Predictions for offense, from security leaders, and AWS, high signal vuln finding from application runtime exceptions, how Pinterest enforces managed and com...
How to detect malicious persistence in AWS, GCP, and Azure, leaking GitHub Action secrets and improving OIDC security posture, will ChatGPT degrade communica...
How LinkedIn scaled detection and minimized toil, why ReDoS CVEs are mostly noise, and reflecting on security in 2022 and predicting what 2023 has in store.
How to justify the value of your security team's investments and prioritize, how to build an Inbox Zero vulnerability management approach, Magoo's detailed b...
Many varied examples of using ChatGPT, how Lyft precisely fixes OS and OS-package level vulnerabilities across ~1,000 services, Sigstore and dangerous subtle...
Notes from the WeHackPurple courses, a wide variety of applications of machine learning, bypassing validations and normalizations in web apps using regex fuz...
Twitter internals and Mastodon benefits/challenges, blue and red team attack trees for attacking GitHub, ThinkstScapes Quarterly covering AI/ML, clever crypt...
Tanya Janca on building a security champions program, highly tuned osquery detections, gaining GitHub Runner persistence and how to detect compromises.
Dev's hilarious and useful history of the Internet and browser security, new toolkit from Brex to easily normalize and enrich security event data, additional...
Understanding AWS permission boundaries and IAM policy evaluation, use ML to create art for your blog post based on its text, taking over your infrastructure...
Insights from the security posture of 600+ orgs, security career pathways mindmap and security communities overview, a number of resources about authorization.
Detailed IaC security guide with ~90 references, new Linux with default security measures for the software supply chain, securing and attacking SCM and CI sy...
Building an effective and scalable AppSec program by leaning into secure defaults, leadership tips, proxy that enables least privilege use of GitHub API toke...
How to prep for and handle an incident in AWS well, detailed PDF guide by NSA and CISA on software supply chain security, various OSINT and recon tools.
Top 10 Kubernetes ecosystem risks to consider, more effective GraphQL brute forcing with Turbo Intruder, running arbitrary JavaScript in Electron apps.
Mudge's accusations of Twitter's security posture, identity management risks in GitHub orgs, comparing 6 CI providers and examining GH workflows at scale, Ry...
Lessons learned compromising real world CI/CD pipelines, how to implement a lightweight SSDLC, new framework to ensure your threat detection rules work, from...
Cloudflare's write-up on a sophisticated phishing campaign, examining Meta apps' privacy implications and iOS16's Lockdown Mode, be yourself and find your tr...
How to stay healthy and get the most out of Vegas this year, how to build a ProdSec program from scratch, tool to mitigate privilege escalation risks in AWS.
OAuth bugs that lead to single-click account takeovers, crypto wallet exploits and Ethereum smart contract best practices, the importance of being able to co...
New CIS software supply chain security whitepaper and tool, finding vulnerabilities in binaries using static analysis, impressive ML tools and attacking ML s...
Security at start-ups and SAST program building, preventing classes of cloud vulnerabilities with guardrails, a Linux eBPF rootkit with a backdoor, C2, libra...
Finding cybersecurity jobs and adding value, secrets from front end web apps and Docker Hub, fuzzing VirtualBox, contributing to OSS-Fuzz, tool to improve fu...
How to defend against malicious Terraform, great tips from GitHub on effectively rolling out security tooling, and Palantir on building a scalable detection ...
Useful ways to think about modern security teams, how to scale honeytokens while maintaining server level attribution, and how to harden your AWS environment...
A walkthrough of how to attack read-only containers, Shubham Shah on taking apart complex proprietary software, how your shellcode can evade top EDR products.
How Chime empowers developers to own security via internal tools, purposefully vulnerable CI/CD exercises, a microservices-based framework for learning netwo...
The revamped secret scanner now is faster and finds more secrets, future projecting where the industry is headed, and security scanning infrastructure as code.
How to review the security architecture of a multi-cloud environment and find the most critical components, responding to incidents in k8s, advice for start-...
Rachel and Evan Tobac vs. Jeffrey Katzenberg, a framework for automatically isolating an EC2 instance and gathering what you need, attacking and hardening Gi...
60 page PDF on using AWS security services in multi-account environment, how to introduce DevSecOps in your company, tools to examine malicious Office docs.
A dense checklist of container hardening steps, Cloud Security Alliance whitepaper on automating compliance and better relating it to security requirements, ...
A thoughtful redesign of CI to mitigate harm from malicious dependencies, how to automate your IR playbooks, tool to eliminate dangling Elastic IP takeovers.
Bake-off of multiple Terraform static analysis tools, tool to identify privilege escalation paths within and across different clouds, collection of security ...
Great talk on WebSocket security + tool release, understanding your dependencies and the power of lockfiles, enforcing authz at compile time and authz in mic...
A masterclass in building a modern, scalable security program by Phil Venables, GitHub Action to check your supply chain security posture, Chrome feature to ...
CSRF, web cache poisoning, and SSRF, detecting/fixing container drift at runtime, and three frequent sources of cloud security breaches and vulnerabilities i...
Resources for the vuln that's keeping you away from your family, how to do security metrics effectively, how Netflix scales cloud detections using Snare.
A tool to detect misconfigured session implementations, scanning Docker Hub for secrets and determining the impact of leaked secrets, Semgrep rule for the Tr...
What SolarWinds did after the attack: their new high assurance build system, how to succeed as the only cloud security practitioner in your company, how Netfl...
Deep dive into HTTP/2 flaws, continuously enforce GitHub security best practices, phishing, persistence, bypassing protective measures, and more in G Suite.
Tool to enforce IMDSv2, test authentication flows by modeling them as a finite state machine, detecting malicious dependencies and solving dependency confusi...
Google whitepaper on how to scale your SOC, 3 free platforms to learn cryptography, Luke Stephens' guide on rolling your own attack surface monitoring using ...
Gusto's CSO Fredrick Lee sends his review to the entire company, fuzzing Android native, macOS and libafl, NSO Group data leak and detecting Pegasus.
Burp extension for finding DOM XSS, CISA's tool for orgs to understand how equipped they are to defend and recover from ransomware, examples and guide to use...
Open source tool to continuously scan for subdomain takeover vulnerabilities, GitHub's Copilot can suggest whole functions within VS Code, resources for asse...
MITRE releases the defensive countermeasures counterpart to ATT&CK, how IAM wildcard expansion can bite you, Google's 4-level supply chain maturity frame...
Empowering developers' cloud access while improving security, big tech throwing their weight around, 97+ ways data can be shared across AWS accounts.
A roadmap for establishing a cloud security program + a task list, thoughts on measuring security, the legal implications of Signal's Cellebrite hack.
Moar evidence against memory unsafe languages, the power of secure reference architectures, and leveraging OpenAPI specs to more effectively detect attack su...
Three new OAuth2 and OpenID Connect vulnerabilities, great intro/overview of networking concepts, security manager interviews & advancing your career in ...
An argument for why secure design + threat modeling is higher ROI than patching, making code signing easy, finding regex bugs with regexploit or fuzzing.
Tips + a Burp extension for finding access control issues, tools and reflections on supply chain security, an architecture for multi-account security logging...
Tips and best practices for securing your CI/CD pipeline, Electron tooling and dangerous APIs, what to focus on instead of virality to grow your userbase.
How Jacob Salassi scaled threat modeling at Snowflake, typosquatting company internal package names, automatically determine the versions of open source pack...
Valuable cloud security scenarios to think through, leveraging the Handlebars templating engine for local file read or RCE, check your GKE cluster against CIS.
How AWS secures Lambda, Daniel Miessler's overview of @TomNomNom's recon tools, how to demonstrate high impact when you can't see the SSRF response.
Attackers can remotely access any TCP/UDP service on your machine, serious bugs in many GitHub Actions, and the security value of creating easily greppable ...
I've joined r2c as Head of Security Research, tool to sync multiple Burp instances, free book on chaos engineering to help you build reliable distributed sys...
Stats on vulnerability discovery, CVE publication, and patches, lengthy write-up of 3 month Apple bug bounty hackathon, and flaws.cloud logs published.
Microsoft releases self-hosted fuzzing-as-a-service platform, several solid program analysis resources, detailed teardown of Ring's hardware and attack surfa...
Monitor your cloud environment and automatically detect drift, a scriptable browser and bending JavaScript to your will, GitHub's threat modeling process.
Daniel Miessler on automating your recon workflow, I was on a few podcasts, how to compromise GCP orgs via cloud API lateral movement & privilege escalat...
Overview of current work threat modeling Kubernetes, a repo to test your secret scanning, and v1 of OWASP's standard on identifying/reducing supply chain risk.
Measuring the effectiveness of your security controls, web security tools and slides, auto-converting between Java/C++/Python and integrating formal methods.
How to secure your home WiFi network, Microsoft releases ATT&CK matrix for Kubernetes, free 550+ page book by Google's SREs on building secure systems.
Tool for testing GraphQL endpoints, how to run a great bug bounty program, restricting your AWS account with Service Control Policies, hardening Linux.
Some history and overview of fuzzing, preventing/detecting/remediating leaked secrets, static analysis, macOS security, reflections on privacy post COVID-19.
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
I'm speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
OSINT tools, tips, & tricks, presentations on automatically finding and exploiting bugs, a code-aware grep, how to assess another company's security posture.
Blue teams can become highly leveraged by sharing knowledge effectively, Ring's partnerships with the police, viewing ransomware through an economic lens.
Summary of an AppSec Cali 2019 talk on more efficient network penetration tests via clustering similar screenshots, fuzzing tools and articles, Bugcrowd/Bitd...
Gusto's Nathan Yee on being impactful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
Cloudflare's CTO on how they think about security, Salesforce's tool to make IAM least privilege policy generation easier, and finding XSS in Firefox's UI us...