The Open Policy Agent (OPA) project provides a policy language, Rego, that can be used to automate policy enforcement (e.g. for compliance, security, Kubernetes, microservice authorization, policies that define organisational best practices, etc.). This is a CLI tool that makes Rego policies searchable.
Four levels of maturity that bridge the AppSec / engineering divide
Django co-creator Jacob Kaplan-Moss describes four levels of maturity in how AppSec and engineering teams can work together productively as they build a continuous integration and automation pipeline:
- Security finds problems; Engineering fixes them
- Security and Engineering collaborate to produce test cases and remediations
- After the issue is fixed, Security and Engineering collaborate to find systemic fixes and develop checks
- Security and Engineering now also proactively look for new classes of issues and create systemic checks before an actual problem occurs
A browser extension that lets you edit HTTP(S) requests and responses without a proxy. So like Burp Suite/ZAP, but just your browser.
A CLI tool for finding sites vulnerable to NoSQL injection, with a focus on MongoDB, by Charlie Belmer. Charlie works at DuckDuckGo and has a nice blog with articles about security and privacy, and a mailing list if you want to keep up with the cool stuff he’s working on.
AWS Security Maturity Roadmap 2021
The third annual release of Scott Piper’s excellent guide for securely running on AWS. Probably one of the best, concise, actionable guides on this I know of.
@goserverless will copy up your AWS API creds to their service and execute things on your behalf
Oof, thanks Corey Quinn for the heads up.
Accelerate infrastructure as code development with open source Former2
If you have existing AWS infrastructure that has not yet been ported to infrastructure as code, you can use Former2 (landing page, GitHub) to automatically generate CloudFormation, Terraform, or Troposphere templates from your existing AWS resources.
Evolving Container Security With Linux User Namespaces
Nicely detailed blog post by Fabio Kung and the Netflix container team on the challenges of securing containers in multi-tenant systems and how adopting user namespaces (“rootless containers”) helps them embrace defense-in-depth. Great overview of the problem space, and a discussion of how their architecture has changed over time.
(Architecture diagrams from the post: “Before User Namespaces” and “After User Namespaces”.)
Repo by Michael Koczwara collecting hunting and detection tools, YARA rules, indicators of compromise, research articles and more related to detecting the use of Cobalt Strike.
Linux Hardening Guide
Pretty massive hardening guide covering a range of topics including kernel hardening, mandatory access control, sandboxing, hardened memory allocator and compilation flags, memory safe languages, the root account, firewalls, identifiers, file permissions, core dumps, entropy, physical security, and more.
Politics / Privacy
WhatsApp gives users an ultimatum: Share data with Facebook or stop using the app
Wait whaaat, Facebook wants access to your private data?! 😱 No one could have seen this coming.
Hello! You’ve Been Referred Here Because You’re Wrong About Section 230 Of The Communications Decency Act
Great TechDirt article by Mike Masnick if you’re curious about how or when Section 230 applies, or if you’re tired of explaining it and just want to link people to something.
Hello! You’ve Been Referred Here Because You’re Wrong About The First Amendment
Same as above, but for the First Amendment.
Bro, Do You Even Rust?
“Have you considered rewriting in Rust?” has been said so many times that it’s become a meme.
But I think there’s something to it. For one example: Microsoft: Rust Is the Industry’s ‘Best Chance’ at Safe Systems Programming. I came across a few Rust-related links this week so I decided to group them.
I also wrote up a handy cheatsheet in case you’re considering using C:
Like smoking or eating Big Macs for every meal, while it’s not illegal to use C in 2021, it should be discouraged.
Sad that Flash is going away? Then check out this Flash Player emulator written in Rust. Because - why not? 😂
“A new OS written from scratch in Rust to experiment with novel OS structure, better state management, and how to shift OS responsibilities like resource management into the compiler.”