Are you oversharing (in Salesforce)? Our new tool could sniff it out!
NCC Group’s Jerome Smith has released raccoon, an open source tool to identify potential misconfigurations that could expose sensitive data within Salesforce. It establishes which Profiles and Permission Sets (with active users) have some combination of read/edit/delete permissions to ALL records for a given set of objects, based on their effective sharing and object settings.
Is a Bug Bounty Program Right for You?
Chapter 2 from the Bug Bounty Community of Interest is probably one of the most detailed, practical guides about real world concerns and best practices of running a bug bounty program at your company. Factors to consider, vulnerability management details, leadership buy-in, communications, internal processes, operationalizing, and more.
Great work by Sean Poris, Johnathan Kuskos, Joshua Dembling, Katie Trimble-Noble, Deana Shick, and Christopher Robinson.
AuthZ: Carta’s highly scalable permissions system
Carta’s Aaron Tainter describes how they moved from JWT-based authorization to a system of their own inspired by Google’s Zanzibar, after evaluating and deciding against OPA. Great example of building an MVP and iterating quickly based on internal customer feedback (your engineering colleagues).
The HN discussion contains some interesting anecdotes from other companies and links to a number of open source and commercial authz tool options.
Code Patterns for API Authorization: Designing for Security
NCC Group’s Tanner Prynn describes four different common patterns when implementing authorization for web apps and APIs, and compares their security trade-offs: ad hoc, route-based, centralized, and object-based.
I saw many different authorization schemes as a security consultant, including many legacy ones that companies were struggling with or revamping because they were making new development painful. This is tough to do well, and I appreciated seeing this overview of different approaches in one place.
Layering authorization into a web application
Gusto’s Flora Jin discusses introducing granular authorization into their app and API (2019). They used the CanCanCan authorization gem, and their authorization specification (in a separate file) looks like:
subject(Payroll, company_id: params(:company_id)) do
  can [:read], with: Permissions::READ_PAYROLLS
  can [:create, :update, :destroy], with: Permissions::MANAGE_PAYROLLS
end

# Route annotation: check the action against the rules above for this resource
authorize :read, resource
# raises 401 if you don’t have access to the resource
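To make the trade-off in the two posts above concrete (NCC Group’s authorization patterns and Gusto’s resource-scoped rules), here is an added Python example. It is not code from either post and does not use Gusto’s Ruby DSL: the Payroll model, the users and the permission names are made up. It puts an ad hoc handler that forgot its company check next to an object-based version in which every Payroll access has to go through one authorize() function keyed by action.

```python
"""Ad hoc vs. object-based authorization for a toy payroll API (added example)."""
from dataclasses import dataclass


# --- Constructed sample data -------------------------------------------------
@dataclass(frozen=True)
class User:
    name: str
    company_id: int
    permissions: frozenset  # e.g. {"READ_PAYROLLS", "MANAGE_PAYROLLS"}


@dataclass
class Payroll:
    id: int
    company_id: int
    total: int


PAYROLLS = {
    1: Payroll(id=1, company_id=100, total=50_000),
    2: Payroll(id=2, company_id=200, total=90_000),
}

alice = User("alice", company_id=100, permissions=frozenset({"READ_PAYROLLS"}))
mallory = User("mallory", company_id=200, permissions=frozenset({"READ_PAYROLLS"}))


class Forbidden(Exception):
    pass


# --- Pattern 1: ad hoc -------------------------------------------------------
# Every handler must remember both the permission check and the ownership
# check. The second handler forgot the ownership check, so anyone holding
# READ_PAYROLLS can read any company's payroll by guessing an id.
def adhoc_get_payroll(user, payroll_id):
    p = PAYROLLS[payroll_id]
    if "READ_PAYROLLS" not in user.permissions or p.company_id != user.company_id:
        raise Forbidden
    return p.total


def adhoc_get_payroll_summary(user, payroll_id):
    p = PAYROLLS[payroll_id]
    if "READ_PAYROLLS" not in user.permissions:  # BUG: no company check
        raise Forbidden
    return {"id": p.id, "total": p.total}


# --- Pattern 2: object-based -------------------------------------------------
# Rules live next to the object as action -> required permission, and the
# ownership check is part of the one function that hands out Payroll objects.
PAYROLL_RULES = {
    "read": "READ_PAYROLLS",
    "create": "MANAGE_PAYROLLS",
    "update": "MANAGE_PAYROLLS",
    "destroy": "MANAGE_PAYROLLS",
}


def authorize(user, action, payroll):
    needed = PAYROLL_RULES[action]
    if needed not in user.permissions or payroll.company_id != user.company_id:
        raise Forbidden(f"{user.name} may not {action} payroll {payroll.id}")
    return payroll


def load_payroll(user, action, payroll_id):
    """The only way handlers obtain a Payroll, so the check cannot be skipped."""
    return authorize(user, action, PAYROLLS[payroll_id])


def objbased_get_payroll_summary(user, payroll_id):
    p = load_payroll(user, "read", payroll_id)
    return {"id": p.id, "total": p.total}


def denied(fn, *args):
    """True if calling fn(*args) raises Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

With the ad hoc pattern, adhoc_get_payroll_summary(mallory, 1) returns company 100’s payroll; with the object-based pattern the same call is denied, and a new handler that needs to update a payroll gets the MANAGE_PAYROLLS requirement for free by asking load_payroll for the "update" action.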
Getting Partial AWS Account IDs for any Cloudfront Website
Chime’s Arkadiy Tetelman describes how to recover part of the AWS account ID behind any CloudFront-fronted website, using a new CloudFront API and a crypto trick:
“If we want to find the partial AWS account ID for some domain, we can fetch the real public certificate for that domain, generate a random private key, and update the precomputed public key parameters on our private key to be the same as the public key on the certificate we want to impersonate. ACM has a bug in that it does not validate the private key truly corresponds to the public key - it only checks the precomputed values on the private key, which are under our control.”
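To make the bug class concrete, here is an added pure-Python example; it is not Arkadiy’s code and is not how ACM is implemented. It uses a toy 128-bit RSA key generator (far too small for real use), builds a private key whose (n, e) have been overwritten with a target’s public key while d, p, q and the CRT values stay the attacker’s, shows that a check of only the precomputed CRT values accepts that key, and shows the checks that reject it: n == p*q, e*d == 1 mod lcm(p-1, q-1), and a sign/verify round trip against the certificate’s public key.

```python
"""Why 'validate the precomputed values' is not 'validate the key' (added example)."""
import math
import random
from dataclasses import dataclass


def is_probable_prime(n, rounds=20):
    """Miller-Rabin; good enough for a toy key."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


@dataclass
class RSAPrivateKey:
    """Same fields as a PKCS#1 RSAPrivateKey: public (n, e) plus private material."""
    n: int
    e: int
    d: int
    p: int
    q: int
    dp: int     # d mod (p-1)
    dq: int     # d mod (q-1)
    qinv: int   # q^-1 mod p


def generate_key(bits=128, e=65537, rng=random):
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
        if p == q or math.gcd(e, lam) != 1:
            continue
        d = pow(e, -1, lam)
        return RSAPrivateKey(p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))


def forge_private_key(own, target_n, target_e):
    """The trick from the post: keep our d, p, q and CRT values, but overwrite
    the public parameters with the ones from the certificate we impersonate."""
    return RSAPrivateKey(target_n, target_e, own.d, own.p, own.q, own.dp, own.dq, own.qinv)


def check_crt_values_only(key):
    """Insufficient: every value it looks at is supplied by the key's author."""
    return (key.dp == key.d % (key.p - 1)
            and key.dq == key.d % (key.q - 1)
            and (key.qinv * key.q) % key.p == 1)


def signs_under_public_key(key, pub_n, pub_e):
    """Cheapest sufficient check even for an opaque key: a signature made with the
    private key must verify under the certificate's public key."""
    probe = 0xC0FFEE % pub_n
    return pow(pow(probe, key.d, key.n), pub_e, pub_n) == probe


def check_key_matches_public(key, pub_n, pub_e):
    """Structural checks tying private material to the public key. Returns
    "ok" or the name of the first check that fails."""
    if (key.n, key.e) != (pub_n, pub_e):
        return "public parameters differ from certificate"
    if key.p * key.q != key.n:
        return "n is not p*q"
    lam = (key.p - 1) * (key.q - 1) // math.gcd(key.p - 1, key.q - 1)
    if (key.e * key.d) % lam != 1:
        return "d is not the inverse of e"
    if not signs_under_public_key(key, pub_n, pub_e):
        return "sign/verify round trip failed"
    return "ok"
```

The forged key passes check_crt_values_only, fails check_key_matches_public at "n is not p*q", and fails the round trip; the target’s genuine key passes all three. Any service that accepts a private key for a certificate it did not issue needs at least the round-trip check.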
How to defend against DNS exfiltration in AWS?
By SoftServe’s Pawel Rzepa.
- VPCs by default use the Amazon-provided DNS resolver, and traffic to it is not subject to some network-level protection mechanisms (e.g. NACLs or SGs) and does not appear in some monitoring (e.g. VPC Flow Logs), so DNS queries can carry data out of a VPC unnoticed.
- Recently a new service has been released: the Route 53 Resolver DNS Firewall, which allows you to block and monitor DNS queries sent to the Amazon-provided resolver.
- GuardDuty can also detect malicious DNS traffic, but only in a limited manner.
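As an added example of what the monitoring side looks like (not code from the post, and not a GuardDuty or DNS Firewall rule), here is a small Python detector run over constructed resolver query-log lines. The lines are only modelled on Route 53 Resolver query-log JSON, so the field names (query_name, srcaddr, and so on) are an assumption to be checked against your own logs. It flags single labels that look like encoded data (long all-hex labels, or long labels with high Shannon entropy) and sources that burn through many unique subdomains under one parent domain, which is what a tunnelling client does.

```python
"""Flag DNS tunnelling / exfiltration patterns in resolver query logs (added example)."""
import json
import math
from collections import defaultdict

# Constructed sample, modelled on Route 53 Resolver query logs; not real traffic.
# 10.0.1.23 sends hex-encoded and base32-looking payloads to *.tun.evil-example.net.
SAMPLE_LOG = """\
{"query_timestamp":"2021-07-15T10:00:01Z","srcaddr":"10.0.2.7","query_name":"www.example.com.","query_type":"A","rcode":"NOERROR"}
{"query_timestamp":"2021-07-15T10:00:01Z","srcaddr":"10.0.2.7","query_name":"api.github.com.","query_type":"A","rcode":"NOERROR"}
{"query_timestamp":"2021-07-15T10:00:02Z","srcaddr":"10.0.2.7","query_name":"_dmarc.example.com.","query_type":"TXT","rcode":"NOERROR"}
{"query_timestamp":"2021-07-15T10:00:02Z","srcaddr":"10.0.1.23","query_name":"d1abc2defg3hij.cloudfront.net.","query_type":"A","rcode":"NOERROR"}
{"query_timestamp":"2021-07-15T10:00:03Z","srcaddr":"10.0.1.23","query_name":"www.example.com.","query_type":"A","rcode":"NOERROR"}
{"query_timestamp":"2021-07-15T10:00:04Z","srcaddr":"10.0.1.23","query_name":"4a6f686e20446f652c2053534e3a203132332d34352d3637.tun.evil-example.net.","query_type":"TXT","rcode":"NXDOMAIN"}
{"query_timestamp":"2021-07-15T10:00:04Z","srcaddr":"10.0.1.23","query_name":"38390a4a616e6520526f652c2053534e3a2039383736352d.tun.evil-example.net.","query_type":"TXT","rcode":"NXDOMAIN"}
{"query_timestamp":"2021-07-15T10:00:05Z","srcaddr":"10.0.1.23","query_name":"34332d323130300a416c69636520536d6974682c20535353.tun.evil-example.net.","query_type":"TXT","rcode":"NXDOMAIN"}
{"query_timestamp":"2021-07-15T10:00:05Z","srcaddr":"10.0.1.23","query_name":"q7zk3nxv2ba5hl6dpwr4k3q7znvx2ab5lh6pdrw4.tun.evil-example.net.","query_type":"TXT","rcode":"NXDOMAIN"}
"""

HEX = set("0123456789abcdef")


def shannon_entropy(s):
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def encoded_label_reason(label, min_len=32, min_entropy=3.5):
    """Why one DNS label looks like encoded data, or None if it looks normal."""
    if len(label) < min_len:
        return None  # short labels (CDN hostnames, hashes in URLs) are not flagged
    if set(label) <= HEX:
        return "hex-encoded label"
    if shannon_entropy(label) >= min_entropy:
        return "high-entropy label"
    return None


def parent_domain(qname):
    """Crude registrable-domain guess: the last two labels. A real deployment
    should use the Public Suffix List so that co.uk and friends work."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def detect(log_text, burst_threshold=3):
    """Return a list of alert dicts for the newline-delimited JSON in log_text."""
    alerts = []
    per_source = defaultdict(set)  # (srcaddr, parent domain) -> unique names
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        qname = rec["query_name"].rstrip(".").lower()
        src = rec["srcaddr"]
        for label in qname.split("."):
            reason = encoded_label_reason(label)
            if reason:
                alerts.append({"kind": reason, "srcaddr": src, "query_name": qname})
                break
        per_source[(src, parent_domain(qname))].add(qname)
    for (src, parent), names in per_source.items():
        if len(names) >= burst_threshold:
            alerts.append({"kind": "many unique subdomains", "srcaddr": src,
                           "domain": parent, "count": len(names)})
    return alerts
```

On the sample, detect() produces three "hex-encoded label" alerts, one "high-entropy label" alert and one burst alert for 10.0.1.23 against evil-example.net, and nothing for the example.com, github.com or cloudfront.net queries. Tune min_len, min_entropy and burst_threshold against a baseline of your own traffic before alerting on them; the entropy rule in particular will fire on some legitimate long service-discovery names.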
Build an end-to-end attribute-based access control strategy with AWS SSO and Okta
By AWS’ Louay Shaat: “This blog post discusses the benefits of using an attribute-based access control (ABAC) strategy and how to use ABAC with AWS SSO when you’re using Okta as an identity provider. With ABAC, you can simplify your access control strategy by granting access to groups of resources, which are specified by tags, instead of managing long lists of individual resources.”
Behind the scenes, AWS Lambda
Deep dive by Bruno Schaatsbergen on how Lambda and load balancing/scaling works under the hood. H/T Caleb Sima.
Hardening AWS EKS security with RBAC, secure IMDS, and audit logging
Snyk’s Kamil Potrec provides a nice overview of how to harden default AWS EKS settings: authentication/authorization, restricting access to the Kubernetes API and the instance metadata service, and enabling logging.
Guide to Designing EKS Clusters for Better Security
Excellently detailed guide by StackRox’s Karen Bruner including: VPC layout, dedicated IAM role for cluster creation, managed vs self-managed node groups, controlling SSH access, EC2 Security Groups for nodes, and more.
Red Hat: State of Kubernetes Security Report 2021
A few of the things that stuck out to me:
- 94% of respondents experienced at least one security incident in their Kubernetes environments in the last 12 months (Kubernetes, so easy to use! 😂).
- 88% of respondents use Kubernetes as their container orchestrator, with 74% in production.
- Six different open source security tools are used by at least 20% of respondents, with KubeLinter and OPA as the top two.
Ming Zhao: Inside the Ransomware Economy
Fascinating thread, highly recommend reading.
This crowdsourced payments tracker wants to solve the ransomware visibility problem
Krebs Stamos Group’s Jack Cable has built Ransomwhe.re, a site that keeps a running tally of ransoms paid out to cybercriminals in Bitcoin, made possible thanks to the public record-keeping of transactions on the blockchain and self-reported incidents. Filter by time, ransomware group, and more.
Biden Weighs a Response to Ransomware Attacks
If Moscow wanted to stop Russia’s cybercriminals from hacking American targets, experts say, it would. That is why, some Russia experts argue, the United States needs to take aim at Russia’s kleptocracy, either by leaking details of Mr. Putin’s financials or by freezing oligarchs’ bank accounts.
“The only language that Putin understands is power, and his power is his money,” said Garry Kasparov, the Russian chess grandmaster and a Putin critic. “It’s not about tanks; it’s about banks. The U.S. should wipe out oligarchs’ accounts, one by one, until the message is delivered.”