[tl;dr sec] #7 - AppSec Cali 2019 DevSecOps Panel Summary
Notes from an AppSec Cali 2019 panel, AWS security tools, fuzzing with grammars and GitLab, and Google P0's iOS exploit chain discovery.
I hope you've been doing well and enjoyed the long weekend!
I used it to work on this blog post and continue moving to a new apartment. Some people think I take the latter half of "work hard, play hard" too seriously. What can I say, no one's perfect.
⭐️ New Summary
I'm excited for an upcoming panel I'm on at DevSecCon Seattle (come say "hi" if you're around!), so I decided to revisit this panel from AppSec Cali 2019.
I've spent hundreds of hours reviewing blog posts, books, and con talks about scaling security/DevSecOps, and I can honestly say this is one of the single best resources I know of. It's like years of insights condensed into 50min.
If you're interested in modern AppSec best practices and DevSecOps, I highly encourage you to read the summary.
Fortinet potentially accidentally shipped a release with a backdoor: "Lol sorry, that was meant for just one customer."
toniblyx/my-arsenal-of-aws-security-tools is probably the longest list of AWS tools (offensive, defensive, auditing, DFIR, S3 bucket auditing, training, and more) I've ever seen.
An article on how to integrate fuzzing with AFL into your CI/CD pipeline using GitLab. GitLab is apparently planning to add fuzzing capabilities to the DAST offering of GitLab Enterprise, and here's the list of fuzzers they're considering. Very early stages at this point, but neat that it's on their radar.
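To make the CI integration concrete, here is an added example of what such a job can look like (this is not the article's or GitLab's own config): a minimal `.gitlab-ci.yml` that builds a file-parsing harness with AFL's compiler wrapper, fuzzes it for a bounded wall-clock budget, and fails the pipeline if AFL recorded any crash. The image name, the `harness.c` source file and the `seeds/` directory are assumptions.

```yaml
# Added example: a bounded AFL fuzzing job for GitLab CI (not from the article).
# Assumptions: the repository contains harness.c (a target that parses the file
# named in argv[1]) and a seeds/ directory with a few small valid inputs; the
# image below is a placeholder for one that has afl-gcc and afl-fuzz on PATH.
stages:
  - fuzz

fuzz-harness:
  stage: fuzz
  image: registry.example.com/afl-build:latest   # assumed image, not a real one
  variables:
    FUZZ_SECONDS: "600"          # time budget; keep it short enough for a CI job
    AFL_NO_UI: "1"               # plain log lines instead of the curses status screen
    AFL_SKIP_CPUFREQ: "1"        # CI runners cannot switch the CPU governor
    AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: "1"   # core_pattern is not ours to set in a container
  script:
    # Build the harness with AFL's instrumenting compiler wrapper.
    - afl-gcc -O2 -g -o harness harness.c
    # Fuzz until the budget expires. timeout exits 124 when it kills afl-fuzz,
    # which is the expected outcome here, so only that exit status is tolerated.
    - timeout "$FUZZ_SECONDS" afl-fuzz -i seeds -o out -- ./harness @@ || [ $? -eq 124 ]
    # AFL writes each crashing input to out/crashes/id:NNNNNN,... and always
    # leaves a README.txt there, so look only for id: files.
    - |
      if find out/crashes -name 'id:*' | grep -q .; then
        echo "AFL found crashing inputs; see the out/crashes artifact"
        exit 1
      fi
  artifacts:
    when: always            # keep the corpus and crashes even when the job fails
    paths:
      - out/crashes
      - out/queue
    expire_in: 1 week
```

Two things worth keeping in mind when running this for real: a single 10-minute job from the same seeds each time finds little, so persist `out/queue` (or a dedicated corpus repository) and feed it back in as the seed directory on the next run, and run the crash triage (minimising the input and reproducing it against a non-instrumented build) in a separate step so a flaky runner doesn't get mistaken for a finding.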
I enjoyed Marco Rogers’ thoughts on being an effective manager in tech without burning out.
Google Project Zero uncovered iOS exploit chains that were being served to any visitor of several sites (with thousands of visitors per week), in a campaign that had been live for ~2 years. This is interesting because in pretty much every prior case I know of, exploit chains of this quality have been highly targeted.
Five iOS exploit chains using 14 unique vulns, providing functionality including stealing private messages (iMessage, Telegram, etc.), photos, and real-time GPS location data.
The malware didn't persist - rebooting would remove it.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
Also, if there's anyone you think who would find this newsletter interesting or useful, I'd really appreciate if you'd forward it to them. 🙏
Thanks for reading!