DevSec Selection #8 – SAST with AI, Git RCE, Semgrep for K8s

May 22, 2024

Intro

Hi!
I will start this edition with the following quote:

“In a 2023 GitHub survey, developers reported that their top task, second only to writing code (32%), was finding and fixing security vulnerabilities (31%).”

    ~Nicole Choi (GitHub)

In the newsletter you will find how Canva implemented Endpoint Vulnerability Management at scale, ideas for enhancing SAST with AI from GitHub, Semgrep rules for K8s and technical articles about a recent RCE in git and SSRF exploitation techniques oriented on NodeJS. You can also read about a recent Dell data breach where 49 million customer records were affected – unofficially, records were exfiltrated through an API security issue.


Materials

The article presents how Canva manages endpoint vulnerabilities at scale to ensure the security of their systems and customer data. They define responsibilities, set SLAs, visualize data flow, update applications, and prioritize vulnerable software. Their approach includes using MDM, deploying osquery, and relying on statistical risk assessment. Testing the process and measuring success through data analysis are key components. They share graphs showing vulnerabilities over time, top widespread vulnerable applications, vulnerability age trends, and managed vulnerable applications out of SLA. Despite challenges like patching and software quirks, Canva’s systematic approach enhances their endpoint security significantly.


It discusses how AI enhances static application security testing (SAST) tools by combining generative AI with code scanning. It highlights developers’ frustrations with security practices, the value of using AI-powered tools, and how AI improves vulnerability detection and remediation. By integrating AI, SAST tools can detect vulnerabilities more efficiently, provide contextualized alerts in workspaces, and help developers remediate vulnerabilities faster, resulting in a more secure software development lifecycle (SDLC).


The article introduces a Semgrep-based Policy Controller for Kubernetes, allowing validation of resources against Semgrep rules before deployment. It’s in a proof of concept state – not for production yet. Setup takes minutes using git, yq, Kubernetes cluster, and optional Helm. Customize rules easily. Use Helm to install and test resources for compliance. Cleanup with Helm uninstall.


This great article details the discovery of an RCE vulnerability in Git, where cloning repositories can lead to code execution. The article explains the vulnerability chain, patch details, and provides a working exploit script. It emphasizes the importance of understanding the underlying concepts such as submodules, symlinks, and file systems in exploiting the vulnerability. The author successfully demonstrates the RCE execution on both Windows and Mac systems using a local repository setup and then remote GitHub repositories. The complete PoC repository is available on GitHub for further exploration.


This article presents potential security risks in NextJS websites due to misconfigurations and vulnerabilities. It discusses how attackers can exploit SSRF through image optimization and server actions. By manipulating headers, attackers can trigger blind SSRF attacks and achieve full read access to internal resources. The article emphasizes the importance of testing modern frameworks for security vulnerabilities.


A threat actor named Menelik exploited a partner portal API in Dell’s system to steal 49 million customer records by generating requests without rate limiting. Dell was informed but didn’t respond until after data was posted for sale. APIs have become a vulnerability for scraping data in recent breaches.

Interesting Article?

Join DevSec Selection!

DevSec Selection is a bi-weekly Newsletter with the latest outstanding articles related with DevSecOps and application security.


Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments