- tl;dr sec
- [tl;dr sec] #92 - Hardening Kubernetes, Ransomware, Authz at Scale
[tl;dr sec] #92 - Hardening Kubernetes, Ransomware, Authz at Scale
Securing AWS EKS and lessons from a k8s security report, inside the ransomware economy, and building fine-grained authorization that works at scale.
I hope you’ve been doing well!
Programming or security themed parodies can be hit or miss, but this parody of Aladdin’s “A Whole New World” is 👌
Thanks Malware Unicorn for sharing!
I’m tempted to include some lines, but I don’t want to spoil it, so here’s a taste:
I’ve had the privilege of chatting with some awesome people recently.
I joined Lewis Ardern on one of the best named British Bake Off security podcasts, SecuriTEA & Crumpets. See this video for the Semgrep demo portion with minute markers, and the beginning of the full video for how I got into improv comedy, the origin of tl;dr sec and some lessons learned growing it, career thoughts, and more.
I also chatted with John Kinsella and Adrian Sanabria on Application Security Weekly #156 on scaling security programs via secure defaults, how modern AppSec teams work with their engineering counterparts 🤝, and other good stuff.
📢 Live Workshop: Cloud DevSecOps with Terraform and Bridgecrew
Gain hands-on experience implementing an automated Terraform security workflow from code to cloud. Don’t miss the
with Bridgecrew and HashiCorp on July 29th! You’ll leverage infrastructure as code and your favorite dev tools to find, fix, and prevent misconfigs and cloud drift.
📜 In this newsletter...
AppSec: Massive list of resources, Orange Tsai's CTF exercises, web app decision tree generator, finding oversharing in Salesforce, guide to determine if you should run a bug bounty
Authorization: Carta's highly scalable permissions system inspired by Google's Zanzibar, code patterns for API authz, layering authz into an existing web app
Cloud Security: Getting partial AWS account IDs for any Cloudfront website, defending against DNS exfiltration in AWS, building an attribute-based access control strategy with AWS SSO and Okta
Container Security: AWS Lambda deep dive, two resources on hardening AWS EKS, Red Hat State of Kubernetes Security Report 2021
Ransomware: Inside the ransomware economy, site tracking ransomware profits, political methods to stop ransomware
Politics / Privacy: Iran's government planned kidnapping in the U.S.
OSINT: Find profiles across 350 sites by username
Misc: Drama inside Blizzard
Deciduous: A Security Decision Tree Generator
Ryan Petrich and Kelly Shortridge describe a web app they’ve released (source) that lets you focus on attacker actions, potential mitigations, and how attackers will respond, and Deciduous will dynamically generate an organized and styled graph.
Are you oversharing (in Salesforce)? Our new tool could sniff it out!
NCC Group’s Jerome Smith has released raccoon, an open source tool to identify potential misconfigurations that could expose sensitive data within Salesforce. It establishes which Profiles and Permissions Sets (with active users) have some combination of read/edit/delete permissions to ALL records for a given set of objects, based on their effective sharing and objects settings.
Is a Bug Bounty Program Right for You?
Chapter 2 from the Bug Bounty Community of Interest is probably one of the most detailed, practical guides about real world concerns and best practices of running a bug bounty program at your company. Factors to consider, vulnerability management details, leadership buy-in, communications, internal processes, operationalizing, and more.
AuthZ: Carta’s highly scalable permissions system
Carta’s Aaron Tainter describes how they went from JWT-based authorization, decided against OPA, to building their own system inspired by Google’s Zanzibar. Great example of building an MVP and iterating quickly based on internal customer feedback (your engineering colleagues).
The HN discussion contains some interesting anecdotes from other companies and links to a number of open source and commercial authz tool options.
Code Patterns for API Authorization: Designing for Security
NCC Group’s Tanner Prynn describes four different common patterns when implementing authorization for web apps and APIs, and compares their security trade-offs: ad hoc, route-based, centralized, and object-based.
I saw many different authorization schemes as a security consultant, including many legacy ones that companies were struggling with or revamping after it was making new development painful. This is tough to do well, and I appreciated seeing this overview of different approaches in one place.
Layering authorization into a web application
Gusto’s Flora Jin discusses introducing granular authorization into their app and API (2019). They used the CanCanCan authorization gem, and their authorization specification (in a separate file) looks like:
subject(Payroll, company_id: params(:company_id)) do
can [:read], with: Permissions::READ_PAYROLLS
can [:create, :update, :destroy], with: Permissions::MANAGE_PAYROLLS
# Route annotation
authorize :read, resource
# raises 401 if you don’t have access to the resource
Getting Partial AWS Account IDs for any Cloudfront Website
Chime’s Arkadiy Tetelman describes how using a new Cloudfront API and a crypto trick.
Build an end-to-end attribute-based access control strategy with AWS SSO and Okta
By AWS’ Louay Shaat: “This blog post discusses the benefits of using an attribute-based access control (ABAC) strategy and how to use ABAC with AWS SSO when you’re using Okta as an identity provider. With ABAC, you can simplify your access control strategy by granting access to groups of resources, which are specified by tags, instead of managing long lists of individual resources.”
Hardening AWS EKS security with RBAC, secure IMDS, and audit logging
Snyk’s Kamil Potrec provides a nice overview of how to harden default AWS EKS settings: authentication/authorization, restricting access to the Kubernetes API and the instance metadata service, and enabling logging.
Guide to Designing EKS Clusters for Better Security
Excellently detailed guide by StackRox’s Karen Bruner including: VPC layout, dedicated IAM role for cluster creation, managed vs self-managed node groups, controlling SSH access, EC2 Security Groups for nodes, and more.
Red Hat: State of Kubernetes Security Report 2021
A few of the things that stuck out to me:
94% of respondents experienced at least one security incident in their Kubernetes environments in the last 12 months (Kubernetes, so easy to use! 😂).
88% of respondents use Kubernetes as their container orchestrator, with 74% in production.
Six different open source security tools are used by at least 20% of respondents, with KubeLinter and OPA as the top two.
Ming Zhao: Inside the Ransomware Economy
Fascinating thread, highly recommend reading.
This crowdsourced payments tracker wants to solve the ransomware visibility problem
Krebs Stamos Group’s Jack Cable has built Ransomwhe.re, a site keeps a running tally of ransoms paid out to cybercriminals in Bitcoin, made possible thanks to the public record-keeping of transactions on the blockchain and self-reported incidents. Filter by time, ransomware group, and more.
Insider leak on the current happenings inside Blizzard
StarCraft and Warcraft brought me countless of hours of joy (and swearing) with my friends growing up. Sounds like Blizzard has been having trouble.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!