[tl;dr sec] #136 - Career Advice, Scaling AppSec at Netflix, BSidesSF Summaries

Hey there,

I hope you’ve been doing well!

Trying Something New

Usually this newsletter is a series of links and quick blurbs.

This issue has some longer blurbs and almost a mini essay.

Feel free to reply directly and let me know you think, I value your feedback! 🙏

BSidesSF and RSA

Seeing so many people in person in a short amount of time has been quite the change from my hermitage over the past few decades years.

But it’s been awesome catching up with friends from all over the world, and meeting Internet friends for the first time.

One thing that’s meant a lot to me is getting fist bumps and kind words from a number of people about how much they find tl;dr sec useful.

Hearing that someone looks forward to it every week, or that it helped them get into security (and they recommend it to others to get into security), is so wonderful, and keeps me going when I’m writing late into the *checks issue number* 136th Wednesday night I’ve sacrificed spent writing it.

I’m humbled by all of your kind words, they truly do make a big impact on me, and I’ll do my utmost best every week to entertain you and share useful stuff.

OK too much emotion, quick! A meme from the backlog:

Congrats to the JupiterOne team on closing a $70M Series C funding round and achieving a $1B+ valuation. And it was founded in 2020 🤯

BSidesSF Summaries

I had the privilege of being asked to write a few quick tweet thread summaries of BSidesSF talks and share them from the official BSidesSF Twitter handle (thanks Reed!). You can read them here:

• Keynote: We Need More Mediocre Security Engineers by Asana’s Jackie Bow.

• Keynote: Building sustainable security programs by Netflix’s Astha Singhal.

• Buying Security: A Client’s Guide by Cedar’s Rami McCarthy.

• Redefining Threat Modeling: Security team goes on vacation by Segment’s Jeevan Singh.

• The power of guardrails: How to slash your risk of XSS in half by r2c’s Colleen Dai and Grayson Hardaway.

AppSec

werf/trdl
By @werf_io: an open source solution providing a secure channel for delivering updates from a trusted The Update Framework (TUF) repository.

NotSoCereal-Lab: A Deserialization exploit playground
NotSoSecure has released a new VM to hone your deserialization skills. Labs in Java, PHP, Python, and Node.

Scaling Appsec at Netflix (Part 2)
Netflix’s Astha Singhal, Lakshmi Sudheer, and Julia Knecht share an honest take on the advantages of their historical approach as well as challenges they’ve encountered.

• The bespoke nature of each partnership means that there isn’t consistency and redundancy built into the operating model and the related partnership artifacts (e.g., Security Strategy and Roadmap, Threat Model, Deliverable Tracking, Residual Risk Criteria, etc).

• They’ve discovered, through interviews with engineers, that self-service guidance doesn’t stand on its own. Moving forward, the team is investing in understanding their customer use cases better, and shifting their self-service story toward higher-context, more opinionated automated guidance to ensure developers have everything they need to make truly informed decisions about the security of their applications (similar to how they might make resiliency or other product decisions).

Web Security

NahamCon2022 Youtube Playlist
Vidoes on a variety of topics, including hacking CI systems, finding 0days in enterprise web apps, hacking crypto web apps, finding vulnerabilities by debugging source code, and more.

Cloud Security

When and where to use IAM permissions boundaries
AWS’s Umair Rehmat covers common use cases for permissions boundaries, some best practices to consider, and a few things to avoid.

Container Security

hexops/dockerfile
Dockerfile best-practices for writing production-worthy Docker images, by Sourcegraph’s Stephen Gutekanst.

Blue Team

linux-application-whitelisting/fapolicyd
A simple application whitelisting daemon for Linux.

Everything and Anything You Need To Know About SOC 2
ByteChek’s AJ Yawn provides an overview of what SOC 2 is and why it matters, key terms, types of SOC 2 reports, and more.

iOS 16 and macOS Ventura include Apple’s new Rapid Security Response
At WWDC 2022 Apple announced “Rapid Security Response,” which appears to get important security updates to your iOS or macOS devices faster (not just rolled in with full system patches), and may not require a device restart to be applied. If done well, this could be a huge win, nice!

Program Analysis

magmide/magmide
A dependently-typed proof language intended to make provably correct bare metal code possible for working software engineers. “This is why I’m building Magmide, which is intended to be to both Coq and LLVM what Rust has been to C.”

Politics / Privacy

Chinese state media propaganda found in 88% of Google, Bing news searches
“A think tank study says Chinese state media have proven very effective at influencing search engine results for users seeking information on Xinjiang, a region of China where the Uyghur ethnic minority has been subjected to what the State Department calls genocide.” As well as COVID-19 related searches.

jmdugan/blocklists
Shared lists of problem domains people may want to block with hosts files, for example, domains associated with Facebook, Google, Twitter, and more.

Misc

rpgeeganage/ifto
A simple debugging module for AWS Lambda timeouts, by Ruwan Geeganage.

FriendDA
Oftentimes semi private info is shared in friendly terms over drinks or in hallwaycon under a friend NDA, or “FriendDA.” This page takes a stab at what that means in a humorous, and I think mostly accurate way.

Career

A Cyber Threat Intelligence Self-Study Plan: Part 1
Red Canary’s Katie Nickels shares free resources and questions to consider for key topics in CTI.

Breaking Into Cloud Security
Great post by WithSecure’s Nick Jones covering general advice (people skills > technical skills, basic tech skills still matter, security doesn’t exist in a vacuum), keeping up to date, and building your technical skills (understand engineering before security, cloud and cloud security fundamentals, and specializing).

jassics/security-study-plan
A complete practical study plan to become a successful security professional in pen testing, AppSec, Cloud Security, DevSecOps and more, by Sanjeev Jaiswal.

Career Advice and Professional Development
Google’s Phil Venables has an outstanding blog, and this post is no exception.

Key points: Be persistent, actually take feedback, place your bets on some “big moves,” dealing well with career set-backs actually defines your career, constantly look for and apply the 80/20 rule, don’t buy into the trite advice that you should “do what you love”, notice the best part, you always underestimate your impact (positive and negative) on others, know when something requires A-grade effort vs. Pass/Fail, you get way more air cover and management support than you will ever know or believe, be ambitious for the team - but stay humble individually.

Security Certificates: The Uncomfortable Truth
Asana’s Jackie Bow’s 🌶 take on certs it that they’re not that useful for breaking into a technical security engineering role, and that most companies look for a Computer Science degree instead.

My personal experience largely agrees with Jackie, though I would caveat that by saying this is in the Bay Area, which has different culture and expectations from other places. I’ve heard in other parts of the U.S. or in Europe certs are viewed more positively. OSCP is generally considered pretty positively in my experience.

Lastly, I think credentials matter most for your first job. Once you have one or more jobs on your resume with “security” in your title and you’ve proven you can do the work, it matters less (I think).

For your first job, if you don’t have a CS background, getting into pen testing/security consulting can be great, as you’ll learn a ton and consulting firms tend to more willing to take bets on smart, hard working people with non traditional backgrounds.

Also, follow my friend Tanya Janca who, along with others, do a #CyberMentoringMonday hashtag every Monday to pair people up. And of course the We Hack Purple community is a warm and welcoming place to learn and meet people as well.

Good luck out there my friend! ✊

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint