[tl;dr sec] #61 - Effective Security OKRs, Scaling Threat Modeling, Webscan
How to create effective security OKRs, scaling threat modeling in hypergrowth, engineering-driven orgs, and a browser-based internal network scanner.
Posts by Year
2020
[tl;dr sec] #60 - Cartography + IAM, Security Scorecard, Self-service Security
Use Cartography to understand AWS permissions, tool to grok the risk of open source libraries, developers taking security into their own hands.
[tl;dr sec] #59 - NAT Slipstreaming, Widespread Injection in GitHub Actions, Greppable Secrets
Attacker’s can remotely access any TCP/UDP service on your machine, serious bugs in many GitHub Actions, and the security value of creating easily greppable ...
[tl;dr sec] #58 - New Job 🎉, Burp Multiplayer, Chaos Engineering Book
I’ve joined r2c as Head of Security Research, tool to sync multiple Burp instances, free book on chaos engineering to help you build reliable distributed sys...
[tl;dr sec] #57 - Bug Bounty Lessons Learned, Content Value Hierarchy, CloudSecDocs
1 year of a private bug bounty program, how to create high value content, and a great resource for cloud-native technologies.
Stratechery: Aggregation Theory
Ben Thompson describes how properties of the Internet enable companies providing the best user experience to win, which leads to a virtuous but anti-competit...
[tl;dr sec] #56 - State of Exploit Development, Hacking Apple, flaws.cloud dataset
Stats on vulnerability discovery, CVE publication, and patches, lengthy write-up of 3 month Apple bug bounty hackathon, and flaws.cloud logs published.
[tl;dr sec] #55 - Detection as Code, Vault Authentication Bugs, Fingerprinting Exploit Developers
Why we should embrace Detection as Code, write-up of two complex AuthN bugs in Vault, tracking exploit developers by their work.
[tl;dr sec] #54 - Complexity in Capital, Communicating a Breach, Offensive Terraform
I contributed to an article in Forbes, how to communicate when you’ve been hacked, Terraform to spin up offensive infrastructure.
A framework for effective corporate communication after cyber security incidents
This paper lays out a framework for how organizations should communicate after a security incident.
[tl;dr sec] #53 - OneFuzz, Program Analysis, Ring Alarm Teardown
Microsoft releases self-hosted fuzzing-as-a-service platform, several solid program analysis resources, detailed teardown of Ring’s hardware and attack surfa...
[tl;dr sec] #52 - Prioritizing 3rd Party Vulnerabilities to Fix, LangSec History, Distilled Compliance Controls
How to prioritize vulnerabilities in your dependencies, some history and context around LangSec, and a set of common controls across 10+ standards.
Peeling the Web Application Security Onion Without Tears
Lessons from Adobe in how building reusable, secure-by-default services and infrastructure improves your security and reduces compliance burden.
[tl;dr sec] #51 - Continuous Cloud Monitoring, Web Browser for Hackers, How GitHub Threat Models
Monitor your cloud environment and automatically detect drift, a scriptable browser and bending JavaScript to your will, GitHub’s threat modeling process.
[tl;dr sec] #50 - Engineering Empathy, Golang Security, Bardcore
Applying engineering lessons learned to AppSec teams, common Golang bugs, and medieval covers of modern pop songs take the Internet by storm.
[tl;dr sec] #49 - Web Cache Entanglement, Finding a Mentor, Build Tools Around Workflows
New cache research by James Kettle, how to effectively reach out and build mentor relationships, tools should support workflows, not vice versa.
[tl;dr sec] #48 - Automating Recon Summary, GraphQL Tools, DEF CON 2020 Live Notes
My summary of Daniel Miessler’s talk on automating recon, 2 tools to help with testing GraphQL, quick notes for ~20 DEF CON talks.
Mechanizing the Methodology: How to find vulnerabilities while you’re doing other things
Daniel Miessler describes how to automate your OSINT and recon processes so you can find more and better bugs with less manual effort.
[tl;dr sec] #47 - Automating Recon, Podcasts, and Lateral Movement / Privilege Escalation in GCP
Daniel Miessler on automating your recon workflow, I was on a few podcasts, how to compromise GCP orgs via cloud API lateral movement & privilege escalat...
[tl;dr sec] #46 - Grokking CSP, Automating Threat Model ➡️ Security Tests, Unknown Blob ➡️ Plaintext
How to go from no CSP to a solid CSP, automatically creating baseline security tests from a threat model, tools to automagically decode random blobs.
Content Security Policy: Going From Idea to Afterthought
GitHub security engineer Neil Matatall gives an overview of CSP: how it works, how to go from no CSP to a solid CSP, and how GitHub implements CSP.
[tl;dr sec] #45 - Bucket Brigade, ReDoS Cheat-sheet, Understanding OAuth
Protecting your public S3 buckets, how to find, prevent, and fix regular expression DoS, and walk step-by-step through the OAuth flow.
[tl;dr sec] #44 - Formal Methods, New Web Security Mechanisms, Have GPT-3 Code for You
Using lightweight formal methods in the real world, new web mitigations for injection vulns and isolation capabilities, GPT-3 is magic.
Container Security
A collection of container security resources and tools, organized by category.
PLTalk: Practical Formal Methods with Hillel Wayne
Jean Yang, Hongyi Hu, and Hillel Wayne discuss making programming languages/model checking more accessible, give an overview of TLA+ and Alloy, and successfu...
[tl;dr sec] #43 - Continuous AppSec Scanning, Threat Modeling, Career Advice from Feynman
How to continuously discover, monitor, and assess your web assets, threat modeling + agile, Richard Feynman on the problems you choose to tackle.
[tl;dr sec] #42 - tl;dr sec Search, Towards Trusted Sensing, Root Causes of Procrastination
tl;dr sec now supports search, snapshotting VMs at scale in a way malware can’t evade, reflections on why we procrastinate.
[tl;dr sec] #41 - Threat Modeling Kubernetes, Secret Scanner Benchmark, OWASP Software Component Verification Standard
Overview of current work threat modeling Kubernetes, a repo to test your secret scanning, and v1 of OWASP’s standard on identifying/reducing supply chain risk.
How Uber Continuously Monitors the Security of its AWS Environment
Uber describes their continuous cloud monitoring service and the workflows and process design that makes it successfully adopted by engineering teams.
[tl;dr sec] #40 - Uber’s Continuous AWS Monitoring, AWS’s Hands-off Deployments, Auto-remove Unneeded Feature Flags
Uber continuous AWS monitoring tool and process, how AWS does safe, fast, continuous deployment, tool to auto-delete no longer needed feature flags.
[tl;dr sec] #39 - Evidence Based Security, Web Security, and Program Analysis
Measuring the effectiveness of your security controls, web security tools and slides, auto-converting between Java/C++/Python and integrating formal methods.
[tl;dr sec] #38 - Threat Modeling for Devs, Attacking JWTs, On Accepting Ads
Effectively teaching devs threat modeling, forging and cracking JWTs, and some radical transparency about our process of deciding to accept sponsors.
On Accepting Sponsors
tl;dr sec’s goals, values, and our thought process behind accepting sponsors. Sponsors will be clearly demarcated and will not affect the rest of the content.
[tl;dr sec] #37 - Kubernetes, SAST Snark, and Malware Targeting Open Source Supply Chain
Using Kubernetes + OPA, Twitter SAST snark & lessons learned, malware discovered on GitHub targeting the open source supply chain.
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
[tl;dr sec] #35 - Careers in Security, Testing OAuth, Session Management with Burp
Building a successful career in security and how to specialize, testing OAuth implementations, and a Burp plugin for handling session management.
[tl;dr sec] #34 - Game Theory + 0days, Kubernetes Hacking Practice, AWS Least Privilege
Game theory applied to finding and disclosing 0days, Kubernetes training labs, rightsize your AWS IAM policies to Terraform.
[tl;dr sec] #33 - Splunk’s Attack Range, Detecting Compromised Cloud Creds, Azure AD for Red Teamers
Set up your own range to practice attacking & detection, detection strategies for compromised cloud creds, intro to Azure AD for red teamers.
[tl;dr sec] #32 - Security + Empathy, Chrome Extension Security, Attacking Azure AD
Gusto CISO Flee on building a positive security culture, protecting from/attacking with Chrome extensions, pivot through Azure AD.
[tl;dr sec] #31 - Instrument with Frida, Free Course on Attacking Apps in AWS/Azure, VM with 8 C&C Frameworks
Use Frida from a Burp extension or web interface, continuous cloud security, fighting misinformation at scale.
[tl;dr sec] #30 - Securing Your Home Network, ATT&CK for Kubernetes, Google on Building Secure Systems
How to secure your home WiFi network, Microsoft releases ATT&CK matrix for Kubernetes, free 550+ page book by Google’s SREs on building secure systems.
[tl;dr sec] #29 - Testing GraphQL, Bug Bounty Programs, & AWS Service Control Policy Best Practices
Tool for testing GraphQL endpoints, how to run a great bug bounty program, restricting your AWS account with Service Control Policies, hardening Linux.
[tl;dr sec] #28 - 25 Years of Fuzzing, Secrets Management, Security Questionnaires
Some history and overview of fuzzing, preventing/detecting/remediating leaked secrets, static analysis, macOS security, reflections on privacy post COVID-19.
Lightning in a Bottle: 25 Years of Fuzzing
Richard Johnson describes the history of fuzzing, the primary types of fuzzing, modern tools and advancements, SDLC integration, and more.
[tl;dr sec] #27 - AppSec Weekly, SOC2 Starting Seven, Save Encryption
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
[tl;dr sec] #26 - Learnings from Duo, Auto-healing Clouds, Fuzzing
Jon Oberheide on Duo, self-healing AWS environments, Google’s fuzzer benchmarking and CIFuzz, securing Windows & MS accounts at scale.
Learnings from Duo
Jon Oberheide on Duo’s story, from conception through acquisition, and the important lessons he learned along the way.
[tl;dr sec] #25 - BSidesSF and RSA, Demystifying Container Security, Your Privacy Online
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
[tl;dr sec] #22 - Post AppSec Cali, K8s Security Monitoring at Scale
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
[tl;dr sec] #21 - AppSec Cali, Bezos’s Phone, Fuzzing
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
What I Learned Watching All 44 AppSec Cali 2019 Talks
Detailed summaries of ~32 hours of talks, searchable and grouped by category, to supercharge your security program 🚀
Startup Security: Starting a Security Program at a Startup
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
[tl;dr sec] #19 - Epic Post Next Week, Beyond Beyond Corp, Cloud Security Tools
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
2019
[tl;dr sec] #18 - “GitHubification” of Infosec, Ring Privacy, Ransomware Economics
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
[tl;dr sec] #16 - Art of Vulnerability Management, Cloud Security, Flan Scan, SCORE Bot
Building an effective vulnerability management process, K8s/AWS tips, network & code scanning tools, privacy preserving VA, and the Siege of Gondor.
The Art of Vulnerability Management
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
[tl;dr sec] #15 - OSINT + Screenshots, Fuzzing, and 2 Fast 2 Discoverious
Summary of an AppSec Cali 2019 talk on more efficient network penetration tests via clustering similar screenshots, fuzzing tools and articles, Bugcrowd/Bitd...
Pose a Threat: How Perceptual Analysis Helps Bug Hunters
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
[tl;dr sec] #14 - DevSecCon TLV, Slack’s Secure Overlay Network, Dangers of Struct Padding
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
DevSecCon Tel Aviv 2019 Roundup
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
[tl;dr sec] #13 - Being Powerful While Powerless, Sadcloud, and Bugcrowd’s Asset Inventory Service
Gusto’s Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
Being Powerful While Powerless: Elevating Security By Leading Without Authority
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a ...
[tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
[tl;dr sec] #10 - Cloudflare on Security, IAM Least Privilege, & Finding XSS in Firefox’s UI
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
[tl;dr sec] #9 - Autonomous Bug Reporting, HTTP Desync Attacks, & Censorship
Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, China’s censorship power is felt around the world.
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
[tl;dr sec] #7 - AppSec Cali 2019 DevSecOps Panel Summary
Notes from an AppSec Cali 2019 panel, AWS security tools, fuzzing with grammars and Gitlab, and Google P0’s iOS exploit chain discovery.
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
Data Driven Bug Bounty
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
(in)Secure Development - Why some product teams are great and others aren’t…
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
SCORE Bot: Shift Left, at Scale!
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
BSidesSF 2019: DevSecOps State of the Union
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.