Hey there,

I hope you’ve been doing well!

Into the Woods

Outside: it’s pitch black and silent except for the steady patter of the rain.

Inside: a cacophony. A series of serial snorers creating a snorechestra surrounding me.

I blearily look at my phone: 3am. I pick up my blanket and pillow and trudge through the rain to the common room, where I attempt to sleep on the couch in front of the fire until I'm joined by the early-morning coffee drinkers at 7am.

And that was literally my first night at r2c’s offsite this week, which has been a blast 😀

We’ve flown in people from all over the U.S., the UK, Italy, France, the Philippines, and more to bond in the woods with basically no WiFi. We’ve relaxed, planned, and done activities like archery, lock picking, capture the flag, and getting choked out in Brazilian Jiu-Jitsu.

If this sounds fun, we’re hiring, including on my Security Research team (JD to be posted soon, email clint AT r2c.dev if you’re interested).

Webinar with Jim Manico: Broken Access Control

Jim and I will walk through some access control best practices, how to continuously check for access control bugs, and how to stop them from being introduced in the first place by enforcing checks in CI.

Hope to see you there next Wednesday March 15, 10am PT.


📢 Drata’s Compliance Trends Report 2023

Companies are spending an average of 4,300 hours on compliance per year, and many of them see compliance as a burden. But 3 in 4 companies who shift from point-in-time to continuous compliance report benefits beyond audit readiness including shortened sales cycles.

Get more insights on the shift to continuous compliance from Drata's 2023 Compliance Trends Report.

Download Now

📜 In this newsletter...

  • AppSec: Navigating the Sandbox Buffet, DevSecOps Roadmap, secrets finder tool
  • Cloud Security: The benefits of a customer-centric cloud security mindset, Five Things You Need to Know About Malware on Storage Buckets, Operation leveraging Terraform, Kubernetes, and AWS for data theft
  • Container Security: Temporary policy exceptions in Kubernetes with Kyverno
  • Blue Team: CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks, Best Practices For Securing Your Home Network
  • Politics / Privacy: Deconstructing the National Cybersecurity Strategy, Ransomware as a service: Understanding the cybercrime gig economy
  • Machine Learning: Last Week Tonight on AI, companies trying to keep up with ChatGPT, awesome reinforcement learning for security, An ML Framework for Alert Prioritization, CoPilot Thoughts After 6 Months
  • Misc: All Timelines, Neal Stephenson AMA, Big Tech job-switching stats, Popular education in Sweden
  • Career: Dropbox Engineering Career Framework, So want to be a SOC Analyst?, Creating a cert plan, Demystifying Security Research, The InfoSec community needs you, Security Cert Roadmap, What are two skillsets you need transitioning from pentester to Product Security?, Reflections on the CS academic and industry job markets, IppSec on Launching your cybersecurity career, 2022 Cybersecurity roadmap: How to get started?, The best Hacking Courses & Certs? Your roadmap to Pentester success, Update on being Independent [3 years later], A sensible approach to compensation for remote teams


USENIX Enigma 2023 - Navigating the Sandbox Buffet
Figma’s Maxime Serrano presents the challenges of running potentially risky software within organizational infrastructure and how sandboxing can be an effective defense for running untrusted code, covering the pros and cons of approaches such as virtual machines, namespaces, and containers.

DevSecOps Roadmap
A collection and roadmap for learning DevSecOps by Hahwul, covering resources and tools for every step of the development process.

[Image: DevSecOps overview]

CLI tool by Praetorian for finding secrets and sensitive information in textual data: ~90 high-signal regexes, support for scanning files, directories, and git history, and throughput of hundreds of MB/s on a single core.


📢 Tailscale, now with more SSH

Stop managing SSH keys manually, setting up bastion jump boxes, and unnecessarily exposing private production resources to the internet.

Tailscale SSH is a new way to SSH into devices in your tailnet. Simply enable it for the host and source devices, and we’ll take care of the rest — from distributing keys to authenticating connections.

Tailscale SSH works everywhere Tailscale does, so your team can code from an iPad or answer on-call emergencies from wherever they are.

Use Tailscale for free

Cloud Security

The benefits of a customer-centric cloud security mindset
Wiz blog post covering some of the key takeaways of my CloudSec 360 talk, including four initial steps towards a customer-centric security function. You can also watch the recording of the talk, if you’d like 🙂

Five Things You Need to Know About Malware on Storage Buckets
Orca Security’s Bar Kaduri and Deborah Galea debunk the myth that malware on storage buckets is less dangerous than on other assets and describe what needs to be done to protect against this risk.

SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft
Sysdig’s Alberto Pellitteri describes a sophisticated cloud operation in which an attacker exploited a containerized workload and leveraged it to escalate privileges into an AWS account in order to steal proprietary software and credentials. The attacker also attempted to pivot to other connected AWS accounts using credentials found in a Terraform state file, to spread their reach.


Container Security

Temporary policy exceptions in Kubernetes with Kyverno
Nirmata’s Chip Zoller describes Policy Exceptions, a new feature that lets you temporarily bypass a Kyverno policy, for example, to troubleshoot a service. Chip describes how to combine policy exceptions with other Kyverno features such as the new cleanup policies to make exceptions automatically expire after a short period of time.
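As an added illustration of the pattern (this is not code from Chip’s post or from the Kyverno project; the namespace, resource names, and the referenced policy and rule names are assumptions), here is a namespaced PolicyException that bypasses one rule of one ClusterPolicy for a narrow set of Pods, paired with a CleanupPolicy that deletes that exception once it is older than 24 hours. The API versions shown are the v2alpha1 ones the features shipped with; check them against your Kyverno version.

```yaml
# Added example: a time-boxed Kyverno policy exception.
# Assumptions: namespace "delta", a ClusterPolicy "disallow-host-namespaces"
# with a rule named "host-namespaces", and Pods named "important-tool*".
---
apiVersion: kyverno.io/v2alpha1
kind: PolicyException
metadata:
  name: delta-exception
  namespace: delta
spec:
  # Which policy/rule pairs this exception bypasses. Keep this list narrow:
  # one rule of one policy, not a blanket exemption.
  exceptions:
  - policyName: disallow-host-namespaces
    ruleNames:
    - host-namespaces
  # Which resources are exempted: only matching Pods in this namespace.
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - delta
        names:
        - "important-tool*"
---
apiVersion: kyverno.io/v2alpha1
kind: CleanupPolicy
metadata:
  name: expire-delta-exception
  namespace: delta
spec:
  # Target only the exception defined above.
  match:
    any:
    - resources:
        kinds:
        - PolicyException
        names:
        - delta-exception
  # Delete it once it is older than 24h. time_since('', ts, '') returns the
  # duration from ts to now; Kyverno compares durations with GreaterThan.
  conditions:
    any:
    - key: "{{ time_since('', target.metadata.creationTimestamp, '') }}"
      operator: GreaterThan
      value: 24h
  # The cleanup controller evaluates this policy every 5 minutes.
  schedule: "*/5 * * * *"
```

Two caveats a practitioner would want: PolicyException was an opt-in alpha feature when introduced and has to be explicitly enabled on the Kyverno deployment, and the cleanup controller’s service account needs RBAC permission to list and delete PolicyException resources, which a default install may not grant. Verify both by creating the pair, waiting past the window, and confirming with `kubectl get policyexception -n delta` that the exception is gone and the original rule is enforced again.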

Blue Team

CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks
CISA shares a report of a red team assessment of a large critical infrastructure organization, in which the CISA red team obtained persistent access to the organization’s network, moved laterally across multiple geographically separated sites, and gained access to systems adjacent to the organization’s sensitive business systems. The report details the red team’s tactics, techniques, and procedures (TTPs) and key findings to inform blue team detections.

Best Practices For Securing Your Home Network
New guide by the NSA including recommendations for securing routing devices, implementing wireless network segmentation, ensuring confidentiality during telework, and more.

[Image: NSA secure home network guide]

Politics / Privacy

Deconstructing the National Cybersecurity Strategy
Great overview of the Biden Administration’s National Cybersecurity Strategy (NCS) doc by Walter Haydock.

Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself
Microsoft describes several of the ransomware ecosystems using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves. They also offer security best practices on credential hygiene and cloud hardening, addressing security blind spots, hardening internet-facing assets and understanding your perimeter, and more.

[Image: RaaS affiliate model]
[Image: Handover between operators]

Machine Learning

Artificial Intelligence: Last Week Tonight with John Oliver
Nice video overview, good for people without a technical background.

Meet the companies trying to keep up with ChatGPT
Microsoft, Google, Meta, Anthropic, You.com, Alibaba, Baidu, and others.

A curated list of resources dedicated to reinforcement learning applied to cyber security, by Kim Hammar.

That Escalated Quickly: An ML Framework for Alert Prioritization

We present That Escalated Quickly (TEQ), a machine learning framework that reduces alert fatigue with minimal changes to SOC workflows by predicting alert-level and incident-level actionability. On real-world data, the system is able to reduce the time it takes to respond to actionable incidents by 22.9%, suppress 54% of false positives with a 95.1% detection rate, and reduce the number of alerts an analyst needs to investigate within singular incidents by 14%.

CoPilot Review: My Thoughts After 6 Months
The Primeagen, a senior engineer at Netflix, shares his thoughts:

  • CoPilot tends to introduce bugs if you have it fill out a whole function or non-trivial logic.
  • It can be great for boilerplate, types, or other simple situations where you can strongly hint at what you want.


All Timelines
Logs the timelines of various fictional universes, such as Star Wars, the Marvel Cinematic Universe, Lord of the Rings, and more.

I am Neal Stephenson, sci-fi author, geek, and [now] sword maker - AMA
Reddit AMA from a legend.

Big Tech job-switching stats
Gergely Orosz and an anonymous tech recruiter share a number of interesting stats, including the changes in the number of software engineers by company, which companies have more/less SWEs open to new opportunities, and more.

Popular education in Sweden: much more than you wanted to know

Folkbildningsrörelsen: that is the name we have for this movement of self-organized study groups, resource centers, maker spaces, public lectures, and free retreats for personal development.

Experientially, the spaces I have been part of have felt more like niche internet forums than schools. …we were able to sustain a depth of conversation which was out of scope at school. When I entered university, seminars often felt like play-acting in comparison. In our often quite dilapidated buildings (as in internet communities), we hadn’t thought about what we were doing as learning.

We were just obsessing about things.


Dropbox Engineering Career Framework - Security Engineer
Dropbox’s documentation that outlines the scope, impact, and other expectations from junior individual contributor through Principal Security Engineer. H/T Jonathan Werrett. Figma’s Devdatta Akhawe

So you want to be a SOC Analyst?
Blog series by Eric Capuano on how to land your first entry-level SOC analyst job: set up a small VM environment, put on your adversary hat and start making some noise, emulate an adversary and craft detections for it, and more.

Creating a certification plan
Rohit Hegde shares his opinions on the pros/cons of certifications, how one can go about it, developing a plan, and more.

Personally, I don’t have any certs nor do I look for them when hiring, I prefer hands-on experience. However, some people seem to find them useful and recommend them, and potentially they can be useful for breaking into the field.

Demystifying Security Research - Part 1
NCC Group’s Alex Plaskett covers topic selection, brainstorming and collaboration, motivation and mindset, note taking, surveying related work, and more.

See also, Mark Dowd’s Offensivecon 2022 keynote: Rules to Hack By.

The InfoSec community needs you (yes, you)!
Excellent post by Segment’s Leif Dreizler on why you should be writing blogs, appearing on podcasts, and presenting at conferences… and how to get started! This post is super detailed and great, highly recommend checking it out.

See also Leif’s follow-up post Share the Spotlight on how to encourage others at your company to write blogs, appear on podcasts, and speak at conferences and meetups.

Security Certification Roadmap
By Paul Jerimy: 473 certifications broken down by skill level across communication and network security, IAM, security architecture and engineering, asset security, security and risk management, security assessment and testing, software security, and security operations.

[Image: Security Certification Roadmap]

What are two skillsets you need transitioning from pentester to Product Security?
Thread by Anant Shrivastava with lots of people weighing in, including both technical and soft skills.

Reflections on the CS academic and industry job markets (part 1)
Candid reflections by Rowan Zellers. See also his Part 2: Why I chose OpenAI over academia.

Launch your cybersecurity career: IppSec’s advice on how to become a skilled professional
IppSec on technical tips, keeping a positive mindset, and life being what you make it.

[Image: "Hacking Is An Art" web flow chart]

2022 Cybersecurity roadmap: How to get started?
John Hammond joins David Bombal and shares the first thing to learn, recommended resources, if you should do CTFs, if you should pursue degrees and certs (and if so, which ones), and more.

The best Hacking Courses & Certs? Your roadmap to Pentester success
Rana Khalil joins David Bombal to discuss the best courses and best cert to become a pentester in 2023, as well as skills you need, how to get pentesting experience and land a job, bug bounty, and other resources.

Update on being Independent [3 years later]
Victor Grenu shares his reflections and lessons learned after being an independent AWS consultant for several years.

A sensible approach to compensation for remote teams
Ockam’s Glenn Gillen’s frank discussion of how compensation and promotions work at companies is a must read. If you don’t read this you are doing yourself a disservice, and I don’t say that lightly.

He also shares how to effectively make the case for higher pay if you’re a key contributor working in a lower cost of living region. Lastly, I like his principles.

The inescapable truth is that at any point in time your company has only got so much they can afford to pay people. They’ve either raised investment, and the more they pay people the shorter their runway will be. They’ve taken on debt and the more they draw down on it the higher the interest costs are and the more they ultimately have to repay.

Time to be blunt: compensation is an entirely commercial transaction. Your company might talk about it in terms of paying you fairly, individuals (especially in smaller companies) might genuinely believe that. It’s not what actually happens in the aggregate though. Paying you “fairly” is about paying you enough to reduce the probability you’ll leave. Compensation efficiency is a more serious sounding way of saying “pay them as little as possible”.

The “company’s” interests are in ensuring the company survives as long as possible. It’s not about paying you as much as you think you deserve. Those two things are usually at odds with each other. The sooner you accept that it’s all just business and nothing personal the better. Ironically, realising it’s not personal should make it easier to advocate for your own interests. The pushback you receive isn’t necessarily about you specifically, so don’t take it to heart. You absolutely should still maximise for getting paid what you feel you’re worth as soon as possible.

I’ve got news for you: if you’re getting promoted to a new level it’s got nothing to do with the documentation you spent two weeks writing to make your case. Or the half dozen paragraphs of supporting text collected from a handful of peers. It’s the year or two of work preceding all of that. The paperwork is to make your bosses’ case easier to support a decision that is already made. Though it won’t necessarily be clear to your boss either in that moment what exactly that decision is.

Because months prior a bunch of accountants would have run the numbers and come up with… a budget.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!