In 2022, we started Datadog Security Labs, a dedicated place for us to publish security content for the practitioner community. In this post, we look at the highlights from Security Labs’ first year, which included releasing several new open source tools and sharing original security research.
Open source security tools
We are committed to releasing open source projects that help expand the toolkit available to all security practitioners. Here’s a recap of the open source efforts we focused on this year.
Stratus Red Team
In early 2022, we released Stratus Red Team, which allows security teams to emulate offensive attack techniques in a granular and self-contained manner. While initially focused on AWS, we soon added support for Azure, GCP, and Kubernetes, with help from the community.
Stratus Red Team has quickly become one of Datadog's most popular open source projects. Over the past year, the project has seen:
- 1,200 GitHub stars
- 2,000 unique downloads through Homebrew
- 19 pull requests merged from 10 external contributors
- 47 releases
We presented Stratus Red Team at the Cloud-Native SecurityCon, BlackHat Arsenal USA, and the DEFCON Cloud Village. But it's not only about us—we were happy to find out that the wider community also picked up on the project, presenting it at BSides Portland, SANS HackFest, and our very own Dash.
Partially building on Stratus Red Team, we created Threatest, a Go framework for end-to-end testing of threat detection rules. We released it during DEFCON Cloud Village, in August 2022.
Since then, we’ve added support for detonating custom attacks using the AWS SDK. We’ve also built a CLI version of Threatest to make it accessible to a wider audience.
In November, we released GuardDog, a project that helps identify malicious PyPI packages.
We’ve already used GuardDog to find more than 250 malicious packages in the wild, which we regularly publish on GitHub. In particular, we used it to uncover a malicious package attempting to backdoor FastAPI applications.
Reusable proofs of concept
We released several reusable proof-of-concept environments to allow security teams to reproduce detection and exploitation of common vulnerabilities. Proof-of-concept exploits currently available include Dirty Pipe, Spring4Shell, and the JWT Null Signature vulnerability.
In 2022, we released our first security study, analyzing the security posture of over 600 AWS environments: The State of AWS Security. Through our findings, we were able to identify some of the common challenges that practitioners face with AWS security—e.g., scaling IAM and managing its complexities. We also highlighted several best-practice recommendations to help security teams overcome these hurdles.
As a community, we're eager to learn from trends, not just individual incidents. That's why we also released an analysis of over 50 cloud data breaches and exposures of 2022, along with community heroes Houston Hopkins and Rami McCarthy.
We also discovered a cross-tenant vulnerability in AWS AppSync that resulted in one of the 10 security bulletins AWS released in 2022, AWS-2022-09. Nick Frichette will be discussing his findings in greater depth on an upcoming episode of the "Datadog On" video talk series.
Finally, we released actionable analysis for several emerging vulnerabilities, the most popular of which was our post covering the OpenSSL punycode vulnerability.
2022 was the inaugural year for Datadog Security Labs, and we’re just getting started. In 2023, we plan to release exciting open source security projects, research, and write-ups about vulnerabilities we’ve identified in cloud providers' environments—as well as those we’ve yet to discover. Stay tuned! You can subscribe to our RSS feed here, or use this direct Feedly link.
We're also eager to onboard new contributors to our open-source projects. Feel free to check issues that are a good fit for first-time contributors, and do reach out for any idea or feature request!