Last week I mentioned some work by Alex Birsan who successfully typosquatted internal package names for a number of companies. This tool by Joona Hoikkala aims to combat this attack by checking for lingering free namespaces for private package names referenced in dependency configuration for Python (PyPI,
package.json), or PHP (Composer,
Flávio Heleno shared with me this article describing what Composer does to prevent dependency confusion. They seem to have thought through this threat scenario well and even allow you to place an exclude filter on third-party package repositories banning packages that do not start with
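As an added example (not from the article or the Composer project), here is a composer.json that applies the repository filters described above, assuming a private repository at https://composer.example.internal that serves only packages under the constructed vendor prefix `acme/`. The `only` filter confines the private repository to that prefix, and Packagist is re-declared with an `exclude` filter so a public package registered under the same vendor prefix is never considered:

```json
{
    "name": "acme/app",
    "require": {
        "acme/internal-billing": "^2.0",
        "monolog/monolog": "^3.0"
    },
    "repositories": [
        {
            "type": "composer",
            "url": "https://composer.example.internal",
            "only": ["acme/*"]
        },
        {
            "packagist.org": false
        },
        {
            "type": "composer",
            "url": "https://repo.packagist.org",
            "exclude": ["acme/*"]
        }
    ]
}
```

The weak configuration is the same file without the `repositories` block: every `acme/*` requirement is then resolved against Packagist as well, which is exactly the namespace a squatter would register.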
By Sourcetrail: A free and open-source cross-platform source explorer that helps you get productive on unfamiliar source code. It does lightweight static analysis on C, C++, Java, and Python source code to extract class and method definitions, member fields, class hierarchies, and more.
Defending software build pipelines from malicious attack
Recommendations by the NCSC, covering topics including:
- Protect builds from each other - run them in containers/VMs instead of sharing an OS kernel, use network isolation, and prevent jobs from accessing each other’s build artifacts.
- Establish a chain of custody - ensure security checks are performed consistently and that the build isn’t modified afterwards (TLS everywhere, source code checksums).
- Consider a managed service for your build pipelines.
Pipelines need to be defended against attack at least as effectively as the environments they deploy to.
Building a secure CI/CD pipeline for Terraform Infrastructure as Code
Great blog post by OVO’s Chongyang Shi evaluating how to securely deliver infrastructure changes in CI/CD pipelines. He highlights current limitations of popular platforms, discusses what they’d like in an ideal solution, and finally presents the architecture they’ve decided on that meets those requirements. Great discussion of the team’s reasoning and thought process 👍
Network security challenges
Malicious jobs can steal secrets, bypassing two-person requirements
The end architecture OVO settled on
Electronegativity GitHub Action
Use this GitHub Action to easily run Electronegativity, a tool by Doyensec that identifies misconfigurations and security anti-patterns in Electron applications, in GitHub CI/CD. The Action produces a GitHub-compatible SARIF file for uploading to the repository’s ‘Code scanning alerts’.
Electron APIs Misuse: An Attacker’s First Choice
Doyensec’s Luca Carettoni and Lorenzo Stella discuss a list of APIs they’ve successfully abused during past engagements for high impact, like RCE.
By @bytebutcher: Burp extension that adds a customizable “Send to…” context menu, enabling you to easily pass input to arbitrary CLI tools, like gobuster, etc. Here’s a blog post about it by @ƒyoorer.
A CLI tool that generates a temporary email address and automatically extracts OTPs or confirmation links from the incoming mails, using 1secmail.com’s API to generate the temporary emails, by Somdev Sangwan.
A ffuf Primer
Nice overview and walkthrough by Daniel Miessler of the Golang CLI web fuzzing tool ffuf.
By @projectdiscovery: “a multi-cloud tool for getting Assets (Hostnames, IP Addresses) from Cloud Providers.” Can be used by blue teams to augment Attack Surface Management efforts by maintaining a centralized list of assets across multiple clouds with little configuration efforts.
AWS security project ideas
Scott Piper has decided to shut down his consulting business and join Aurora, a self driving car company. This blog post lists some neat AWS security projects that would push the industry forward. If you’re looking for somewhere to get started, check it out!
By Cilium: A visual editor for learning how to create Network Policies for Kubernetes. The tutorial “explains basic network policy concepts and guides you through the steps needed to achieve the desired least-privilege security and zero-trust concepts.”
By Guardicore: A tool for tracing interprocess communication (IPC) on Linux. Useful tool for debugging multi-process applications or understanding how the different moving parts in your system communicate with one another. It covers most of the common IPC mechanisms – pipes, fifos, signals, unix sockets, loopback-based networking, and pseudoterminals. Collects info from BPF hooks placed on kprobes and tracepoints at key functions in the kernel, though it also fills in some bookkeeping from
An illustrated guide to bitcoin mining and the blockchain
Nice entry-level overview by The Hustle’s Zachary Crockett, told through a gold mining metaphor.
Still Alive - Astral Codex Ten
The author of Slate Star Codex reflecting on closing down his blog, and now starting things again. Funny, insightful, and reflective.
Warrior on HBO Max is a pulpy, Bruce Lee-inspired joy
Bruce Lee’s daughter, Shannon, found an 8-page manuscript her father had written that has now been made into a two-season show on HBO Max. 1870s San Francisco Chinatown, rival gangs, Western-esque, excellent martial arts sequences. I haven’t watched it yet but it sounds great.
Tech entrepreneurship thoughts from Daniel Miessler’s newsletter:
Ask yourself: “What are the awesome technologies that are hard for companies to take advantage of?”, and, “What company can I start to make that easy for them?”
H/T Pablo Estrada for the link.
I teased out virality and said: You cannot do it. Don’t talk about it, don’t touch it, I don’t want you to give me any product plans that revolve around this idea of virality — I don’t want to hear it.
What I want to hear about are the three most difficult and hard problems that any product has to deal with:
- How do you get people in the front door?
- How do you get them to an a-ha moment as quickly as possible?
- And how do you deliver core product value as often as possible?
After all of that is said and done, only then can you propose to me about how you are going to get people to get more people.
And that single decision about not even allowing the conversation to revolve around virality was the most important thing that we did.
Thanks for reading!