Briefly after finishing the Cloud Resume Challenge I discovered a few "Extensions" to the challenge were now provided. The extension which piqued my interest was the terraform one, due to the popularity of the Hashicorp technology among the community. The goal was simple: Convert your Infrastructure as Code (IaC) definition to terraform.
In my case, this meant porting the AWS Serverless Application Model (SAM) Template to terraform configuration, so that it could be deployed using just
terraform init && terraform apply instead of the AWS-specific
sam build && sam deploy workflow.
In late November, I was booked on a client assessment which included a terraform code review component, so what better opportunity to familiarise myself ahead of the job? So after just over a month and moments before 2022 waved goodbye, I completed the challenge extension and as part of step 15 I wrote a blog post to document what I learnt. The terraform clone of my Cloud Resume application can be found at https://resume.tf.laripping.com.
I strongly believe that to learn is to do. And having the longing itch to cover my deficiency in cloud security and cloud in general, it came as a big A-Ha moment when I read about the Cloud Resume Challenge in Nick Jones' awesome "Breaking Into Cloud" checklist.
Essentially, the Cloud Resume Challenge is to create a simple web application, but fully cloud-native and using modern DevOps practices. The app will be a statically hosted website showing your Resumé (or just Resume from here onwards, might also use the term CV interchangeably) and will include some backend functionality in the form of a visitor counter. All of this will be created through 15 well-defined tasks.
A mantra I've always followed is that if a certain problem has come up twice, you probably need to write the solution down somewhere. Scripta manent, as they say.
After delivering a few conference talks in the age of the pandemic, I found myself bumping over the same challenges again and again. While at the same time, I can recall being asked at least twice about the software I used or how to approach the overall workflow. This short article will therefore serve as a braindump of all the tips and tricks worth noting, to skip the hustle next time or maybe help others figure their way out.
Recently, while doing some Android reverse engineering, I bumped into the following problem: After digging into the decompiled Java code, my analysis for the functionality of interest led me to a native function... which was nowhere to be found in the disassembly of the respective .so library. What sorcery is this? And where on god's green earth is my native function in that massive ELF blob?
In this blog post I will therefore:
OSEP is a new cert. It was introduced by Offsec in November 2020 and it immediately felt like they would finally address the gap in their certs for the netsec area, while simultaneously throwing Offsec in the market of Red Team related certs/courses.
- Explain why sometimes JNI functions don't pop up in the Function Listing, and most importantly
- Present a novel technique to 'enrich' the disassembly with these functions' signatures ...wait for it... using Frida!