• tl;dr sec
  • Posts
  • [tl;dr sec] #158 - Open Security Jobs, Career Advice, Internet Egress Filtering at Lyft

[tl;dr sec] #158 - Open Security Jobs, Career Advice, Internet Egress Filtering at Lyft

Open jobs from over 35 companies, great career advice from a variety of people, how Lyft achieved egress filtering on all services.

Author

Clint Gibler
November 09, 2022

Hey there,

I hope you’ve been doing well!

See you at Global AppSec SF?

I’ll be there next week!

If you are too, I hope we cross paths.

Happy to give you some tl;dr sec and Semgrep stickers, as well as high fives, fist bumps, or silent but knowing nods.

Semgrep Happy Hour

Come hang out with me, some of the r2c founders, the security research team, and product folks!

  • Wednesday, November 16 from 4:30pm-6:30pm

  • Cholita Linda - 1 Ferry Building, San Francisco, CA

Currently Open Security Roles

Last week I invited you to send me open jobs, so we can help support our colleagues who may be looking now due to recent company restructurings.

And you did not disappoint!

I’ve collected a ton of open job descriptions from over 35 companies onto one page for easy reference.

Feel free to let me know if there are any more I should add!

Sponsor

📢 Take on the Burp challenge before 31 Dec 22 to prove your skills and win swag

The Burp challenge, launched by PortSwigger on 7 November, is a brand new way to test and prove your web security skills, with Burp Suite Professional - the world's number one web penetration testing toolkit. Comprising four core challenges - designed to test the breadth and depth of your web security knowledge - as well as weekly mini challenges, there are opportunities to win swag and Burp Suite Certified Practitioner exam credits. The challenge runs until December 31 2022, so what are you waiting for...

Portswigger has some awesome web security training (in my opinion, probably one of the best). Worth checking out ☝️

📜 In this newsletter...

  • Global AppSec SF Talks: Some talks that look especially interesting

  • AppSec: A dive into web application authentication, Semgrep now supoprts AST-based autofixes

  • Web Security: Things to look for when testing a web application

  • Cloud Security: What AWS security scanners are missing, distribute tasks dynamically across thousands of serverless functions

  • Container Security: All-in-one Kubernetes access manager, Trivy now supports NSA Kubernetes compliance, troubleshoot containers lacking a shell or debugging tools, diff Kubernetes running state vs version controlled config

  • Blue Team: Google's Cloud Workstations released, CISA's guide to implementing phishing-resistant MFA, GraphQL-based asset inventory tools, Internet egress filtering of services at Lyft

  • Politics / Privacy: NSA's director is dropping dank memes on Twitter, why content moderation is hard

  • Misc: Everything you need to know about monorepos, Spiderfoot acquired, do a virtual tour of the great pyramid of Giza, Oregon Trail but you don't die of dysentery, preferring meaning to happiness

  • Career: Phillip Wylie on favorite tools/career/pentesting, 5 magic questions for leaders to ask their teams, resources for dealing with a sudden job loss, Twitter thread of salaries, resume tips, the fastest way to get promoted in your career, going from junior to senior engineer, hacking your offensive security career

Global AppSec SF Talks

There are a bunch of talks in the program that look cool.

I was going to list all of the ones I was most looking forward to, but then there’d be like 20. Here’s my painfully incomplete shortlist:

AppSec

A Dive Into Web Application Authentication
James Chiappetta discusses the difference between authentication and authorization, why we need MFA, how “sign in with” works, SSO, passwordless authentication, API authentication, and deep links.

Powerfully autofixing code with Semgrep’s new AST-based approach
r2c’s Nat Mote describes Semgrep engine improvements: the new autofix engine can now operate on source code as ASTs instead of text. With this change, Semgrep can now be considered not just semantic grep, but also semantic sed. The new AST-based autofix is currently available for Python, JavaScript, and TypeScript.

Web Security

Justin Gardner: A couple things I always check when looking at a web application
How is CSRF implemented, is caching implemented, how is info passed between various parts of the system, how do all the pieces of authentication work, is there documentation?

Cloud Security

AWS security assessment: what scanners are missing and how threat modeling may help you?
SoftServe’s Pawel Rzepa discusses what scanners are missing and why he think tools cannot fully replace a human assessor in performing an effective AWS security assessment. Key points: scanners lack context, more findings don’t mean a better result, scanners may have security check gaps, skipped data flows and relations. Address these gaps via threat modeling.

fyoorer/ShadowClone
By @fyoorer: Distribute your long running tasks dynamically across thousands of serverless functions and get the results within seconds.

Container Security

paralus/paralusBy Paralus:
All-in-one Kubernetes access manager. User-level credentials, RBAC, SSO, audit logs.

Trivy Now Supports NSA Kubernetes Compliance
Aqua Security’s Anaïs Urlichs describes how you can see how well your Kubernetes cluster aligns with NSA hardening guidance with: 

trivy k8s cluster --compliance=nsa –-report summary


iximiuz/cdebug
A handy way to troubleshoot containers lacking a shell and/or debugging tools (e.g, scratch, slim, or distroless), by Ivan Velichko.

weaveworks/kubediff
A tool for Kubernetes to show differences between running state and version controlled configuration, by Weaveworks.

Sponsor

📢 Best practices for securing workloads on AWS

Security and compliance are a shared responsibility between AWS and modern organizations around the world that build and deploy applications in the cloud. AWS is committed to protecting the hardware, software, networking, and facilities that run its cloud services, but what about everything else?

Check out the 5 Best Practices for Securing Workloads on AWS and get useful insights on how to:

  • Detect and remediate security vulnerabilities early on

  • Reduce open source attack vector for serverless deployments

  • And also, prevent misconfigured IaC resources from introducing risk

Blue Team

Announcement - Cloud Workstations remote IDE solution in preview
Google announces Cloud Workstations, which provides fully managed and integrated development environments on Google Cloud. Fast developer onboarding via consistent environments, supports many IDEs (like JetBrains), security controls and policy support (no source code or data is stored on local machines, fully private ingress/egress supported, etc.).

Implementing Phishing-Resistant MFA
CISA guide covering forms of MFA from strongest to weakest, phishing-resistant MFA implementations, areas of focus for implementing phishing-resistant MFA, and common issues and paths forward.

New OSS Security Projects: cnquery and cnspec
Mondoo’s Dominik Richter announces their newly released, real-time, GraphQL-based asset inventory and security assessment tools: cnquery and cnspec.

Cnquery’s GraphQL approach lets you walk the graph of interconnected resources instead of writing complicated joins. Query AWS, Azure, GCP, Kubernetes, or other APIs (complete list of resources). Cnspec then lets you assert security properties over the data cnquery provides, like: all listening ports are started only by the sshd executable.

Internet Egress Filtering of Services at Lyft
Lyft’s Dean Liu describes how they achieved egress filtering on all services, using Envoy as an explicit CONNECT and transparent proxy. Gaining observability of egress traffic lets you write detection rules based on anomalous traffic, perform network forensics, and conduct proactive threat hunting exercises.

Using this approach, they were able to create a mapping of services to a list of upstream Internet hosts that they spoke with: {service_a: [lyft.com, example.com], service_b:[eng.lyft.com], …}.

A driving principle of the Security team at Lyft is to make security easy for engineers. Security at Lyft focuses on building and providing secure infrastructure and services for our engineers so that engineers can focus on shipping features for our customers.

Politics / Privacy

Spy agency embraces meme culture and the internet is here for it
Apparently the cybersecurity director of the NSA has been posting a number of memes recently. I’m about this.

Hey Elon: Let Me Help You Speed Run The Content Moderation Learning Curve
Nice playful overview of the nuances and challenges of running a platform that requires content moderation.

Misc

Monorepo Explained
Everything you need to know about monorepos, and the tools to build them.

Intel 471 Acquires SpiderFoot
Congrats to Steve Micallef! I believe this is now the 6th tl;dr sec sponsor who has been acquired.

Go Inside the Great Pyramid of Giza
For the first time ever, do a virtual tour of the full interior of Khufu’s Pyramid at Giza, Egypt.

You Have Not Died Of Dysentery
The Oregon Trail game, but this time dysentery can’t kill you. It can just make the trip a real mess.

I prefer meaning to happiness: Peter Thiel
Some questions from Clayton Christensen:

• How can I be sure that I will be happy in my career?

• How can I be sure that my relationships become an enduring source of happiness?

Peter’s response:

“We have meaningful lives… when we do things that are important that otherwise would not get done. You don’t want to be a cog in a machine, you don’t want to be doing a thing that if you didn’t do it, a thousand other people would take your place. And so it’s always but for you, but for this venture or this company that you’re working on, this important thing would not get done. That tends to be extremely meaningful, and I think you should always aim for that.”

Career

@phillipwylie Talks About His Favorite Tools, Switching Careers, And Pentesting!
Phillip Wylie joins Ben Sadeghipour, Jason Haddix, and Farah Hawa to discuss the evolution of pentesting, certifications, favorite tools, work/life balance, burnout, and more.

  1. How are you feeling about your life at work?

  2. How are you feeling about your work-from-home set up?

  3. How are we performing as a company?

  4. What is it like to work with the rest of the team?

  5. What is it like to work with me?

After each question:

What would get it to the next level?

When considering what to work on, recognize that some work will be easy for you, and some work will be hard. Some work will be valuable to your leadership (high-impact, supports a pet-project of theirs, etc.), and some work won’t be (low-impact, low-visibility, etc).

Look for work that is both easy for you and valuable to your leadership. Easier said than done, but this will allow you to deliver many things quickly (either serially or in parallel) that are valuable to your manager, your manager’s manager, etc.

 

As a junior engineer, I found it valuable to focus on my craft and get better at executing, doing things more quickly so I could focus my time on more important things.

As a senior engineer, I found it very helpful to keep asking questions, making sure I’m working on the right things, and ensure my projects always had a learning component.

Hacking Your Offensive Security Career
Some great career advice from NCC Group’s Lawrence Munro. Too much good stuff to concisely summarize here, but some notes:

  • Hard work and capability development should always be prioritized ahead of career engineering.

  • Don’t get stuck in the ‘teacher-student mind-set’: thinking anyone else has responsibility or accountability for your learning.

  • Finding a cheerleader and/or mentor often often happens organically when you demonstrate the right aptitude and attitude.

The most important thing (in my humble opinion) for personal development is the ownership of it and the acceptance that you will need to drive this throughout your career.

Make the business case for you getting training

To get your employer to fund training, make a strong the business case for it. Remember that what you want is the outcome and not a win for your ego.

The harsh reality is, you are not entitled to expensive external training (unless you were smart enough to negotiate this into your contract when you joined).

If you can’t get a shell on a job, would you complain it’s being unfair? You’d look for the solution.

Don’t focus on disparities in what you perceive as fairness, focus on what you want and why you should get it. You don’t know other people’s situations and the business will not want to discuss this with you.

Being a top performer

The first thing that differentiates the very top performers is their cadence and their ability to find and process new information. This normally takes the form of being well-organised and having a set-up that allows them to process new information (normally TTPs) fast.

Another common trait of high performers is openness to different approaches and new ways of working. It’s important that you try to stay technology agnostic in your approach.

Go broad, then deep

When you look at high performers who’re specialist, they normally have a background with broad experiences. They’ve been a generalist before they’ve become a specialist, in fact, that generalism has likely allowed them to become the ninja they are today.

From speaking to people who have made this mistake, it’s MUCH harder to spend time later in your career building these foundations or filling gaps. This can be because you’re now expected to deliver and have less dedicated time from your employer, you’re a bit older and have greater responsibilities in your personal life or you may feel generally burnt out.

5 dimensions to getting promoted

Generally speaking, there are five dimensions to getting promoted within your organisation: capability (skills and performance), attitude, potential, promotion appetite of your employer (created by growth or attrition) and perception. Like any good hacker, you need to figure out how the current process works within your organisation and plan your tact. The best way to find out the process and criteria is to ask.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint

Hey there,

I hope you’ve been doing well!

See you at Global AppSec SF?

I’ll be there next week!

If you are too, I hope we cross paths.

Happy to give you some tl;dr sec and Semgrep stickers, as well as high fives, fist bumps, or silent but knowing nods.

Semgrep Happy Hour

Come hang out with me, some of the r2c founders, the security research team, and product folks!

  • Wednesday, November 16 from 4:30pm-6:30pm

  • Cholita Linda - 1 Ferry Building, San Francisco, CA

Currently Open Security Roles

Last week I invited you to send me open jobs, so we can help support our colleagues who may be looking now due to recent company restructurings.

And you did not disappoint!

I’ve collected a ton of open job descriptions from over 35 companies onto one page for easy reference.

Feel free to let me know if there are any more I should add!

Sponsor

📢 Take on the Burp challenge before 31 Dec 22 to prove your skills and win swag

The Burp challenge, launched by PortSwigger on 7 November, is a brand new way to test and prove your web security skills, with Burp Suite Professional - the world's number one web penetration testing toolkit. Comprising four core challenges - designed to test the breadth and depth of your web security knowledge - as well as weekly mini challenges, there are opportunities to win swag and Burp Suite Certified Practitioner exam credits. The challenge runs until December 31 2022, so what are you waiting for...

Portswigger has some awesome web security training (in my opinion, probably one of the best). Worth checking out ☝️

📜 In this newsletter...

  • Global AppSec SF Talks: Some talks that look especially interesting

  • AppSec: A dive into web application authentication, Semgrep now supoprts AST-based autofixes

  • Web Security: Things to look for when testing a web application

  • Cloud Security: What AWS security scanners are missing, distribute tasks dynamically across thousands of serverless functions

  • Container Security: All-in-one Kubernetes access manager, Trivy now supports NSA Kubernetes compliance, troubleshoot containers lacking a shell or debugging tools, diff Kubernetes running state vs version controlled config

  • Blue Team: Google's Cloud Workstations released, CISA's guide to implementing phishing-resistant MFA, GraphQL-based asset inventory tools, Internet egress filtering of services at Lyft

  • Politics / Privacy: NSA's director is dropping dank memes on Twitter, why content moderation is hard

  • Misc: Everything you need to know about monorepos, Spiderfoot acquired, do a virtual tour of the great pyramid of Giza, Oregon Trail but you don't die of dysentery, preferring meaning to happiness

  • Career: Phillip Wylie on favorite tools/career/pentesting, 5 magic questions for leaders to ask their teams, resources for dealing with a sudden job loss, Twitter thread of salaries, resume tips, the fastest way to get promoted in your career, going from junior to senior engineer, hacking your offensive security career

Global AppSec SF Talks

There are a bunch of talks in the program that look cool.

I was going to list all of the ones I was most looking forward to, but then there’d be like 20. Here’s my painfully incomplete shortlist:

AppSec

A Dive Into Web Application Authentication
James Chiappetta discusses the difference between authentication and authorization, why we need MFA, how “sign in with” works, SSO, passwordless authentication, API authentication, and deep links.

Powerfully autofixing code with Semgrep’s new AST-based approach
r2c’s Nat Mote describes Semgrep engine improvements: the new autofix engine can now operate on source code as ASTs instead of text. With this change, Semgrep can now be considered not just semantic grep, but also semantic sed. The new AST-based autofix is currently available for Python, JavaScript, and TypeScript.

Web Security

Justin Gardner: A couple things I always check when looking at a web application
How is CSRF implemented, is caching implemented, how is info passed between various parts of the system, how do all the pieces of authentication work, is there documentation?

Cloud Security

AWS security assessment: what scanners are missing and how threat modeling may help you?
SoftServe’s Pawel Rzepa discusses what scanners are missing and why he think tools cannot fully replace a human assessor in performing an effective AWS security assessment. Key points: scanners lack context, more findings don’t mean a better result, scanners may have security check gaps, skipped data flows and relations. Address these gaps via threat modeling.

fyoorer/ShadowClone
By @fyoorer: Distribute your long running tasks dynamically across thousands of serverless functions and get the results within seconds.

Container Security

paralus/paralusBy Paralus:
All-in-one Kubernetes access manager. User-level credentials, RBAC, SSO, audit logs.

Trivy Now Supports NSA Kubernetes Compliance
Aqua Security’s Anaïs Urlichs describes how you can see how well your Kubernetes cluster aligns with NSA hardening guidance with: 

trivy k8s cluster --compliance=nsa –-report summary


iximiuz/cdebug
A handy way to troubleshoot containers lacking a shell and/or debugging tools (e.g, scratch, slim, or distroless), by Ivan Velichko.

weaveworks/kubediff
A tool for Kubernetes to show differences between running state and version controlled configuration, by Weaveworks.

Sponsor

📢 Best practices for securing workloads on AWS

Security and compliance are a shared responsibility between AWS and modern organizations around the world that build and deploy applications in the cloud. AWS is committed to protecting the hardware, software, networking, and facilities that run its cloud services, but what about everything else?

Check out the 5 Best Practices for Securing Workloads on AWS and get useful insights on how to:

  • Detect and remediate security vulnerabilities early on

  • Reduce open source attack vector for serverless deployments

  • And also, prevent misconfigured IaC resources from introducing risk

Blue Team

Announcement - Cloud Workstations remote IDE solution in preview
Google announces Cloud Workstations, which provides fully managed and integrated development environments on Google Cloud. Fast developer onboarding via consistent environments, supports many IDEs (like JetBrains), security controls and policy support (no source code or data is stored on local machines, fully private ingress/egress supported, etc.).

Implementing Phishing-Resistant MFA
CISA guide covering forms of MFA from strongest to weakest, phishing-resistant MFA implementations, areas of focus for implementing phishing-resistant MFA, and common issues and paths forward.

New OSS Security Projects: cnquery and cnspec
Mondoo’s Dominik Richter announces their newly released, real-time, GraphQL-based asset inventory and security assessment tools: cnquery and cnspec.

Cnquery’s GraphQL approach lets you walk the graph of interconnected resources instead of writing complicated joins. Query AWS, Azure, GCP, Kubernetes, or other APIs (complete list of resources). Cnspec then lets you assert security properties over the data cnquery provides, like: all listening ports are started only by the sshd executable.

Internet Egress Filtering of Services at Lyft
Lyft’s Dean Liu describes how they achieved egress filtering on all services, using Envoy as an explicit CONNECT and transparent proxy. Gaining observability of egress traffic lets you write detection rules based on anomalous traffic, perform network forensics, and conduct proactive threat hunting exercises.

Using this approach, they were able to create a mapping of services to a list of upstream Internet hosts that they spoke with: {service_a: [lyft.com, example.com], service_b:[eng.lyft.com], …}.

A driving principle of the Security team at Lyft is to make security easy for engineers. Security at Lyft focuses on building and providing secure infrastructure and services for our engineers so that engineers can focus on shipping features for our customers.

Politics / Privacy

Spy agency embraces meme culture and the internet is here for it
Apparently the cybersecurity director of the NSA has been posting a number of memes recently. I’m about this.

Hey Elon: Let Me Help You Speed Run The Content Moderation Learning Curve
Nice playful overview of the nuances and challenges of running a platform that requires content moderation.

Misc

Monorepo Explained
Everything you need to know about monorepos, and the tools to build them.

Intel 471 Acquires SpiderFoot
Congrats to Steve Micallef! I believe this is now the 6th tl;dr sec sponsor who has been acquired.

Go Inside the Great Pyramid of Giza
For the first time ever, do a virtual tour of the full interior of Khufu’s Pyramid at Giza, Egypt.

You Have Not Died Of Dysentery
The Oregon Trail game, but this time dysentery can’t kill you. It can just make the trip a real mess.

I prefer meaning to happiness: Peter Thiel
Some questions from Clayton Christensen:

• How can I be sure that I will be happy in my career?

• How can I be sure that my relationships become an enduring source of happiness?

Peter’s response:

“We have meaningful lives… when we do things that are important that otherwise would not get done. You don’t want to be a cog in a machine, you don’t want to be doing a thing that if you didn’t do it, a thousand other people would take your place. And so it’s always but for you, but for this venture or this company that you’re working on, this important thing would not get done. That tends to be extremely meaningful, and I think you should always aim for that.”

Career

@phillipwylie Talks About His Favorite Tools, Switching Careers, And Pentesting!
Phillip Wylie joins Ben Sadeghipour, Jason Haddix, and Farah Hawa to discuss the evolution of pentesting, certifications, favorite tools, work/life balance, burnout, and more.

  1. How are you feeling about your life at work?

  2. How are you feeling about your work-from-home set up?

  3. How are we performing as a company?

  4. What is it like to work with the rest of the team?

  5. What is it like to work with me?

After each question:

What would get it to the next level?

When considering what to work on, recognize that some work will be easy for you, and some work will be hard. Some work will be valuable to your leadership (high-impact, supports a pet-project of theirs, etc.), and some work won’t be (low-impact, low-visibility, etc).

Look for work that is both easy for you and valuable to your leadership. Easier said than done, but this will allow you to deliver many things quickly (either serially or in parallel) that are valuable to your manager, your manager’s manager, etc.

 

As a junior engineer, I found it valuable to focus on my craft and get better at executing, doing things more quickly so I could focus my time on more important things.

As a senior engineer, I found it very helpful to keep asking questions, making sure I’m working on the right things, and ensure my projects always had a learning component.

Hacking Your Offensive Security Career
Some great career advice from NCC Group’s Lawrence Munro. Too much good stuff to concisely summarize here, but some notes:

  • Hard work and capability development should always be prioritized ahead of career engineering.

  • Don’t get stuck in the ‘teacher-student mind-set’: thinking anyone else has responsibility or accountability for your learning.

  • Finding a cheerleader and/or mentor often often happens organically when you demonstrate the right aptitude and attitude.

The most important thing (in my humble opinion) for personal development is the ownership of it and the acceptance that you will need to drive this throughout your career.

Make the business case for you getting training

To get your employer to fund training, make a strong the business case for it. Remember that what you want is the outcome and not a win for your ego.

The harsh reality is, you are not entitled to expensive external training (unless you were smart enough to negotiate this into your contract when you joined).

If you can’t get a shell on a job, would you complain it’s being unfair? You’d look for the solution.

Don’t focus on disparities in what you perceive as fairness, focus on what you want and why you should get it. You don’t know other people’s situations and the business will not want to discuss this with you.

Being a top performer

The first thing that differentiates the very top performers is their cadence and their ability to find and process new information. This normally takes the form of being well-organised and having a set-up that allows them to process new information (normally TTPs) fast.

Another common trait of high performers is openness to different approaches and new ways of working. It’s important that you try to stay technology agnostic in your approach.

Go broad, then deep

When you look at high performers who’re specialist, they normally have a background with broad experiences. They’ve been a generalist before they’ve become a specialist, in fact, that generalism has likely allowed them to become the ninja they are today.

From speaking to people who have made this mistake, it’s MUCH harder to spend time later in your career building these foundations or filling gaps. This can be because you’re now expected to deliver and have less dedicated time from your employer, you’re a bit older and have greater responsibilities in your personal life or you may feel generally burnt out.

5 dimensions to getting promoted

Generally speaking, there are five dimensions to getting promoted within your organisation: capability (skills and performance), attitude, potential, promotion appetite of your employer (created by growth or attrition) and perception. Like any good hacker, you need to figure out how the current process works within your organisation and plan your tact. The best way to find out the process and criteria is to ask.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint