Lightning Components: A treatise on Apex Security from an External Perspective
The paper contains some basic live labs to work through that demonstrate everything from how to dissect a component via built-in Apex controllers + leveraging controller / helper JS, to exploiting basic CRUD / SOQL injection / Blind SOQL injection issues.
Semgrep: The Surgical Static Analysis Tool
Parsia Hakimian takes a frank look at practical static analysis in the real world and Semgrep’s trade-offs. He likes that Semgrep rules are easy to write, that it doesn’t require buildable code, is open source, and has a great team and community.
Semgrep is a means to help with the endgame of appsec. Scaling. There are tons of thought leadership articles about scaling but in my opinion as a product security engineer, it boils down to:
- Create secure defaults.
- Involve dev teams in security via security champions.
- Deploy automated tooling.
“A vulnerable Android application with CTF examples based on bug bounty findings, exploitation concepts, and pure creativity,” by Kyle Benac.
LEXSS: Bypassing Lexical Parsing Security Controls
Bishop Fox’s Chris Davis describes how carefully crafted HTML tags can break HTML parsing logic, resulting in XSS, even when the parser tries to strip out dangerous content. He gives a few WYSIWYG HTML editor examples. In general, DOMPurify is pretty solid and worth using.
Cloud CISO Perspectives
Google Cloud CISO Phil Venables discusses post-RSA takeaways, ransomware, supply chain security, the recent Executive Order on Cybersecurity, and more. Emphasis below mine.
For too long, the public sector has tried to solve security challenges by spending more on security products, but as recent events have proved, spending billions of dollars on cybersecurity on an unmodernized IT platform is like building on sand. We strongly support this push towards modernization and agree with the government’s focus on making security simple and scalable, by default.
Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion
Tenchi Security’s Alexandre Sieira and Leonardo Viveiros describe how wildcard expansion when specifying HTTP verbs and paths that are allowed can potentially expose things you did not intend. Man, sometimes AWS feels like Complexity/Footguns-as-a-Service. Like Intuit lobbying against making taxes easier because it’s not in their financial interests.
A deep dive into how we investigate and secure GitLab packages
By GitLab’s Vitor Meireles De Sousa.
- How they confirmed that their package managers are safe against dependency confusion by default.
- Package Hunter, a tool GitLab is planning to open source, that uses dynamic behavior analysis to identify malicious packages that try to exfiltrate sensitive data or run unintended code.
- Their plan to introduce a new product category called the “Dependency Firewall,” with features that aim to help users prevent suspicious dependencies from being downloaded.
Introducing SLSA, an End-to-End Framework for Supply Chain Integrity
Google’s Kim Lewandowski and Mark Lodato describe SLSA, Google’s proposed end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain. SLSA has 4 levels of maturity, and they’ve released a GitHub Action example fulfilling SLSA Level 1.
- SLSA 1 requires that the build process be fully scripted/automated and generate provenance.
- SLSA 2 requires using version control and a hosted build service that generates authenticated provenance.
- SLSA 3 further requires that the source and build platforms meet specific standards to guarantee the auditability of the source and the integrity of the provenance, respectively.
- SLSA 4 is currently the highest level, requiring two-person review of all changes and a hermetic, reproducible build process.
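As an added example (not code from the SLSA post or Google's GitHub Action), here is a Python check for the SLSA 1 building block: confirming that a built artifact is actually covered by a provenance statement from a builder you trust. It assumes the in-toto Statement / SLSA provenance v0.1 JSON shape; the artifact bytes, builder id, URIs and digests are constructed placeholders.

```python
import hashlib
import json
from typing import List, Set

# Constructed sample: an in-toto Statement carrying a SLSA v0.1 provenance
# predicate, as a build service satisfying SLSA 1 would emit for one artifact.
# Every value below (artifact, builder id, URIs, digests) is made up.
ARTIFACT = b"example release tarball bytes\n"
PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "app-1.0.0.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v0.1",
    "predicate": {
        "builder": {"id": "https://builder.example/hosted@v1"},
        "recipe": {"type": "https://builder.example/workflow@v1",
                   "definedInMaterial": 0, "entryPoint": "build.yaml:build"},
        "materials": [{"uri": "git+https://git.example/app@refs/tags/v1.0.0",
                       "digest": {"sha1": "0123456789abcdef0123456789abcdef01234567"}}],
    },
})


def verify_provenance(provenance_json: str, artifact: bytes,
                      trusted_builders: Set[str]) -> List[str]:
    """Return the list of problems found; an empty list means the artifact is
    named in the provenance and the provenance claims a trusted builder.
    Signature checking is deliberately out of scope: SLSA 2's 'authenticated
    provenance' needs the statement wrapped in a signed envelope first."""
    problems = []
    try:
        stmt = json.loads(provenance_json)
    except json.JSONDecodeError as exc:
        return ["provenance is not valid JSON: %s" % exc]
    if stmt.get("_type") != "https://in-toto.io/Statement/v0.1":
        problems.append("not an in-toto v0.1 Statement")
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v0.1":
        problems.append("predicateType is not SLSA provenance v0.1")
    # The artifact we hold must be one of the statement's subjects, by digest.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = stmt.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact sha256 not among provenance subjects")
    predicate = stmt.get("predicate", {})
    builder = predicate.get("builder", {}).get("id")
    if builder not in trusted_builders:
        problems.append("untrusted builder id: %r" % builder)
    if not predicate.get("materials"):
        problems.append("no materials recorded, so the source cannot be traced")
    return problems
```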
The NSA has funded D3FEND, a framework for cybersecurity professionals to tailor defenses against specific cyber threats. This technical knowledge base of defensive countermeasures for common offensive techniques is complementary to MITRE’s ATT&CK, a knowledge base of cyber adversary behavior.
An intro to binary exploitation / reverse engineering course based around CTF challenges. Over 90 challenges covering assembly, stack buffer overflows, format strings, array indexing, return oriented programming, heap exploitation, symbolic execution, and more.
By Corentin Jemine: Clone a voice in 5 seconds to generate arbitrary speech in real-time. Imagine calling an executive or manager at a company, cloning their voice, then using that to vish one of their employees 😅
By Yuli Stremovsky et al: A network-based, self-hosted, GDPR compliant, secure database for personal data or PII.
John McAfee: Anti-virus creator found dead in prison cell
Hours after a Spanish court agreed to extradite him to the US to face tax evasion charges.
How Replit used legal threats to kill my open-source project
The founder/CEO of Replit, Amjad Masad, threatened a former intern with legal action because Amjad felt an open source project the intern published was too similar to work done during the internship, though Amjad did not provide specifics. Protecting your company is important, but not a great look to bring in the big guns against a single person building something in good faith with no commercial plans. From the HN thread:
It’s also notable that Amjad used to work at Codecademy on up-and-going interactive coding experiences. Now he has his own company building up-and-going interactive coding experiences. What did Amjad learn while he was at Codecademy, being privy to internal business operations?
So Amjad used nothing he learned at Codecademy for Replit? 🤔
Run your GitHub Actions locally, by Casey Lee. Get faster feedback during development, and you can use the GitHub Actions defined in your .github/workflows/ to replace your
A collection of modern/faster/saner alternatives to common *nix commands.
Bay Area landlords be like
Pretty hilarious (and painfully true) meme about Bay Area housing. H/T Isaac Evans.
Trying to decide a name for a website, app or other project? WordSafety.com checks your word against swear words and unwanted associations in 19 languages. H/T Martin Jambon.
Thanks for reading!