AppSec

Why NOT To Pin TLS Certificates | Tanner Prynn TODO

[What’s the right UX for an expired certificate? Emily M. Stark](https://emilymstark.com/2023/01/16/whats-the-right-ux-for-an-expired-certificate.html)

On the left, on the right and wiggle in the middle

The 6 Fundamental Forces of Information Security Risk

Cheat Engine: Introduction (tutorial 1-4) - Game Hacking Series - YouTube

Force 1: Information wants to be Free

#NahamCon2022EU: Command-Line Data-Wrangling by Tomnomnom - YouTube

emtunc/SlackPirate: Slack Enumeration and Extraction Tool - extract sensitive information from a Slack Workspace Mikail Tunç

FAST, CHEAP, GOOD: LIGHTWEIGHT METHODS ARE UNDERVALUED

Ceremonial Security and Cargo Cults

[Exploiting Application Logic to Phish Internal Mailing Lists by Tanner Jan, 2023 Medium](https://medium.com/@cachemoney/exploiting-application-logic-to-phish-internal-mailing-lists-486b94fc2ef1)

Praetorian ‘open-sources’ its Nosey Parker secret scanning tool | SC Media
Praetorian Open Sources Regular Expression-Based Scanning Capabilities
Meet Nosey Parker - An Artificial Intelligence Based Scanner That Sniffs Out Secrets - Praetorian
Mining for Secrets: Repos, firmware, and more - Black Hat Europe 2022 | Arsenal Schedule
praetorian-inc/noseyparker: Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history.
Six Months of Finding Secrets with Nosey Parker - Praetorian

SLNT MISSION TV on Twitter: “Just streamed Semgrep rule writing 101 for the Crystal/Marten web framework. I cover going from playground rule writing to using the tool to find issues in a codebase. Also created a CLI and web server on Replit, check it out! https://t.co/uQleb6YVnN” / Twitter

[Security Drone: Scaling Continuous Security at Revolut by Krzysztof Pranczk Revolut Tech Jan, 2023 Medium](https://medium.com/revolut/security-drone-scaling-continuous-security-at-revolut-862bcd55956e)

In the future, can you have your appsec cake and eat it as well ?

[How we’re creating a threat model framework that works for GitLab GitLab](https://about.gitlab.com/blog/2021/07/09/creating-a-threat-model-that-works-for-gitlab/)
[CISA’s Take on Vulnerability Prioritization and Management by Chris Hughes Nov, 2022 Medium](https://medium.com/@chris.hughes_11070/cisas-take-on-vulnerability-prioritization-and-management-766089d8b535)

yeswehack/vulnerable-code-snippets: Twitter vulnerable snippets

[The immutable laws of security Microsoft Learn](https://learn.microsoft.com/en-us/security/compass/ten-laws-of-security)
[Expanding on UUIDv1 Security Issues by Chaim Sanders Oct, 2022 ITNEXT](https://itnext.io/expanding-on-uuidv1-security-issues-751a02460f81)

Exploit Prediction Scoring System (EPSS) - Tributary Chris Hughes

This one covers the Exploit Prediction Scoring System (EPSS), which is emerging to complement (and in some organizations partly replace) CVSS as they mature their vulnerability management practices: where CVSS rates severity, EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days, so the two answer different questions. It is maintained by FIRST, the same group that runs CVSS.
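An added example (mine, not code from FIRST or from the linked post) showing why the distinction matters: the same backlog ranked by CVSS alone and then with EPSS folded in. It assumes the layout of the public EPSS CSV export (a `#` metadata line, then `cve,epss,percentile`); every CVE id, score, CVSS value and threshold below is constructed for illustration.

```python
"""Prioritise CVEs with EPSS alongside CVSS.

Added example for this page; not code from FIRST or from any linked post.
The CSV layout (a '#' metadata line, then cve,epss,percentile) follows the
public EPSS export, but every CVE id, score and CVSS value is constructed.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass

# Constructed sample in the layout of the EPSS CSV download (not real scores).
EPSS_CSV = """\
#model_version:v2023.03.01,score_date:2023-02-01T00:00:00+0000
cve,epss,percentile
CVE-2023-00001,0.00042,0.10000
CVE-2023-00002,0.97500,0.99900
CVE-2023-00003,0.01200,0.80000
CVE-2023-00004,0.00090,0.35000
"""

# Constructed CVSS v3 base scores for the same ids (normally from NVD or a scanner).
CVSS_BASE = {
    "CVE-2023-00001": 9.8,
    "CVE-2023-00002": 7.5,
    "CVE-2023-00003": 8.1,
    "CVE-2023-00004": 5.3,
}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    epss: float        # probability of exploitation in the next 30 days
    percentile: float  # rank of that probability among all scored CVEs


def parse_epss(text: str) -> dict[str, tuple[float, float]]:
    """Return {cve: (epss, percentile)}, skipping the '#' metadata line."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in csv.DictReader(lines)}


def load_findings(epss_csv: str = EPSS_CSV,
                  cvss: dict[str, float] = CVSS_BASE) -> list[Finding]:
    """Join EPSS scores onto the CVEs we hold CVSS scores for (missing => 0.0)."""
    scores = parse_epss(epss_csv)
    return [Finding(cve, base, *scores.get(cve, (0.0, 0.0)))
            for cve, base in cvss.items()]


def tier(f: Finding, epss_threshold: float = 0.1, cvss_threshold: float = 7.0) -> str:
    """Bucket a finding. The thresholds are illustrative policy choices, not EPSS guidance."""
    if f.epss >= epss_threshold:
        return "act"       # exploitation is likely; severity alone should not delay it
    if f.cvss >= cvss_threshold:
        return "schedule"  # severe if exploited, but nothing suggests it is being exploited
    return "defer"


def rank_by_cvss(findings: list[Finding]) -> list[str]:
    """The CVSS-only order most scanners present by default."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


def rank_by_epss(findings: list[Finding]) -> list[str]:
    """Tier first, then likelihood, then severity as the tie-breaker."""
    order = {"act": 0, "schedule": 1, "defer": 2}
    return [f.cve for f in sorted(findings,
                                  key=lambda f: (order[tier(f)], -f.epss, -f.cvss))]


if __name__ == "__main__":
    fs = load_findings()
    print("CVSS only :", rank_by_cvss(fs))
    print("EPSS-aware:", rank_by_epss(fs))
    for f in fs:
        print(f"{f.cve}  cvss={f.cvss:<4} epss={f.epss:.4f}  -> {tier(f)}")
```

The CVSS-only list leads with the 9.8, which has an EPSS of 0.04%; the EPSS-aware list leads with the 7.5 that is almost certainly being exploited. The point of the thresholds is that they are a policy your team sets (and revisits), not something either scoring system hands you.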

What I Learned About Information Security From Academia

The AppSec letter bomb problem

DEF CON 30 - Eugene Lim- You Have 1 New Appwntment - Hacking Proprietary iCalendar Properties - YouTube

The mindset shift from security to trust & safety

[Why we use Terraform and not Chef, Puppet, Ansible, Pulumi, or CloudFormation by Yevgeniy Brikman Gruntwork](https://blog.gruntwork.io/why-we-use-terraform-and-not-chef-puppet-ansible-saltstack-or-cloudformation-7989dad2865c)

How We Use Terraform At Slack - Slack Engineering

Terraform Gains Visibility, Self-Service, and Compliance Upgrades

Sherrod DeGrippo 📬 on Twitter: “A lot of talk about threat modeling lately. Let me give you some idea of why I hate it and think threat modeling is bullshit. I’ll also tell you what I think is better. I’m going to use $BIGCO as my example. Here’s a long thread. #infosec #blueteam #malware #skincare 🔜🧵” / Twitter

Lari Huttunen 🇫🇮 🌻 🇺🇦 on Twitter: “1/ This time, my write-up on Public Exposure focuses on #WordPress releases and is filled with famous Jazz cats and #vulnerabilities. https://t.co/mM5xRhFfra https://t.co/L1OWW7pQGJ” / Twitter

Federico Maggi on Twitter: “Given that Intel Alder Lake related code has been (allegedly) leaked, I thought it may be useful to have some simple @semgrep patterns ready to support manual code review. 🤯 Take them with grain of salt! https://t.co/iE5LJVaPnw Largely inspired by @binarly_io FwHunt Scanner.” / Twitter TODO

r2c blog — Fully loaded: testing vulnerable PyYAML versions TODO

Comparing Semgrep and CodeQL · Doyensec’s Blog TODO

akabe1/akabe1-semgrep-rules: My collection of Semgrep rules for vulnerability detection on source code (swift, java)

mrnfrancesco/GreedyForSQLi: Research showing how to write SemGrep rules to find SQL injection in WordPress plugins that use AJAX actions

Francesco Marano on Twitter: “After presenting it at #ComeToCode and #LinuxDay, all the details on how we found 71 SQL Injection on 13 #Wordpress plugins is now open source! GitHub repository: https://t.co/gpU83qixr3 #opensource #sqlinjection #sqli #cve #codereview #semgrep #cybersecurity #vulnerability https://t.co/Lb39HkzacE” / Twitter

logto-io/logto: 🧑‍🚀 Logto helps you build the sign-in, auth, and user identity within minutes. We provide an OIDC-based identity service and the end-user experience with username, phone number, email, and social sign-in, for web and native apps.

Google & Apache Found Vulnerable to GitHub Environment Injection

Introducing OpenCRE - Spyros Gasteratos - YouTube

Crucial Questions from Governments and Regulators

Born-left security: The new approach taking over shift-left | LeadDev TODO Adam Berman, Bain “you merely adopted shift left, I was born into it” meme

GF - Climbing the Production Mountain: Practical CI/CD Attacks Using CI/CD Goat - YouTube

Crucial Questions from CISOs and Security Teams

Security Roadmap, Strategies and Challenges — My Learnings - Part-1 » Whiskey Tango Foxtrot https://twitter.com/avicoder - from Twitter DM

[DORA 2022 Accelerate State of DevOps Report now out Google Cloud Blog](https://cloud.google.com/blog/products/devops-sre/dora-2022-accelerate-state-of-devops-report-now-out)

Why SCA for Security is Really Hard TODO

r2c blog — Need for speed: static analysis version Brandon Wu

Product Security Roadmap
TODO

Crucial Questions from CIOs and CTOs

Process injection: breaking all macOS security layers with a single vulnerability · Sector 7

Kelley Mak on Twitter: “The most challenging part of security isn’t convincing people they need it, but providing actionable guidance on how to be secure To do that, everyone, not only the security team, needs context and data about how to make the right decisions. Security teams can help 1/” / Twitter

  • https://www.work-bench.com/post/security-dashboards-for-everyone-else

Load external data into OPA: The Good, The Bad, and The Ugly - DEV Community

Permify/permify: Permify is an open-source authorization service & policy engine based on Google Zanzibar. We have built an open-source authorization service & policy engine based on Google Zanzibar https://twitter.com/firatcand TODO

[Introducing Entitlements: GitHub’s open source Identity and Access Management solution The GitHub Blog](https://github.blog/2022-06-09-introducing-entitlements-githubs-open-source-identity-and-access-management-solution/)

Minimum Viable Secure Product

  • Maybe already included in tl;dr sec

Jason Chan - Building a Glass House - YouTube

[Security Model - Terraform Cloud Terraform by HashiCorp](https://www.terraform.io/cloud-docs/architectural-details/security-model)

open-policy-agent/setup-opa: Sets up Open Policy Agent CLI in your GitHub Actions workflow.

[Why You Should Avoid Sealed Secrets in Your GitOps Deployment by Denilson N. Better Programming](https://betterprogramming.pub/why-you-should-avoid-sealed-secrets-in-your-gitops-deployment-e50131d360dd)

Product Security Roadmap

Crucial Questions from CEOs and Boards

Foundations

I ended up baking it into “the book” https://scrty.io/foundations which has already been published. The “What does a security team do” section is new, and mostly clarifies how decision making happens to a newcomer. TODO

Thinkstscapes 2022.Q2 TODO

Ryan Naraine on Twitter: “Meta (Facebook) has a paper out describing its core security principles - https://t.co/LMnzqgXEs2 <- direct PDF https://t.co/RYfPrezBit” / Twitter

Lure attackers with ggcanary, the GitGuardian Canary Tokens

TODO Venables security metrics

How do JavaScript frameworks impact the security of applications? - Ksenia Peguero - YouTube

Belenux Relive the conference

It’s impossible to find every vulnerability, so we don’t try to

[Insights from Hashicorp: Securing the software they ship GitHub InFocus · Virtual 2022· Starting April 26](https://infocus.github.com/sessions/insights-from-hashicorp-securing-the-software-they-ship/)

We5ter/Scanners-Box: A powerful and open-source toolkit for hackers and security automation - a collection of open-source scanners built by practitioners in the security industry

[Shipping multi-tenant SaaS using Postgres Row-Level Security Nile](https://www.thenile.dev/blog/multi-tenant-rls)

Snowflake on Twitter: “Learn from Devdatta Akhawe and Max Burkhardt how the #DataCloud and security tools such as @runpanther, have enabled them to build a unique security program to protect the ideas, designs & plans of orgs around the world ⤵ https://t.co/yBtG4dIk0r #CyberSecurity cc @Figma” / Twitter

harmj0y (@Will Schroeder) Tweeted: Hey, do you like tokens? Have you always wanted to “harvest” tokens for offensive purposes? If so check out my new post https://t.co/5Tr9UxYuh1 where I show I can (finally) write a technical post without memes, and then check out the Koh toolset at https://t.co/l77vlPDQrj https://twitter.com/harmj0y/status/1545108510047969282?s=27&t=oufcsDOeziBdjrRK_ZG2Qw TODO

[Arbitrary File Upload Tricks In Java ](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/?utm_medium=email&utm_campaign=bug_bytes_173_jdbc_attacks_reloaded_rce_via_email_benchmarking_port_scanners&utm_term=2022-06-08)
[Security Code Audit - For Fun and Fails Frycos Security Diary](https://frycos.github.io/vulns4free/2022/05/24/security-code-audit-fails.html?utm_medium=email&utm_campaign=bug_bytes_171_new_android_web_views_attacks_arbitrary_file_theft_on_android_scanning_for_pii_in_images&utm_term=2022-05-25)
[Command Injection in the GitHub Pages Build Pipeline Blog by Joren Vrancken](https://blog.nietaanraken.nl/posts/github-pages-command-injection/)

TODO: checklist tool/blog from Julian Berton

  • Also add to BSidesSF slides

  • https://medium.com/@knownsec404team/java-deserialization-tool-gadgetinspector-first-glimpse-74e99e493649
  • https://know.bishopfox.com/research/gadgetprobe

The State of the State of Application Exploits in Security Incidents From Ryan Naraine’s list: This study is an attempt to stitch together a more complete view of the application security elephant. We examine published industry reports from multiple sources to develop a better understanding of the frequency and role of application exploits in security incidents. Along the way, we’ll demonstrate the challenges of multi-source analysis and offer recommendations on how research producers can make it easier for those who want to piece together the bigger picture.

Just 2.6% of 2019’s 18,000 tracked vulnerabilities were actively exploited in the wild • The Register

[Language Agnostic Security Code Review flawed.net.nz](https://flawed.net.nz/2021/02/11/Language-Agnostic-Code-Review/)

Spreading security across the SDLC (with semgrep and other tools) - YouTube

  • Referenced by RSA slides *
  • You can’t just copy what a FAANG company is doing - they have a whole ecosystem of internal tools, culture, processes, and other things that affect what they do and how they do it.

mario-platt/ASVS-Agile-Delivery-Guide
By Mario Platt

Measuring Security: An OWASP Panel
Measuring security is important, but it can be hard in practice and unintuitive, or at least non-obvious, in a number of ways. Which is why I was so excited to read Tad Whitaker’s excellent (and funny) summary of a Bay Area OWASP meet-up panel he moderated on measuring security metrics (video), consisting of a solid crew of Charles Nwatu, Rich Seiersen (co-author of “How To Measure Anything In Cybersecurity Risk”), and Caroline Wong. I liked Tad’s post so much that I pulled out some of the key points I wanted to make sure to remember into this mini post.

https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/#use-the-tool

https://twitter.com/philvenables/status/1317798256315932673

Cybersecurity Budget Benchmarks are a Waste of Time

  • Budget is an input not an outcome. Security needs to be centered on outcomes.

  • No taxonomy of comparison - not comparing apples to apples.

  • Misaligned incentives. Good security reduces unit cost.

HackerOne_HPSR_2020 pdf from Marten

TODO: Chris Schneider tool, threagile, listo tool

Security along the Container-based SDLC by Chilcano

SSDLC

Also, it’s interesting how there seems to be general industry consensus on what sort of security checks and processes you should do at which points in the SDLC, though they’re sometimes portrayed differently visually. Here’s another I saw on Denis Yakimov’s DevSecOps: Principles and Comparison of SCA post:

DevOps Pipeline Diagram

https://www.ironshare.co.uk/security-guidance/cyber-basics-identify-assess-your-risks/

C4 threat modelling this website

Another one you might be interested in, from a colleague of mine, who combines C4 architecture, STRIDE and LINDDUN, and introduces the concepts of Trust:Value ratio and Aggregated Risks for threat modeling -> https://daniel.spilsbury.io/2020/04/29/c4-threat-model.html - something we do internally here. https://daniel.spilsbury.io/2020/04/29/c4-modelling.html H/T @HazanaSec

https://c4model.com/ - Context, Containers, Components and Code

https://www.linkedin.com/feed/update/urn:li:activity:6666110076333494272/

https://github.com/s0md3v/hardcodes

TODO Julian Berton blog post / tool

  • Also reference goSDL talk
  • Potentially create threat-modeling blog post with talks/tools, don’t worry about having things perfect
  • https://medium.com/seek-blog/listo-failing-safely-with-checklists-and-rfc-s-d14b6fa34b2f
  • https://github.com/seek-oss/listo

7 years at Mozilla
I met Julien Vehent when we were both speaking at DevSecCon Seattle 2019, and he quickly became one of my favorite people whose work I follow in building a modern AppSec program, security automation, etc.

[Building well-architected serverless applications: Managing application security boundaries – part 1 AWS Compute Blog](https://aws.amazon.com/blogs/compute/building-well-architected-serverless-applications-managing-application-security-boundaries-part-1/)
[Serverless Land Resources for learning about AWS serverless technology](https://serverlessland.com/)

AWS Access Analyzer Policy Checks Explained
K9 Security’s Stephen Kuenzli

https://twitter.com/bjohnso5y/status/1371959538488803331 Authoring secure and functional policies just got a lot easier with over 100 policy checks from Access Analyzer. Here is why this launch 🚀is a game changer (1/12)

https://twitter.com/zoph/status/1373931891989041152?s=20 Following the release of AWS Access Analyzer - Policy Validation. I wanted to follow the principle of “Eating your own dog food”. So, I’ve analyzed all 837 AWS Managed Policies provided by AWS themselves.

https://aws.amazon.com/blogs/aws/iam-access-analyzer-update-policy-validation/

TODO

ScaleSec/terraform_aws_scp: AWS Organizations Service Control Policies (SCPs) written in HashiCorp Terraform.
ScaleSec/project_lockdown: GCP Auto Remediation Suite for High Risk Events
ScaleSec/gcp_threat_detection_auto_remediation: This repo contains all you need to begin automating Event Threat Detection findings.
Automate Security on GCP with Event Threat Detection | ScaleSec
https://darkbit.io/blog/announcing-opencspm

[Indeni Cloudrail Case Study: Eating Dogfood and Enjoying it Indeni](https://indeni.com/blog/indeni-cloudrail-case-study-eating-dogfood-and-enjoying-it/)

Building a Data-driven AppSec Programme with Kiln

BSidesLeeds talk Dan Murphy

https://github.com/simplybusiness/Kiln