[tl;dr sec] #136 - Career Advice, Scaling AppSec at Netflix, BSidesSF Summaries

Many career resources, lessons learned scaling AppSec at Netflix, 5 mini summaries I wrote of BSidesSF talks.

Hey there,

I hope you’ve been doing well!

Trying Something New

Usually this newsletter is a series of links and quick blurbs.

This issue has some longer blurbs and almost a mini essay.

Feel free to reply directly and let me know what you think, I value your feedback! 🙏

BSidesSF and RSA

Seeing so many people in person in a short amount of time has been quite the change from my hermitage over the past few decades years.

But it’s been awesome catching up with friends from all over the world, and meeting Internet friends for the first time.

One thing that’s meant a lot to me is getting fist bumps and kind words from a number of people about how much they find tl;dr sec useful.

Hearing that someone looks forward to it every week, or that it helped them get into security (and they recommend it to others to get into security), is so wonderful, and keeps me going when I’m writing late into the *checks issue number* 136th Wednesday night I’ve sacrificed spent writing it.

tl;dr sec is my only connection to the technical world. -Caleb Sima, Robinhood CSO

I’m humbled by all of your kind words, they truly do make a big impact on me, and I’ll do my utmost best every week to entertain you and share useful stuff.

OK too much emotion, quick! A meme from the backlog:

Sponsor

📢 JupiterOne: Context and visibility into your entire cyber asset attack surface

As companies expand to the cloud, cyber asset visibility worsens. Resources are deployed and access granted without a full understanding of how it impacts a company’s vulnerability to attack, and legacy solutions like a SIEM or CSPM can’t touch every asset necessary to contextualize the entire cyber asset attack surface.

That’s where the JupiterOne Cyber Asset Management Platform comes in. We answer the complex security and infrastructure questions you weren’t able to before. Understand the contextual relationships between cyber assets and build the foundation for your cloud security program.

Congrats to the JupiterOne team on closing a $70M Series C funding round and achieving a $1B+ valuation. And it was founded in 2020 🤯

📜 In this newsletter...

  • BSidesSF Summaries: Quick summaries of 2 keynotes and 3 talks

  • AppSec: tool to get updates from a TUF repo, deserialization exploit playground, scaling AppSec at Netflix

  • Web Security: NahamCon2022 Youtube Playlist

  • Cloud Security: When and where to use IAM permissions boundaries

  • Container Security: Dockerfile best practices

  • Blue Team: Simple app whitelisting daemon for Linux, everything you need to know about SOC 2, Apple's new Rapid Security Response

  • Program Analysis: Dependently-typed proof language to make provable correct bare metal code possible for normal devs

  • Politics / Privacy: Chinese state media propaganda is in your search engine results, a list of tracking domains you might want to block

  • Misc: Debugging module for AWS Lambda timeouts, FriendDA sample contract

  • Career: Cyber Threat Intelligence self-study plan, breaking into cloud security, study plan for a number of security areas, career and professional development advice, the uncomfortable truth about security certs

BSidesSF Summaries

I had the privilege of being asked to write a few quick tweet thread summaries of BSidesSF talks and share them from the official BSidesSF Twitter handle (thanks Reed!). You can read them here:

AppSec

werf/trdl
By @werf_io: an open source solution providing a secure channel for delivering updates from a trusted repository based on The Update Framework (TUF).

NotSoCereal-Lab: A Deserialization exploit playground
NotSoSecure has released a new VM to hone your deserialization skills. Labs in Java, PHP, Python, and Node.

Scaling Appsec at Netflix (Part 2)
Netflix’s Astha Singhal, Lakshmi Sudheer, and Julia Knecht share an honest take on the advantages of their historical approach as well as challenges they’ve encountered.

  • The bespoke nature of each partnership means that there isn’t consistency and redundancy built into the operating model and the related partnership artifacts (e.g., Security Strategy and Roadmap, Threat Model, Deliverable Tracking, Residual Risk Criteria, etc).

  • They’ve discovered, through interviews with engineers, that self-service guidance doesn’t stand on its own. Moving forward, the team is investing in understanding their customer use cases better, and shifting their self-service story toward higher-context, more opinionated automated guidance to ensure developers have everything they need to make truly informed decisions about the security of their applications (similar to how they might make resiliency or other product decisions).

Web Security

NahamCon2022 Youtube Playlist
Videos on a variety of topics, including hacking CI systems, finding 0days in enterprise web apps, hacking crypto web apps, finding vulnerabilities by debugging source code, and more.

Cloud Security

When and where to use IAM permissions boundaries
AWS’s Umair Rehmat covers common use cases for permissions boundaries, some best practices to consider, and a few things to avoid.

Container Security

hexops/dockerfile
Dockerfile best-practices for writing production-worthy Docker images, by Sourcegraph’s Stephen Gutekanst.

Blue Team

linux-application-whitelisting/fapolicyd
A simple application whitelisting daemon for Linux.

Everything and Anything You Need To Know About SOC 2
ByteChek’s AJ Yawn provides an overview of what SOC 2 is and why it matters, key terms, types of SOC 2 reports, and more.

iOS 16 and macOS Ventura include Apple’s new Rapid Security Response
At WWDC 2022 Apple announced “Rapid Security Response,” which appears to get important security updates to your iOS or macOS devices faster (not just rolled in with full system patches), and may not require a device restart to be applied. If done well, this could be a huge win, nice!

Program Analysis

magmide/magmide
A dependently-typed proof language intended to make provably correct bare metal code possible for working software engineers. “This is why I’m building Magmide, which is intended to be to both Coq and LLVM what Rust has been to C.”

Politics / Privacy

Chinese state media propaganda found in 88% of Google, Bing news searches
“A think tank study says Chinese state media have proven very effective at influencing search engine results for users seeking information on Xinjiang, a region of China where the Uyghur ethnic minority has been subjected to what the State Department calls genocide.” As well as COVID-19 related searches.

At least one Chinese state-backed news outlet appeared in the top 10 results in 88% of news searches, the researchers found. On YouTube, state media appeared even more often, showing up in 98% of searches.

jmdugan/blocklists
Shared lists of problem domains people may want to block with hosts files, for example, domains associated with Facebook, Google, Twitter, and more.

Sponsor

📢 FIND, FOCUS, and FIX the Cloud Threats that Matter

How do you identify and prioritize the ‘real’ risks in the cloud? Traditional tools lack visibility, and cloud providers’ tools are not enough. Getting security right starts with a “first principles” approach to finding, focusing, and fixing risks across the cloud and containers.

Misc

rpgeeganage/ifto
A simple debugging module for AWS Lambda timeouts, by Ruwan Geeganage.

FriendDA
Oftentimes semi private info is shared in friendly terms over drinks or in hallwaycon under a friend NDA, or “FriendDA.” This page takes a stab at what that means in a humorous, and I think mostly accurate way.

Career

A Cyber Threat Intelligence Self-Study Plan: Part 1
Red Canary’s Katie Nickels shares free resources and questions to consider for key topics in CTI.

Breaking Into Cloud Security
Great post by WithSecure’s Nick Jones covering general advice (people skills > technical skills, basic tech skills still matter, security doesn’t exist in a vacuum), keeping up to date, and building your technical skills (understand engineering before security, cloud and cloud security fundamentals, and specializing).

jassics/security-study-plan
A complete practical study plan to become a successful security professional in pen testing, AppSec, Cloud Security, DevSecOps and more, by Sanjeev Jaiswal.

Career Advice and Professional Development
Google’s Phil Venables has an outstanding blog, and this post is no exception.

Showing up and working hard doesn’t always mean long hours, rather, it means paying attention to what needs to be done and putting in the effort to do that irrespective of your job role.

Some people think these types of [prestigious positions] are just magically bestowed on relatively well known professionals. They can be, but a lot of the time it’s the result of a whole bunch of less well known contributions over decades.

Key points:

  • Be persistent, and actually take feedback.

  • Place your bets on some “big moves.”

  • Dealing well with career setbacks actually defines your career.

  • Constantly look for and apply the 80/20 rule.

  • Don’t buy into the trite advice that you should “do what you love”; notice the best part.

  • You always underestimate your impact (positive and negative) on others.

  • Know when something requires A-grade effort vs. Pass/Fail.

  • You get way more air cover and management support than you will ever know or believe.

  • Be ambitious for the team, but stay humble individually.

Security Certificates: The Uncomfortable Truth
Asana’s Jackie Bow’s 🌶 take on certs is that they’re not that useful for breaking into a technical security engineering role, and that most companies look for a Computer Science degree instead.

My personal experience largely agrees with Jackie, though I would caveat that by saying this is in the Bay Area, which has different culture and expectations from other places. I’ve heard in other parts of the U.S. or in Europe certs are viewed more positively. OSCP is generally considered pretty positively in my experience.

Lastly, I think credentials matter most for your first job. Once you have one or more jobs on your resume with “security” in your title and you’ve proven you can do the work, it matters less (I think).

For your first job, if you don’t have a CS background, getting into pen testing/security consulting can be great, as you’ll learn a ton and consulting firms tend to be more willing to take bets on smart, hard-working people with non-traditional backgrounds.

Also, follow my friend Tanya Janca who, along with others, runs a #CyberMentoringMonday hashtag every Monday to pair people up. And of course the We Hack Purple community is a warm and welcoming place to learn and meet people as well.

Good luck out there my friend! ✊

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint