Announcing the Google Workspace Provider for HashiCorp Terraform Tech Preview
A new Terraform provider allows you to manage users, groups, and domains in your Google Workspace (formerly G Suite).
Seven years of the GitHub Security Bug Bounty program
GitHub’s Greg Ose shares their favorite bug and a number of 2020 highlights. Emphasis in the quote below is mine.
Internally at GitHub we have helper methods, safe_redirect_to, to prevent these types of vulnerabilities by filtering out untrusted redirect locations, protocols and other risky arguments. To mitigate the open redirect vulnerability, we refactored the vulnerable code to use these safe variants and prevent the user-control of certain arguments to
Additionally, we added a check to our continuous static analysis tooling to detect when url_for is added to new code with user-controlled arguments.
By putting these safeguards in place to capture this type of vulnerability, we moved towards eliminating this class of vulnerabilities as a whole across our codebase.
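As an added illustration of the approach the quote describes (this is not GitHub’s own helper, whose implementation the post does not show), here is what a safe_redirect_to-style allow-list helper can look like in Ruby: it accepts only same-site, path-only locations and falls back to a known-safe default for everything else. The SafeRedirect module, the FakeController stand-in for a Rails controller, and the sample inputs are all constructed for this example.

```ruby
require "uri"

# Constructed example (not GitHub's code): a safe_redirect_to-style helper
# that only lets an application redirect to a same-site, path-only location.
# Absolute URLs, protocol-relative //host targets, non-http schemes,
# control characters and backslash tricks all fall back to DEFAULT.
module SafeRedirect
  DEFAULT = "/".freeze

  # Returns true only for a relative path such as "/settings?tab=keys#ssh".
  def self.safe_location?(location)
    return false unless location.is_a?(String)
    return false if location.empty? || location.bytesize > 2048
    # Reject control characters and whitespace that browsers may strip or reinterpret.
    return false if location.match?(/[\x00-\x20\x7f]/)
    # Must start with exactly one "/" so that "//evil.example" and "/\evil" fail.
    return false unless location.start_with?("/")
    return false if location.start_with?("//", "/\\")
    uri = URI.parse(location)
    # A parsed scheme, host or userinfo means this is not a plain path.
    uri.scheme.nil? && uri.host.nil? && uri.userinfo.nil? && uri.path.start_with?("/")
  rescue URI::InvalidURIError
    false
  end

  # The given location if it is safe, otherwise the default.
  def self.sanitize(location, default: DEFAULT)
    safe_location?(location) ? location : default
  end
end

# Minimal stand-in for a Rails controller's redirect_to (constructed for this example).
class FakeController
  attr_reader :redirected_to

  def redirect_to(location)
    @redirected_to = location
  end

  # The safe variant: untrusted input never reaches redirect_to unfiltered.
  def safe_redirect_to(location, default: SafeRedirect::DEFAULT)
    redirect_to(SafeRedirect.sanitize(location, default: default))
  end
end

if __FILE__ == $0
  c = FakeController.new
  %w[/dashboard //attacker.example/x https://attacker.example javascript:alert(1)].each do |loc|
    c.safe_redirect_to(loc)
    puts "#{loc.inspect} -> #{c.redirected_to}"
  end
end
```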
Announcing a unified vulnerability schema for open source
Google’s Oliver Chang and Russ Cox announce a unified JSON schema for vulnerability data, and a web UI for searching the aggregated results: https://osv.dev/list. Access vulnerability data with a single curl, no sign-ups/API keys needed.
Naively, SCA seems to be largely a data problem, so I wonder if Google (or someone else) will build a Snyk competitor on top of all of these useful data sources and primitives 🤔
A simple tool to help apply changes across many GitHub repositories simultaneously (forking, cloning, committing, and raising PRs en masse), so that you can focus on the substance of the change. Some tips:
- If you need to make a change to a large number of repositories, we’ve found that it’s generally better to raise PRs to a small subset at first and collect feedback.
- For complicated or potentially contentious changes, think about ways to validate them before raising PRs. This could range from working in a pair, through writing a peer-reviewed script, all the way to preparing a design document for the planned changes.
- Raising draft PRs can be a good way to collect feedback, especially CI test results, with less pressure on reviewers.
By @barracud4_: A repository of various media files for known attacks on web applications processing media files (DoS attacks, GhostScript, MemoryLeaks, etc.). Useful for penetration tests and bug bounty.
HackTricks: File Upload
By @carlospolop, @HolyBugx et al. Covers bypassing file extension checks, content-type checks, polyglot files, and more.
OWASP Cheat Sheet Series: File Upload and Unrestricted File Upload
Additional offense-oriented and protection bypass tips, as well as defensive recommendations. H/T Soroush Dalili for the links.
Automated Github Backups with ECS and S3
How Marco Lancini automatically backs up his GitHub account, like private repos, using ECS (Fargate) and S3 Glacier. Detailed write-up + code release.
Using Yor for ownership mapping using YAML tag groups
By Bridgecrew’s Naor David: “Yor is an open source tool that supports auto-tagging of infrastructure from code to cloud by adding metadata such as repository, commit and path, and the last modifier of the code based on git log data. You can expand those out-of-the-box tags into additional common tags such as Operation team, cost center, and environment.”
How we prevented subdomain takeovers and saved $000s
OVO’s Paul Schwarzenberger describes Domain Protect, a new open source tool they’ve released that leverages AWS Lambdas and SNS to proactively, continuously scan for subdomain takeover vulnerabilities.
And note their thought process behind it, which I strongly agree with: they started a private bug bounty program -> over half of the identified issues were subdomain takeovers -> build tooling to address this entire vulnerability class.
Find all unused resources in Kubernetes, by Yogesh Kunjir. Secrets, ConfigMaps, Services, ServiceAccounts, Ingress, etc.
Tech Preview: Docker Dev Environments
By Docker’s Ben De St Paer-Gotch.
With Dev Environments developers can now easily set up repeatable and reproducible development environments by keeping the environment details versioned in their SCM along with their code. Once a developer is working in a Development Environment, they can share their work-in-progress code and dependencies in one click via the Docker Hub.
A curated list of resources for security Governance, Risk Management, Compliance and Audit professionals, by Ayoub Fandi, including a nice overview, relevant frameworks and regulations, books, talks/videos, podcasts, and more.
Jimi is an automation first no-code platform designed and developed originally for Security Orchestration and Response. Over 50 open source integrations that include alerting and monitoring, asset management, software packaging and deployment, security playbooks, SIEM and XDR.
Politics / Privacy
App Taps Unwitting Users Abroad to Gather Open-Source Intelligence
Typical assignments involve snapping photos, filling out surveys or doing other basic data collection or observational reporting such as counting ATMs or reporting on the price of consumer goods like food.
Premise is one of a growing number of companies that straddle the divide between consumer services and government surveillance and rely on the proliferation of mobile phones as a way to turn billions of devices into sensors that gather open-source information useful to government security services around the world.
Negotiating Ransoms: When to Play and When to Fold
Kim Zetter interviews Bill Siegel, CEO and co-founder of Coveware, a company that negotiates ransomware payments for victims.
- It boils down to: what is the financial impact to the business that could be averted by hastening the recovery? (e.g. “This is costing us X per day in lost business, and paying will shave a week off of recovery time.”)
- Often it takes several days to determine the quality of your backups, so you proceed with the negotiation in parallel, and by the time payment would be due you’ve determined whether you actually need to pay.
- Having proper backups isn’t sufficient. Say you have 50 PB of data in a facility 30 miles away. You start restoring from backup and realize it’s going to take 70 years.
- Rebuild an entirely new network, don’t use the ransomed systems again. Re-image all servers, re-install all applications, and load data from backups onto these green-network machines.
Tech Company News
Google Executives See Cracks in Their Company’s Success
A restive class of Google executives worry that the company is showing cracks. They say Google’s work force is increasingly outspoken. Personnel problems are spilling into the public. Decisive leadership and big ideas have given way to risk aversion and incrementalism.
Inside Airbnb’s ‘Black Box’ Safety Team: Company Spends Millions on Payouts
An inside glimpse into all of the bad things that can happen when you’re building a platform that relies on trusting strangers at scale, and what Airbnb has done to keep a positive reputation.
Interestingly, over time Airbnb has hired various ex-CIA / ex-military people to lead their crisis management teams, including Nick Shapiro, the former deputy chief of staff at the Central Intelligence Agency and National Security Council adviser in the Obama White House. Trigger warning, the article references some bad stuff.
The way Airbnb has handled crimes such as the New York attack, which occurred during a bitter regulatory fight, shows how critical the safety team has been to the company’s growth. Airbnb’s business model rests on the idea that strangers can trust one another. If that premise is undermined, it can mean fewer users and more lawsuits, not to mention tighter regulation.
Type in a repo’s name and get a list of useful forks; that is, forks that have additional activity beyond the original fork, sorted by number of stars.
How I Saved Enough to Buy a House With My Parents’ Money
Tongue-in-cheek article by McSweeney’s.
🔥 Introducing GitHub Copilot: your AI pair programmer
Mind the telemetry terms though, which seem to say basically that they’ll see all the snippets you generate or approve, and potentially any file in any VS Code workspace you have open.
Also, @eevee raises an interesting point regarding copyright:
Thanks for reading!