Excellent thread by @lcamtuf: friendships last longer than jobs, it’s a volatile industry, focus on the long term, the power of writing.
Travis McPeak recommends
Why patching in the real world is hard, and what to do about it.
Stanford Internet Observatory Research Scholar Riana Pfefferkorn shares her thoughts on legal implications of the Cellebrite hack.
In the wake of SolarWinds, Dino Dai Zovi describes how he recommends hardening your CI environment.
Ben Thompson describes how properties of the Internet enable companies providing the best user experience to win, which leads to a virtuous but anti-competit...
This paper lays out a framework for how organizations should communicate after a security incident.
Lessons from Adobe in how building reusable, secure-by-default services and infrastructure improves your security and reduces compliance burden.
Daniel Miessler describes how to automate your OSINT and recon processes so you can find more and better bugs with less manual effort.
GitHub security engineer Neil Matatall gives an overview of CSP: how it works, how to go from no CSP to a solid CSP, and how GitHub implements CSP.
Jean Yang, Hongyi Hu, and Hillel Wayne discuss making programming languages/model checking more accessible, give an overview of TLA+ and Alloy, and successfu...
Uber describes their continuous cloud monitoring service and the workflows and process design that makes it successfully adopted by engineering teams.
Richard Johnson describes the history of fuzzing, the primary types of fuzzing, modern tools and advancements, SDLC integration, and more.
Jon Oberheide on Duo’s story, from conception through acquisition, and the important lessons he learned along the way.
Detailed summaries of ~32 hours of talks, searchable and grouped by category, to supercharge your security program 🚀
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a startup, without a ...
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s lightweight, continuous code scanning tool that hooks into their CI/CD pipeline.