Securing containers is a complex task. The problem space is broad, vendors are on fire, there are tons of checklists and best practices, and it’s hard to prioritize solutions. So if you had to implement a container security strategy, where would you start?
Ron Perris from Snyk compiled this checklist of React security best practices to help you and your team find and fix security issues in your React applications. From the post: “I’ll show you how to automatically test your React code for security-related errors and automatically fix them.”
I am a fan of Ubuntu, so I would like to help make it as secure as possible. I have recently spent quite a bit of time looking for security vulnerabilities in Ubuntu’s system services, and it has mostly been an exercise in frustration…
This blog post is about an astonishingly straightforward way to escalate privileges on Ubuntu. With a few simple commands in the terminal, and a few mouse clicks, a standard user can create an administrator account for themselves. I have made a short demo video, to show how easy it is.
This particular vulnerability is regarding the GUI, so your Ubuntu servers are unaffected. Still, 👀
Troy Hunt on just how easy it is to fool us humans with sneaky URLs that look like our most common and trusted domains, why a bunch of proposed solutions to this problem fall short, and what he believes are some actual solutions we can put in practice today.
Avoid the hassle of following security best practices each time you need a web server or reverse proxy. Bunkerized-nginx provides generic security configs, settings and tools so you don’t need to do it yourself.
What’s not to love?
8 common security issues when using Docker and how to avoid them. Here’s a sampler:
Avoid curl bashing
Pulling stuff from the internet and piping it into a shell is as bad as it could be. Unfortunately it’s a widespread solution to streamline installations of software.
The risk is the same as the one framed for supply chain attacks, and it boils down to trust. If you really have to curl bash, do it right…
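What “do it right” looks like in practice, as an added example (this is not code from the linked article): download the installer to a file, compare its SHA-256 against a digest you obtained out of band (a pinned value in your own repo, a signed release note, the vendor’s release page), and only then execute it. Piping straight into a shell skips all of that, and bash starts executing as bytes arrive, so a dropped connection runs a truncated script. The function names, the `install.sh` file name and the digest-pinning workflow are this example’s own assumptions; a digest fetched from the same URL as the script adds nothing, since whoever controls the server controls both.

```shell
#!/bin/sh
# Added example, not from the linked article: the "do it right" version of
# curl | bash. Download to a file, verify against a digest obtained out of
# band, then execute. Assumes coreutils sha256sum or BSD shasum.

# Print the SHA-256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_run FILE EXPECTED_SHA256 [ARGS...]
# Runs FILE with sh only if its digest equals EXPECTED_SHA256; returns 1 otherwise.
verify_and_run() {
    file="$1"; expected="$2"; shift 2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        printf 'refusing to run %s: sha256 %s, expected %s\n' \
            "$file" "$actual" "$expected" >&2
        return 1
    fi
    sh "$file" "$@"
}

# fetch_verify_run URL EXPECTED_SHA256
# The network half of the pattern (needs network, so not exercised offline).
# --proto '=https' and --proto-redir '=https' refuse anything but HTTPS, even
# on redirects; -f turns HTTP errors into a non-zero exit instead of saving an
# error page as the "script". The file lives in a private temp dir that is
# removed afterwards whether or not the digest matched.
fetch_verify_run() {
    url="$1"; expected="$2"
    dir=$(mktemp -d) || return 1
    script="$dir/install.sh"   # hypothetical file name for the example
    if curl -fsSL --proto '=https' --proto-redir '=https' --tlsv1.2 \
            -o "$script" "$url"; then
        verify_and_run "$script" "$expected"
        rc=$?
    else
        rc=1
    fi
    rm -rf "$dir"
    return "$rc"
}
```

The pinned digest is the whole point: check it in next to the script that calls `fetch_verify_run`, and treat a mismatch as an incident to look at, not a prompt to update the pin.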
We recently talked with Josh Aas on The Changelog #389 about securing the web with Let’s Encrypt. At the tail end of the conversation Josh shared his passion for memory safety, saying “we need to rewrite all the software that we already wrote in C and C++, and replace it.” My guess is that this move with Daniel and curl takes us several steps further in this direction.
Memory safety vulnerabilities represent one of the biggest threats to Internet security. As such, we at ISRG are interested in finding ways to make the most heavily relied-upon software on the Internet memory safe. Today we’re excited to announce that we’re working with Daniel Stenberg, author of ubiquitous curl software, and WolfSSL, to make critical parts of the curl codebase memory safe. … ISRG is funding Daniel to work on adding support for Hyper as an HTTP back-end for curl. Hyper is a fast and safe HTTP implementation written in Rust.
Six white-hat hackers spent a few months on Apple’s bug bounty program:
There were a total of 55 vulnerabilities discovered with 11 critical severity, 29 high severity, 13 medium severity, and 2 low severity reports. These severities were assessed by us for summarization purposes and are dependent on a mix of CVSS and our understanding of the business related impact.
This is a report of their findings: how they did it, vulnerabilities found, and how Apple responded to each one.
In the information security field, we have developed lots of thoughts that can’t be discussed (or rarely discussed):
- Never roll your own crypto
- Always use TLS
- Security by obscurity is bad
I certainly learned these in my Infosec classes in college. Back then I didn’t really question it much, because what did I know? But I definitely remember thinking, “Okay security by obscurity is bad, but maybe why not do it anyway? Defense in depth, right?” Back to Utku:
Most of them are very generally correct. However, I started to think that people are telling those because everyone is telling them. And, most of the people are actually not thinking about exceptional cases. In this post, I will raise my objection against the idea of “Security by obscurity is bad”.
The idea here is you put your real SSH server on a different port and let Endlessh lock up the script kiddies for hours and even days.
Since the tarpit is in the banner before any cryptographic exchange occurs, this program doesn’t depend on any cryptographic libraries. It’s a simple, single-threaded, standalone C program. It uses `poll()` to trap multiple clients at a time.
I’m not sure if this is actually a good idea or just fun to put into practice like those people who dedicate their precious free time scambaiting.
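The trick Endlessh relies on, as an added example in shell (this is not Endlessh’s code): RFC 4253 section 4.2 lets an SSH server send arbitrary CRLF-terminated lines before its `SSH-2.0-…` version string, as long as none of them begins with `SSH-`. A client keeps reading, waiting for a version line that never arrives. The generator below produces such lines and a checker enforces the two rules; the `tarpit_stream` loop and the `nc` listener in the usage comment are this example’s own assumptions (netcat flags differ between implementations, and a single `nc` serves one client at a time, unlike Endlessh’s `poll()` loop).

```shell
#!/bin/sh
# Added example, not Endlessh's code: an SSH banner tarpit in shell.
# Assumes /dev/urandom, od, tr and head (all standard on Linux and BSD).

# One random banner line: 3..32 alphanumerics plus CRLF. The alphabet has no
# '-', so a line can never begin with "SSH-" and the client keeps waiting.
tarpit_line() {
    len=$(( 3 + $(od -An -N1 -tu1 /dev/urandom) % 30 ))
    line=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len")
    printf '%s\r\n' "$line"
}

# check_tarpit_line LINE
# Returns 0 if LINE is a legal pre-version line: no "SSH-" prefix and a
# CR at the end. Pass it "$(tarpit_line)": command substitution strips the
# trailing LF, so only the CR of the CRLF pair remains to be checked.
check_tarpit_line() {
    l="$1"
    cr=$(printf '\r')
    case "$l" in
        SSH-*) return 1 ;;
    esac
    case "$l" in
        *"$cr") return 0 ;;
        *)      return 1 ;;
    esac
}

# tarpit_stream [DELAY]
# Emit one line every DELAY seconds (default 10) forever; pipe it into a
# listener. Usage (assumes OpenBSD-style nc; adjust flags for your netcat):
#   tarpit_stream 10 | nc -lk 22
# with the real sshd moved to another port via "Port 2222" in sshd_config.
tarpit_stream() {
    delay="${1:-10}"
    while :; do
        tarpit_line
        sleep "$delay"
    done
}
```

A bot that gives up will break the pipe and end the `nc` process, so run the pair under a supervisor that restarts it; Endlessh avoids all that by multiplexing many sockets in one process, which is the reason it exists.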
Let me just cut straight to it: I’m going to open source the Have I Been Pwned code base. The decision has been a while coming and it took a failed M&A process to get here, but the code will be turned over to the public for the betterment of the project and frankly, for the betterment of everyone who uses it. Let me explain why and how.
It’s not open source yet, but it will be and Troy lays out his thinking and the process in this excellent write-up. Since HIBP’s data is both sensitive and the entire point of the software, there will be special consideration taken with it:
I need to really clearly break this part of the discussion out because whilst open sourcing the code base is one thing, how the data is handled is quite another. There’s no way to sugar coat this so I’ll just lay it out bluntly: HIBP only exists due to a whole bunch of criminal activity resulting in data that’s ultimately ended up in my possession.
Then there’s the privacy side of it all: my own personal data is in those breaches and your data almost certainly is too because there are literally billions of people that have been impacted by data breaches. Regardless of how broadly that information is circling, I still need to ensure the same privacy controls prevail across the breach data itself even as the code base becomes more transparent. That’s non-trivial. Doable, but non-trivial.
You’re still gonna want Nmap, but RustScan drastically speeds up the first step (scans all 65k ports in less than a minute) and then pipes its data to Nmap.
This is a 5-part series about the zero-trust networking paradigm:
- Encryption Everywhere (linked above)
- A Primer On Public-Key Cryptography
- Certificate Authorities & Chains Of Trust
- Bootstrapping Trust
The process and thinking described in this series are the direct output of developing the same system for the Ziti open source project.
This is under heavy development but is available publicly as a ‘pre-alpha’ developer preview. Tsunami itself is a general purpose network security scanner, but it has a plugin system for detecting specific vulnerabilities. The plugins themselves are hosted in their own repo.
Guy Podjarny is the Founder of Snyk, a security platform that empowers software-driven businesses to develop fast and stay secure. Prior to Snyk, Guy founded Blaze which was acquired by Akamai and became CTO. We talked through the topic of acquisition — the sale, the merge, the learnings, and why Guy might not be planning for Snyk to be acquired anytime soon. We started the conversation with Snyk’s recent raise of $150 million dollars.
The linked post is Tanya Janca advising on where (and how) you can learn threat modelling for yourself. What’s threat modelling?
… a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and mitigations can be prioritized.
See also: Martin Fowler’s guide to threat modelling for developers.
The most common setup for SSH keys is just keeping them on disk, guarded by proper permissions. This is fine in most cases, but it’s not super hard for malicious users or malware to copy your private key. If you store your keys in the Secure Enclave, it’s impossible to export them, by design. The flip side is that such a key cannot be backed up or moved to another machine either, so you will want a separate key per device and a way to revoke the one on a lost Mac.
Did you know Feross taught Web Security at Stanford last Fall? On this episode, Divya and Nick enroll in his security school to learn about XSS, CSP, ambient authority, and a whole lot more.
No matter how much investment software companies may put into tooling and training their developers, “C++, at its core, is not a safe language,” said Ryan Levick, Microsoft cloud developer advocate, during the AllThingsOpen virtual conference last month, explaining, in a virtual talk, why Microsoft is gradually switching to Rust to build its infrastructure software, away from C/C++. And it is encouraging other software industry giants to consider the same.
We certainly should not be writing any new code in C and C++. The opportunity for vulnerabilities – I mean, it absolutely will have vulnerabilities, and we need to get that type of code away from our networks to start with, and then probably away from most other things, too… So I would hope that in 10-20 years we think it’s crazy to be deploying major (or maybe even minor) pieces of software that are written in languages that are not memory-safe.
So we’re trying to remove code written in C and C++ from our infrastructure at Let’s Encrypt. I think that’s just a basic part of diligence applied to secure infrastructure. If your stack is some giant pile of C++ or C at the network edge, followed by OpenSSL written in C, followed by a Linux kernel written in C, glibc - your whole pathway has got all this code that you just know is full of security holes. It absolutely is. You just can’t claim that those are even close to secure systems. They’re absolutely not. We’re gonna look back on this and say “That was crazy. We have better options today.”
Definitely Secure Bank® returns, this time with a big Cross-Site Scripting (XSS) vulnerability:
To get in character, let’s have you open up your online banking portal and look around. Click here to open Definitely Secure Bank’s website and login. Use any username and any password you want (don’t worry - it’s definitely secure). Keep that tab open for the rest of this post.
Victor is killing it with this Web Security 101 series.
Cryptomator works with Dropbox, Google Drive, OneDrive, ownCloud, Nextcloud and any other cloud storage service which synchronizes with a local directory. Since it’s open source, you can check for backdoors. Since it’s entirely client-side, you don’t have to trust anybody else’s machines.
A unique take on explaining Cross-Site Request Forgery (CSRF).
You’re a responsible, hardworking person. You’ve saved up your money over the years at Definitely Secure Bank®. You love Definitely Secure Bank - they’ve always been good to you, plus they make it easy to transfer money via their website. Sweet, right?
You can probably guess where this is headed…
Tanya Janca with an evergreen list of tips and notes on the ins and outs of securely, safely, and legally reporting vulns.
Tip: Do not demand or ask for money in exchange for the vulnerability. That is extortion, and generally illegal. Plus, it will start the conversation on the wrong foot.
This was a great question asked this week on Hacker News – 232 comments and counting…
We just had an interesting data loss at work, that was due to data being encrypted at rest. We somehow managed to delete the encryption keys (still figuring out how), which became an obvious problem once our main database instance was rebooted.
Luckily we were able to restore the data, but now I (we) really want to learn what a proper setup would look like.