Mastouille

0 message0 participant0 message aujourd’hui

Paco Hope #resistFunny way to evade a lot of <a href="https://infosec.exchange/tags/AWS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AWS</a> <a href="https://infosec.exchange/tags/SAST" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SAST</a> checkers that try to check your terraform or CDK or CloudFormation. They often look for open security groups (i.e., <code>0.0.0.0/0</code>). Sadly, most of these tools are looking for THAT string. They don't evaluate it as a CIDR. You might really want a rule that says "anything bigger than /16 is suspicious". But that's not how they work.So a couple rules like <code>0.0.0.0/1</code> and <code>128.0.0.0/1</code> will pretty much get you the whole Internet, but probably slip right past most of the "open-to-the-internet" checkers. Likewise they will catch <code>::/0</code> but will not catch <code>::/1</code> or <code>1000::/1</code>.One thing I did notice is that security groups normalize their CIDR ranges. So you could get a string like <code>8.8.8.8/0</code> through a static code analyzer (because it's not the string <code>0.0.0.0/0</code>) but EC2 will normalize that to <code>0.0.0.0/0</code> when it stores it. So if you do a dynamic check by asking for the security group's ingress rules, it will report back <code>0.0.0.0/0</code> even though you had sent <code>8.8.8.8/0</code> originally.I can't wait to see how AI will handle this.

Arthur Lutz (Zenika)🎉 J'ai fini le "Learning Path" DevSecOps sur TryHackMe ! 🏆 Une certification de plus ! <a href="https://tryhackme.com/path/outline/devsecops" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://tryhackme.com/path/outline/devsecops</a>Super ateliers et contenus sur la supply chain, la sécurité dans la CI/CD, les outils de detection de failles, le hardening de conteneurs, docker, kubernetes, et même sur du terraform. <a href="https://pouet.chapril.org/tags/DevSecOps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DevSecOps</a> <a href="https://pouet.chapril.org/tags/DevOps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DevOps</a> <a href="https://pouet.chapril.org/tags/TryHackMe" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#TryHackMe</a> <a href="https://pouet.chapril.org/tags/Gitlab" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Gitlab</a> <a href="https://pouet.chapril.org/tags/Jenkins" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Jenkins</a> <a href="https://pouet.chapril.org/tags/CICD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CICD</a> <a href="https://pouet.chapril.org/tags/SAST" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SAST</a> <a href="https://pouet.chapril.org/tags/DAST" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DAST</a>

Paco Hope #resistYou might wonder what kinds of tools <a href="https://infosec.exchange/tags/AWS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AWS</a> consultants use to automate <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#security</a> <a href="https://infosec.exchange/tags/code" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#code</a> <a href="https://infosec.exchange/tags/scanning" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#scanning</a>. One of the internal teams has just open-sourced one of our tools that was internal-only for a long time. It basically dockerises and runs a whole pile of free <a href="https://infosec.exchange/tags/sast" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#sast</a> tools. I know the folks that write this and we leverage it pretty heavily in our business. <a href="https://github.com/awslabs/automated-security-helper" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/awslabs/automated-security-helper</a>

Melinda MarksIt's taken me almost a year to write (and edit) my rant about categories and acronyms in cybersecurity. Which acronyms or categories annoy you the most? Security teams don't need more tools, they need efficient ways to mitigate risk and respond quickly to threats or attacks - especially now to keep up with faster development cycles. <a href="https://www.techtarget.com/searchsecurity/opinion/Cloud-native-app-security-Ignore-acronyms-solve-problems" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.techtarget.com/searchsecurity/opinion/Cloud-native-app-security-Ignore-acronyms-solve-problems</a> <a href="https://infosec.exchange/tags/cloudsecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cloudsecurity</a> <a href="https://infosec.exchange/tags/applicationsecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#applicationsecurity</a> <a href="https://infosec.exchange/tags/appsec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#appsec</a> <a href="https://infosec.exchange/tags/cspm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cspm</a> <a href="https://infosec.exchange/tags/sast" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#sast</a> <a href="https://infosec.exchange/tags/dast" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dast</a> <a href="https://infosec.exchange/tags/iast" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iast</a> <a href="https://infosec.exchange/tags/sca" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#sca</a> <a href="https://infosec.exchange/tags/sbom" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#sbom</a> <a href="https://infosec.exchange/tags/ciem" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ciem</a> <a href="https://infosec.exchange/tags/asoc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#asoc</a> <a href="https://infosec.exchange/tags/dspm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dspm</a> <a href="https://infosec.exchange/tags/aspm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#aspm</a> <a href="https://infosec.exchange/tags/cnapp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cnapp</a> <a href="https://infosec.exchange/tags/cdr" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cdr</a> <a href="https://infosec.exchange/tags/mdr" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#mdr</a> <a href="https://infosec.exchange/tags/itdr" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#itdr</a> <a href="https://infosec.exchange/tags/ndr" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ndr</a> <a href="https://infosec.exchange/tags/mdr" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#mdr</a> <a href="https://infosec.exchange/tags/xdr" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#xdr</a> <a href="https://infosec.exchange/tags/edr" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#edr</a> <a href="https://infosec.exchange/tags/cnapp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cnapp</a> <a href="https://infosec.exchange/tags/wapp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#wapp</a> <a href="https://infosec.exchange/tags/devsecops" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#devsecops</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/ciso" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ciso</a> <a href="https://infosec.exchange/tags/cso" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cso</a>

Tanya Janca | SheHacksPurple :verified: :verified:Let's talk about static analysis - a term that might sound super complex, but it's really just a fancy way of saying: "Hey, let's check your code and make sure it's secure!" 🔐 How do YOU feel about static analysis? 😅 Share your thoughts! <a href="https://infosec.exchange/tags/StaticAnalysis" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#StaticAnalysis</a> <a href="https://infosec.exchange/tags/CodeSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CodeSecurity</a> <a href="https://infosec.exchange/tags/SAST" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SAST</a>💻

Markus Eisele<a href="https://mastodon.online/tags/bearer" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bearer</a>: Code security scanning tool (<a href="https://mastodon.online/tags/SAST" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SAST</a>) that discover, filter and prioritize security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD). <a href="https://github.com/Bearer/bearer" rel="nofollow noopener noreferrer" target="_blank">https://github.com/Bearer/bearer</a> <a href="https://mastodon.online/tags/JavaScript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#JavaScript</a> <a href="https://mastodon.online/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a> <a href="https://mastodon.online/tags/Security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Security</a>

jeffluszczI propose that source generated by AI code generators should have a short human and machine readable comment tag to allow better <a href="https://mastodon.social/tags/SCA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SCA</a> & <a href="https://mastodon.social/tags/SAST" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SAST</a> scanning due to the IP and <a href="https://mastodon.social/tags/aiart" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#aiart</a> related static analysis needs. I welcome thoughts, feedback and especially tag suggestions! More in my blog: <a href="https://zebracatzebra.com/blog/a-proposal-for-comment-tagging-ai-generated-source-code/" rel="nofollow noopener noreferrer" target="_blank">https://zebracatzebra.com/blog/a-proposal-for-comment-tagging-ai-generated-source-code/</a>

Max Maass :donor:And, just so that the <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> people following me don't think that I will never post about these topics here: I recently wrote about the security implications of <a href="https://infosec.exchange/tags/Java" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Java</a> <a href="https://infosec.exchange/tags/Spring" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Spring</a> Actuators, and how having too many of them turned on can be a serious security risk: <a href="https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators" rel="nofollow noopener noreferrer" target="_blank">https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators</a>. May be a helpful for your <a href="https://infosec.exchange/tags/pentest" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pentest</a>'s and <a href="https://infosec.exchange/tags/bugbounty" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bugbounty</a> hunting - I like to keep a few ffuf inputs around for this purpose.And if you are on the <a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#blueteam</a>, I also wrote about how you can construct <a href="https://infosec.exchange/tags/semgrep" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#semgrep</a> <a href="https://infosec.exchange/tags/SAST" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SAST</a> rules to find dangerous configurations: <a href="https://blog.maass.xyz/spring-actuator-security-part-2-finding-actuators-using-static-code-analysis-with-semgrep" rel="nofollow noopener noreferrer" target="_blank">https://blog.maass.xyz/spring-actuator-security-part-2-finding-actuators-using-static-code-analysis-with-semgrep</a> (the rules don't cover all possible ways of doing this, simply because the config files offer way too many options of doing the same thing - but I still think it's a worthwhile introduction to writing your own semgrep rules, which is one of my favourite things to do)Really hope that I'll find the time to finish off that series of posts soon, because there's a different post I've been itching to write for months now, which involves a really neat exploit based on incorrect use of cryptography that I found in a recent engagement...

Recherches récentes

Options de recherche

Administré par :

Statistiques du serveur :

#SAST