of defensive countermeasures for common offensive techniques is complementary to MITRE’s ATT&CK, a knowledge base of cyber adversary behavior.

Red Team

Nightmare
An intro to binary exploitation / reverse engineering course based around CTF challenges. Over 90 challenges covering assembly, stack buffer overflows, format strings, array indexing, return oriented programming, heap exploitation, symbolic execution, and more.

Privacy

CorentinJ/Real-Time-Voice-Cloning
By Corentin Jemine: Clone a voice in 5 seconds to generate arbitrary speech in real-time. Imagine calling an executive or manager at a company, cloning their voice, then using that to vish one of their employees 😅 

securitybunker/databunker
By Yuli Stremovsky et al: A network-based, self-hosted, GDPR compliant, secure database for personal data or PII.

Current Events

John McAfee: Anti-virus creator found dead in prison cell
Hours after a Spanish court agreed to extradite him to the US to face tax evasion charges.

How Replit used legal threats to kill my open-source project
The founder/CEO of Replit, Amjad Masad, threatened a former intern with legal action because Amjad felt an open source project the intern published was too similar to work done during the internship, though Amjad did not provide specifics. Protecting your company is important, but not a great look to bring in the big guns against a single person building something in good faith with no commercial plans. From the HN thread:

It’s also notable that Amjad used to work at Codecademy on up-and-going interactive coding experiences. Now he has his own company building up-and-going interactive coding experiences. What did Amjad learn while he was at CodeAcademy, being privy to internal business operations?

So Amjad used nothing he learned at Codecademy for Replit? 🤔

Programming

nektos/act
Run your GitHub Actions locally, by Casey Lee. Get faster feedback during development and you can use the GitHub Actions defined in your .github/workflows/ to replace your Makefile.

ibraheemdev/modern-unix
A collection of modern/faster/saner alternatives to common *nix commands.

Misc

Bay Area landlords be like
Pretty hilarious (and painfully true) meme about Bay Area housing. H/T Isaac Evans.

WordSafety.com
Trying to decide a name for a website, app or other project? WordSafety.com checks your word against swear words and unwanted associations in 19 languages. H/T Martin Jambon.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint