By Jay Gabriels: Quickly clone an entire org/users repositories into one directory. Supports GitHub, GitLab, Bitbucket, and more.
See also all-repos by Anthony Sottile, which makes it easy to clone all your repositories and apply sweeping changes.
From What to How in Cybersecurity: Self Care, Culture, and Strategy
Great BSidesRDU 2021 keynote by former Netflix VP of Security Jason Chan on self care, security being an infinite game, making strategic bets, and more. I highly recommend watching, it’s now on my (ever-growing 😅) list of talks to summarize.
Also check out Laksh Raghavan’s thoughts on it here:
…from John May’s blogpost “… we are betting on developing easy-to-use, secure-by-default design patterns for our engineers to use versus putting resources into extensive security reviews.”
Dissolve, don’t solve!
With the right engineering investments made in “secure building blocks”, everyone can go fast! Security and velocity don’t have to be zero-sum games.
Instead of “solving” for better SLAs for security reviews, they dissolved the problem. Keeps your developers focused on building great products rather than worrying about security!
“No need for IAM users when we have Yubikeys.” Tool by Aidan Steele that uses the “card authentication” slot on a Yubikey to store a TLS certificate and private key. See Aidan’s thread on why there’s no need for AWS IAM users today.
Do not use AWS CloudFormation
Greg Swallow argues that CloudFormation is strictly worse than Terraform: it has extra indirection and is harder to debug, Terraform has a rich set of data sources and makes transforming data a breeze, Terraform is much faster, CloudFormation’s async nature requires polling logic, Terraform is portable across providers, and more.
Well, That Escalated Quickly
AfterPay’s Dorien Koelemeijer describes Cloud Cover, a tool they built to enable developers to move quickly but also with least IAM privilege, using Okta, permissions defined in a git repo, and more. Neat approach.
Scanning Millions of Publicly Exposed Docker Containers
RedHunt Labs scanned over 6 million unique public repos on Docker Hub and found:
- 6/10 of the top base images were built more than a year ago. Thus, any vulnerability that got patched since then won’t be in the base image.
- The most common secret type was username/password to clone git repos.
- Top 5 exposures in Docker images: hard-coded secrets, copying sensitive config files to the Docker image, adding the entire git repo, including paid/proprietary software licenses, setting default credentials for apps.
Entry Level Kubernetes Certification to Help Advance Cloud Careers
New certification exam from CNCF and The Linux Foundation will test basic knowledge of Kubernetes and cloud native architectures.
Detection Engineering for Kubernetes clusters
NCC Group’s Ben Lister and Kane Ryans discuss the novel detection rules they have created around how privilege escalation is achieved within a Kubernetes cluster, to better enable security operations teams to monitor security-related events on Kubernetes clusters and defend them in real-world use.
The other concept that is useful when approaching detection engineering is “knowing where we can win”. This is the idea that for any given environment/system/technology there will be areas where defenders have a natural advantage. This may be because the logging is better, the attacker is forced into doing something, or there is a limited number of options for an attacker.
Nyx-Net: Network Fuzzing with Incremental Snapshots
A fast full-VM snapshot fuzzer for complex network based targets, by Sergej Schumilo and Cornelius Aschermann. Nyx-Net can fuzz a wide range of targets spanning servers, clients, games, and even Firefox’s IPC interface. It’s built upon kAFL, Redqueen and Nyx. The source code has been released, academic paper with more details here, and see this fuzzer speed run Super Mario here.
BLACKSMITH: Scalable Rowhammering in the Frequency Domain
H/T Marcel Böhme: “Fuzzing DRAM to discover rowhammer vulns. Works on 100% of today’s PC-DDR4 devices they tested, even when the Target Row Refresh (TRR) mitigation was enabled.” IEEE S&P 2022 paper.
SupplyChainSecurityCon - Talk Recordings Now Available
By the Continuous Delivery Foundation (CDF). Talks covering SBOMs, digital signatures, SLSA, getting started with supply chain security, and more.
By Probot: A GitHub App that enforces the Developer Certificate of Origin (DCO) on Pull Requests, requiring all commit messages to contain the Signed-off-by line with an email address that matches the commit author.
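The rule the app enforces, as an added example (not Probot's code): given a commit author's e-mail and the commit message, pass only if a Signed-off-by trailer carries that same address.

```shell
#!/bin/sh
# Added example, not part of the DCO app. Arguments are the author e-mail
# and the message body, as `git show -s --format='%ae' / '%B'` would print.
# Returns 0 when a Signed-off-by trailer matches the author, 1 otherwise.
dco_check() {
    author_email=$1
    message=$2
    # Pull the address out of every "Signed-off-by: Name <addr>" line.
    signoffs=$(printf '%s\n' "$message" \
        | sed -n -E 's/^[Ss]igned-off-by:.*<([^>]+)>.*$/\1/p')
    if [ -z "$signoffs" ]; then
        echo "DCO: missing Signed-off-by trailer"
        return 1
    fi
    # Whole-line, fixed-string match; e-mail compared case-insensitively here.
    if ! printf '%s\n' "$signoffs" | grep -Fxiq -- "$author_email"; then
        echo "DCO: no sign-off matches author $author_email"
        return 1
    fi
    return 0
}
```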
A consolidation of Secure Software Supply Chain resources, such as talks, whitepapers, conferences and more, by Chris Hughes.
Practical Security Recommendations for Start-ups with Limited Budgets
By Alex Chapman: use a password manager and 2FA, develop with modern frameworks, configure an edge security service, enable HTTP security headers, apply security patches, backup user data and source code, centralize all logging, have a bug bounty program, service containerization, and deploy canary tokens.
Cybersecurity Incident & Vulnerability Response Playbooks
By CISA. Includes an incident response (preparation) checklist in the appendices.
Simple SSH Security
Harm Aarts describes several quick steps to harden your SSH config: disable logging in via password, remove weak prime numbers, and allow only strong ciphers.
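The three steps above in runnable form, as an added example (not from Harm Aarts' post): a hardened sshd_config fragment, the moduli filter that drops weak Diffie-Hellman primes, and an audit function that flags a config missing any of the three. Algorithm lists follow the Mozilla OpenSSH guidelines and are assumed to suit OpenSSH 8.x.

```shell
#!/bin/sh
# Added example, not the post's own code. Everything works on files passed
# as arguments, so it can be run against copies before touching /etc/ssh.

# Steps 1 and 3: key-only logins and a restricted list of modern algorithms.
hardened_fragment() {
    cat <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
EOF
}

# Step 2: keep comment lines and only moduli whose size field ($5, stored
# as bits minus one) is at least 3071, i.e. 3072-bit groups and larger.
# Usage: filter_moduli /etc/ssh/moduli > /etc/ssh/moduli.new
filter_moduli() {
    awk '/^#/ || $5 >= 3071' "$1"
}

# Audit an sshd_config: one finding per line, returns 1 if any. sshd uses
# the first occurrence of a directive, so the first match wins here too.
audit_sshd_config() {
    cfg=$1
    rc=0
    pw=$(awk 'tolower($1)=="passwordauthentication"{print tolower($2); exit}' "$cfg")
    [ "$pw" = "no" ] || { echo "PasswordAuthentication is '${pw:-unset, defaults to yes}'"; rc=1; }
    for d in Ciphers KexAlgorithms MACs; do
        v=$(awk -v d="$d" 'tolower($1)==tolower(d){print $2; exit}' "$cfg")
        if [ -z "$v" ]; then
            echo "$d not set; sshd's default list applies"; rc=1
        elif echo "$v" | grep -Eiq -- '-cbc|sha1|arcfour|3des|hmac-md5'; then
            echo "$d still allows a weak algorithm: $v"; rc=1
        fi
    done
    return $rc
}
```

Validate the merged result with `sshd -t` before restarting the daemon.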
An SSH server & client auditing tool: banner, key exchange, encryption, mac, compression, compatibility, security, etc., by Positron Security’s Joe Testa.
Hardening your client SSH config file
.ssh/config with modern sane defaults by Ben Montour.
LOTS Project - Living Off Trusted Sites
By @mrd0x: Attackers are using popular legitimate domains when conducting phishing, C&C, exfiltration and downloading tools to evade detection. This is a list of websites that allow attackers to use their domain or subdomain.
How to estimate legal costs from a data breach
Interesting overview by Ryan McGeehan, based on 150 data breach settlements he reviewed. Areas: disclosure complexity, multiple litigators, litigation probability, discovery costs, settlement costs, trial costs, regulation, and indemnification. H/T Ryan Naraine.
A visual overview of useful skills to learn as a web developer, by Andreas Mehlsen.
Merriam-Webster: Time Traveler
See when a word was first used in print.