[tl;dr sec] #106 - Least Privilege IAM, Fuzzing, Istio Scanner
Designing least privilege AWS IAM policies for people, fuzzing 5G and CPUs by proxy, the first security scanner for Istio.
This page lists prior tl;dr sec issues.
To get these artisanally crafted emails straight to your inbox, sign up here đ
2021
[tl;dr sec] #105 - DevSecOps, Ransomware & S3, Falco Labs
Effectively shifting left, protecting your S3 buckets from ransomware, exercises to learn Falco in your browser.
[tl;dr sec] #104 - New Phrack, Often Missed Web Vulnerabilities, Facebook Whistleblower
New issue of Phrack, 10 often missed web vulnerabilities, Facebook whistleblower comes forward about the dangers of its products.
[tl;dr sec] #103 - Cloud Security Guardrails, Lateral Movement in GitHub Orgs, AWS Memes
Setting up strong AWS security guardrails, tool to explore lateral movement and privilege escalation in GitHub orgs, dank AWS memes from Corey Quinn.
[tl;dr sec] #102 - Why AuthZ is Hard, Vendor Security 2.0, TruffleHog Chrome Extension
Detailed breakdown of why authorization is hard, how we should approach vendor security going forward, a Chrome extension to find secrets.
[tl;dr sec] #101 - Securing Netflix at Scale, AWS PrivEsc Playground, Career Advice
How to build security tooling developers love, a playground to practice privilege escalation in AWS, career advice from @lcamtuf and Corey Quinn.
[tl;dr sec] #100 - Visualizing Security, GraphQL, API Token Survey
Infosec infographics, GraphQL guide and server fingerprinting tool, a survey of the trade-offs of various API token types.
[tl;dr sec] #99 - Grow Employees or Lose Them, Advantage: Defense, Ghidra <> Frida
How to mentor and grow employees, Mark Dowd on how and why defense is gaining the advantage, and a plugin to bridge Ghidra and Frida.
[tl;dr sec] 98 - Cloud Security Orienteering, Last S3 Document Youâll Need, Burnout
New guest blog post on rapidly understanding and securing your cloud env, a thorough threat model of S3, burning out in tech during the pandemic.
[tl;dr sec] #97 - Attacking HTTP/2, Securing GitHub Projects, Hacking G Suite
Deep dive into HTTP/2 flaws, continuously enforce GitHub security best practices, phishing, persistence, bypassing protective measures, and more in G Suite.
[tl;dr sec] #96 - Learn Reverse Engineering, Cloud Security Orienteering, Kernel Pwning with eBPF
Free workshops to learn reverse engineering, how to rapidly familiarize yourself in a new cloud environment, eBPF deep dive.
[tl;dr sec] #95 - Preventing SSRF in AWS, Testing AuthN Flows, Hardening Your Supply Chain
Tool to enforce IMDSv2, test authentication flows by modeling them as a finite state machine, detecting malicious dependencies and solving dependency confusi...
[tl;dr sec] #94 - 10X Your SOC, Learn Crypto, Enterprise-grade Attack-surface Monitoring with Open Source
Google whitepaper on how to scale your SOC, 3 free platforms to learn cryptography, Luke Stephensâ guide on rolling your own attack surface monitoring using ...
[tl;dr sec] #93 - Reading Your CSOâs Performance Review, Fuzzing, NSO Group
Gustoâs CSO Fredrick Lee sends his review to the entire company, fuzzing Android native, macOS and libafl, NSO Group data leak and detecting Pegasus.
[tl;dr sec] #92 - Hardening Kubernetes, Ransomware, Authz at Scale
Securing AWS EKS and lessons from a k8s security report, inside the ransomware economy, and building fine-grained authorization that works at scale.
[tl;dr sec] #91 - DOM Invader, Ransomware self-assessment tool, AWS Security Reference Architecture
Burp extension for finding DOM XSS, CISAâs tool for orgs to understand how equipped they are to defend and recover from ransomware, examples and guide to use...
[tl;dr sec] #90 - Eradicating Subdomain Takeovers, GitHubâs AI Pair Programmer, Testing File Upload Functionality
Open source tool to continuously scan for subdomain takeover vulnerabilities, GitHubâs Copilot can suggest whole functions within VS Code, resources for asse...
[tl;dr sec] #89 - MITRE D3FEND, Lambda Authorizer Gotchas, Googleâs Supply Chain Integrity Framework
MITRE releases the defensive countermeasures counterpart to ATT&CK, how IAM wildcard expansion can bite you, Googleâs 4-level supply chain maturity frame...
[tl;dr sec] #88 - Testing 2FA Implementations, Cloud Visibility/Enforcement, Altar of the Algorithm
Potential bugs to test in 2FA implementations, tools for cloud visibility and enforcement, and how we all conform to please the algorithms around us.
[tl;dr sec] #87 - Easy Temporary Cloud Access, Monopol-easy Money, AWS Account Boundaries can be Porous
Empowering developersâ cloud access while improving security, big tech throwing their weight around, 97+ ways data can be shared across AWS accounts.
[tl;dr sec] #86 - Dockerfile Best Practices, Mobile Security, and Collusion in Academia
20 Dockerfile best practices, free mobile security course, and trade-offs, collusion rings, and more in academia.
[tl;dr sec] #85 - Machine Learning, GraphQL, and Modern Static Analysis
Attacking ML models, deep learning side-channel attacks, CSRF and batch GraphQL attacks, how modern static analysis should work.
[tl;dr sec] #84 - Establishing a Cloud Security Program, Measuring Security, On Signalâs Cellebrite Hack
A roadmap for establishing a cloud security program + a task list, thoughts on measuring security, the legal implications of Signalâs Cellebrite hack.
[tl;dr sec] #83 - Comparing Infrastructure as Code Scanners, Jenkins Attack Framework, Good Design Principles
Benchmarking infra as code scanning tools, offense-focused Jenkins tools, and principles that can help scale security.
[tl;dr sec] #82 - Supply Chain Security, Career Resources, Differentiate or Die
Detecting dependency confusion across many ecosystems, getting started in tech or security, the middle of VCs and products are dying.
[tl;dr sec] #81 - Modern Security Tooling, Visualizing Dependencies, Remembering Dan Kaminsky
Requirements of modern security tooling, graphing your dependencies and their vulnerabilities in Neo4J, and remembering a man who helped so many.
[tl;dr sec] #80 - Celleb-fight me, Hardening CI Infrastructure, Secure Access to 100 AWS Accounts
Signal creator finds bugs in Cellebrite, recommendations on hardening CI, using Okta to secure access to AWS accounts at scale.
[tl;dr sec] #79 - Memory Safety FTW, Reference Architectures, Content Discovery++ with OpenAPI Specs
Moar evidence against memory unsafe languages, the power of secure reference architectures, and leveraging OpenAPI specs to more effectively detect attack su...
[tl;dr sec] #78 - Scaling Threat Modeling at Segment, Bootstrapping vs VCs, Security as Value Unlocker
How Segment democratized threat modeling, the trade-offs of taking money vs not, how security can be more than minimizing risk.
[tl;dr sec] #77 - Hidden OAuth attack vectors, Networking Fundamentals, Career Advice
Three new OAuth2 and OpenID Connect vulnerabilities, great intro/overview of networking concepts, security manager interviews & advancing your career in ...
[tl;dr sec] #76 - Is Secure Design > Patching? and Supply Chain, Breaking Regexes
An argument for why secure design + threat modeling is higher ROI than patching, making code signing easy, finding regex bugs with regexploit or fuzzing.
[tl;dr sec] #75 - IAM Least Privilege at Speed, Spectre, and How to Beat a Grandmaster at Chess
How Netflix enables development velocity + security with ConsoleMe, Spectre PoC and proposed defenses, and why speed is a superpower.
[tl;dr sec] #74 - Building Securely on AWS, Non-fungible Tokens, Deepfake tools
AWS security for small teams & Well-Architected resources, NFT overview, tools for creating and detecting deepfakes.
[tl;dr sec] #73 - JSON Woes, Career Advice, and Blub Studies
JSON libraries parse differently and that can lead to bugs, a number of career advice resources, and how to become compoundingly more effective.
[tl;dr sec] #72 - Finding Access Control Bugs, Supply Chain Security, Security Logging in AWS
Tips + a Burp extension for finding access control issues, tools and reflections on supply chain security, an architecture for multi-account security logging...
[tl;dr sec] #71 - Securing CI/CD, Electron Security, Growing Your Userbase by Ignoring âViralityâ
Tips and best practices for securing your CI/CD pipeline, Electron tooling and dangerous APIs, what to focus on instead of virality to grow your userbase.
[tl;dr sec] #70 - Scaling Threat Modeling, Dependency Confusion, Automating Open Source Vulnerability Triage
How Jacob Salassi scaled threat modeling at Snowflake, typosquatting company internal package names, automatically determine the versions of open source pack...
[tl;dr sec] #69 - Cloud Security Table Top Exercises, Finding RCE in ExpressJS, InSpec for GKE
Valuable cloud security scenarios to think through, leveraging the Handlebars templating engine for local file read or RCE, check your GKE cluster against CIS.
[tl;dr sec] #68 - Securing Lambda, Recon Tool Primer, Blind SSRF Chains
How AWS secures Lambda, Daniel Miesslerâs overview of @TomNomNomâs recon tools, how to demonstrate high impact when you canât see the SSRF response.
[tl;dr sec] #67 - Infra as Code, Cloud Auto-remediation, C.R.E.A.M
Effectively rolling out IaC scanning, auto-healing your cloud environment, and when sticking it to the man hurts the bottom line.
[tl;dr sec] #66 - Automating Infra as Code Creation, Container Security++ with User Namespaces, #RustLyfe
A tool to create IaC from an existing AWS environment, container defense-in-depth with user namespaces, rewriting things in Rust.
[tl;dr sec] #65 - Lesser Known AWS Attacks, Infra as Code Scanning, Template Injection Workshop
Scott Piper shares how heâd attack AWS, a survey of infra as code scanning tools, free workshop on server-side template injection.
2020
[tl;dr sec] #64 - Kubernetes Guide, XSS for PDFs, SolarWinds FTL
How to do a risk analysis on your Kubernetes cluster, pwning PDFs, and a devastating supply chain attack.
[tl;dr sec] #63 - OWASP, Fuzzing, and a New âAWS Swiss Army Knifeâ Tool by Netflix
New OWASP security testing guide and GraphQL cheat sheet, new fuzzing research, and a tool to ease administration of complex AWS environments.
[tl;dr sec] #62 - Leaking IAM Users and Roles, AI, and Exploiting Dynamic Renderers
A tool to sneakily enumerate all IAM users and roles in a target AWS account, recent events in AI, and how to attack server-side renderers.
[tl;dr sec] #61 - Effective Security OKRs, Scaling Threat Modeling, Webscan
How to create effective security OKRs, scaling threat modeling in hypergrowth, engineering-driven orgs, and a browser-based internal network scanner.
[tl;dr sec] #60 - Cartography + IAM, Security Scorecard, Self-service Security
Use Cartography to understand AWS permissions, tool to grok the risk of open source libraries, developers taking security into their own hands.
[tl;dr sec] #59 - NAT Slipstreaming, Widespread Injection in GitHub Actions, Greppable Secrets
Attackerâs can remotely access any TCP/UDP service on your machine, serious bugs in many GitHub Actions, and the security value of creating easily greppable ...
[tl;dr sec] #58 - New Job đ, Burp Multiplayer, Chaos Engineering Book
Iâve joined r2c as Head of Security Research, tool to sync multiple Burp instances, free book on chaos engineering to help you build reliable distributed sys...
[tl;dr sec] #57 - Bug Bounty Lessons Learned, Content Value Hierarchy, CloudSecDocs
1 year of a private bug bounty program, how to create high value content, and a great resource for cloud-native technologies.
[tl;dr sec] #56 - State of Exploit Development, Hacking Apple, flaws.cloud dataset
Stats on vulnerability discovery, CVE publication, and patches, lengthy write-up of 3 month Apple bug bounty hackathon, and flaws.cloud logs published.
[tl;dr sec] #55 - Detection as Code, Vault Authentication Bugs, Fingerprinting Exploit Developers
Why we should embrace Detection as Code, write-up of two complex AuthN bugs in Vault, tracking exploit developers by their work.
[tl;dr sec] #54 - Complexity in Capital, Communicating a Breach, Offensive Terraform
I contributed to an article in Forbes, how to communicate when youâve been hacked, Terraform to spin up offensive infrastructure.
[tl;dr sec] #53 - OneFuzz, Program Analysis, Ring Alarm Teardown
Microsoft releases self-hosted fuzzing-as-a-service platform, several solid program analysis resources, detailed teardown of Ringâs hardware and attack surfa...
[tl;dr sec] #52 - Prioritizing 3rd Party Vulnerabilities to Fix, LangSec History, Distilled Compliance Controls
How to prioritize vulnerabilities in your dependencies, some history and context around LangSec, and a set of common controls across 10+ standards.
[tl;dr sec] #51 - Continuous Cloud Monitoring, Web Browser for Hackers, How GitHub Threat Models
Monitor your cloud environment and automatically detect drift, a scriptable browser and bending JavaScript to your will, GitHubâs threat modeling process.
[tl;dr sec] #50 - Engineering Empathy, Golang Security, Bardcore
Applying engineering lessons learned to AppSec teams, common Golang bugs, and medieval covers of modern pop songs take the Internet by storm.
[tl;dr sec] #49 - Web Cache Entanglement, Finding a Mentor, Build Tools Around Workflows
New cache research by James Kettle, how to effectively reach out and build mentor relationships, tools should support workflows, not vice versa.
[tl;dr sec] #48 - Automating Recon Summary, GraphQL Tools, DEF CON 2020 Live Notes
My summary of Daniel Miesslerâs talk on automating recon, 2 tools to help with testing GraphQL, quick notes for ~20 DEF CON talks.
[tl;dr sec] #47 - Automating Recon, Podcasts, and Lateral Movement / Privilege Escalation in GCP
Daniel Miessler on automating your recon workflow, I was on a few podcasts, how to compromise GCP orgs via cloud API lateral movement & privilege escalat...
[tl;dr sec] #46 - Grokking CSP, Automating Threat Model âĄď¸ Security Tests, Unknown Blob âĄď¸ Plaintext
How to go from no CSP to a solid CSP, automatically creating baseline security tests from a threat model, tools to automagically decode random blobs.
[tl;dr sec] #45 - Bucket Brigade, ReDoS Cheat-sheet, Understanding OAuth
Protecting your public S3 buckets, how to find, prevent, and fix regular expression DoS, and walk step-by-step through the OAuth flow.
[tl;dr sec] #44 - Formal Methods, New Web Security Mechanisms, Have GPT-3 Code for You
Using lightweight formal methods in the real world, new web mitigations for injection vulns and isolation capabilities, GPT-3 is magic.
[tl;dr sec] #43 - Continuous AppSec Scanning, Threat Modeling, Career Advice from Feynman
How to continuously discover, monitor, and assess your web assets, threat modeling + agile, Richard Feynman on the problems you choose to tackle.
[tl;dr sec] #42 - tl;dr sec Search, Towards Trusted Sensing, Root Causes of Procrastination
tl;dr sec now supports search, snapshotting VMs at scale in a way malware canât evade, reflections on why we procrastinate.
[tl;dr sec] #41 - Threat Modeling Kubernetes, Secret Scanner Benchmark, OWASP Software Component Verification Standard
Overview of current work threat modeling Kubernetes, a repo to test your secret scanning, and v1 of OWASPâs standard on identifying/reducing supply chain risk.
[tl;dr sec] #40 - Uberâs Continuous AWS Monitoring, AWSâs Hands-off Deployments, Auto-remove Unneeded Feature Flags
Uber continuous AWS monitoring tool and process, how AWS does safe, fast, continuous deployment, tool to auto-delete no longer needed feature flags.
[tl;dr sec] #39 - Evidence Based Security, Web Security, and Program Analysis
Measuring the effectiveness of your security controls, web security tools and slides, auto-converting between Java/C++/Python and integrating formal methods.
[tl;dr sec] #38 - Threat Modeling for Devs, Attacking JWTs, On Accepting Ads
Effectively teaching devs threat modeling, forging and cracking JWTs, and some radical transparency about our process of deciding to accept sponsors.
[tl;dr sec] #37 - Kubernetes, SAST Snark, and Malware Targeting Open Source Supply Chain
Using Kubernetes + OPA, Twitter SAST snark & lessons learned, malware discovered on GitHub targeting the open source supply chain.
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
[tl;dr sec] #35 - Careers in Security, Testing OAuth, Session Management with Burp
Building a successful career in security and how to specialize, testing OAuth implementations, and a Burp plugin for handling session management.
[tl;dr sec] #34 - Game Theory + 0days, Kubernetes Hacking Practice, AWS Least Privilege
Game theory applied to finding and disclosing 0days, Kubernetes training labs, rightsize your AWS IAM policies to Terraform.
[tl;dr sec] #33 - Splunkâs Attack Range, Detecting Compromised Cloud Creds, Azure AD for Red Teamers
Set up your own range to practice attacking & detection, detection strategies for compromised cloud creds, intro to Azure AD for red teamers.
[tl;dr sec] #32 - Security + Empathy, Chrome Extension Security, Attacking Azure AD
Gusto CISO Flee on building a positive security culture, protecting from/attacking with Chrome extensions, pivot through Azure AD.
[tl;dr sec] #31 - Instrument with Frida, Free Course on Attacking Apps in AWS/Azure, VM with 8 C&C Frameworks
Use Frida from a Burp extension or web interface, continuous cloud security, fighting misinformation at scale.
[tl;dr sec] #30 - Securing Your Home Network, ATT&CK for Kubernetes, Google on Building Secure Systems
How to secure your home WiFi network, Microsoft releases ATT&CK matrix for Kubernetes, free 550+ page book by Googleâs SREs on building secure systems.
[tl;dr sec] #29 - Testing GraphQL, Bug Bounty Programs, & AWS Service Control Policy Best Practices
Tool for testing GraphQL endpoints, how to run a great bug bounty program, restricting your AWS account with Service Control Policies, hardening Linux.
[tl;dr sec] #28 - 25 Years of Fuzzing, Secrets Management, Security Questionnaires
Some history and overview of fuzzing, preventing/detecting/remediating leaked secrets, static analysis, macOS security, reflections on privacy post COVID-19.
[tl;dr sec] #27 - AppSec Weekly, SOC2 Starting Seven, Save Encryption
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
[tl;dr sec] #26 - Learnings from Duo, Auto-healing Clouds, Fuzzing
Jon Oberheide on Duo, self-healing AWS environments, Googleâs fuzzer benchmarking and CIFuzz, securing Windows & MS accounts at scale.
[tl;dr sec] #25 - BSidesSF and RSA, Demystifying Container Security, Your Privacy Online
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
Iâm speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another companyâs security posture.
[tl;dr sec] #22 - Post AppSec Cali, K8s Security Monitoring at Scale
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
[tl;dr sec] #21 - AppSec Cali, Bezosâs Phone, Fuzzing
Iâm speaking at AppSec Cali 2020, details on Bezosâs phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
[tl;dr sec] #19 - Epic Post Next Week, Beyond Beyond Corp, Cloud Security Tools
Googleâs BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
2019
[tl;dr sec] #18 - âGitHubificationâ of Infosec, Ring Privacy, Ransomware Economics
Blue teams can become highly leveraged by sharing knowledge effectively, Ringâs partnerships with the police, viewing ransomware through an economic lens.
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! đ
[tl;dr sec] #16 - Art of Vulnerability Management, Cloud Security, Flan Scan, SCORE Bot
Building an effective vulnerability management process, K8s/AWS tips, network & code scanning tools, privacy preserving VA, and the Siege of Gondor.
[tl;dr sec] #15 - OSINT + Screenshots, Fuzzing, and 2 Fast 2 Discoverious
Summary of an AppSec Cali 2019 talk on more efficient network penetration tests via clustering similar screenshots, fuzzing tools and articles, Bugcrowd/Bitd...
[tl;dr sec] #14 - DevSecCon TLV, Slackâs Secure Overlay Network, Dangers of Struct Padding
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
[tl;dr sec] #13 - Being Powerful While Powerless, Sadcloud, and Bugcrowdâs Asset Inventory Service
Gustoâs Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
[tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
[tl;dr sec] #10 - Cloudflare on Security, IAM Least Privilege, & Finding XSS in Firefoxâs UI
Cloudflareâs CTO on how they think about security, Salesforceâs tool to make IAM least privilege policy generation easier, and finding XSS in Firefoxâs UI us...
[tl;dr sec] #9 - Autonomous Bug Reporting, HTTP Desync Attacks, & Censorship
Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, Chinaâs censorship power is felt around the world.
[tl;dr sec] #7 - AppSec Cali 2019 DevSecOps Panel Summary
Notes from an AppSec Cali 2019 panel, AWS security tools, fuzzing with grammars and Gitlab, and Google P0âs iOS exploit chain discovery.
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.