[tl;dr sec] #93 - Reading Your CSO's Performance Review, Fuzzing, NSO Group
tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.
I hope you’ve been doing well!
Love at First Meme
People used to find their spouse through family, mutual friends, or who happened to live nearby.
But something was missing.
Then, dating websites and apps proliferated, leading to a greater pool of potential candidates. Dating became gamified, as you were always only a few swipes away from texting a cutie.
But something was missing.
But something was still missing.
In case you weren’t already sold:
Wow 🤣 Well, we live in a society.
📢 Why the Largest SaaS Providers are investing in SaaS Security and in AppOmni
People are often surprised to learn that Salesforce Ventures and ServiceNow Ventures are investors in AppOmni, and in SaaS Security in general. But they shouldn’t be. One of the primary goals of SaaS vendors is to ensure that their customers maintain secure SaaS environments, and they know that AppOmni is one of the best ways to do so. AppOmni automates the tracking of security settings, user permissions, 3rd party app access, and API configurations. We make it easy for security and IT teams to keep SaaS data secure, without adding additional workload. Watch the video to find out more.
📜 In this newsletter...
AppSec: Cybersecurity for the Board, RCE in cdnjs
Cloud Security: Scott Piper discusses his Cloud Security Roadmap, AWS incident response playbooks, how would you do your AWS from scratch?
Container Security: Istio's first security assessment released, sign container images with cosign and verify with OPA
Fuzzing: Fuzzing Android native libraries, fuzzing macOS, automatically generate harnesses, libafl
Blue Team: Mapping of technology and vendor tools to NIST CSF, TTPs used by Chinese state-sponsored actors
Red Team: Exploit development and kernel pools
Politics / Privacy: Data leak shows NSO Group tools targeting activists, how to catch NSO Group's Pegasus, toolkit to detect potential compromise of mobile devices, companies that map mobile ad IDs to PII, senior U.S. military officials were making plans to prevent a coup after the 2020 election
OSINT: Collection of 300+ OSINT tools
Leadership: Mindful leadership, a CSO who shares his performance review with the full company
Misc: Search TV shows and movies by a word or phrase, it's never been better to be talent
AppSec
Remote code execution in cdnjs of Cloudflare
RyotaK describes a remote code execution bug they found in Cloudflare’s CDNJS that, no big deal, could have allowed tampering of 12.7% of all websites 😅 Path traversal via a specially crafted .tgz name and some symbolic link trickery. Nice example of a security review workflow.
Cloud Security
Building Cloud Security RoadMap
Scott Piper joins Ashish Rajan’s Cloud Security Podcast to discuss Scott’s excellent AWS Security Maturity Roadmap, cloud security from start-ups to medium and large companies, getting started in cloud security, and more.
aws-samples/aws-incident-response-playbooks
Repo by AWS’ Frank Phillis that contains playbooks covering several common scenarios: credential compromise, unintended S3 bucket access, web app DoS / DDoS, and ransomware. The playbooks outline steps based on the NIST Computer Security Incident Handling Guide.
Lessons learned: if you could do it “all” from the start again, what would you do differently in your AWS?
Reddit post with some useful context and ideas.
Container Security
Announcing the results of Istio’s first security assessment
Istio describes the results of NCC Group’s assessment and shares the report. No Criticals, 4 Highs, the rest Medium, Low, and Informational. See the Security Best Practices and hardening guide.
Sign Container Images with cosign and Verify signature with Open Policy Agent
Batuhan Apaydın and Furkan Türkal describe how to ensure only images that have valid signatures can be deployed into production-grade Kubernetes clusters.
Fuzzing
parikhakshat/autoharness
A tool that automatically generates fuzzing harnesses for you, using LLVM and Clang for libFuzzer, CodeQL for finding functions, and Python for the overall program.
AFLplusplus/LibAFL
By Andrea Fioraldi, Dominik Maier, and team: a collection of reusable pieces of fuzzers, written in Rust. Fast, multi-platform (Windows, Android, macOS, Linux), no_std compatible, and scales over cores and machines. Includes different modes like binary-only Frida mode, is easy to extend with grammar fuzzing, and more.
Blue Team
mikeprivette/NIST-to-Tech
An open-source listing of cybersecurity technologies and vendor tools mapped to the NIST Cybersecurity Framework (CSF).
CISA: Chinese State-Sponsored Cyber Operations: Observed TTPs
Tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors, as well as recommended mitigations.
Red Team
Exploit Development: Swimming In The (Kernel) Pool - Leveraging Pool Vulnerabilities From Low-Integrity Exploits
An impressively detailed blog post by Connor McGarr.
Politics / Privacy
Revealed: leak uncovers global abuse of cyber-surveillance weapon
The Guardian reports that NSO Group sold spyware to authoritarian regimes who used it to target activists, politicians and journalists.
Forensic Methodology Report: How to catch NSO Group’s Pegasus
Great, detailed write-up by Amnesty International and Citizen Lab.
mvt-project/mvt
Mobile Verification Toolkit by Amnesty International’s @botherder and @tenacioustek is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.
Leadership
Mindful Leadership: A Conversation between Tara Brach and Michelle Maldonado
“In these times of mistrust and dividedness, our world desperately needs each of us to cultivate the qualities of focus, presence, care, respect, clarity, and curiosity that mark a true leader.” H/T Jason Chan.
A C-suite executive shared his performance review to all 1,400 people in the company to promote a culture of feedback. Read the email he sent.
Pretty cool transparency by Gusto CSO Fredrick Lee. Unpaywalled images of his review: 1 2 3 4 5. H/T Rami for the Archive.org trick.
Misc
yarn.co
Search a vast amount of TV shows and movies by word or phrase, filter by genre, decade, title, and more.
It’s Never Been Better To Be Talent
Facebook, TikTok, YouTube, Pinterest, and others have all pledged millions to billions of funding for creators. Unrelatedly, I’ve been working on launching OnlySec.com, where you can tune in for my personal musings on security, unkempt as I make my morning coffee, during my night time bed routine, etc. #nofilter
Thanks for reading!