[tl;dr sec] #195 – Kubernetes Exposed, SBOMs, Elastic’s Vuln Management

This year was my first time in Vegas since the pandemic, and I even managed to survive BSidesLV through DEF CON. I hope you did too 😅 

With the help of many friends, I managed to hand out ~300 t-shirts and >1,000 stickers. If you didn’t get one, stay tuned, I’m working on it.

A few moments that stood out:

• Getting polygraphed by Zack Allen (who writes the excellent Detection Engineering newsletter) the first time we ever met.

• Meeting other podcast and newsletter nerds for the first time in person- shout-out to Tromzo and Miscreants for making it happen.

• Attending an Aussie party and watching Louis from PentesterLab make an American hop 4 times like a kangaroo to become an “honorary Australian.”

• Caleb Sima managing to lose the t-shirt I gave him in literally the two hours between my seeing him at different events 🤣 

If you attended, I hope your Hacker Summer Camp was memorable and safe!

FYI there’s an upcoming free full-day training for developers and security folks interested in application, product, and cloud security.

September 5th in Austin, Texas.

Featuring Jim Manico, James Wickett, Reddit’s Matt Johansen, Cloudflare’s Sri Pulla, Netflix’s Esha Kanekar, and many more!

Opal is designed to give teams the building blocks for identity-first security: view authorization paths, manage risk, and seamlessly apply intelligent policies built to grow with your organization.

They are built from the ground up to synthesize the data needed to construct and monitor all of your company’s access – from a single pane of glass.

Opal is used by best-in-class security teams today, such as Blend, Databricks, Drata, Figma, Scale AI, and more. There is no one-size-fits-all when it comes to access, but they provide the foundation to scale least privilege the right way.

• AppSec: Tool to run CodeQL at scale, a walkthrough of 👈️ , Semgrep for Prometheus queries

• Web Security: Burp extension to encode and fuzz custom Protobuf messages

• Cloud Security: Tool for AWS subnet observability, hacking GitHub AWS integrations again, AWS security monitoring in 2023

• Container Security: Survey of exposed Kubernetes clusters in the wild

• Supply Chain: SBOM query language tool, protobom (a format-neutral SBOM representation), limitations of using SBOMs for vulnerability response, BlackHat talk on trust in the software supply chain

• Blue Team: TTPForge, how Elastic uses Elastic for vuln management, monitoring Vault at scale

• Red Team: Collection of Chrome sandbox escape PoCs, collection of vulnerable WordPress plugins, memory corruption in JS engines tutorial

• Politics / Privacy: Chrome extension to monitor other extensions’ network calls

• Machine Learning + Security: U.S. gov’t AI competition, managing risk for apps leveraging 3rd party LLMs

• OSINT / Recon: Tool to discover URLs associated with a domain

• Misc: BlackHat USA vendor announcement overview, hacking card-shuffling machines

Finding Vulnerabilities with MRVA CodeQL
Maiky discusses scanning many repos at scale using GitHub’s CodeQL, using either a built-in list of top 1K repos or a custom built list using GitHub Code Search for repos that have specific functionality you’re targeting. Maiky demonstrates this approach for finding server-side template injection in Ruby and unsafe deserialization in Python.

Guardrails for PromQL using Semgrep
Aiven’s Michael Hoffmann is a Site Reliability Engineer who recently added support for PromQL to Semgrep, a query language for Prometheus, the open-source CNCF monitoring system. Michael walks through how you can “extract” PrompQL from YAML files and then run analyze the PromQL with Semgrep to enforce best practices or find bugs.

Semgrep’s Extract mode let’s you do the same thing with JavaScript in HTML, Bash in Docker files or YAML, etc. Neat to see Semgrep solving developer/SRE challenges, not just security 💪 

Named “Zenbleed” (CVE-2023-20593) by its reporter/discoverer Tavis Ormandy, this new vulnerability primarily targets AMD Zen CPUs and has the potential to cause substantial damage, much like previous CPU vulnerabilities such as Spectre and Meltdown. The Lacework Labs cloud security research team breaks down this new vulnerability in our latest blog article.

Daniel excellently links to related work and and has a very fun tone- this is a solid example of a great blog post 👌

AWS Security Monitoring in 2023: Untangle the chaos
Cloudonaut’s Michael Wittig writes about recommendations for implementing an effective security monitoring strategy in AWS. Michael introduces a structured approach, categorizing key AWS services into three fundamental groups: sources of information, best practices, and anomaly detection and aggregation. Includes an 👌 overview image.

Kubernetes Exposed: One Yaml away from Disaster
AquaSec’s Michael Katchinskiy and Assaf Morag found Kubernetes clusters belonging to more than 350 organizations, openly accessible and largely unprotected. They discovered the clusters using Shodan, and the two primary misconfigurations they found were: allowing anonymous access with privileges and running the kubectl proxy with certain arguments that lead to unknowingly exposing the cluster to the Internet.

Reflections on Trust in the Software Supply Chain
BlackHat talk (slides) by Jeremy Long on the current state of software supply chain security, what SLSA, SBOMs, and code signing do and don’t get you, and a PoC malicious build-time dependency that injects a backdoor. This occurs before code signing happens, so from that point of view, all looks well.

How InfoSec uses the Elastic Stack for vulnerability management
Elastic’s Clement Fouque writes about how the Elastic Stack can be utilized as a data management platform for vulnerability management. Clement outlines the three main components of their vulnerability management architecture and explains how to automate the process of retrieving, enriching, and sharing scan results with different teams.

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏