Posts

Securing an AWS CodePipeline End-to-End: SAST, SCA, Dynamic Testing, and a Hard Security Gate

A walkthrough of the planetary-api pipeline — 10 stages of AWS CodePipeline with Semgrep, Snyk, Postman, and Security Hub doing the heavy lifting. I built planetary-api as a security training tool. It's a Flask API that deliberately contains vulnerable code — SQL injection, command injection, path traversal, SSRF — right alongside secure implementations of the same endpoints. The idea is to show the contrast in a realistic environment. One side effect of that design is it makes a good test case for a security pipeline. The pipeline has to detect real vulnerabilities, report them centrally, and block the deployment — while also giving me a way to override the gate when the vulnerabilities are intentional. Here's how that works. Planetary API — AWS CodePipeline (10 Stages) Stage 1 Source GitHub (master) Stage 2 Build Docker → ECR Stage 3 — SecurityScan Semgrep SAST Snyk SCA Post...

Building a Flask API for security training — planetary-api

I spend a lot of time explaining API vulnerabilities to engineers, and nothing lands better than a live target they can actually break. Slide decks about SQL injection are forgettable. Firing off a crafted request and watching a database dump appear on screen? That sticks. So I built planetary-api — a Flask REST API backed by Star Trek planet data, with deliberately vulnerable endpoints sitting right next to their secure counterparts. Show the problem, show the fix, let people poke at both. This post walks through the project, how to spin it up, and what each vulnerability looks like in practice. Why Star Trek planets? Because nobody cares about losing fake planet data. When you're running a workshop and you want people to feel free to break things, obviously fictional data removes the anxiety about causing real damage. Vulcan, Qo'noS, Bajor — mess with it guilt-free. The API is a standard Flask REST A...

Azure Policy - Subnets should have a Network Security Group

I often find it useful to create a proof for a security control, demonstrate how it works, and pick up some useful techniques on the way. Download the Postman export here. The issue with this fine policy is in the way the latest Terraform works: it creates the subnet prior to associating the NSG, which means the policy blocks it from creating the subnet. Use the Terraform in the initial_env directory to create the starting point for the lab work. Attach the Policy to the Resource Group Obtain the 'Subnets should have a Network Security Group' policy definition from here and add it to your subscription. The name may conflict with a built-in policy, so add something to the end - I added Andy on the end to differentiate it. Attach the policy to a resource group. In this example the resource group is 'az-900'. Azure Policy Definition Assigned to the Resource Group az-900 Azure Policy Assignment Postman Create Subnet Use the HTTP API to create a subnet and associate an NSG in a ...

CI/CD Pipeline Security & Shifting Left Part 2

As a follow-up to my previous post, I wanted to go back and remove the vulnerable code from  and update the included libraries to fix any dependencies that were vulnerable. First, let's have a look at what has changed simply with the passage of time... Dependency-Track has not had a new SBOM for quite some time as the pipeline hasn't been run. However, it has continued to track vulnerabilities in the included components. Dependency-Track Apr 23 The summary view shows the included versions with the number of vulnerabilities by severity. Not only has Dependency-Track continued to do its job quietly in the background, but it has also been updating Defect Dojo as new vulnerabilities have been notified through its vulnerability database feeds. Defect Dojo Apr 23 All of this happens based on the last SBOM ingested by Dependency-Track. Even if the pipeline has not been run in years and no new SBOM produced, it will continue to surface new vulnerabilities in the softwa...

My favourite podcasts

Keeping up with industry news and the latest research and developments in Information Security is no small task. Over the years I have listened to many InfoSec podcasts. Some are great and I have stuck with them for many years; others have come and gone. In this post, I'm going to list my personal favourites. Daily News Read all about it. Get the latest, up-to-date InfoSec news from around the world. ISC Stormcast If you only have 5-10 mins to listen during your morning coffee, then this is the one. I try to listen to this one every day. Chances are if something big is breaking you're going to hear about it here first. Often the shows point the way to further information on interesting research and feature the latest malware techniques you should be aware of. Presented by Dr. Johannes Ullrich, Dean of Research for SANS Technology Institute and SANS Faculty Fellow, and founder of the SANS Internet Storm Center (ISC), with frequent contributions ...