It’s now easy to run custom Rego policies against your live AWS account(s) with Trivy, as of version v0.33.0. In this post I’ll run through several example policies to demonstrate how it works and...
Scanning for AWS Security Issues With Trivy
What is Trivy? Trivy is a multifunctional, open-source security scanner. It can scan various targets (filesystems, containers, git repositories and more) in order to discover security issues (vuln...
Writing Go Linters
Recently I looked into writing a custom linter for an open-source project called defsec. We had a fairly unique problem with an all-too-frequent bug. We decided if we could catch this type of bug a...
Write-up: Intigriti 0722 (July 2022) XSS Challenge
It’s been a while since I’ve done an XSS write-up, and the latest Intigriti challenge was fun, so here goes… 0x00: Initial Recon The site provided by Intigriti is a single-page application that s...
5 Ways To Speed Up Go Tests
A slow test-suite/build is one of the most frustrating hurdles to productivity for software engineers. Here are a few tips to speed things up with Go… 1. Run Tests in Parallel Go runs each test i...
Malicious Rego: OPA Supply Chain Attacks
I’ve been using Rego a lot lately and have been very pleased with it. Like any technology though, it can be abused - especially if used irresponsibly. I was inspired by this post about IaC supply-c...
OPA Rego + tfsec: Custom security policies for your infrastructure
Recently, tfsec added support for applying Rego policies to your Terraform code. Clear rules can be written against simple data structures, whilst providing the developer with a wealth of informati...
Escalating Privileges with Dirty Pipe (CVE-2022-0847)
The Dirty Pipe vulnerability allows users to write to files for which they should only have read access. I recommend reading Max Kellermann’s vulnerability abstract to get a good grounding in how i...
Configuring Google Authenticator on Ubiquiti EdgeOS OpenVPN
The following guide will help you to set up Google Authenticator based 2FA for OpenVPN on EdgeOS 2.0+ devices. It’s recommended to ensure you have another method to access your device in case you a...
Write-up: Intigriti March 2021 XSS Challenge
The following is my write-up for the March 2021 Intigriti XSS challenge. Let’s Get Started… The challenge takes place on a single web page, though this one appears more dynamic than those I’ve ...