[tl;dr sec] #172 - Career Resources, Machine Learning, Jim Manico Webinar
Certs and getting into security, reinforcement learning for security, join Jim's and my webinar on broken access control.
I hope you’ve been doing well!
Into the Woods
Outside: it’s pitch black and silent except for the steady patter of the rain.
Inside: a cacophony. A series of serial snorers creating a snorechestra surrounding me.
I blearily look at my phone: 3am. I pick up my blanket and pillow, and trudge through the rain to the common room where I attempt to sleep on the couch in front of the fire until I’m joined by early morning coffee drinkers at 7am.
And that was literally my first night at r2c’s offsite this week, which has been a blast 😀
We’ve flown in people from all over the U.S., UK, Italy, France, Philippines, and more to bond in the woods with basically no WiFi. We’ve relaxed, planned, and done activities like archery, lock picking, capture the flag, and getting choked out in Brazilian Jiu-Jitsu.
If this sounds fun, we’re hiring, including on my Security Research team (JD to be posted soon, email clint AT r2c.dev if you’re interested).
Webinar with Jim Manico: Broken Access Control
Jim and I will walk through some access control best practices and how to continuously check for access control bugs and prevent them from entering in CI.
Hope to see you there next Wednesday March 15, 10am PT.
📢 Drata’s Compliance Trends Report 2023
Companies are spending an average of 4,300 hours on compliance per year, and many of them see compliance as a burden. But 3 in 4 companies who shift from point-in-time to continuous compliance report benefits beyond audit readiness including shortened sales cycles.
Get more insights on the shift to continuous compliance from Drata's 2023 Compliance Trends Report.
📜 In this newsletter...
AppSec: Navigating the Sandbox Buffet, DevSecOps Roadmap, secrets finder tool
Cloud Security: The benefits of a customer-centric cloud security mindset, Five Things You Need to Know About Malware on Storage Buckets, Operation leveraging Terraform, Kubernetes, and AWS for data theft
Container Security: Temporary policy exceptions in Kubernetes with Kyverno
Blue Team: CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks, Best Practices For Securing Your Home Network
Politics / Privacy: Deconstructing the National Cybersecurity Strategy, Ransomware as a service: Understanding the cybercrime gig economy
Machine Learning: Last Week Tonight on AI, companies trying to keep up with ChatGPT, awesome reinforcement learning for security, An ML Framework for Alert Prioritization, CoPilot Thoughts After 6 Months
Misc: All Timelines, Neal Stephenson AMA, Big Tech job-switching stats, Popular education in Sweden
Career: Dropbox Engineering Career Framework, So want to be a SOC Analyst?, Creating a cert plan, Demystifying Security Research, The InfoSec community needs you, Security Cert Roadmap, What are two skillsets you need transitioning from pentester to Product Security?, Reflections on the CS academic and industry job markets, IppSec on Launching your cybersecurity career, 2022 Cybersecurity roadmap: How to get started?, The best Hacking Courses & Certs? Your roadmap to Pentester success, Update on being Independent [3 years later], A sensible approach to compensation for remote teams
AppSec
USENIX Enigma 2023 - Navigating the Sandbox Buffet
Figma’s Maxime Serrano presents challenges of running potentially risky software within organizational infrastructure and how sandboxing can be an effective defense mechanism to run untrusted code, covering the pros/cons of approaches like a virtual machine, namespaces, and containers.
CLI tool by Praetorian for finding secrets and sensitive information in textual data. ~90 high signal regexes, supports scanning files, directories, and git history, and can scan hundreds of MB/sec on a single core.
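To show what a "high signal regex" secrets finder actually does, here is a small scanner added as an example; it is not Praetorian's code and does not reproduce their rule set. The four patterns, the redacted finding format and the sample input are all constructed for illustration (the AWS value is the publicly documented example key ID, not a live credential). It scans text, files and directories; git history can be covered by piping `git log -p` into it.

```python
"""Minimal high-signal secrets scanner (added example, not Praetorian's tool)."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Constructed pattern set. Each rule keys on a fixed token prefix, which is what
# keeps the signal high compared to generic "password=" style hunts.
RULES = {
    # AWS access key IDs: AKIA/ASIA prefix followed by 16 upper-case letters/digits.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # GitHub classic personal access tokens: ghp_ prefix + 36 alphanumerics.
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # PEM private key headers of any key type.
    "private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    # Slack tokens: xox + type letter + dash-separated body.
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    source: str   # file path, or a label for scanned text
    line: int     # 1-based line number
    preview: str  # redacted match: a report must never echo the full secret


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so a reviewer can locate the token, mask the rest."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_text(text: str, source: str = "<text>") -> List[Finding]:
    """Run every rule over every line and return redacted findings in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                findings.append(Finding(rule, source, lineno, redact(match.group(0))))
    return findings


def scan_path(path: Path, max_bytes: int = 10 * 1024 * 1024) -> List[Finding]:
    """Scan one file, or every regular file under a directory, skipping binaries."""
    files = [path] if path.is_file() else [p for p in path.rglob("*") if p.is_file()]
    findings: List[Finding] = []
    for f in files:
        if f.stat().st_size > max_bytes:
            continue
        data = f.read_bytes()
        if b"\x00" in data[:8192]:  # crude binary check: NUL byte in the first 8 KiB
            continue
        findings.extend(scan_text(data.decode("utf-8", errors="replace"), str(f)))
    return findings


# Constructed sample input. The AWS value is the documented example key ID;
# the GitHub value is a made-up string of the right shape.
SAMPLE = """\
# constructed sample config
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
password=hunter2
-----BEGIN OPENSSH PRIVATE KEY-----
"""


if __name__ == "__main__":
    import sys

    # Usage: scanner.py <file-or-dir>...   or   git log -p | scanner.py -
    targets = sys.argv[1:] or ["-"]
    for target in targets:
        if target == "-":
            results = scan_text(sys.stdin.read(), "<stdin>")
        else:
            results = scan_path(Path(target))
        for finding in results:
            print(f"{finding.source}:{finding.line}: {finding.rule} {finding.preview}")
```

Two design points worth copying into any in-house scanner: findings carry only a redacted preview, so the scanner's own output does not become a second place the secret leaks; and the generic `password=hunter2` line is deliberately not matched, because low-entropy, prefix-less patterns are where regex scanners drown teams in false positives.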
📢 Tailscale, now with more SSH
Stop managing SSH keys manually, setting up bastion jump boxes, and unnecessarily exposing private production resources to the internet.
Tailscale SSH is a new way to SSH into devices in your tailnet. Simply enable it for the host and source devices, and we’ll take care of the rest — from distributing keys to authenticating connections.
Tailscale SSH works everywhere Tailscale does, so your team can code from an iPad or answer on-call emergencies from wherever they are.
Cloud Security
The benefits of a customer-centric cloud security mindset
Wiz blog post covering some of the key takeaways of my CloudSec 360 talk, including four initial steps towards a customer-centric security function. You can also watch the recording of the talk, if you’d like 🙂
Five Things You Need to Know About Malware on Storage Buckets
Orca Security’s Bar Kaduri and Deborah Galea debunk the myth that malware on storage buckets is less dangerous than on other assets and describe what needs to be done to protect against this risk.
SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft
Sysdig’s Alberto Pellitteri describes a sophisticated cloud operation in which an attacker exploited a containerized workload and leveraged it to escalate privileges into an AWS account to steal proprietary software and credentials. They also attempted to pivot using a Terraform state file to other connected AWS accounts to spread their reach.
Container Security
Temporary policy exceptions in Kubernetes with Kyverno
Nirmata’s Chip Zoller describes Policy Exceptions, a new feature that lets you temporarily bypass a Kyverno policy, for example, to troubleshoot a service. Chip describes how to combine policy exceptions with other Kyverno features such as the new cleanup policies to make exceptions automatically expire after a short period of time.
Blue Team
CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks
CISA shares a report of a red team assessment of a large critical infrastructure organization, in which the CISA red team obtained persistent access to the organization’s network, moved laterally across multiple geographically separated sites, and gained access to systems adjacent to the organization’s sensitive business systems. The report details the red team’s tactics, techniques, and procedures (TTPs) and key findings to inform blue team detections.
Best Practices For Securing Your Home Network
New guide by the NSA including recommendations for securing routing devices, implementing wireless network segmentation, ensuring confidentiality during telework, and more.
Politics / Privacy
Deconstructing the National Cybersecurity Strategy
Great overview of the Biden Administration’s National Cybersecurity Strategy (NCS) doc by Walter Haydock.
Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself
Microsoft describes several of the ransomware ecosystems using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves. They also offer security best practices on credential hygiene and cloud hardening, how to address security blind spots, harden internet-facing assets to understand your perimeter, and more.
Machine Learning
Artificial Intelligence: Last Week Tonight with John Oliver
Nice video overview, good for people without a technical background.
Meet the companies trying to keep up with ChatGPT
Microsoft, Google, Meta, Anthropic, You.com, Alibaba, Baidu, and others.
CoPilot Thoughts After 6 Months
CoPilot tends to introduce bugs if you have it fill out a whole function or non-trivial logic.
Can be great for boilerplate, types, or other simple situations that you can hint strongly at what you want.
Misc
All Timelines
Logs the timelines of various fictional universes, such as Star Wars, the Marvel Cinematic Universe, Lord of the Rings, and more.
I am Neal Stephenson, sci-fi author, geek, and [now] sword maker - AMA
Reddit AMA from a legend.
Big Tech job-switching stats
Gergely Orosz and an anonymous tech recruiter share a number of interesting stats, including the changes in the number of software engineers by company, which companies have more/less SWEs open to new opportunities, and more.
Career
Dropbox Engineering Career Framework - Security Engineer
Dropbox’s documentation that outlines the scope, impact, and other expectations from junior individual contributor through Principal Security Engineer. H/T Jonathan Werrett. Figma’s Devdatta Akhawe
So you want to be a SOC Analyst?
Blog series by Eric Capuano on how to land your first entry-level SOC analyst job. Set up a small VM environment, put on your adversary hat and start making some noise, emulate an adversary and craft detections, and more.
Creating a cert plan
Personally, I don’t have any certs nor do I look for them when hiring, I prefer hands-on experience. However, some people seem to find them useful and recommend them, and potentially they can be useful for breaking into the field.
The InfoSec community needs you (yes, you)!
Excellent post by Segment’s Leif Dreizler on why you should be writing blogs, appearing on podcasts, and presenting at conferences… and how to get started! This post is super detailed and great, highly recommend checking it out.
See also Leif’s follow-up post Share the Spotlight on how to encourage others at your company to write blogs, appear on podcasts, and speak at conferences and meetups.
Security Certification Roadmap
By Paul Jerimy: 473 certifications broken down by skill level across communication and network security, IAM, security architecture and engineering, asset security, security and risk management, security assessment and testing, software security, and security operations.
What are two skillsets you need transitioning from pentester to Product Security?
Thread by Anant Shrivastava with lots of people weighing in, including both technical and soft skills.
Reflections on the CS academic and industry job markets (part 1)
Candid reflections by Rowan Zellers. See also his Part 2: Why I chose OpenAI over academia.
Launch your cybersecurity career: IppSec’s advice on how to become a skilled professional
IppSec on technical tips, keeping a positive mindset, and life being what you make it.
2022 Cybersecurity roadmap: How to get started?
John Hammond joins David Bombal and shares the first thing to learn, recommended resources, if you should do CTFs, if you should pursue degrees and certs (and if so, which ones), and more.
The best Hacking Courses & Certs? Your roadmap to Pentester success
Rana Khalil joins David Bombal to discuss the best courses and best cert to become a pentester in 2023, as well as skills you need, how to get pentesting experience and land a job, bug bounty, and other resources.
A sensible approach to compensation for remote teams
Ockam’s Glenn Gillen’s frank discussion of how compensation and promotions work at companies is a must read. If you don’t read this you are doing yourself a disservice, and I don’t say that lightly.
He also shares how to effectively make the case for higher pay if you’re a key contributor working in a lower cost of living region. Lastly, I like his principles.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!