AppSec
Why NOT To Pin TLS Certificates | Tanner Prynn TODO
[What’s the right UX for an expired certificate? | Emily M. Stark](https://emilymstark.com/2023/01/16/whats-the-right-ux-for-an-expired-certificate.html)
On the left, on the right and wiggle in the middle
The 6 Fundamental Forces of Information Security Risk
Cheat Engine: Introduction (tutorial 1-4) - Game Hacking Series - YouTube
Force 1: Information wants to be Free
#NahamCon2022EU: Command-Line Data-Wrangling by Tomnomnom - YouTube
emtunc/SlackPirate: Slack Enumeration and Extraction Tool - extract sensitive information from a Slack Workspace Mikail Tunç
FAST, CHEAP, GOOD: LIGHTWEIGHT METHODS ARE UNDERVALUED
Ceremonial Security and Cargo Cults
[Exploiting Application Logic to Phish Internal Mailing Lists | by Tanner | Jan, 2023 | Medium](https://medium.com/@cachemoney/exploiting-application-logic-to-phish-internal-mailing-lists-486b94fc2ef1)
Praetorian ‘open-sources’ its Nosey Parker secret scanning tool | SC Media
Praetorian Open Sources Regular Expression-Based Scanning Capabilities
Meet Nosey Parker - An Artificial Intelligence Based Scanner That Sniffs Out Secrets - Praetorian
Mining for Secrets: Repos, firmware, and more - Black Hat Europe 2022 | Arsenal Schedule
praetorian-inc/noseyparker: Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history.
Six Months of Finding Secrets with Nosey Parker - Praetorian
[Security Drone: Scaling Continuous Security at Revolut | by Krzysztof Pranczk | Revolut Tech | Jan, 2023 | Medium](https://medium.com/revolut/security-drone-scaling-continuous-security-at-revolut-862bcd55956e)
In the future, can you have your appsec cake and eat it as well ?
[How we’re creating a threat model framework that works for GitLab | GitLab](https://about.gitlab.com/blog/2021/07/09/creating-a-threat-model-that-works-for-gitlab/)
[CISA’s Take on Vulnerability Prioritization and Management | by Chris Hughes | Nov, 2022 | Medium](https://medium.com/@chris.hughes_11070/cisas-take-on-vulnerability-prioritization-and-management-766089d8b535)
yeswehack/vulnerable-code-snippets: Twitter vulnerable snippets
[The immutable laws of security | Microsoft Learn](https://learn.microsoft.com/en-us/security/compass/ten-laws-of-security)
[Expanding on UUIDv1 Security Issues | by Chaim Sanders | Oct, 2022 | ITNEXT](https://itnext.io/expanding-on-uuidv1-security-issues-751a02460f81)
Exploit Prediction Scoring System (EPSS) - Tributary Chris Hughes
This one covers the Exploit Prediction Scoring System (EPSS), which is emerging to replace or complement CVSS in organizations maturing their Vulnerability Management practices. It is run by the same group that runs CVSS (FIRST).
What I Learned About Information Security From Academia
The AppSec letter bomb problem
The mindset shift from security to trust & safety
[Why we use Terraform and not Chef, Puppet, Ansible, Pulumi, or CloudFormation | by Yevgeniy Brikman | Gruntwork](https://blog.gruntwork.io/why-we-use-terraform-and-not-chef-puppet-ansible-saltstack-or-cloudformation-7989dad2865c)
How We Use Terraform At Slack - Slack Engineering
Terraform Gains Visibility, Self-Service, and Compliance Upgrades
r2c blog — Fully loaded: testing vulnerable PyYAML versions TODO
Comparing Semgrep and CodeQL · Doyensec’s Blog TODO
Google & Apache Found Vulnerable to GitHub Environment Injection
Introducing OpenCRE - Spyros Gasteratos - YouTube
Crucial Questions from Governments and Regulators
Born-left security: The new approach taking over shift-left | LeadDev TODO Adam Berman, Bain “you merely adopted shift left, I was born into it” meme
GF - Climbing the Production Mountain: Practical CI/CD Attacks Using CI/CD Goat - YouTube
Crucial Questions from CISOs and Security Teams
Security Roadmap, Strategies and Challenges — My Learnings - Part-1 » Whiskey Tango Foxtrot https://twitter.com/avicoder - from Twitter DM
[DORA 2022 Accelerate State of DevOps Report now out | Google Cloud Blog](https://cloud.google.com/blog/products/devops-sre/dora-2022-accelerate-state-of-devops-report-now-out)
Why SCA for Security is Really Hard TODO
r2c blog — Need for speed: static analysis version Brandon Wu
Crucial Questions from CIOs and CTOs
Process injection: breaking all macOS security layers with a single vulnerability · Sector 7
- https://www.work-bench.com/post/security-dashboards-for-everyone-else
Load external data into OPA: The Good, The Bad, and The Ugly - DEV Community
Permify/permify: Permify is an open-source authorization service & policy engine based on Google Zanzibar.
We have built an open-source authorization service & policy engine based on Google Zanzibar https://twitter.com/firatcand TODO
[Introducing Entitlements: GitHub’s open source Identity and Access Management solution | The GitHub Blog](https://github.blog/2022-06-09-introducing-entitlements-githubs-open-source-identity-and-access-management-solution/)
- Maybe already included in tl;dr sec
Jason Chan - Building a Glass House - YouTube
[Security Model - Terraform Cloud | Terraform by HashiCorp](https://www.terraform.io/cloud-docs/architectural-details/security-model)
open-policy-agent/setup-opa: Sets up Open Policy Agent CLI in your GitHub Actions workflow.
[Why You Should Avoid Sealed Secrets in Your GitOps Deployment | by Denilson N. | Better Programming](https://betterprogramming.pub/why-you-should-avoid-sealed-secrets-in-your-gitops-deployment-e50131d360dd)
Crucial Questions from CEOs and Boards
I ended up baking it into “the book” https://scrty.io/foundations which has already been published. The “What does a security team do” section is new, and mostly clarifies how decision making happens to a newcomer. TODO
Lure attackers with ggcanary, the GitGuardian Canary Tokens
TODO Venables security metrics
How do JavaScript frameworks impact the security of applications? - Ksenia Peguero - YouTube
It’s impossible to find every vulnerability, so we don’t try to
[Insights from Hashicorp: Securing the software they ship | GitHub InFocus · Virtual 2022 · Starting April 26](https://infocus.github.com/sessions/insights-from-hashicorp-securing-the-software-they-ship/)
[Shipping multi-tenant SaaS using Postgres Row-Level Security | Nile](https://www.thenile.dev/blog/multi-tenant-rls)
harmj0y (@Will Schroeder) Tweeted: Hey, do you like tokens? Have you always wanted to “harvest” tokens for offensive purposes? If so check out my new post https://t.co/5Tr9UxYuh1 where I show I can (finally) write a technical post without memes, and then check out the Koh toolset at https://t.co/l77vlPDQrj https://twitter.com/harmj0y/status/1545108510047969282?s=27&t=oufcsDOeziBdjrRK_ZG2Qw TODO
[Arbitrary File Upload Tricks In Java](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/?utm_medium=email&utm_campaign=bug_bytes_173_jdbc_attacks_reloaded_rce_via_email_benchmarking_port_scanners&utm_term=2022-06-08)
[Security Code Audit - For Fun and Fails | Frycos Security Diary](https://frycos.github.io/vulns4free/2022/05/24/security-code-audit-fails.html?utm_medium=email&utm_campaign=bug_bytes_171_new_android_web_views_attacks_arbitrary_file_theft_on_android_scanning_for_pii_in_images&utm_term=2022-05-25)
[Command Injection in the GitHub Pages Build Pipeline | Blog by Joren Vrancken](https://blog.nietaanraken.nl/posts/github-pages-command-injection/)
TODO: checklist tool/blog from Julian Berton
Also add to BSidesSF slides
- https://medium.com/@knownsec404team/java-deserialization-tool-gadgetinspector-first-glimpse-74e99e493649
- https://know.bishopfox.com/research/gadgetprobe
The State of the State of Application Exploits in Security Incidents
From Ryan Naraine’s list: This study is an attempt to stitch together a more complete view of the application security elephant. We examine published industry reports from multiple sources to develop a better understanding of the frequency and role of application exploits in security incidents. Along the way, we’ll demonstrate the challenges of multi-source analysis and offer recommendations on how research producers can make it easier for those who want to piece together the bigger picture.
[Language Agnostic Security Code Review | flawed.net.nz](https://flawed.net.nz/2021/02/11/Language-Agnostic-Code-Review/)
Spreading security across the SDLC (with semgrep and other tools) - YouTube
- Referenced by RSA slides *
- You can’t just copy what a FAANG company is doing - they have a whole ecosystem of internal tools, culture, processes, and other things that affect what they do and how they do it.
mario-platt/ASVS-Agile-Delivery-Guide
By Mario Platt
Measuring Security: An OWASP Panel
Measuring security is important, but it can be hard in practice and unintuitive, or at least non-obvious, in a number of ways, which is why I was so excited to read Tad Whitaker’s excellent (and funny) summary of a Bay Area OWASP meet-up panel he moderated on measuring security metrics (video), consisting of a solid crew of Charles Nwatu, Rich Seiersen (co-author of “How To Measure Anything In Cybersecurity Risk”), and Caroline Wong. I liked Tad’s post so much that I pulled out some of the key points I wanted to make sure to remember into this mini post.
https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/#use-the-tool
https://twitter.com/philvenables/status/1317798256315932673
Cybersecurity Budget Benchmarks are a Waste of Time
Budget is an input, not an outcome. Security needs to be centered on outcomes.
No taxonomy of comparison - not comparing apples to apples.
Misaligned incentives. Good security reduces unit cost.
HackerOne_HPSR_2020 pdf from Marten
TODO: Chris Schneider tool, threagile, listo tool
Security along the Container-based SDLC by Chilcano

Also, it’s interesting how there seems to be general industry consensus on what sort of security checks and processes you should do at which points in the SDLC, though they’re sometimes portrayed differently visually. Here’s another I saw on Denis Yakimov’s DevSecOps: Principles and Comparison of SCA post:

https://www.ironshare.co.uk/security-guidance/cyber-basics-identify-assess-your-risks/
C4 threat modelling this website
Another one you might be interested in, from a colleague of mine, who combines C4 architecture, STRIDE and LINDDUN, and introduces the concepts of Trust:Value ratio and Aggregated Risks for threat modeling -> https://daniel.spilsbury.io/2020/04/29/c4-threat-model.html - something we do internally here. https://daniel.spilsbury.io/2020/04/29/c4-modelling.html H/T @HazanaSec
https://c4model.com/ - Context, Containers, Components and Code
https://www.linkedin.com/feed/update/urn:li:activity:6666110076333494272/
https://github.com/s0md3v/hardcodes
TODO Julian Berton blog post / tool
- Also reference goSDL talk
- Potentially create threat-modeling blog post with talks/tools, don’t worry about having things perfect - https://medium.com/seek-blog/listo-failing-safely-with-checklists-and-rfc-s-d14b6fa34b2f
- https://github.com/seek-oss/listo
7 years at Mozilla
I met Julien Vehent when we were both speaking at DevSecCon Seattle 2019, and he quickly became one of my favorite people whose work I follow in building a modern AppSec program, security automation, etc.
[Building well-architected serverless applications: Managing application security boundaries – part 1 | AWS Compute Blog](https://aws.amazon.com/blogs/compute/building-well-architected-serverless-applications-managing-application-security-boundaries-part-1/)
[Serverless Land | Resources for learning about AWS serverless technology](https://serverlessland.com/)
AWS Access Analyzer Policy Checks Explained
K9 Security’s Stephen Kuenzli
https://twitter.com/bjohnso5y/status/1371959538488803331 Authoring secure and functional policies just got a lot easier with over 100 policy checks from Access Analyzer. Here is why this launch 🚀is a game changer (1/12)
https://twitter.com/zoph/status/1373931891989041152?s=20 Following the release of AWS Access Analyzer - Policy Validation. I wanted to follow the principle of “Eating your own dog food”. So, I’ve analyzed all 837 AWS Managed Policies provided by AWS themself.
https://aws.amazon.com/blogs/aws/iam-access-analyzer-update-policy-validation/
TODO
ScaleSec/terraform_aws_scp: AWS Organizations Service Control Policies (SCPs) written in HashiCorp Terraform.
ScaleSec/project_lockdown: GCP Auto Remediation Suite for High Risk Events
ScaleSec/gcp_threat_detection_auto_remediation: This repo contains all you need to begin automating Event Threat Detection findings.
Automate Security on GCP with Event Threat Detection | ScaleSec
https://darkbit.io/blog/announcing-opencspm
[Indeni Cloudrail Case Study: Eating Dogfood and Enjoying it | Indeni](https://indeni.com/blog/indeni-cloudrail-case-study-eating-dogfood-and-enjoying-it/)
Building a Data-driven AppSec Programme with Kiln
https://github.com/simplybusiness/Kiln