Recommended Content

An Opinionated Guide to Scaling Your Company's Security

I spent 100s (1000s?) of hours over the past few years studying how companies have scaled their security.

This talk distills the big, scalable, systematic wins that measurably improve a company’s security posture, aggregated from dozens of conference talks, blog posts, and in-person conversations I’ve had with security engineers at tens of companies.

What I Learned Watching All 44 AppSec Cali 2019 Talks

Detailed summaries of ~32 hours of talks, searchable and grouped by category, to supercharge your security program 🚀

Lessons Learned from the DevSecOps Trenches

Clint moderated a panel of AppSec professionals experienced in security automation discussing their lessons learned, best practices, mistakes they’ve made, and more. Panel members included senior security leaders from Dropbox, Netflix, Datadog, DocuSign, and Snap.

Rolling Your Own: How to Write Custom, Lightweight Static Analysis Tools

We describe how to use open source tools to create custom checks for interesting code patterns, for example, to detect bugs or anti-patterns.

We also show how abstract syntax tree (AST) matching can be used to iteratively explore Rails code bases as well as find command injection bugs in ExpressJS web apps across all of GitHub.

Automated Bug Finding in Practice

A nice introduction and overview of automated bug finding techniques, covering the strengths, weaknesses and best use cases for leveraging several approaches. We discuss static and dynamic taint analysis, symbolic execution, fuzzing, and combining symbolic execution and fuzzing.

About Us

Clint Gibler

Clint is the CEO and co-founder of tl;dr sec. By day, Clint is the Head of Security Research at r2c, a San Francisco-based startup building Semgrep, an open source, lightweight static analysis tool built for modern development practices.

Before r2c, Clint was a Technical Director at NCC Group, a global information assurance specialist providing organizations with security consulting services. He’s helped companies implement security automation and DevSecOps best practices as well as performed penetration tests for companies ranging from large enterprises to new startups.

Clint has previously spoken at conferences including BlackHat USA, AppSec USA, and AppSec EU. Clint holds a Ph.D. in Computer Science from the University of California, Davis.

Daniel DeFreez

Daniel is the Chief Scientist and co-founder of tl;dr sec. By day, Daniel is an Assistant Professor of Computer Science at Southern Oregon University. His research interests are in program analysis, security, and machine learning on code. He has built automated tools that have found bugs in the Linux kernel and OpenSSL.

Daniel holds a Ph.D. in Computer Science from the University of California, Davis.

Our Philosophy

We believe that security professionals have a moral obligation to build systems that are safe by default, respect privacy by default, and cannot be used for surveillance or censorship.

We share our research publicly, because that’s the best way for the industry to move forward. Together.

We believe that security tools can be fast, intuitive to use, and make intelligent security professionals vastly more productive.

We believe that security tools should be accessible to a broad audience, not prohibitively expensive, and should be designed with extensibility and customizability in mind.

Finally, we find joy in understanding the core of how and why things work, prototyping whacky tool ideas simply because we can, and doing our best to leave a positive mark on the world.

Keep in Touch

We write about:

  • Application security, scaling security and DevSecOps.
  • Automated bug finding (static and dynamic analysis, fuzzing, etc.)
  • Summaries of current security research, from industry and academic conferences.
  • Evaluating open source and commercial security tools: tips and tricks on using them, how they work, and potential gotchas.
  • How to build your own custom security tools.

You can read our prior newsletters here.