🗡️ Head of Security Research @semgrep 📚 Creator of tl;dr sec newsletter
Deliberately vulnerable MCP to practice your hacking chops, how Figma's balances usability & security, a new tool to put a leash on naughty AWS permissions
More MCP links than you can shake a stick at, GHA runtime monitoring & why pinning is hard, scan S3 buckets for misconfigs and ransomware prevention
MCPs for Ghidra, Semgrep, and SecOps, a CodeQL supply chain issue, using ServiceNow offensively
Agent authentication & Model Context Protocol Security, k8s for pentesters, a critical look at "state of cloud security" reports
Threat modeling (with) LLMs, tj-actions woes, reading a threat actor's Telegram C2
Repo for simulating Russia, China, DPRK APTs, getting phished by CloudFormation or SSM, 7 flywheels for amplifying your security program
AI-powered web vuln scanner agent and Baby Naptime, 2 tools + guides on preventing ransomware in AWS, detailed guide on hacking AI agents/apps
How Burp Suite is adding AI-powered features, understanding and mitigating OAuth vulns, a PoC to subtly backdoor an LLM
Insights from Chinese intel reports on the NSA's TTPs, understanding and testing passkeys, how Databricks leverages AI to focus on business critical CVEs
NVIDIA's Agentic CVE investigation workflow, compromising the Internet via abandoned S3 buckets, do more in AppSec by doing less
![[tl;dr sec] #275 - Damn Vulnerable MCP, Figma's Modern Endpoint Strategy, BloodHound for AWS IAM](https://media.beehiiv.com/cdn-cgi/image/format=auto,width=800,height=421,fit=scale-down,onerror=redirect/uploads/publication/thumbnail/080a561f-2435-4477-a549-ab9f115e047c/landscape_Screenshot_2024-11-21_at_10.48.21_AM.png)
