Hey there,
I hope you've been doing well!
Trying Something New
Usually this newsletter is a series of links and quick blurbs.
This issue has some longer blurbs and almost a mini essay.
Feel free to reply directly and let me know what you think, I value your feedback!
BSidesSF and RSA
Seeing so many people in person in a short amount of time has been quite the
change from my hermitage over the past few decades years.
But it's been awesome catching up with friends from all over the world, and meeting Internet friends for the first time.
One thing that's meant a lot to me is getting fist bumps and kind words from a number of people about how much they find tl;dr sec useful.
Hearing that someone looks forward to it every week, or that it helped them get
into security (and they recommend it to others to get into security), is so wonderful, and keeps me going when I'm writing late into the *checks issue number*
136th Wednesday night I've sacrificed spent writing it.
"tl;dr sec is my only connection to the technical world." - Caleb Sima, Robinhood CSO
I'm humbled by all of your kind words, they truly do make a big impact on me, and I'll do my utmost best every week to entertain you and share useful stuff.
OK too much emotion, quick! A meme from the backlog:
Sponsor
JupiterOne: Context and visibility into your entire cyber asset attack surface
As companies expand to the cloud, cyber asset visibility worsens. Resources are deployed and access granted without a full understanding of how it impacts a company's vulnerability to attack, and legacy solutions like a SIEM or CSPM can't touch every asset necessary to contextualize the entire cyber asset attack surface.
That's where the JupiterOne Cyber Asset Management Platform comes in. We answer the complex security and infrastructure questions you weren't able to before. Understand the contextual relationships between cyber assets and build the foundation for your cloud security program.
Get started with your free account today
Congrats to the JupiterOne team on closing a $70M Series C funding round and achieving a $1B+ valuation. And it was founded in 2020!
In this newsletter...
- BSidesSF Summaries: Quick summaries of 2 keynotes and 3 talks
- AppSec: tool to get updates from a TUF repo, deserialization exploit playground, scaling AppSec at Netflix
- Web Security: NahamCon2022 Youtube Playlist
- Cloud Security: When and where to use IAM permissions boundaries
- Container Security: Dockerfile best practices
- Blue Team: Simple app whitelisting daemon for Linux, everything you need to know about SOC 2, Apple's new Rapid Security Response
- Program Analysis: Dependently-typed proof language to make provable correct bare metal code possible for normal devs
- Politics / Privacy: Chinese state media propaganda is in your search engine results, a list of tracking domains you might want to block
- Misc: Debugging module for AWS Lambda timeouts, FriendDA sample contract
- Career: Cyber Threat Intelligence self-study plan, breaking into cloud security, study plan for a number of security areas, career and professional development advice, the uncomfortable truth about security certs
BSidesSF Summaries
I had the privilege of being asked to write a few quick tweet thread summaries of BSidesSF talks and share them from the official BSidesSF Twitter handle (thanks Reed!). You can read them here:
- Keynote: We Need More Mediocre Security Engineers by Asana's Jackie Bow.
- Keynote: Building sustainable security programs by Netflix's Astha Singhal.
- Buying Security: A Client's Guide by Cedar's Rami McCarthy.
- Redefining Threat Modeling: Security team goes on vacation by Segment's Jeevan Singh.
- The power of guardrails: How to slash your risk of XSS in half by r2c's Colleen Dai and Grayson Hardaway.
AppSec
werf/trdl
By @werf_io: an open source solution providing a secure channel for delivering updates from a trusted TUF (The Update Framework) repository.
NotSoCereal-Lab: A Deserialization exploit playground
NotSoSecure has released a new VM to hone your deserialization skills. Labs in Java, PHP, Python, and Node.
Scaling Appsec at Netflix (Part 2)
Netflix's Astha Singhal, Lakshmi Sudheer, and Julia Knecht share an honest take on the advantages of their historical approach as well as challenges they've encountered.
- The bespoke nature of each partnership means that there isn't consistency and redundancy built into the operating model and the related partnership artifacts (e.g., Security Strategy and Roadmap, Threat Model, Deliverable Tracking, Residual Risk Criteria, etc.).
- They've discovered, through interviews with engineers, that self-service guidance doesn't stand on its own. Moving forward, the team is investing in understanding their customer use cases better, and shifting their self-service story toward higher-context, more opinionated automated guidance to ensure developers have everything they need to make truly informed decisions about the security of their applications (similar to how they might make resiliency or other product decisions).
Web Security
NahamCon2022 Youtube Playlist
Videos on a variety of topics, including hacking CI systems, finding 0days in enterprise web apps, hacking crypto web apps, finding vulnerabilities by debugging source code, and more.
Cloud Security
When and where to use IAM permissions boundaries
AWS's Umair Rehmat covers common use cases for permissions boundaries, some best practices to consider, and a few things to avoid.
Container Security
hexops/dockerfile
Dockerfile best practices for writing production-worthy Docker images, by Sourcegraph's Stephen Gutekanst.
Blue Team
linux-application-whitelisting/fapolicyd
A simple application whitelisting daemon for Linux.
Everything and Anything You Need To Know About SOC 2
ByteChek's AJ Yawn provides an overview of what SOC 2 is and why it matters, key terms, types of SOC 2 reports, and more.
iOS 16 and macOS Ventura include Apple's new Rapid Security Response
At WWDC 2022 Apple announced "Rapid Security Response," which appears to get important security updates to your iOS or macOS devices faster (not just rolled in with full system patches), and may not require a device restart to be applied. If done well, this could be a huge win, nice!
Program Analysis
magmide/magmide
A dependently-typed proof language intended to make provably correct bare metal code possible for working software engineers. "This is why I'm building Magmide, which is intended to be to both Coq and LLVM what Rust has been to C."
Politics / Privacy
Chinese state media propaganda found in 88% of Google, Bing news searches
"A think tank study says Chinese state media have proven very effective at influencing search engine results for users seeking information on Xinjiang, a region of China where the Uyghur ethnic minority has been subjected to what the State Department calls genocide." The study also looked at COVID-19 related searches.
"At least one Chinese state-backed news outlet appeared in the top 10 results in 88% of news searches, the researchers found. On YouTube, state media appeared even more often, showing up in 98% of searches."
jmdugan/blocklists
Shared lists of problem domains people may want to block with hosts files, for example, domains associated with Facebook, Google, Twitter, and more.
Sponsor
FIND, FOCUS, and FIX the Cloud Threats that Matter
How do you identify and prioritize the "real" risks in the cloud? Traditional tools lack visibility, and cloud providers' tools are not enough. Getting security right starts with a "first principles" approach to finding, focusing, and fixing risks across the cloud and containers.
Learn How
Misc
rpgeeganage/ifto
A simple debugging module for AWS Lambda timeouts, by Ruwan Geeganage.
FriendDA
Oftentimes semi-private info is shared in friendly terms over drinks or in hallwaycon under a friend NDA, or "FriendDA." This page takes a stab at what that means in a humorous, and I think mostly accurate, way.
Career
A Cyber Threat Intelligence Self-Study Plan: Part 1
Red Canary's Katie Nickels shares free resources and questions to consider for key topics in CTI.
Breaking Into Cloud Security
Great post by WithSecure's Nick Jones covering general advice (people skills > technical skills, basic tech skills still matter, security doesn't exist in a vacuum), keeping up to date, and building your technical skills (understand engineering before security, cloud and cloud security fundamentals, and specializing).
jassics/security-study-plan
A complete practical study plan to become a successful security professional in pen testing, AppSec, Cloud Security, DevSecOps and more, by Sanjeev Jaiswal.
Career Advice and Professional Development
Google's Phil Venables has an outstanding blog, and this post is no exception.
"Showing up and working hard doesn't always mean long hours, rather, it means paying attention to what needs to be done and putting in the effort to do that irrespective of your job role."
"Some people think these types of [prestigious positions] are just magically bestowed on relatively well known professionals. They can be, but a lot of the time it's the result of a whole bunch of less well known contributions over decades."
Key points:
- Be persistent, and actually take feedback.
- Place your bets on some "big moves."
- Dealing well with career set-backs actually defines your career.
- Constantly look for and apply the 80/20 rule.
- Don't buy into the trite advice that you should "do what you love"; notice the best part.
- You always underestimate your impact (positive and negative) on others.
- Know when something requires A-grade effort vs. Pass/Fail.
- You get way more air cover and management support than you will ever know or believe.
- Be ambitious for the team, but stay humble individually.
Security Certificates: The Uncomfortable Truth
Asana's Jackie Bow's take on certs is that they're not that useful for breaking into a technical security engineering role, and that most companies look for a Computer Science degree instead.
My personal experience largely agrees with Jackie, though I would caveat that by saying this is in the Bay Area, which has different culture and expectations from other places. I've heard in other parts of the U.S. or in Europe certs are viewed more positively. OSCP is generally considered pretty positively in my experience.
Lastly, I think credentials matter most for your first job. Once you have one or more jobs on your resume with "security" in your title and you've proven you can do the work, it matters less (I think).
For your first job, if you don't have a CS background, getting into pen testing/security consulting can be great, as you'll learn a ton and consulting firms tend to be more willing to take bets on smart, hard-working people with non-traditional backgrounds.
Also, follow my friend Tanya Janca who, along with others, runs a #CyberMentoringMonday hashtag every Monday to pair people up. And of course the We Hack Purple community is a warm and welcoming place to learn and meet people as well.
Good luck out there my friend!
Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them.
Thanks for reading!
Cheers,
Clint
@clintgibler @tldrsec