Dev Akhawe’s Follow-up on Figma’s Experience Switching to WebAuthN
The good, the bad, and the lessons learned.
2022
2021
@lcamtuf on Building a Successful Career in Infosec
Excellent thread by @lcamtuf: friendships last longer than jobs, it’s a volatile industry, focus on the long term, the power of writing.
Grow Your Best Employees or Lose Them
Travis McPeak recommends
Travis McPeak: Why Companies don’t ‘Just Patch’
Why patching in the real world is hard, and what to do about it.
Riana Pfefferkorn: I Have a Lot to Say About Signal’s Cellebrite Hack
Stanford Internet Observatory Research Scholar Riana Pfefferkorn shares her thoughts on legal implications of the Cellebrite hack.
How Figma Switched Their Okta to Only Allow Phish-proof WebAuthn/FIDO Multi-factor Authentication
An excellent Twitter thread by Dev Akhawe on the value of making this switch, and challenges and lessons learned along the way.
Dino Dai Zovi on Hardening CI Infrastructure
In the wake of SolarWinds, Dino Dai Zovi describes how he recommends hardening your CI environment.
2020
Stratechery: Aggregation Theory
Ben Thompson describes how properties of the Internet enable companies providing the best user experience to win, which leads to a virtuous but anti-competit...
A framework for effective corporate communication after cyber security incidents
This paper lays out a framework for how organizations should communicate after a security incident.
Peeling the Web Application Security Onion Without Tears
Lessons from Adobe in how building reusable, secure-by-default services and infrastructure improves your security and reduces compliance burden.
Mechanizing the Methodology: How to find vulnerabilities while you’re doing other things
Daniel Miessler describes how to automate your OSINT and recon processes so you can find more and better bugs with less manual effort.
Content Security Policy: Going From Idea to Afterthought
GitHub security engineer Neil Matatall gives an overview of CSP: how it works, how to go from no CSP to a solid CSP, and how GitHub implements CSP.
PLTalk: Practical Formal Methods with Hillel Wayne
Jean Yang, Hongyi Hu, and Hillel Wayne discuss making programming languages/model checking more accessible, give an overview of TLA+ and Alloy, and successfu...
How Uber Continuously Monitors the Security of its AWS Environment
Uber describes their continuous cloud monitoring service and the workflows and process design that makes it successfully adopted by engineering teams.
Lightning in a Bottle: 25 Years of Fuzzing
Richard Johnson describes the history of fuzzing, the primary types of fuzzing, modern tools and advancements, SDLC integration, and more.
Learnings from Duo
Jon Oberheide on Duo’s story, from conception through acquisition, and the important lessons he learned along the way.
What I Learned Watching All 44 AppSec Cali 2019 Talks
Detailed summaries of ~32 hours of talks, searchable and grouped by category, to supercharge your security program 🚀
Startup Security: Starting a Security Program at a Startup
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
2019
The Art of Vulnerability Management
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
Pose a Threat: How Perceptual Analysis Helps Bug Hunters
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
DevSecCon Tel Aviv 2019 Roundup
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
Being Powerful While Powerless: Elevating Security By Leading Without Authority
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a ...
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
Data Driven Bug Bounty
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
(in)Secure Development - Why some product teams are great and others aren’t…
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
SCORE Bot: Shift Left, at Scale!
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.