I hope you’ve been doing well!
💪 Bro-ing Out
This week I’m visiting by brother, who has kindly offered to host me in his 1 bedroom.
I knew it was going to be an auspicious visit, as when I was leaving the airport I saw a family carrying a sign that said “Congrats on getting out of prison early.” (True story)
We’re fairly different people, but we’re going to bond over getting swole at the gym.
He likes South Park and I like musicals, so I had him listen to some of the Book of Mormon soundtrack (same creators), which he liked. Check out You and Me (But Mostly Me) if you haven’t seen it.
I figure after spending a week largely in the same room, if we’re both still alive, we’ll have grown closer 😂
🤖 Daniel Miessler: The future of AI and Security
Next Wednesday (June 28) I’m joining my bud Daniel Miessler to chat live about uses of AI in cybersecurity.
We’ll discuss topics like:
-
What areas of security are likely to be disrupted? Which aren’t?
-
How might this affect your day-to-day work?
-
What should you do to future-proof your career?
We’re going to leave a ton of time for Q&A, so show up with questions, we’d love to hear your thoughts 😎
P.S. Daniel and I also recorded an ~hour long discussion on AI + security that we’ll share after the session.
📣 The Cloud Security Model Cheat Sheet
How leading security orgs stay ahead!
As more processes move to the cloud, security teams are stuck playing catch-up. But leading security orgs are staying ahead. And the numbers prove them right. In this cheat sheet you’ll learn:
-
The 4-step process to adapt your cloud security strategy
-
How to prioritize the right pillars in your team
-
Data-backed research that proves why this is a winning approach
It’s all in the Cloud Security Model Cheat Sheet.
Hang it on the walls of your open space (or share it with your team on Slack).
📜 In this newsletter…
-
AppSec: Building Blocks, Building Security Tools is the Wrong Approach, AppSec Through the Lens of Developer Experience
-
Cloud Security: AWS Pentest Methodology, How Cloud Providers Do Business, Risks in Managed Kubernetes Cluster Middleware, PrivEsc via AWS Batch
-
Container Security: Bypassing vulnerability scanners
-
Supply Chain: Update deps in GitHub Actions, Good Practices for Supply Chain Cybersecurity, Generation of SLSA3+ provenance for artifacts created in a Docker container, Argo Supply Chain Security, Finding Pwnable Terraform Modules
-
Red Team: CVExploits Search
-
Machine Learning + Security: AI Canaries, awesome LLM security tools, tool to find AWS IAM config issues, GPT Burp extension, exfiltrating data from Bing Chat
-
Machine Learning: Massive list of resources from a16z
-
Misc: Destroyed by Breach, InfoSecMap, Expectations Debt, Gratitude practice reframe
AppSec
Building Blocks
PentesterLab’s Louis Nyffenegger does a great, concise (3min) overview of the idea and benefits of “secure building blocks” / “secure defaults” / “paved road” concept, where security teams partner with engineering teams to build safe by construction ways for devs to do common tasks securely (e.g. authorization, parsing XML, JWT stuff, etc.).
…if we are to get true mass adoption of tools that can significantly improve security, they will have to be tools that first and foremost solve a ‘gunshot to the chest’ problem for software developers, and then solve a ‘gunshot to the chest’ problem for security teams as a side effect as well. Just reducing friction is not enough.
Jason includes a number of great resources at the bottom, including this DevEx paper.
📣 Tailscale, a frustratingly simple VPN
Tailscale is the simple and secure way to build and manage your team’s network.
We handle network configurations on your behalf to navigate firewalls and routers, so you don’t need to hassle with manual configuration or port forwarding. Authenticating is effortless with SSO, and Tailscale enables roaming so teammates stay connected wherever they go, even if they switch between Wi-Fi and cell networks.
Plus, you can get started in minutes. Just install and authenticate Tailscale on two or more devices, and you’re ready to roll.
Cloud Security
My AWS Pentest Methodology
Lizzie Moratti shares recommendations for offensive-focused practitioners on how to approach pentesting AWS environments, including useful tools, mapping account usage, reviewing account configurations, and conducting dynamic tests from an attacker’s perspective.
Cloud providers once focused on customer retention via innovation and customer satisfaction. Today, they have enough deterrent business practices in place to make switching providers an expensive Herculean undertaking.
Kubernetes Grey Zone: Risks in Managed Cluster Middleware
Wiz’s Shay Berkovich explores the risks associated with managed cluster middleware (MCM) (services ran by the cloud provider) and the additional security vulnerabilities and attacks that can arise from them. Shay presents two attack scenarios to highlight the potential impact of a compromised MCM, privilege escalation via Node Problem Detector and privilege escalation via Fluent Bit ConfigMap, and offers mitigation guidelines.
Messing Around With AWS Batch For Privilege Escalations
Doyensec’s Francesco Lacerenza and Mohamed Ouad explore AWS Batch, a self-managed and self-scaling scheduler for tasks. They outline a vulnerable scenario involving EC2 compute environments when the container operates in bridged network mode, and offer mitigation suggestions. TIL that containers running in ECS and EKS have the Container Metadata Service (CMDS), which is basically IMDS but for containers and pods in AWS. Associated Terraform lab here.
Supply Chain
BoostSecurity’s François Proulx describes how they downloaded all Terraform providers and modules, ran various static code analysis tools like Semgrep on them, looking for GitHub Actions workflows vulnerable to “pwn request” attacks, and found several hundreds of vulnerable modules.
Red Team
CVExploits Search
A comprehensive database for CVE exploits, collected automatically from GitHub, GitLab, Packet Storm Security, Metasploit modules, and more.
Machine Learning + Security
AI Canaries
Daniel Miessler describes the idea of placing canary prompt injection payloads around your site (e.g. robots.txt) that alert you when an AI agent is interacting with your site.
tenable/EscalateGPT
An AI-powered tool for discovering privilege escalation opportunities in AWS IAM configurations, by Tenable. “In our testing against real-world AWS environments, we found that GPT4 managed to identify complex scenarios of privilege escalation based on non-trivial policies through multi-IAM accounts.”
tenable/Burp-extension-for-GPT
A Burp Suite extension that leverages OpenAI to analyze HTTP traffic and identify potential security concerns. “We tested some real-world scenarios and we found that GPT3.5 and GPT4 successfully identified XSS and misconfigured HTTP headers without requiring any additional fine-tuning.”
Machine Learning
AI Canon
An impressive list of resources from a16z covering a gentle introduction, foundational learning, tech deep dive, practical guides to building with LLMs, market analysis, and landmark research results.
Misc
InfoSecMap
An awesome resource to search for security events by date, location and topic, by Martín Villalba. They plan to add support for searching CFPs as well.
I once heard that 90% of culture is just “winning,” – when a company is winning, everyone’s happy, rich, being promoted, and they see their work as contributing to something bigger than themselves.
Expectations are like a debt that must be repaid before you get any joy out of what you’re doing.
An asset you don’t deserve can quickly become a liability.
Companies should want the valuation they deserve, and not a penny more.
Workers should want a salary that matches their skill, and nothing more.
None of those are about settling or giving up. It’s about avoiding a certain kind of psychological debt that comes due when reality catches up.
There’s a stoic saying: “Misfortune weighs most heavily on those who expect nothing but good fortune.”
Morgan Housel
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏