English
Technology and Science
About Security Journey's hi/5
Each week, Security Journey's CEO, Chris Romeo, takes you through the five security articles he thinks are worth your time. Links to all the articles are included with each episode.
43 episodes
Long Live SBOMs, Application Risk Profiling, Software Supply Chain, and more
“SBOM” should not exist! Long live the SBOM. [https://medium.com/@steve_springett/sbom-should-not-exist-long-live-the-sbom-4554d5c31ff9?utm_campaign=hi%2F5%20Newsletters&utm_source=hs_email&utm_medium=email&_hsenc=p2ANqtz-_5Tf5_gl6qOAzP2fja6Eg2fpSlbnJtY783VEwnfcYAnVARVchoV3qV_NNCR4AK-fjIYlI1] This article by Steve Springett, who is at the center of the software bill of materials universe, explains what an SBOM is and why SBOMs should exist.
In defense of simple architectures [https://danluu.com/simple-architectures/?utm_campaign=hi%2F5%20Newsletters&utm_source=hs_email&utm_medium=email&_hsenc=p2ANqtz-_5Tf5_gl6qOAzP2fja6Eg2fpSlbnJtY783VEwnfcYAnVARVchoV3qV_NNCR4AK-fjIYlI1] As security professionals, we love simple because complex is hard to secure. This article is about a 1.7 billion dollar company that runs its web app as a Python monolith on top of Postgres, and how this simplified architecture supports a successful application.
Alex Mor -- Application Risk Profiling at Scale [https://www.securityjourney.com/podcast-episode/alex-mor-application-risk-profiling-at-scale?utm_campaign=hi%2F5%20Newsletters&utm_source=hs_email&utm_medium=email&_hsenc=p2ANqtz-_5Tf5_gl6qOAzP2fja6Eg2fpSlbnJtY783VEwnfcYAnVARVchoV3qV_NNCR4AK-fjIYlI1] How do you manage appsec when you have thousands of applications in an enterprise? Alex Mor joined the Application Security Podcast to talk about application risk profiling. He defines what it is, then walks through how to scale it across an organization.
HOW INFRASTRUCTURE AS CODE SHOULD FEEL [https://www.scalefactory.com/blog/2022/01/27/how-infrastructure-as-code-should-feel/?utm_campaign=hi%2F5%20Newsletters&utm_source=hs_email&utm_medium=email&_hsenc=p2ANqtz-_5Tf5_gl6qOAzP2fja6Eg2fpSlbnJtY783VEwnfcYAnVARVchoV3qV_NNCR4AK-fjIYlI1] This article is all about feelings...infrastructure feelings. It dives into how your infrastructure as code should feel: it should feel safe, better, etc. Check it out to understand this new way of thinking.
Improving software supply chain security with tamper-proof builds [https://security.googleblog.com/2022/04/improving-software-supply-chain.html?utm_campaign=hi%2F5%20Newsletters&utm_source=hs_email&utm_medium=email&_hsenc=p2ANqtz-_5Tf5_gl6qOAzP2fja6Eg2fpSlbnJtY783VEwnfcYAnVARVchoV3qV_NNCR4AK-fjIYlI1] We all still, to this day, struggle with the software supply chain. This article, showing how to better create tamper-proof builds, dives into SLSA and the principles you can apply to your software supply chain to make it more secure.
Implementation of DevSecOps, Product Security Leads, Go Mitigations, and more
3 Cultural Obstacles to Successful DevSecOps Implementation [https://www.infosecurity-magazine.com/next-gen-infosec/cultural-obstacles-devsecops/] When our goal is to change security culture, we must consider how to influence our developers while still caring for their needs. This article shares helpful insight into implementing successful security culture change within an organization.
Brenna Leath -- Product Security Leads: A different way of approaching Security Champions [https://www.securityjourney.com/podcast-episode/brenna-leath-product-security-leads-a-different-way-of-approaching-security-champions] Brenna Leath, head of product security at SAS, visited the Application Security Podcast to share her insight on security champions and how she approaches this role in her organization with product security leads. We hope you enjoy this conversation with...Brenna Leath.
How Go Mitigates Supply Chain Attacks [https://go.dev/blog/supply-chain] This post, from the Go blog, dives into how the language and its tooling mitigate supply chain attacks.
GitHub can now auto-block commits containing API keys, auth tokens [https://www.bleepingcomputer.com/news/security/github-can-now-auto-block-commits-containing-api-keys-auth-tokens/] It is vital to keep private information, such as API keys, passwords and authentication tokens, secure. GitHub recently released a new update that scans code for this sensitive information before the code is committed to a repository.
If you're not using SSH certificates you're doing SSH wrong [https://smallstep.com/blog/use-ssh-certificates/] If you use SSH without certificates, this story may make you uneasy. The author argues why we shouldn't be using SSH with anything other than certificates in the modern day.
Hi/5: Automated Threat Modeling; In-depth research; GitHub 99designs/aws-vault; Nginx
1. An Analysis of Open-source Automated Threat Modeling Tools and Their Extensibility from Security into Privacy - https://www.usenix.org/publications/l... [https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa0hhTTA3Tl9lUEZRWmJONG5iRmlPNVJaQmtEZ3xBQ3Jtc0ttYl9aMWVrdFY0UkJINWtoMHF0RlpKemFsSXlaOUx2cmhrbTBhU2N5d0t2YkczWV9ldmhBSmg2czc2eW4yd1VRemJjTFlQX2ZDWEFPXzZ1N2JOR0xwTjdSbEZvZmQ2OTFORXB4Y1FWb2g2VGNVNW5fZw&q=https%3A%2F%2Fwww.usenix.org%2Fpublications%2Floginonline%2Fanalysis-open-source-automated-threat-modeling-tools-and-their&v=P4SHop1YwaI] We conducted our review of threat modeling tools in three main phases: Tool Discovery, Evaluation Criteria Selection, and Application of Evaluation Criteria.
2. In-depth research and trends analyzed from 50+ different concepts as code - https://www.jedi.be/blog/2022/02/23/t... [https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbW5yckxMTDNCVm52VFJZbUczSjdnd2tPQXR3d3xBQ3Jtc0tuM1YteC1DVlcxemo3X05uYm44VVl6VE9zR2c1XzFYMkx2Q1p0STRsQVZ2ZE5RMUpfQ1JjdUdmZG84RXZSbWpkb09JMTRzbmhGakNzZ3NwWWFUdDQzWThSUURITWExTjV5clhtWkZndHhrS2RhVzBLUQ&q=https%3A%2F%2Fwww.jedi.be%2Fblog%2F2022%2F02%2F23%2Ftrends-and-inventory-of-50-as-code-concepts%2F&v=P4SHop1YwaI] Topics covered: DevSecOps as code explosion; Data as code; Capturing knowledge as code.
3. Security Journey Provides Free Application Security Training Environment for OWASP® Members - https://www.securityjourney.com/post/... [https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbHZwVHA5cmllcWFpeG1PMDFqd2tHRlFLd2pMQXxBQ3Jtc0trbmY0NHRmUzFsV0JTdkcyektGSFF6eDFzdXZfYVlDUXNleFAyQ3VTaDRBcnp0a3ZrTWZKa2FJU3F5OGQwbnM4RW5oTnNEVzRtQ2t4bGF4WHlQOWpob0NJVkVYdXZsWGRvZThRWDJ5eDRZLTMtbm9jVQ&q=https%3A%2F%2Fwww.securityjourney.com%2Fpost%2Fnews-update-security-journey-provides-free-application-security-training-environment-for-owasp-r-members&v=P4SHop1YwaI] Security Journey’s OWASP dojo will be open and available to all OWASP members starting April 1st. Members can access it in their member portal.
4. GitHub - 99designs/aws-vault: A vault for securely storing and accessing AWS credentials in development environments - https://github.com/99designs/aws-vault [https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbTBrNmljdzgyN3lQeXNiWk5WaUh0QzFXaVFGQXxBQ3Jtc0ttRWJDaEExbmNzV3pmQ19IUi03N0tLbkZwUEJNdmhoUmN1WHdXbFNJUGotV0t2VE9OMmdlTVo4dk1qUlZVX09VVTFXZFZCeWIwUWhWd0I5dmdqdXozamw5ZDhHQVpOTmNzN3ZXVVFLRGNEZlNPWXplaw&q=https%3A%2F%2Fgithub.com%2F99designs%2Faws-vault&v=P4SHop1YwaI] AWS Vault is a tool to securely store and access AWS credentials in a development environment.
5. Avoiding the top Nginx configuration mistakes (nginx.com) - https://www.nginx.com/blog/avoiding-t... [https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbGs5TkJiSEhmMU9SYndHTkN1aE92VmlZN3VYUXxBQ3Jtc0trVWl0Nm9jQ2Zrcjk3U1dJbGplZllvSUtqSlRVOTJlNDVveDRVcEk1RDd3cDVZSFV6TXBJTy1IMlZMT1JOUGJBNVZPOG4ydjg4Um5ld2hpSUEzU2cyTGtQWjlQVUZHV19oaXpJNEdja0w4ZlZKZU5Wbw&q=https%3A%2F%2Fwww.nginx.com%2Fblog%2Favoiding-top-10-nginx-configuration-mistakes%2F&v=P4SHop1YwaI] This blog takes a deep look at the 10 most common configuration errors, sometimes committed even by NGINX engineers. The article explains what the 10 most common mistakes are and how to fix them.
Internal Secrets; SHA-256; 28,000 Vulnerabilities disclosed in 2021; Threat Modeling.
1. Is it safe to use SECRETS_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED? - https://datasociety.net/wp-content/up... [https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbjRGS2N5cnhfUlAzVjlNNU01bjV2dFhkSGFEQXxBQ3Jtc0tsR3MydGRpQ2M4V3ItYWxOcnc4MmRROUx3VjdVUHoyZ1JyZXZKSWltRFR2eXY0Y1JiU1RpZE16dEFEaHN6dy1GbUIzUllFSU9DR3Z0YmYyd05EMm4yek5JcFpudXBlVFZINk5SOG5ObHd3OXdZU2tUcw&q=https%3A%2F%2Fdatasociety.net%2Fwp-content%2Fuploads%2F2022%2F01%2FBountyEverythingFinal01052022.pdf&v=8Vhw5srs5J0] This first story is a React development issue. A developer was asking whether a specific property was safe to use. This shows the importance of naming in understanding the security risks of using specific properties.
2. Adam Shostack -- Fast, cheap, and good threat models - https://www.securityjourney.com/podca... [https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbUZzeXFiVEVjM3BJbTRhTGV2b2tCLVl6a0lPQXxBQ3Jtc0tsekJOdUR4clpMZGc1MW94cmdXMUZ3VmFIa28zNmR4bFhqZ2Y5ZzJZS2RhU3JiM3RBTzJxUEl0QkNhNlNlS2daQVJNZ2NIc3RVUi1DZUxJdFk5NXVXN0dGT1RSYVMwUmNiY3dGQVZNbU1vWDFXdlpqSQ&q=https%3A%2F%2Fwww.securityjourney.com%2Fpodcast-episode%2Fadam-shostack-fast-cheap-and-good-threat-model&v=8Vhw5srs5J0] Adam is very well known in the world of threat modeling as a thought leader. This is his take on some new approaches he wants everyone in the industry to understand.
3. SHA-256 explained step-by-step visually - https://sha256algorithm.com/ [https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa2dZMmJ2T3dZNEpabDRBZTNxLWczek0wOElKQXxBQ3Jtc0trMFRmbFlaeWM5YWJMV2NDNURGNVlYbGN6VHM0VUtqNW1ST3VCV1BRT1oxQ1VMZDlWNlB6YjlQTERjRGZST0NEQ2lnZkJoOUVlY1JSR0Q2WEI5UGpjOHU1Z0VsbHQ4cFp3YWhYMWNfLWtUbXdrUzNaYw&q=https%3A%2F%2Fsha256algorithm.com%2F&v=8Vhw5srs5J0] This is a website that describes how SHA-256 works. Hashing algorithms are a critical part of how we protect information, whether it is at rest or in transit. This is a fascinating way to go through the steps and understand how they work.
4. Over 28,000 Vulnerabilities Disclosed in 2021: Report - https://sha256algorithm.com/ [https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbGthLU5wVU5UNHp4VFhBblJMYlVTZ19hdXduZ3xBQ3Jtc0trV1BteUtaWEF6OVBCcEIwb0RUU2luVFVwaUtxX2lnR3NsMGVCM1ZNSFVUQ3ZFa1ZscXNCWHlERWppWHV1ZVJVeW5KR1FIWjdyRFk3TDllU2R5QUlYUHcyUW8wYVBTajY4ODhRSi1WSUpMWVhGVldRNA&q=https%3A%2F%2Fsha256algorithm.com%2F&v=8Vhw5srs5J0] This article describes a report published by Risk Based Security highlighting the 28,000 vulnerabilities that were disclosed in 2021. It shows that not much has changed since 2020, but check it out to see all the details.
5. Known exploited vulnerabilities catalog - https://www.cisa.gov/known-exploited-... [https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbllzUzhrNXFzS0ZYc3FVRUxDYkRTM1ZvYlUzUXxBQ3Jtc0tsR1NuVEZkOTNpd0xKbUtFcVlNcEw4bGJaWnNxeUNyQUFSX2dONk82N2ljcmp0djY5aEhTNUJKaDliWms4UnVDd1Fqd0ZCc0x0NkFMWUdHVExYZWxDOXdoRlhocVZ3VWtTWVduR25MWWxubEZtWElPYw&q=https%3A%2F%2Fwww.cisa.gov%2Fknown-exploited-vulnerabilities-catalog%23main-content&v=8Vhw5srs5J0] This is the Known Exploited Vulnerabilities Catalog from CISA. The previous story pointed to this site as a resource to search and stay up to date on different exploitable vulnerabilities and their remediations.
Terraform, CI/CD, Bug Bounties and more
Bounty Everything [https://datasociety.net/wp-content/uploads/2022/01/BountyEverythingFinal01052022.pdf] This ebook has in-depth explanations of how bug bounties work, how the economy within bug bounty programs works, and how the researchers are paid and treated.
Understanding Website SQL Injections [https://blog.sucuri.net/2022/01/understanding-website-sql-injections.html] A high-level deep dive into SQL injection, so even those who have no understanding of what an injection attack is can learn how they work.
Mazin Ahmed -- Terraform Security [https://www.securityjourney.com/podcast-episode/mazin-ahmed-terraform-security] Terraform is all the rage in the infrastructure as code world. In this episode of the Application Security Podcast, Mazin walks through everything you need to understand about Terraform, its security challenges, and where to learn more.
10 real-world stories of how we've compromised CI/CD pipelines [https://research.nccgroup.com/2022/01/13/10-real-world-stories-of-how-weve-compromised-ci-cd-pipelines/] We all have CI/CD pipelines that we use in a DevOps world to build our production software; those pipelines have vulnerabilities. Check out these real-world examples to become more educated about the security issues you need to care about.
Cryptocurrencies: Tracing the evolution of criminal finances [https://www.europol.europa.eu/publications-events/publications/cryptocurrencies-tracing-evolution-of-criminal-finances] This Intelligence Notification provides an overview of the illicit use of cryptocurrencies, including the services that facilitate their illicit use, illustrating relevant modi operandi using case examples.