Global AppSec SF Memories

An excellent keynote by Anna Westelius

Andrew datadog - they track internally whether their blog post or new tool gets called out in tl;dr sec as a metric for if it did well.

Meeting legends like Steve Springett and Simon Bennetts

Quoting specific vim versions, well in vim 8.0 they finally…

Leif recommended I get frosted tips

Someone on my team asking me to hold their drink so they could get another drink before last call

Nathaniel doing all the regexes on stack overflow

When I say inter you say sectionality

Behind These Hazel Eyes

A Woman I didn’t know asking if I had done screen or stage acting because I had “shiny eyes” and a face that “seemed like I was an actor.” Similar to many aspiring actors and actresses in L.A. waiting tables before their big break, security is just my bridge job before my acting career takes off.

Or I’m playing the really long game:

INT. NONDESCRIPT OFFICE BUILDING IN L.A.

A casting director with slightly vacant eyes due to years of the harsh realities of the screen industry sits across from GLINT CLIBLER, a watery eyed hopeful.

DEAD-EYED CASTING AGENT

So it says here you have a graduate degree in Computer Science and you spent over a decade working in Silicon Valley. Why?

GLINT CLIBLER

I’m a method actor. That’s why I think I’d be perfect for “Background Nerd #3.”

Ironically, I did actually play a bootcamp instructor in a random indie TV pilot episode :laugh:

As long time readers will know, security is just cough call me Netflix cough.

I keep making jokes like this because I feel like if I keep throwing it out there, it will happen one day.

After all, as Accel’s Casey Aylward recently advised me, “You just have to put your energy out there and manifest what you want.” #startupadvice #lifehacks

Inexcusable / Unforgiveable

I’ve sent a lot of tough sights in the Bay Area.

People peeing on the streets, a single block with both human and dog poop on the street, people riding an electric unicycle.

But recently I saw something so jarring, so unexpected, it shook me to my core…

Someone bought a Greek frozen yogurt cup with baklava from Souvla and left it on the street to melt. LIKE A MONSTER.

picture from phone about Souvla.

What is the world coming to?

Magoo risk quant Susan dog photo prediction

TODO CUT DO NOT USE!!! ^^

I’m not a ‘grammer…. So I have 4 separate Instagram accounts

Artisanal Receptacles

Lots of people gave positive feedback about the trash cans.

Including multiple people wanting to know which the winners are.

SimpleHuman, though to be honest they’re more expensive than I think a rational person could justify spending on, but I chose the 2 part trash/recycling + compost bin, and then the small cylindrical one for the bathroom.

I’ve included a direct link to their pages in HTML comments on the blog page if you want to find it, but I’m not going to directly link to them inline here.

Call for most ridiculous story or photo from Vegas

Pictures from Susan/stories

Mocha Swolatte | Mocha Swole-atte | Swolcha Latte

A familiar scene: it’s early afternoon on a week day and you’re starting to drag, as you were up late hacking on something cool.

So you work out to get some energy and endorphins flowing.

But you need the right recovery drink after.

You want some energy, something gainz-friendly, and caffeinated. You’re not a coffee aficionado, but you like coffee-flavored things.

Enter my recent creation: the mocha swole-atte.

Microwave some milk to get it piping hot.
Then mix in some ground coffee.
Finally, add 1-2 scoops of chocolate protein powder.

Now you’ve got a chocolate-y mocha latte with low sugar, high protein, caffeine, and it’s nice and warm.

Like mug cakes, the mocha swole-atte will be in the upcoming tl;dr sec cookbook.

r2c

r2c [Finding bugs generically in over 28 languages using Semgrep

by Brandon Wu

Medium](https://medium.com/@brandon_60174/3371b713e338)

[(23) Post

LinkedIn](https://www.linkedin.com/posts/arnav-singh-work_appsecurity-semgrep-sast-activity-7009590238842871808-CHxh/?utm_medium=member_ios)

r2c blog — Shoulda, Woulda…Coulda

(20) Parsia on Twitter: “@jrozner @SecureThisNow @TheParanoids Semgrep in the job description @r2cdev.” / Twitter

Semgrep Office Hours - YouTube

r2c blog — Introducing DeepSemgrep

r2c blog — Semgrep’s May 2022 updates: Introducing DeepSemgrep, plus new Playground, and self managed GitHub + GitLab support!

Lightning Talks - Day 2 PM - YouTube - Bence supersemgrep

r2c blog — Tips and tricks for writing fixes

(14) Shreya Pohekar on Twitter: “@beingsheerazali and I will be speaking on “Raining CVEs on wordpress plugins with Semgrep” at @nullcon 🤩🤩. Very much excited for this talk😀 https://t.co/8kgWkPTXQT” / Twitter

(14) Sheeraz Ali on Twitter: “@shreyapohekar and I will be speaking on “Raining CVEs on wordpress plugins with Semgrep” at @nullcon 🤩🤩. Very much excited for this talk. #security https://t.co/mb2BdbPQ6u” / Twitter

(14) NULLCON on Twitter: “👩‍💻Developer Track Alert! 👾Shreya & Sheeraz will present their research on finding WordPress plugin #vulnerabilities like SQLi, XSS & LFI in bulk by using an open-source tool Semgrep 💡Find out more➡️https://t.co/dA2kJf8xkf #NullconGoa2022 #infosec #developers #cybersecurity https://t.co/XCpWAGHPjx” / Twitter

(33) d0nut on Twitter: “If you haven’t tried Semgrep out yet you really need to. Also really deep dive with it. Despite some of its rougher edges, it’s an insanely powerful code exploration tool. Just found something that would’ve taken me a day or two to chase down in two minutes.” / Twitter

(21) Kumar Ashwin 🍥 on Twitter: “Super cool talk by @shreyapohekar and @beingsheerazali 🚀 on Semgrep and how it helped in getting lots of CVEs 😉 in @nullcon 🎉🎉🎉 https://t.co/c8kfzkuHwJ” / Twitter

(22) Sheeraz Ali on Twitter: “So as promised the slides for our talk “Raining CVEs on WordPress plugins with Semgrep” that @shreyapohekar and I presented at @nullcon can be found below. We welcome any questions you might have. #NullconGoa2022 #Nullcon https://t.co/hMmz91Ogyd” / Twitter

https://sheerazali.com/raining-cves-on-wordpress-plugins-using-semgrep-slide-deck

48 CVEs

I was chatting with my bud David Scrobonia recently, and he gave me some really interesting feedback on how he used tl;dr sec and what might make it more useful.

If you’d be done to have a quick chat, I’d love to ask you a few informal questions about tl;dr sec.

We can also chat about security in general, cool stuff your company is working on or you want to brainstorm about, or just to hear another human being breathing, an act of defiance against this cold, cruel world.

Email me directly and we’ll find a time.

Job Openings

I know now is a tough time for a lot of people– many great security professionals are looking for their next role, by choice or not.

Here are a couple of openings people have told me about:

Head of Product Security for two medium-sized companies
A “Security Architect” for a medium-sized company
A Principal+ “lead IC for all of InfoSec. Design, direction, vision, IC SME for all sub-teams with a focus on AppSec” at a medium-sized company
A senior AppSec engineer at a medium-sized company, an AppSec engineer at a small company
SOC/IR and ProdSec roles at Moonpig (London) - TODO job link from Tash
https://jobs.hiretual.com/hiretual/security-architect-enterprise-data-and-service-integration-mountain-view-ca-us-dOOaGnaR
an experienced consulting senior manager/director to lead research, methodologies, and consultant management. If you have anybody you recommend in the 8 to 15yrs - include security

If these sound interestingt to you, I’m happy to make an intro, send me a link to your LinkedIn and attach your resume. Best of luck out there my friends, you got this!

Also, feel free to email me a link to a job description at your company.