[tl;dr sec] #234 - Awesome CI/CD Attacks, STRIDE GPT, Non Production AWS Attack Surface

Practical resources for offensive CI/CD research, AI threat modeling tool, bypassing CloudTrail through non-prod endpoints

The Race to Make a Business of Secure Defaults

[tl;dr sec] #233 - Awesome Detection Engineering, Security GPTs, How to Build a Cybersecurity Start-up

Repo of detection engineering resources, Jason Haddix's security GPTs, 3 successful founders on building a security company

Don’t Security Engineer Asymmetric Workloads

[tl;dr sec] #232 - GitHub Actions Cache Poisoning, Rust Red Team Tools, Prioritizing Detections

Subtly tamper with GHA builds, repo with offense-focused Rust PoCs, how to prioritize a detection backlog

[tl;dr sec] #231 - XZ Utils Backdoor Scanner, CISA's Enriched CVEs, SOC 2 Compliant CI/CD

Understanding & detecting the XZ Utils backdoor, CISA's repo of enriched CVEs, an example SOC 2 compliant GitHub CI/CD pipeline

Wiring a Winning Security Organization

[tl;dr sec] #230 - BSidesSF & RSA Summaries, Cloud-Native Threat Modeling GPT, STS for GitHub

My BSidesSF summaries and RSA announcement overview, custom GPT with CloudSec knowledge, Security Token Service GitHub App

[tl;dr sec] #229 - Prompt Injection Defenses, Security @ OpenAI, Microsoft's Deception Infrastructure

New repo surveying prompt injection defenses, how OpenAI uses LLMs for internal security, insights on MS's honeypot infra

[tl;dr sec] #228 - OpenAI's Security Bots, Slack's IMDSv1 ➡️ 2 Journey, the Kubenomicon

OpenAI's open sourced Slackbots, migrating to IMDSv2 at scale, a collection of offensive Kubernetes security techniques

Security is a Team Sport

A call to action, with practical advice

[tl;dr sec] #227 - Securing GitHub Actions, State of DevSecOps, Paved Road Webinar

Tools to scan build piplines & remove short-lived tokens, study by Datadog, join Jason Chan and I on the origin of Netflix's Paved Road