Hello, World!
Let's get this party started!
Hi everyone, I'm Felix, imaginary mascot and also a security engineer.
My colleagues, who work in infosec, often complain that building secure and reliable systems is hard tradecraft. Most security news feeds focus on exciting vulnerability research or on the results of its successes: breaches, fines, millions of database rows leaked.
However, the unexciting world of blue-team engineering (understanding the causes of security vulnerabilities, designing defences, inventing and implementing security controls) is poorly covered, both for professional defenders and for regular devs, who often carry the weight of implementing security in their products.
I decided to cherry-pick the most interesting bits from internal discussions with my colleagues for this biweekly newsletter. I will share notes on application security, secure architecture, DevSecOps, cryptography, incidents, and more, keeping it useful for builders and (to a lesser extent) for breakers.
Let's go!
Secure Architecture
Defense in Depth
Heard about "defense in depth"?
Sure, but do you really understand the principle? Defence in depth is not just multiple layers of controls that mitigate one or more risks; it is multiple layers of interlocking or interlinked controls, where each layer assumes the others can fail. Here's a good overview by Google Cloud's CISO.
Cryptography
Practical bruteforce of "AES-1024 military grade encryption"
If you are interested in practical cryptanalysis, read this story. A researcher from Kudelski Security examined a USB stick encrypted with the SanDisk Secure Access software, which used a custom cryptographic algorithm. They found that the encryption used "AES-1024", which turned out to be a curious construction. Long story short: the world now has a John the Ripper plugin to brute-force "AES-1024", and we, once again, repeat the "don't roll your own crypto" mantra.
DevOps
10 real-world stories of how we’ve compromised CI/CD pipelines
Dev teams of any scale often lack the time, knowledge, and people needed to avoid security problems in their CI/CD. Learn from NCC Group's assessments what can go wrong with CI/CD pipeline security and how to prevent it.
Incidents
The math prodigy whose hack upended DeFi won’t give back his millions
An underestimated attack vector can cause lots of trouble. Dillon Kellar, a co-founder of the cryptocurrency platform Indexed Finance, was aware of one possible attack pathway but decided it was not a real attack vector. An 18-year-old graduate student wrote a program that took out a "flash loan" and, in 7 steps, drained millions from the platform. Then he disappeared.
Tools
Hotspots and how to deal with them using semgrep
Hotspots are parts of the code that have a higher probability of containing mistakes and vulnerabilities. Many static analysers highlight hotspots and suggest reviewing them manually to determine whether each one is a bug or a false positive. Examples of hotspots are: hardcoded secrets, skipped verification steps, use of non-cryptographic functions for cryptography, weird regexes, missing returns, and so on.
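As an added illustration (not code from the original newsletter or from the linked article), here are two semgrep rules that flag the first and third hotspot kinds listed above in Python code: an assignment of a string literal to a variable whose name looks like a credential, and a call to hashlib.md5 or hashlib.sha1. The rule ids, messages and the name regex are my own choices; the rule keys (patterns, metavariable-regex, pattern) are standard semgrep syntax.

```yaml
# hotspots.yml: review-only rules; a match is a hotspot to inspect, not a confirmed bug.
rules:
  - id: hotspot-hardcoded-secret
    languages: [python]
    severity: WARNING
    message: >-
      Possible hardcoded secret assigned to $KEY. Review this assignment and,
      if it is a real credential, move it to a secrets manager or environment
      variable and rotate it.
    metadata:
      category: hotspot
    patterns:
      # Any assignment of a string literal ("..." matches any string in semgrep).
      - pattern: $KEY = "..."
      # Only when the variable name smells like a credential (name list is an assumption).
      - metavariable-regex:
          metavariable: $KEY
          regex: (?i).*(password|passwd|secret|api_key|apikey|token).*

  - id: hotspot-weak-hash-for-crypto
    languages: [python]
    severity: WARNING
    message: >-
      hashlib.$FUNC is not suitable for security purposes. Review the call: for
      password storage use a dedicated KDF (e.g. hashlib.scrypt), for integrity
      use SHA-256 or stronger, or document why a weak digest is acceptable here
      (e.g. a non-security cache key).
    metadata:
      category: hotspot
    patterns:
      - pattern: hashlib.$FUNC(...)
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(md5|sha1)$
```

Run it with `semgrep --config hotspots.yml path/to/src`. Because these are hotspot rules rather than bug rules, keep the severity at WARNING and triage findings in review; a `# nosemgrep` comment with a reason is the usual way to record an accepted false positive so the same hotspot is not re-raised on every scan.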