Building an effective vulnerability management process, K8s/AWS tips, network & code scanning tools, privacy preserving VA, and the Siege of Gondor.
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
Summary of an AppSec Cali 2019 talk on more efficient network penetration tests via clustering similar screenshots, fuzzing tools and articles, Bugcrowd/Bitdiscovery asset inventory partnership.
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challenges, formal methods.
Gusto's Nathan Yee on being impactful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more asset inventory offerings.
Browser default *SameSite* cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
Cloudflare's CTO on how they think about security, Salesforce's tool to make IAM least privilege policy generation easier, and finding XSS in Firefox's UI using AST matching.
Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, China's censorship power is felt around the world.
DevSecCon Seattle 2019 Round Up