
[tl;dr sec] #300 - Security Headcount Ratios + Hiring Plan, MCP Security, Compliance

Plus my reflections on writing 300 issues and seeing Semgrep growing up

Hey there,

I hope you’ve been doing well!

🤯 Episode 300

Imagine this issue kicking open your inbox like: this… is… tl;dr sec!!

This issue will be a bit shorter as I’ve been in Tahoe all week with my Semgrep colleagues. (I’m actually writing this from my hotel room while my colleagues are having dinner and bowling 😅 )

I always want to write a reflection around various milestones (end of year, birthday, subscriber counts, etc.) but it seems I often end up starting and not finishing them, as there’s no deadline and other work is more pressing.

So here are some straight from the hip thoughts:

  • Over ~6 years I’ve spent 10-20 hours per issue x 300 issues = 3,000 - 6,000 hours writing tl;dr sec, which is 75-150 forty hour work weeks.

    • Assuming 50 work weeks per year that’s an extra 1.5 - 3 work years 😅 Honestly this surprises me, I’m just finding this out literally as I type it.

  • tl;dr sec has both been more helpful in my career and building connections, and more work, than I could have expected.

  • One of my favorite parts of writing it is giving shout-outs to people doing great work, which is not something I planned when I started.

  • I’ve seen Semgrep’s employees grow from a tiny team you could fit in one WeWork room to a (still small) company where you don’t know everyone. Seeing all of us in one conference room is crazy.

  • I’ve seen Semgrep the tool go from “no one has heard of this” to what new AppSec vendors primarily position against. Wild.

To be a bit vulnerable, here are some challenges that I’ve had literally for years, that I feel like I still haven't addressed well:

  • I like both Semgrep and tl;dr sec, and I feel like I can’t do my best at either while doing both, but I also don’t want to stop either.

  • In some ways I have to plan my life around tl;dr sec. For conference weeks, off-sites, vacations, etc. I have to carve out time to write, which generally makes those periods more stressful and has negatively impacted partners in the past.

    • In theory I could “write ahead,” but I feel like my weekly workload is such that I haven’t been able to do this effectively (so far).

  • As my “surface area” expands (newsletter, LinkedIn, etc.), I have more people reaching out and sharing awesome things, which I love. But it’s also tough to respond to everyone and engage in the way that I want to, which I find stressful. It’s a very privileged position to be in, but it does weigh on me sometimes (read: most times).

All in all I feel incredibly fortunate and lucky to get to write this newsletter every week, and I couldn’t be more grateful to you, when you take the time to read it and/or share kind words (and click on sponsor links 😉).

The encouragement always means a lot, and motivates me to keep going.

I hope you have an excellent day, and here’s to another 300! 🤘

Sponsor

📣 Early Access Offer: MCP Gateway with Intelligent Data Controls

Agentic AI is moving fast and most teams have no visibility into what’s actually happening. Harmonic Security is building something to fix that: Harmonic MCP Gateway. It’s a lightweight, developer-friendly gateway that gives security teams visibility into MCP usage and the ability to set real controls, blocking risky clients or data flows before something slips through.

Launching soon! Sign up to get notified when it drops 👇

👉 Be First to Know 👈

Nice! It seems like MCP Gateways are going to be a thing, and Harmonic can build on their existing “understand your employees’ AI usage” functionality. See also my interview with Harmonic’s CEO Alastair Paterson here.

AppSec

mike-engel/jwt-cli
By Mike Engel: A fast CLI tool to decode and encode JWTs built in Rust.

Broken Authorization in APIs: Introducing Autoswagger
Intruder’s Daniel Andrew announces Autoswagger, an OSS tool that parses OpenAPI schemas to enumerate an API’s documented endpoints and flags those that return data without proper authentication or authorization checks. Using it, they found critical issues at major organizations, including exposed credentials and API keys for several Microsoft Partner Program data stores, 60,000+ Salesforce records with PII at a multinational tech company, and a SQL injection at a multinational beverage company.
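Added example (not code from the post or the Autoswagger project): the spec-driven half of that approach in a few dozen lines. It reads an OpenAPI 3 document, resolves each operation’s effective `security` requirement (an operation-level list overrides the document-level one, and an explicit empty list means “no auth”), lists the operations a scanner would probe first without credentials, and triages the response such a probe gets back. The spec, paths and security scheme are constructed for the example. A real scanner should still send unauthenticated requests to the operations the spec claims are protected, because documentation and enforcement often disagree.

```python
"""List OpenAPI operations the spec itself leaves unauthenticated, and
triage unauthenticated probe responses. Illustrative code, not Autoswagger's.
"""
import json

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

# Constructed sample spec: global bearer auth, two endpoints opting out,
# one endpoint with no explicit requirement (so it inherits the global one).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "example-api", "version": "1"},
    "security": [{"bearerAuth": []}],
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/users/{id}": {
            "get": {"summary": "Fetch a user"},                          # inherits bearerAuth
        },
        "/internal/export": {
            "get": {"summary": "Dump all records", "security": []},      # explicitly no auth
        },
        "/health": {
            "get": {"summary": "Liveness probe", "security": []},        # no auth, and that's fine
        },
    },
}


def effective_security(spec, operation):
    """OpenAPI 3 rule: an operation's own `security` replaces the document-level
    list when present; an explicit [] disables auth for that operation."""
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def unauthenticated_operations(spec):
    """Return sorted (METHOD, path) pairs whose effective security requirement is empty."""
    found = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level keys such as `parameters` or `summary`
            if not effective_security(spec, op):
                found.append((method.upper(), path))
    return sorted(found)


def classify_unauth_response(status, content_type, body):
    """Triage an unauthenticated probe.
    401/403          -> server enforces auth the spec did not declare
    2xx + JSON data  -> likely authorization gap, look at what came back
    anything else    -> needs a human (redirects, HTML, empty payloads)
    """
    if status in (401, 403):
        return "enforced"
    if 200 <= status < 300 and "json" in (content_type or "").lower():
        try:
            parsed = json.loads(body)
        except ValueError:
            return "review"
        return "exposed" if parsed else "review"  # an empty list/object proves little
    return "review"


if __name__ == "__main__":
    for method, path in unauthenticated_operations(SAMPLE_SPEC):
        print(f"{method} {path}: no security requirement in spec, probe without credentials")
```

Note that `/health` shows up alongside `/internal/export`: a missing security requirement is a lead, not a finding, which is why the response classifier matters more than the static pass.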

Startup Security: Ratios and a 24-Month Hiring Plan
Tad Whitaker shares the results of his research into how companies staff security teams, based on interviews with CISOs at companies like Datadog, HashiCorp, GitHub, Segment, Optimizely, etc. In general, he recommends a 1:40 security:full-time employee (FTE) ratio and 1:100 IT:FTE. GitHub had a 1:40 ratio, GitLab 1:24.

Tad recommends adjusting the ratio based on how critical your company is as a vendor within your customers’ supply chain threat model (Critical: 1:29, High: 1:40, Medium: 1:75, Low: 1:100).

Tad describes the purpose of the core types of security teams (IT, Security Operations, GRC, and Product Security) and provides a comprehensive 24-month hiring plan broken down by quarters and teams, with specific job titles and levels for each role.

💡 This is a great post, super useful to see a survey (+ tactical details) of how companies build their security programs. Love it!

Sponsor

📣 Retire “Version Theater”; What it REALLY means to test for exploitability

It’s time to modernize vulnerability management by measuring real risk, not version strings. Most vuln scanners equate “out of date version” with “vulnerable,” flooding organizations with noisy, false-positive alerts. Instead, test exploitability at runtime: validate reachability, trigger safely, and return proof. In our CrushFTP example, a Nuclei template encodes the real attack flow and returns evidence, turning “maybe” into yes/no. The result? Fewer tickets, prioritized fixes, happier engineers, and a backlog you can trust.

👉 Dive in 👈

Nuclei seems to be the de facto best tool in this space, and I love the focus on validating exploitability 👌 

Cloud Security

zeroday.cloud
Wiz is hosting a competition, in partnership with AWS, Google Cloud, and Microsoft, for researchers to find zero-day vulnerabilities in core open source software powering the cloud, with a $4.5M prize pool. Accepted submissions will be invited to demonstrate their exploit live on stage at Black Hat Europe in London on Dec 10-11.

💡 Awesome to see big players funding the security of widely used software. More of this please! 🙌 

Introducing tokenex: an open source Go library for fetching and refreshing cloud credentials
Riptides’ Toader Sebastian announces tokenex, a modular Go library for fetching and refreshing cloud credentials and tokens through a consistent API. It abstracts credential acquisition, refresh, and configuration for AWS, GCP, Azure, OCI, OAuth2, and generic tokens from identity token providers.

Ghost in the Cloud: Weaponizing AWS X-Ray for Command & Control
Dhiraj Mishra describes how AWS X-Ray, Amazon’s distributed application tracing service, can be repurposed as a covert command and control channel that talks only to “expected” AWS domains and IPs. X-Ray annotations can store arbitrary key-value data, so commands can be passed controller → implant and results returned implant → controller through the tracing service itself. Dhiraj has released a proof of concept implementation: XRayC2.
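Added defender-side example (not from the post or XRayC2): X-Ray segment documents carry an `annotations` object of key → string/number/boolean, and legitimate annotations tend to be short labels (region, customer tier, a request id). A channel that tunnels commands and command output through them tends to leave long, base64-looking or high-entropy strings instead. The checker below applies those heuristics to segment documents; the thresholds are assumptions, and the two segment documents are constructed for the example.

```python
"""Flag X-Ray segment annotations that look like a covert data channel.
Heuristic thresholds and sample segments are constructed for this example.
"""
import base64
import binascii
import math

MAX_BENIGN_LENGTH = 64    # assumption: real annotation values are short labels
ENTROPY_THRESHOLD = 4.5   # bits per char; base64 of random bytes sits near 6


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_base64(s):
    """True if s is long enough to carry a payload and decodes as strict base64."""
    if len(s) < 16 or len(s) % 4:
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except (binascii.Error, ValueError):   # ValueError: non-ASCII input
        return False


def suspicious_annotations(segment_doc):
    """Return [(annotation_key, reason)] for string values that warrant a look."""
    findings = []
    for key, value in segment_doc.get("annotations", {}).items():
        if not isinstance(value, str):
            continue  # numbers and booleans carry too little to tunnel through
        if looks_base64(value):
            findings.append((key, "base64-like value"))
        elif len(value) > MAX_BENIGN_LENGTH:
            findings.append((key, "unusually long value"))
        elif shannon_entropy(value) > ENTROPY_THRESHOLD:
            findings.append((key, "high-entropy value"))
    return findings


# Constructed segment documents in the shape X-Ray's PutTraceSegments accepts.
BENIGN_SEGMENT = {
    "name": "checkout-api",
    "id": "70de5b6f19ff9a0a",
    "trace_id": "1-5f84c7a0-e6c8b9a1d2f3e4a5b6c7d8e9",
    "start_time": 1.6e9,
    "end_time": 1.6e9 + 0.2,
    "annotations": {"tier": "gold", "region": "us-east-1", "order_count": 3},
}

IMPLANT_SEGMENT = {
    "name": "checkout-api",
    "id": "a1b2c3d4e5f60718",
    "trace_id": "1-5f84c7a0-e6c8b9a1d2f3e4a5b6c7d8e9",
    "start_time": 1.6e9,
    "end_time": 1.6e9 + 0.2,
    "annotations": {
        "tier": "gold",
        # the kind of tasking a controller might stash in an annotation
        "cmd": base64.b64encode(b"id; uname -a; cat /etc/passwd").decode(),
    },
}


if __name__ == "__main__":
    for name, seg in (("benign", BENIGN_SEGMENT), ("implant", IMPLANT_SEGMENT)):
        print(name, suspicious_annotations(seg))
```

In practice you would run this over the `Document` strings returned by `BatchGetTraces`, and pair it with an identity-side check: `PutTraceSegments` from a principal or host that never emitted traces before is the louder signal, since the data itself is designed to blend in.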

Do you feel in control? Analysis of AWS CloudControl API as an attack tool
Exaforce’s Bleon Proko examines the AWS CloudControl API as both a legitimate management tool and a potential attack vector. CloudControl simplifies resource management by providing unified CRUD-L (create, read, update, delete, list) operations across 1,220 resource types, but it also has limitations as an attack tool: it often requires multiple permissions for each underlying API call, it generates multiple logged events, and it fails completely if any single permission is missing.

They’ve released the tool CloudConqueror, with functionality including resource listing, resource name bruteforcing, listing CloudControl events, and creating “admin-like” persistence through policies that only allow access via CloudControl.
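Added example (not from the post or CloudConqueror): the post doesn’t spell out what an “only via CloudControl” policy looks like, so the assumption here is a broad Allow statement gated by an `aws:CalledVia` (or `aws:ViaAWSService`) condition naming `cloudformation.amazonaws.com`, which is the service CloudControl’s calls to other AWS APIs are attributed to. That condition is exactly the kind of clause a reviewer skims past because the policy “only works through CloudFormation”, so the checker below flags Allow statements where broad actions are reachable via that path. The policy documents are constructed for the example.

```python
"""Find IAM Allow statements that grant broad actions only when called via
CloudFormation/CloudControl. Policy shape is an assumption; documents are constructed.
"""
CLOUDFORMATION_PRINCIPAL = "cloudformation.amazonaws.com"
VIA_CONDITION_KEYS = {"aws:calledvia", "aws:calledviafirst", "aws:calledvialast", "aws:viaawsservice"}


def _as_list(v):
    """IAM lets most fields be a single string or a list; normalize to a list."""
    return v if isinstance(v, list) else [v]


def is_broad(actions):
    """'*' or a service-wide wildcard such as 'iam:*' counts as broad."""
    return any(a == "*" or a.endswith(":*") for a in _as_list(actions))


def via_cloudformation(condition):
    """True if the Condition block gates on calls made via CloudFormation
    (aws:CalledVia*) or via any AWS service at all (aws:ViaAWSService: true)."""
    for _operator, pairs in (condition or {}).items():
        for key, value in pairs.items():
            if key.lower() in VIA_CONDITION_KEYS:
                vals = [str(v).lower() for v in _as_list(value)]
                if CLOUDFORMATION_PRINCIPAL in vals or "true" in vals:
                    return True
    return False


def calledvia_backdoor_statements(policy):
    """Return Allow statements that combine broad actions with a via-CloudFormation gate."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if is_broad(stmt.get("Action", [])) and via_cloudformation(stmt.get("Condition")):
            hits.append(stmt)
    return hits


# Constructed policy: the first statement is what you expect to see; the second
# is effectively admin for anyone driving the account through CloudControl.
SUSPECT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LooksNarrow", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-logs/*"},
        {"Sid": "AdminViaCloudControl", "Effect": "Allow",
         "Action": "*", "Resource": "*",
         "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": [CLOUDFORMATION_PRINCIPAL]}}},
    ],
}

# Constructed policy that grants only read-style CloudControl actions, no gate.
CLEAN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["cloudformation:ListResources", "cloudformation:GetResource"],
                   "Resource": "*"}],
}


if __name__ == "__main__":
    for stmt in calledvia_backdoor_statements(SUSPECT_POLICY):
        print("flag:", stmt.get("Sid", "<no Sid>"), stmt["Action"], stmt["Condition"])
```

This pairs well with the post’s own observation that CloudControl generates multiple logged events: a principal whose only broad access is CalledVia-gated will show up in CloudTrail as a burst of CloudFormation-attributed calls, which is easy to alert on once you know to look.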

Compliance

gjyoung1974/soc2-policy-templates
Some templates aimed at helping organizations comply with SOC 2 requirements.

💡 Repo doesn’t seem to be actively maintained and I cannot vouch for the quality of the policies, but sharing in case useful.

guardian-nexus/auditkit
An open source compliance scanner for AWS and Azure with auditor-ready evidence collection guides. “Alternative to $20k/year tools.” 😂 Assesses 64 SOC 2 controls, 30 PCI DSS controls, and 17 CMMC Level 1 controls. It generates remediation scripts with specific AWS CLI commands, and creates PDF reports with step-by-step screenshot guides that the project says auditors will accept.

SOC 2 is dead, long live SOC 2!
Justin Pagano discusses the fundamental flaws in SOC 2 and other security compliance frameworks, arguing that they've never provided sufficient security assurance due to vague control requirements, outdated audit methodologies, and static reporting artifacts. Justin proposes ALCOVE (Assurance Levels for Control Operating Viability & Effectiveness), a framework inspired by SLSA that would implement threat-informed control requirements, comprehensive auditing methodologies, and dynamic reporting artifacts showing real-time and historical control effectiveness.

He also suggests realigning incentives by integrating cyber insurance providers who could offer premium discounts for continuous control monitoring, motivating vendors to maintain effective controls while providing stronger assurance to customers.

AI + Security

tuananh/hyper-mcp
By Tuan Anh Tran: A fast, secure MCP server that extends its capabilities through WebAssembly plugins. Plugins can be written in any language that compiles to WebAssembly, are distributed via standard OCI registries (like Docker Hub), and run in a WASM sandbox that can restrict network, filesystem, and memory access.

riseandignite/mcp-shield
By Nikita Kryzhanouski: Scans your installed MCP servers and detects vulnerabilities like tool poisoning attacks, exfiltration channels and cross-origin escalations. Note: does not appear to be actively maintained.

NQUIRELAB/mcp-bridge-api
A lightweight, fast, and LLM-agnostic proxy for connecting to multiple MCP servers through a unified REST API. It enables secure tool execution across diverse environments like mobile, web, and edge devices. See also the paper on MCP Bridge by Arash Ahmadi, Sarah S. Sharif, and Yaser M. Banad.

HTTP to MCP Bridge
NCC Group’s Jose Selvi announces the release of an HTTP to MCP Bridge: an HTTP server that holds an SSE (Server-Sent Events) connection to the target MCP server and, at the same time, exposes a plain HTTP interface you can point Burp or your favorite HTTP tool at, to assess remote MCP servers. Nice!

💡 Note: this is completely unrelated to the above MCP Bridge tool.

Agentity-com/mcp-audit-extension
By Agentity: A VS Code extension to audit and log all GitHub Copilot MCP tool calls, transparently intercepting and logging them, and forwarding them to your preferred SIEM, centralized logging platform, or a local file.

💡 Seems to require a free API key from them.

Misc

Feelz

Misc

  • Deedy - “If you join an overvalued startup, you can actually LOSE money instead of getting paid unless you avoid this mistake.”

  • Gal Nagli accidentally got access to every Academy Award nominee's home address and phone number 🤯 

Music

Politics

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋