Another neat tool by Samy Kamkar: “A browser-based internal network scanner that detects victim’s LAN IP (loops back via WebRTC) & other network hosts just by visiting a page. Can be chained with NAT Slipstreaming + other attacks; works on mobile; no TURN/STUN/ICE needed.”
10 React security best practices
Great cheatsheet by Ron Perris.
Announcing Curiefense: An Open-Source Security Platform
Reblaze has open sourced Curiefense, a free, open-source web security platform that extends Envoy Proxy to include WAF, Bot Management, application-layer DDoS, and more.
Threat Modeling Manifesto
Some well known threat modeling folks wrote a manifesto, sort of like the Agile Manifesto, on what they believe are the core values, principles, etc. of threat modeling.
Absolute AppSec Ep. #113 - Jacob Salassi - Modeling Threats, Risk Assessments
This discussion with Jacob Salassi is probably one of the better resources I’ve encountered on threat modeling recently 👍 Jacob discusses the practical realities and lessons learned of scaling threat modeling in an engineering-driven, hypergrowth company (Snowflake). I won’t be able to list all the great stuff here, but:
- You’re never going to scale if the security team needs to be involved in every threat model; it has to be developer-led.
- Engineers don’t know what “threat modeling” is. But they’re great at modeling the systems they’re building, so Jacob instead has them “model threats.”
- In order to get widespread threat modeling adoption, ask yourself: how can we make it as easy and frictionless for developers as possible?
- Threat modeling is often referred to as “more art than science.” That doesn’t work when you’re trying to get consistent threat modeling quality across many engineers in a large org. Instead, you need to build guardrails, document the process, and streamline it as much as possible so it’s repeatable.
- Snowflake’s security team has done some neat work in automating parts of threat modeling. As referenced in tl;dr sec 46, they have automation to go from draw.io diagram ➡️ to a set of standard risks you need to handle ➡️ to recommended security controls to ➡️ recommended security unit tests, and more.
- Jacob has removed as many references to “secure coding standards” internally as possible. Security is not a separate thing, security is inherently a part of building secure, quality software.
“You need to dissolve security into development, not bolt it into various places.”
Writing a container in a few lines of Go code, using a few Linux syscalls. Rewanth Cool’s version of Liz Rice’s original implementation allows running the containers without giving them
Comodo has open sourced their EDR Windows agent and seemingly some adjacent components.
A quine is a program that takes no input and produces a copy of its own source code as its output. This quine by Yusuke Endoh is a Ruby program that generates a Rust program that generates a Scala program that generates … (through 128 languages in total)… REXX program that generates the original Ruby code again 🤯
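To make the defining property concrete, here is an added example (not part of the original post or Yusuke Endoh’s relay) written in Python rather than Ruby: a one-line quine built with the usual template trick, plus a checker that actually runs a program and compares what it printed against its own source. The relay chains the same idea across 128 languages; this shows a single self-reproducing step.

```python
import contextlib
import io

# A minimal Python quine, constructed for this example. The template contains a
# %r placeholder; formatting the template with itself re-inserts it as a quoted
# string literal, so the resulting program carries its own source inside it.
QUINE_TEMPLATE = "s=%r;print(s%%s)"


def quine_source() -> str:
    """Return the complete quine program (the template applied to itself)."""
    return QUINE_TEMPLATE % QUINE_TEMPLATE


def run_program(src: str) -> str:
    """Execute src as a stand-alone Python program and return what it printed."""
    buf = io.StringIO()
    with contextlib.redirect_stdout(buf):
        exec(src, {"__name__": "__quine_check__"})  # fresh namespace, no input
    return buf.getvalue()


def is_quine(src: str) -> bool:
    """True if running src prints exactly src (ignoring the trailing newline)."""
    return run_program(src).rstrip("\n") == src


if __name__ == "__main__":
    program = quine_source()
    print(program)
    print("self-reproducing:", is_quine(program))
```

`is_quine` is the test a relay step has to pass at every hop: the output of stage N must be byte-for-byte the source of stage N+1, and the last stage must reproduce stage 1.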
Have a nice flight — without COVID-19
One Medical’s advice on safely flying.
Organizing Feedly by Tags
It’s always neat to hear how voracious readers like Daniel Miessler structure their information intake. We’ve chatted a few times about it, and it’s been cool to see how our processes overlap and differ. I’ll try to write about my process soon if you’re curious. It may or may not involve multiple tools and custom glue code 😅
This post is an abridged version of Alex Smolen’s LocoMocoSec 2020 talk. 💯 article; here are some things that especially stood out:
- Define the mission with high-level security objectives: Make sure security objectives make sense outside the security team and make it clear how security supports the organizational mission.
- Create balanced security objectives: Balance things like reducing actual risk vs perceived risk, improving security posture vs reducing development velocity, etc.
- Think of your security team as a product: Can you ship an MVP of a new security process or tool, and then rapidly learn and iterate based on feedback? Consider developer UX in process and tool changes. Consider sending out Net Promoter Score surveys after threat modeling exercises. Would dev teams recommend your security team to other devs?
- LaunchDarkly uses Jira as the single source of tracking vulnerability information, and they use custom issue types with: type (CWE), severity (CVSS), service and team involved, source, and time introduced, identified, and mitigated.
- Example metrics: time to detection of vulnerabilities, time to remediation, and average vulnerabilities over time. These can all be done by vulnerability type, source, team, etc.
- Having a well-defined key result makes the impacts of initiatives much clearer. For example, will adding a new SAST or DAST tool reduce time to detection?
- Recommends Ryan McGeehan’s simple risk analysis, “a quantitative, probabilistic risk measurement method.”
- Oh hey, he had his team watch my AppSec Cali talk 🥰
- Prioritize projects based on impact and effort as well as confidence (how likely is this to result in impact?). Also consider the cost of delay: a risk that exposes the organization today is higher priority than something that prevents a future problem.
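As an added illustration of the tracking-and-metrics points above (example code, not LaunchDarkly’s or the talk’s), the block below models the Jira fields described (CWE, CVSS, service, team, source, and the introduced/identified/mitigated dates) as a small record type and computes time to detection, time to remediation, and open-vulnerability counts over time, each sliceable by type, source, or team. The records are constructed sample data; the field names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Callable, Dict, List, Optional


@dataclass
class Vuln:
    """One vulnerability ticket; field names are assumed, mirroring the fields in the text."""
    cwe: str
    cvss: float
    service: str
    team: str
    source: str
    introduced: date
    identified: date
    mitigated: Optional[date]  # None while the finding is still open


# Constructed sample tickets (not real findings).
SAMPLE: List[Vuln] = [
    Vuln("CWE-79", 6.1, "web", "frontend", "SAST", date(2020, 9, 1), date(2020, 9, 15), date(2020, 9, 20)),
    Vuln("CWE-89", 9.8, "api", "backend", "pentest", date(2020, 8, 10), date(2020, 10, 1), date(2020, 10, 3)),
    Vuln("CWE-79", 5.4, "web", "frontend", "bug bounty", date(2020, 10, 5), date(2020, 10, 7), None),
    Vuln("CWE-22", 7.5, "api", "backend", "SAST", date(2020, 7, 1), date(2020, 7, 2), date(2020, 8, 1)),
]


def days_to_detection(v: Vuln) -> int:
    """Days the bug existed before anyone knew about it."""
    return (v.identified - v.introduced).days


def days_to_remediation(v: Vuln) -> Optional[int]:
    """Days from identification to fix; None for still-open findings."""
    return None if v.mitigated is None else (v.mitigated - v.identified).days


def mean_by(vulns: List[Vuln],
            key: Callable[[Vuln], str],
            metric: Callable[[Vuln], Optional[int]]) -> Dict[str, float]:
    """Average a per-ticket metric, grouped by any field (type, source, team, ...).

    Tickets for which the metric is undefined (e.g. still open) are skipped so
    they do not drag the remediation average toward zero.
    """
    groups: Dict[str, List[int]] = defaultdict(list)
    for v in vulns:
        m = metric(v)
        if m is not None:
            groups[key(v)].append(m)
    return {k: mean(vals) for k, vals in groups.items()}


def open_count_on(vulns: List[Vuln], day: date) -> int:
    """Findings that were known and not yet mitigated at the end of `day`."""
    return sum(
        1 for v in vulns
        if v.identified <= day and (v.mitigated is None or v.mitigated > day)
    )


def average_open(vulns: List[Vuln], start: date, end: date) -> float:
    """Average daily open-finding count over [start, end] inclusive."""
    days = (end - start).days + 1
    return mean(open_count_on(vulns, start + timedelta(days=i)) for i in range(days))


if __name__ == "__main__":
    print("mean days to detection by source:", mean_by(SAMPLE, lambda v: v.source, days_to_detection))
    print("mean days to remediation by team:", mean_by(SAMPLE, lambda v: v.team, days_to_remediation))
    print("average open findings in Oct 2020:", average_open(SAMPLE, date(2020, 10, 1), date(2020, 10, 31)))
```

Because each metric is a plain function of one record, the same grouping call answers the question a key result needs (for instance, did time to detection for SAST-sourced findings drop after the new tool went in?) without changing the data model.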
Thanks for reading!