tl;dr sec
Posts
[tl;dr sec] 2019-05-19 - Hello World (final)

[tl;dr sec] 2019-05-19 - Hello World (final)

[tl;dr sec] Hello World!

Hey there,

You're receiving this email because you either saw my BSidesSF 2019 talk "

DevSecOps State of the Union

" and supplied your email on the page or you're a kind friend of mine and I asked you to join my newsletter.

Either way, thanks!

What is tl;dr sec?

tl;dr sec

is a newsletter my colleague, Daniel DeFreez, and I are starting where we write about AppSec and scaling security, automated bug finding (static and dynamic analysis, fuzzing, etc.), summarize security talks and papers we like, and share useful security links we come across.

This is the first issue! Congrats, you're in on the ground floor.

New Blog Post: "SCORE Bot: Shift Left, at Scale!"

We wrote a summary of the AppSec USA 2018 talk "

SCORE Bot: Shift Left, at Scale!

", which describes the security automation PayPal has built to scan every commit for PayPal-specific bugs.

It's neat to see the similarities with approaches other companies have taken, and there's definitely a handful of unique, valuable bits that I think you'll find useful.

Any feedback you have on this post regarding tone, amount of detail, length, or anything else would be much appreciated!

Links

Google's Project Zero

released a spreadsheet

where they're tracking cases of zero-days being used "in the wild."

If you'd like to like to read about more 0day-related stats, see Lillian Ablon of RAND's 2017 BlackHat USA talk "Zero Days, Thousands of Nights: The Life & Times of Zero-Day Vulns and Their Exploits" (video, slides, 133 page technical report).

Ross Anderson, a famous computer security professor at the University of Cambridge, has starting writing the third edition of his book

Security Engineering.

You can also download the 1st edition from the link for free.

streaak/keyhacks

is a nice cheat sheet for determining if a discovered API token is valid, its permissions, etc.

> 30 services currently represented, including DataDog, Facebook, GitHub, Slack, Twitter, Twilio, Salesforce, ...

Wrapping Up

That's all for now! Thanks again for subscribing, we really appreciate it.

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

Cheers,Clint@clintgibler | @programanalysis