[tl;dr sec] #206 – Security Engineer Interview Tips, Security Making Eng Faster, GitHub Action Scanner


I hope you’ve been doing well!

John Steven is one of the most technically strong people I’ve ever met, and his interpersonal ninja-ry in causing change across teams in big orgs is also quite impressive.

I guess it makes sense, as he worked as a consultant up to CTO at Cigital over 18 years, working with hundreds of companies across every sector. He’s also been a CTO at a number of security product companies and has advised many security start-ups.

John was also my manager when I was but a wee Cigital intern 🥰 

In this podcast, we discussed a number of key lessons learned and insights in building modern, scalable security programs, including:

  • Threat modeling as a strategic means of defining one’s approach to security posture

  • Effectively having the security team on the critical software delivery path, and helping engineers ship faster and better

  • Using security tools as guardrails, rather than for vulnerability discovery  

  • Paved roads and security controls

  • and so much more!

📣 AWS Security Checklist 

Rampant cloud usage requires an advanced security playbook. 

Wiz put together these AWS security best practices from leading cloud security orgs.

Benchmark your strategy and improve your security posture across your AWS footprint with:  

  • Techniques to enforce least privilege across all identities 

  • How to limit uncontrolled exposure of sensitive assets 

  • Playbooks to extend protection of Kubernetes clusters (EKS) 

  • Plus critical recommendations by resource type (IAM, S3, CloudTrail) 

All of these advanced best practices for AWS are compiled in this checklist. 

Conferences

OffSec Evolve: Cyber Skills and Training Summit
OffSec, the company behind Kali Linux and OSCP, is holding a free virtual event on Wednesday, November 15th. Topics: leadership and talent management, attacker mindset, a CISO panel on human factors in cybersecurity training, how to attract and assess top talent, and more.

InfoSec Map v1 Launched
The free web app by Martín Villalba to search for security events by date, location and topic now lets you search by Call For Papers/Sponsors/Trainers/Volunteers and other improvements.

📣 Shortcut compliance — without shortchanging security

A growing business likely means more tools, third-party vendors, and data sharing — in other words, way more risk.

Vanta brings GRC and security efforts together. Integrate information from multiple systems and reduce risks to your business and your brand, all without the need for additional staffing.

And because Vanta automates up to 90% of the work for SOC 2, ISO 27001, and more, you’ll be able to focus on strategy and security, not maintaining compliance.

Join 6,000 fast-growing companies that leverage Vanta to manage risk and prove security in real-time. Watch the on-demand demo to learn more. 

AppSec

FiloSottile/age
By Filippo Valsorda: A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

CycodeLabs/raven
By Cycode: RAVEN (Risk Analysis and Vulnerability Enumeration for CI/CD) is a security tool designed to perform massive scans for GitHub Actions CI workflows and digest the discovered data into a Neo4j database. Queries are in the library/ folder.

Web Security

gotr00t0day/Gsec
By @gotr00t0day: A web security scanner that uses tools like Shodan, RapidDNS, Certsh, Waybackurls, and Nuclei for asset discovery, subdomain enumeration, old link fetching, HTTP security scanning, CMS misconfiguration detection, and vulnerability scanning.

HAR File Sanitizer
Upload an HTTP Archive (HAR) file and this web app will remove sensitive data client-side, without sending it off your device. Leaking sensitive data through an uploaded HAR file is what happened recently with Okta.
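As an added example (not the sanitizer app’s own code), here is the kind of redaction such a tool has to do: walk the HAR’s `log.entries`, and blank out session cookies, `Authorization`-style headers, secret-looking query and form parameters, and token fields inside JSON bodies, leaving the rest of the capture intact for debugging. The sample HAR, the header/parameter name lists and the `[REDACTED]` marker are constructed for this illustration.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header names whose values should never leave the device (constructed list).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
# Query/form parameter and header names that commonly carry secrets (constructed list).
SENSITIVE_NAME = re.compile(r"(token|session|sid|auth|password|secret|api[-_]?key)", re.IGNORECASE)
# "<secret-looking key>": "<value>" inside a JSON body.
SENSITIVE_JSON_FIELD = re.compile(
    r'("(?:[^"]*(?:token|session|password|secret|key)[^"]*)"\s*:\s*")([^"]*)(")', re.IGNORECASE)
REDACTED = "[REDACTED]"


def _scrub_pairs(pairs, always=False):
    """Redact values in a HAR name/value list (headers, cookies, queryString, params)."""
    n = 0
    for item in pairs or []:
        name = str(item.get("name", "")).lower()
        if always or name in SENSITIVE_HEADERS or SENSITIVE_NAME.search(name):
            if item.get("value") != REDACTED:
                item["value"] = REDACTED
                n += 1
    return n


def _scrub_text(text):
    """Redact secret-looking JSON fields in a request/response body; returns (text, count)."""
    if not text:
        return text, 0
    return SENSITIVE_JSON_FIELD.subn(lambda m: m.group(1) + REDACTED + m.group(3), text)


def _scrub_url(url):
    """Redact secret-looking query parameters in the entry URL; returns (url, count)."""
    parts = urlsplit(url)
    n = 0
    query = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE_NAME.search(name):
            value, n = REDACTED, n + 1
        query.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(query))), n


def sanitize_har(har):
    """Return (deep copy of the HAR with secrets redacted, number of redactions)."""
    clean = json.loads(json.dumps(har))  # never mutate the caller's object
    count = 0
    for entry in clean.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        if "url" in req:
            req["url"], n = _scrub_url(req["url"])
            count += n
        count += _scrub_pairs(req.get("headers"))
        count += _scrub_pairs(req.get("cookies"), always=True)   # cookies are always secrets
        count += _scrub_pairs(req.get("queryString"))
        post = req.get("postData")
        if post:
            count += _scrub_pairs(post.get("params"))
            if "text" in post:
                post["text"], n = _scrub_text(post["text"])
                count += n
        count += _scrub_pairs(resp.get("headers"))
        count += _scrub_pairs(resp.get("cookies"), always=True)
        content = resp.get("content")
        if content and "text" in content:
            content["text"], n = _scrub_text(content["text"])
            count += n
    return clean, count


# Constructed sample HAR (HAR 1.2 shape) with a login request and token response.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST", "url": "https://example.test/api/login?sid=abc123&page=2",
        "headers": [{"name": "Authorization", "value": "Bearer eyJ.constructed"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "session", "value": "s3ss10n"}],
        "queryString": [{"name": "sid", "value": "abc123"}, {"name": "page", "value": "2"}],
        "postData": {"mimeType": "application/json",
                     "text": '{"user":"alice","password":"hunter2"}'},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "session=new; HttpOnly"}],
        "cookies": [{"name": "session", "value": "new"}],
        "content": {"mimeType": "application/json",
                    "text": '{"access_token":"tok-constructed","expires":3600}'},
    },
}]}}

if __name__ == "__main__":
    cleaned, redactions = sanitize_har(SAMPLE_HAR)
    print(f"{redactions} values redacted")
    print(json.dumps(cleaned, indent=2))
```

Name-based redaction is a heuristic: a token sent under an unusual header or parameter name will slip through, so before sharing a HAR with a third party it is still worth searching the sanitized file for the specific cookie and header names your own application uses.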

Cloud Security

A short note on AWS KEY ID
Tal Be’ery shares a Python script to decode an AWS account ID from an AWS access key ID, revealing that the account ID is base32 encoded and shifted by one bit within the key.
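An added example of the decoding scheme described above (this is not Tal’s script, and the sample values are constructed): strip the four-character `AKIA`/`ASIA` prefix, base32-decode the remaining 16 characters, take the first 6 bytes as a 48-bit integer, and read the 40-bit account ID that sits one bit below the top bit. The encoder is only the inverse of that layout, used here to build round-trip fixtures; a defender’s use of the decoder is to tell at a glance whether a key found in a leak or a log belongs to one of their own accounts.

```python
import base64

# Key ID prefixes for long-term (AKIA) and temporary (ASIA) credentials.
KNOWN_PREFIXES = ("AKIA", "ASIA")
# Bits 46..7 of the first 48 decoded bits hold the 40-bit account ID.
ACCOUNT_MASK = 0x7FFFFFFFFF80


def account_id_from_key_id(key_id: str) -> int:
    """Recover the numeric AWS account ID embedded in a 20-char access key ID."""
    if len(key_id) != 20 or key_id[:4] not in KNOWN_PREFIXES:
        raise ValueError("expected a 20-character key ID starting with AKIA or ASIA")
    raw = base64.b32decode(key_id[4:].upper())   # 16 base32 chars -> 10 bytes
    first48 = int.from_bytes(raw[:6], "big")     # only the first 6 bytes carry the account ID
    return (first48 & ACCOUNT_MASK) >> 7


def key_id_for_account(account_id: int, prefix: str = "AKIA",
                       low_bits: int = 0, top_bit: bool = False,
                       tail: bytes = b"\x00\x00\x00\x00") -> str:
    """Inverse layout, used to build test fixtures (constructed, not AWS's generator).

    low_bits fills the 7 bits below the account ID and top_bit sets bit 47; both
    are outside the account-ID field and must be ignored by the decoder.
    """
    if not 0 <= account_id < (1 << 40):
        raise ValueError("account ID must fit in 40 bits")
    head = (int(top_bit) << 47) | (account_id << 7) | (low_bits & 0x7F)
    return prefix + base64.b32encode(head.to_bytes(6, "big") + tail).decode("ascii")


def belongs_to_known_account(key_id: str, known_accounts) -> bool:
    """Defender check: does a key seen in a leak/log map to one of our account IDs?"""
    try:
        return account_id_from_key_id(key_id) in {int(a) for a in known_accounts}
    except ValueError:
        return False


if __name__ == "__main__":
    demo = key_id_for_account(123456789012)      # constructed fixture
    print(demo, "->", f"{account_id_from_key_id(demo):012d}")
```

Account IDs are 12 digits and may begin with zeros, so format the returned integer with `:012d` before comparing it to IDs copied from the console.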

Orange-Cyberdefense/GOAD
By Orange Cyberdefense: A Game of Thrones-inspired intentionally vulnerable Active Directory lab project, to give security testers practice. I suspect HR would like to have a word with some of these AD users.

The security attendee’s guide to AWS re:Invent 2023
An overview of the security talks. Topics: sessions for security leaders, the role of generative AI in security, architecting and operating container workloads securely, zero trust, and managing identities and encrypting data.

Blue Team

CVE Crowd
A web app that lists CVEs that are currently being discussed on Mastodon, by Konstantin.

FalconForceTeam/FalconHound
By FalconForce’s Olaf Hartong: A blue team multi-tool that allows you to utilize and enhance the power of BloodHound in a more automated fashion. It’s designed to be used in conjunction with a SIEM or other log aggregation tool. Unlike BloodHound, which takes a snapshot in time, FalconHound includes functionality to keep a graph of your environment up-to-date.

See also Olaf’s WWHackinFest slides about FalconHound here.

Red Team

nneonneo/ghidra-rickroll
TIL Ghidra automatically detects and renders image and audio files embedded in a binary, including GIFs. Robert Xiao shows how to do media insertion for rickrolling reverse engineers using Ghidra. Love it.

D00Movenok/BounceBack
By Georgii Gennadev: A highly customizable reverse proxy with WAF functionality, designed to hide red team operations from blue teams, sandboxes, and scanners, using real-time traffic analysis, IP filtering (includes known IT security vendors’ IP pools), domain fronting, and other advanced features.

RoseSecurity-Research/WolfPack
WolfPack combines the capabilities of Terraform and Packer to streamline the deployment of red team redirectors on a large scale. It allows efficiently scaling out the creation and management of Apache redirectors, which mimic authentic websites.

Hiring and Interviewing as Security Engineers
BSidesSF 2023 talk by Databricks’ Arpita Biswas (slides) that provides a nice overview of different titles and roles, the skills required, and how to improve your interviewing for them, from software security engineer, to cloud security, detection engineering/incident response, and more.

Machine Learning + Security

This new data poisoning tool lets artists fight back against generative AI
A tool called Nightshade lets artists add small, pixel-level changes to their art to poison models trained on it, e.g. cause images of “dogs” to have too many limbs or cartoonish faces, or to look like cats instead. This attack would require tech companies to painstakingly find and delete each corrupted sample.

Primary findings: plaintext credentials, insecure deserialization (using pickle instead of ONNX), typos (packages could be typosquatted), and lack of adversarial robustness (not using tools like Adversarial Robustness Toolbox (ART) or Counterfit).

Joe also released lintML, which wraps TruffleHog and Semgrep, and does other checks.

Machine Learning

  • Greg Rutkowski is one of the most common names included in AI-generated art prompts due to his beautiful fantasy artwork.

  • MonsterAPI: A new platform that allows users to fine-tune open source LLMs without writing any code.

  • Air.ai: AI agents for sales and customer service reps. “Can have 10-40 minute long phone calls that sound like a real human, with infinite memory, perfect recall, and can autonomously take actions across 5,000 plus applications. It can do the entire job of a full time agent without having to be trained, managed or motivated. It just works 24/7/365.”

  • Javi Lopez prototyped a working pumpkin-themed Angry Birds clone using only Midjourney/DALL-E 3 for art and GPT-4 for the code. He shares the prompts and code.

petrgazarov/salami
By Petr Gazarov: A declarative domain-specific language for cloud infrastructure based on natural language descriptions. Uses GPT-4 to convert the natural language to Terraform.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏
