[tl;dr sec] #185 - Artisanal to Industrial Security, Securing the EC2 Instance Metadata Service, 12 Threat Modeling Methods
How to deliver security at scale, the security properties of IMDSv2, a summary of many threat modeling approaches.
This page lists prior tl;dr sec issues.
To get these artisanally crafted emails straight to your inbox, sign up here đ
How to deliver security at scale, the security properties of IMDSv2, a summary of many threat modeling approaches.
Compendium of cloud security incidents and breaches that have affected customers, top risks for software leveraging Large Language Models, a library of macOS...
If you can only choose 3 metrics, what to choose? How to build a Kubernetes purple teaming lab, vulnerable Android and iOS apps to learn on.
Video playlists and abstracts from CloudNativeSecurityCon and KubeCon, overview of attacking AI assistants and agents, attack vectors to pivot from an EKS cl...
Free cloud-native security learning labs, the essential components for modern robust red teaming infra, how to privesc from a compromised EKS pod and defeat ...
Riot Games and Segment on Scaling AppSec, help me decide what tl;dr sec swag to make, resources and techniques to do an effective GCP pentest.
I wrote quick summaries of four BSidesSF presentations, common Kubernetes attack vectors and vulnerable lab, Burp Suite extension that uses OpenAI for recon.
Microsoft techniques and attack vectors for DevOps environments, applications of LLMs in security, the deps.dev API and Golang supply chain security.
Threat model and attack tree for AWS Key Management Service, Gareth Heyes on how to use the DOM Invader Burp extension, doing cloud forensics when a containe...
A searchable database of real-world attacks, vulns, and misconfigurations in cloud environments, Semgrep Assistant supports auto-triaging and fix suggestions...
The power of open source, flexible tooling, k8s detection resources, ChatGPT just got a whole lot more powerful.
The challenges in mitigating SSRF and the best way to do it, how Linux namespaces provide isolation properties for containers, resources on attacking AI mode...
The AI-based architecture thatâll replace most existing software, overview of cybersecurity companies and acquisitions, how to lock down instance creds and r...
Certs and getting into security, reinforcement learning for security, join Jim and Iâs webinar on broken access control.
Building an effective AppSec and CloudSec program, vendors that donât prioritize high quality audit logs, tactics to go from a compromised cloud resource to ...
Black-box prototype pollution without the DoS, fuzzing curl and gaining coverage with LLMs, and useful metrics to build an effective SOC.
Portswigger released a curated list of awesome web security research from last year, some approaches to finding malicious dependencies + open source tools, a...
Detailed threat models for Google Cloud Storage and Azure Storage, Mac malware of 2022 and emerging payload obfuscation techniques, reverse engineering Rust ...
Generating SBOMs and evaluating their quality, how Brex manages and automates security alerts at scale, how popular k8s platforms hardened themselves.
Predictions for offense, from security leaders, and AWS, high signal vuln finding from application runtime exceptions, how Pinterest enforces managed and com...
How to detect malicious persistence in AWS, GCP, and Azure, leaking GitHub Action secrets and improving OIDC security posture, will ChatGPT degrade communica...
How a number of companies adopted WebAuthN and/or hard keys, neat new things in ML, the impact of Rust and memory safety in general in Android 13.
How LinkedIn scaled detection and minimized toil, why ReDoS CVEs are mostly noise, and reflecting on security in 2022 and predicting what 2023 has in store.
How to justify the value of your security teamâs investments and prioritize, how to build an Inbox Zero vulnerability management approach, Magooâs detailed b...
Many varied examples of using ChatGPT, how Lyft precisely fixes OS and OS-package level vulnerabilities across ~1,000 services, Sigstore and dangerous subtle...
Notes from the WeHackPurple courses, a wide variety of applications of machine learning, bypassing validatoins and normalizations in web apps using regex fuz...
Twitter internals and Mastodon benefits/challenges, blue and red team attack trees for attacking GitHub, ThinkstScapes Quarterly covering AI/ML, clever crypt...
Open jobs from over 35 companies, great career advice from a variety of people, how Lyft achieved egress filtering on all services.
Tanya Janca on building a security champions program, highly turned osquery detections, gaining GitHub Runner persistence and how to detect compromises.
Devâs hilarious and useful history of the Internet and browser security, new toolkit from Brex to easily normalize and enrich security event data, additional...
Understanding AWS permission boundaries and IAM policy evaluation, use ML to create art for your blog post based on its text, taking over your infrastructure...
Insights from the security posture of 600+ orgs, security career pathways mindmap and security communities overview, a number of resources about authorization.
How PostgreSQL server and client TLS defaults will make you sad, SBOM tools and reflections, walkthroughs to learn how prototype pollution works.
Detailed IaC security guide with ~90 references, new Linux with default security measures for the software supply chain, securing and attacking SCM and CI sy...
Why security products can be ineffective, cloud pen testing exercises, review CVEs to learn vulnerability discovery.
Building an effective and scalable AppSec program by leaning into secure defaults, leadership tips, proxy that enables least privilege use of GitHub API toke...
How to prep for and handle an incident in AWS well, detailed PDF guide by NSA and CISA on software supply chain security, various OSINT and recon tools.
Top 10 Kubernetes ecosystem risks to consider, more effective GraphQL brute forcing woth Turbo Intruder, running arbitrary JavaScript in Electron apps.
Mudgeâs accusations of Twitterâs security posture, identity management risks in GitHub orgs, comparing 6 CI providers and examining GH workflows at scale, Ry...
Lessons learned compromising real world CI/CD pipelines, how to implement a lightweight SSDLC, new framework to ensure your threat detection rules work, from...
Cloudflareâs write-up on a sophisticated phishing campaign, examining Meta appsâ privacy implications and iOS16âs Lockdown Mode, be yourself and find your tr...
How to stay healthy and get the most out of Vegas this year, how to build a ProdSec program from scratch, tool to mitigate privilege escalation risks in AWS.
How to get into AppSec, getting a raise, and other career advice, SBOM tools, how to build your own ASM with ProjectDiscovery tools
OAuth bugs that lead to single-click account takeovers, crypto wallet exploits and Ethereum smart contract best practices, the importance of being able to co...
New CIS software supply chain security whitepaper and tool, finding vulnerabilities in binaries using static analysis, impressive ML tools and attacking ML s...
Security at start-ups and SAST program building, preventing classes of cloud vulnerabilities with guardrails, a Linux eBPF rootkit with a backdoor, C2, libra...
A presentation with many real world RCE examples, new free course on using Sigstore for supply chain security, list of 1,200+ cloud security risks.
Finding cybersecurity jobs and adding value, secrets from front end web apps and Docker Hub, fuzzing VirtualBox, contributing to OSS-Fuzz, tool to improve fu...
How to defend against malicious Terraform, great tips from GitHub on effectively rolling out security tooling, and Palantir on building a scalable detection ...
Many career resources, lessons learned scaling AppSec at Netflix, 5 mini summaries I wrote of BSidesSF talks.
Letâs hang out at BSidesSF, Googleâs Python library to do DFIR across major clouds, Braze and GitHub on running bug bounty programs.
Useful ways to think about modern security teams, how to scale honeytokens while maintaining server level attribution, and how to harden your AWS environment...
James Kettle on finding subtle bugs and bug classes, eBPF-related tools and backdoors, fuzzing Golang, malware, and getting higher coverage.
Jason Haddixâs new Bug Hunterâs Methodology for apps, write-up of a series of Cloudflare Pages bugs, Jack Rhysider on the power of blogging.
A walkthrough of how to attack read-only containers, Shubham Shah on taking apart complex proprietary software, how your shellcode can evade top EDR products.
Maddie Stone on 2021 0day trends, Thinkstâs excellent research round-up, Mark Dowd OffensiveCon keynote on security research
How Flipkart gets the most value from every vulnerability, setting up a SLSA 3 GitHub Action build process, the power of being vulnerable.
How Chime empowers developers to own security via internal tools, purposefully vulnerable CI/CD exercises, a microservices-based framework for learning netwo...
The revamped secret scanner now is faster and finds more secrets, future projecting where the industry is headed, and security scanning infrastructure as code.
How to review the security architecture of a multi-cloud environment and find the most critical components, responding to incidents in k8s, advice for start-...
Rachel and Evan Tobac vs. Jeffrey Katzenberg, a framework for automatically isolating an EC2 instance and gathering what you need, attacking and hardening Gi...
Tool to test GraphQL APIs, learn to exploit and pivot a target GitLab instance, PDF by NSA on hardening your network.
60 page PDF on using AWS security services in multi-account environment, how to introduce DevSecOps in your company, tools to examine malicious Office docs.
Why DevX is so important for security, 50+ examples of Foo as Code, ingest all of your assets and query them in Neo4J.
A dense checklist of container hardening steps, Cloud Security Alliance whitepaper on automating compliance and better relating it to security requirements, ...
A thoughtful redesign of CI to mitigate harm from malicious dependencies, how to automate your IR playbooks, tool to eliminate dangling Elastic IP takeovers.
Bake-off of multiple Terraform static analysis tools, tool to identify privilege escalation paths within and across different clouds, collection of security ...
Tool to test your cloud detections, how to build and scale a security program, OWASP project to teach you how not to manage secrets.
Great talk on WebSocket security + tool release, understanding your dependencies and the power of lockfiles, enforcing authz at compile time and authz in mic...
A masterclass in building a modern, scalable security program by Phil Venables, GitHub Action to check your supply chain security posture, Chrome feature to ...
Patrick Wardleâs analysis of a year of Mac malware, library to safely make HTTP requests, and Moxie experiments with distributed apps.
CSRF, web cache poisoning, and SSRF, detecting/fixing container drift at runtime, and three frequent sources of cloud security breaches and vulnerabilities i...
Resources for the vuln thatâs keeping you away from your family, how to do security metrics effectively, how Netflix scales cloud detections using Snare.
Round-up articles about re:Invent, examining Python package security, Scott Piperâs repo of AWS, GCP, and Azure mistakes and vulnerabilities.
An impactful bug in heavily tested C/C++, great security books for cheap, technical and economic reasons why NFTs are bad and donât work.
Jason Chan BSidesRDU keynote, detecting privilege escalation in Kubernetes, network fuzzing and fuzzing DRAM to discover rowhammer vulns.
A tool to detect misconfigured session implementations, scanning Docker Hub for secrets and determining the impact of leaked secrets, Semgrep rule for the Tr...
What SolarWinds did after the attack their new high assurance build system, how to succeed as the only cloud security practitioner in your company, how Netfl...
Securing build pipelines and ATT&CK for CI/CD, threat modeling in Terraform, using ML to break pseudorandom number generators.
Designing least privilege AWS IAM policies for people, fuzzing 5G and CPUs by proxy, the first security scanner for Istio.
Effectively shifting left, protecting your S3 buckets from ransomware, exercises to learn Falco in your browser.
New issue of Phrack, 10 often missed web vulnerabilities, Facebook whistleblower comes forward about the dangers of its products.
Setting up strong AWS security guardrails, tool to explore lateral movement and privilege escalation in GitHub orgs, dank AWS memes from Corey Quinn.
Detailed breakdown of why authorization is hard, how we should approach vendor security going forward, a Chrome extension to find secrets.
How to build security tooling developers love, a playground to practice privilege escalation in AWS, career advice from @lcamtuf and Corey Quinn.
Infosec infographics, GraphQL guide and server fingerprinting tool, a survey of the trade-offs of various API token types.
How to mentor and grow employees, Mark Dowd on how and why defense is gaining the advantage, and a plugin to bridge Ghidra and Frida.
New guest blog post on rapidly understanding and securing your cloud env, a thorough threat model of S3, burning out in tech during the pandemic.
Deep dive into HTTP/2 flaws, continuously enforce GitHub security best practices, phishing, persistence, bypassing protective measures, and more in G Suite.
Free workshops to learn reverse engineering, how to rapidly familiarize yourself in a new cloud environment, eBPF deep dive.
Tool to enforce IMDSv2, test authentication flows by modeling them as a finite state machine, detecting malicious dependencies and solving dependency confusi...
Google whitepaper on how to scale your SOC, 3 free platforms to learn cryptography, Luke Stephensâ guide on rolling your own attack surface monitoring using ...
Gustoâs CSO Fredrick Lee sends his review to the entire company, fuzzing Android native, macOS and libafl, NSO Group data leak and detecting Pegasus.
Securing AWS EKS and lessons from a k8s security report, inside the ransomware economy, and building fine-grained authorization that works at scale.
Burp extension for finding DOM XSS, CISAâs tool for orgs to understand how equipped they are to defend and recover from ransomware, examples and guide to use...
Open source tool to continuously scan for subdomain takeover vulnerabilities, GitHubâs Copilot can suggest whole functions within VS Code, resources for asse...
MITRE releases the defensive countermeasures counterpart to ATT&CK, how IAM wildcard expansion can bite you, Googleâs 4-level supply chain maturity frame...
Potential bugs to test in 2FA implementations, tools for cloud visibility and enforcement, and how we all conform to please the algorithms around us.
Empowering developersâ cloud access while improving security, big tech throwing their weight around, 97+ ways data can be shared across AWS accounts.
20 Dockerfile best practices, free mobile security course, and trade-offs, collusion rings, and more in academia.
Attacking ML models, deep learning side-channel attacks, CSRF and batch GraphQL attacks, how modern static analysis should work.
A roadmap for establishing a cloud security program + a task list, thoughts on measuring security, the legal implications of Signalâs Cellebrite hack.
Benchmarking infra as code scanning tools, offense-focused Jenkins tools, and principles that can help scale security.
Detecting dependency confusion across many ecosystems, getting started in tech or security, the middle of VCs and products are dying.
Requirements of modern security tooling, graphing your dependencies and their vulnerabilities in Neo4J, and remembering a man who helped so many.
Signal creator finds bugs in Cellebrite, recommendations on hardening CI, using Okta to secure access to AWS accounts at scale.
Moar evidence against memory unsafe languages, the power of secure reference architectures, and leveraging OpenAPI specs to more effectively detect attack su...
How Segment democratized threat modeling, the trade-offs of taking money vs not, how security can be more than minimizing risk.
Three new OAuth2 and OpenID Connect vulnerabilities, great intro/overview of networking concepts, security manager interviews & advancing your career in ...
An argument for why secure design + threat modeling is higher ROI than patching, making code signing easy, finding regex bugs with regexploit or fuzzing.
How Netflix enables development velocity + security with ConsoleMe, Spectre PoC and proposed defenses, and why speed is a superpower.
AWS security for small teams & Well-Architected resources, NFT overview, tools for creating and detecting deepfakes.
JSON libraries parse differently and that can lead to bugs, a number of career advice resources, and how to become compoundingly more effective.
Tips + a Burp extension for finding access control issues, tools and reflections on supply chain security, an architecture for multi-account security logging...
Tips and best practices for securing your CI/CD pipeline, Electron tooling and dangerous APIs, what to focus on instead of virality to grow your userbase.
How Jacob Salassi scaled threat modeling at Snowflake, typosquatting company internal package names, automatically determine the versions of open source pack...
Valuable cloud security scenarios to think through, leveraging the Handlebars templating engine for local file read or RCE, check your GKE cluster against CIS.
How AWS secures Lambda, Daniel Miesslerâs overview of @TomNomNomâs recon tools, how to demonstrate high impact when you canât see the SSRF response.
Effectively rolling out IaC scanning, auto-healing your cloud environment, and when sticking it to the man hurts the bottom line.
A tool to create IaC from an existing AWS environment, container defense-in-depth with user namespaces, rewriting things in Rust.
Scott Piper shares how heâd attack AWS, a survey of infra as code scanning tools, free workshop on server-side template injection.
How to do a risk analysis on your Kubernetes cluster, pwning PDFs, and a devastating supply chain attack.
New OWASP security testing guide and GraphQL cheat sheet, new fuzzing research, and a tool to ease administration of complex AWS environments.
A tool to sneakily enumerate all IAM users and roles in a target AWS account, recent events in AI, and how to attack server-side renderers.
How to create effective security OKRs, scaling threat modeling in hypergrowth, engineering-driven orgs, and a browser-based internal network scanner.
Use Cartography to understand AWS permissions, tool to grok the risk of open source libraries, developers taking security into their own hands.
Attackerâs can remotely access any TCP/UDP service on your machine, serious bugs in many GitHub Actions, and the security value of creating easily greppable ...
Iâve joined r2c as Head of Security Research, tool to sync multiple Burp instances, free book on chaos engineering to help you build reliable distributed sys...
1 year of a private bug bounty program, how to create high value content, and a great resource for cloud-native technologies.
Stats on vulnerability discovery, CVE publication, and patches, lengthy write-up of 3 month Apple bug bounty hackathon, and flaws.cloud logs published.
Why we should embrace Detection as Code, write-up of two complex AuthN bugs in Vault, tracking exploit developers by their work.
I contributed to an article in Forbes, how to communicate when youâve been hacked, Terraform to spin up offensive infrastructure.
Microsoft releases self-hosted fuzzing-as-a-service platform, several solid program analysis resources, detailed teardown of Ringâs hardware and attack surfa...
How to prioritize vulnerabilities in your dependencies, some history and context around LangSec, and a set of common controls across 10+ standards.
Monitor your cloud environment and automatically detect drift, a scriptable browser and bending JavaScript to your will, GitHubâs threat modeling process.
Applying engineering lessons learned to AppSec teams, common Golang bugs, and medieval covers of modern pop songs take the Internet by storm.
New cache research by James Kettle, how to effectively reach out and build mentor relationships, tools should support workflows, not vice versa.
My summary of Daniel Miesslerâs talk on automating recon, 2 tools to help with testing GraphQL, quick notes for ~20 DEF CON talks.
Daniel Miessler on automating your recon workflow, I was on a few podcasts, how to compromise GCP orgs via cloud API lateral movement & privilege escalat...
How to go from no CSP to a solid CSP, automatically creating baseline security tests from a threat model, tools to automagically decode random blobs.
Protecting your public S3 buckets, how to find, prevent, and fix regular expression DoS, and walk step-by-step through the OAuth flow.
Using lightweight formal methods in the real world, new web mitigations for injection vulns and isolation capabilities, GPT-3 is magic.
How to continuously discover, monitor, and assess your web assets, threat modeling + agile, Richard Feynman on the problems you choose to tackle.
tl;dr sec now supports search, snapshotting VMs at scale in a way malware canât evade, reflections on why we procrastinate.
Overview of current work threat modeling Kubernetes, a repo to test your secret scanning, and v1 of OWASPâs standard on identifying/reducing supply chain risk.
Uber continuous AWS monitoring tool and process, how AWS does safe, fast, continuous deployment, tool to auto-delete no longer needed feature flags.
Measuring the effectiveness of your security controls, web security tools and slides, auto-converting between Java/C++/Python and integrating formal methods.
Effectively teaching devs threat modeling, forging and cracking JWTs, and some radical transparency about our process of deciding to accept sponsors.
Using Kubernetes + OPA, Twitter SAST snark & lessons learned, malware discovered on GitHub targeting the open source supply chain.
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
Building a successful career in security and how to specialize, testing OAuth implementations, and a Burp plugin for handling session management.
Game theory applied to finding and disclosing 0days, Kubernetes training labs, rightsize your AWS IAM policies to Terraform.
Set up your own range to practice attacking & detection, detection strategies for compromised cloud creds, intro to Azure AD for red teamers.
Gusto CISO Flee on building a positive security culture, protecting from/attacking with Chrome extensions, pivot through Azure AD.
Use Frida from a Burp extension or web interface, continuous cloud security, fighting misinformation at scale.
How to secure your home WiFi network, Microsoft releases ATT&CK matrix for Kubernetes, free 550+ page book by Googleâs SREs on building secure systems.
Tool for testing GraphQL endpoints, how to run a great bug bounty program, restricting your AWS account with Service Control Policies, hardening Linux.
Some history and overview of fuzzing, preventing/detecting/remediating leaked secrets, static analysis, macOS security, reflections on privacy post COVID-19.
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
Jon Oberheide on Duo, self-healing AWS environments, Googleâs fuzzer benchmarking and CIFuzz, securing Windows & MS accounts at scale.
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
Iâm speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another companyâs security posture.
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
Iâm speaking at AppSec Cali 2020, details on Bezosâs phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
Googleâs BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
Blue teams can become highly leveraged by sharing knowledge effectively, Ringâs partnerships with the police, viewing ransomware through an economic lens.
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! đ
Building an effective vulnerability management process, K8s/AWS tips, network & code scanning tools, privacy preserving VA, and the Siege of Gondor.
Summary of an AppSec Cali 2019 talk on more efficient network penetration tests via clustering similar screenshots, fuzzing tools and articles, Bugcrowd/Bitd...
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
Gustoâs Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
Cloudflareâs CTO on how they think about security, Salesforceâs tool to make IAM least privilege policy generation easier, and finding XSS in Firefoxâs UI us...
Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, Chinaâs censorship power is felt around the world.
Notes from an AppSec Cali 2019 panel, AWS security tools, fuzzing with grammars and Gitlab, and Google P0âs iOS exploit chain discovery.
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.