Blog

Software Supply Chain Vendor Landscape

An analysis of over 20 supply chain security vendors, from securing source code access and CI/CD pipelines to SCA, malicious dependencies, container security, SBOMs, code provenance, and more

Clint Gibler, Francis Odum / a day ago

An Overview of Software Supply Chain Security

A breakdown of what constitutes the software supply chain and how to secure each stage

Clint Gibler, Francis Odum / 22 days ago

How to securely build product features using AI APIs

A Practitioner’s Guide to Consuming AI

Rami McCarthy / 3 months ago

AI and Machine Learning in Cybersecurity

An overview of current applications of AI/ML to cybersecurity with relevant links and a vision of where things are headed.

Clint Gibler / 3 months ago

[tl;dr sec] #178 - DevOps Threat Matrix, LLMs in Security, Supply Chain Security

Microsoft techniques and attack vectors for DevOps environments, applications of LLMs in security, the deps.dev API and Golang supply chain security.

Clint Gibler / 6 months ago

[tl;dr sec] #177 AWS KMS Threat Model, DOM Invader, Forensics in the Cloud

Threat model and attack tree for AWS Key Management Service, Gareth Heyes on how to use the DOM Invader Burp extension, doing cloud forensics when a container is compromised.

Clint Gibler / 6 months ago

[tl;dr sec] #175 The Future of Security Engineering, Awesome Kubernetes Threat Detection, ChatGPT Plugins

The power of open source, flexible tooling, k8s detection resources, ChatGPT just got a whole lot more powerful.

Clint Gibler / 6 months ago

[tl;dr sec] #174 - Mitigating SSRF in 2023, Isolation & Container Namespaces, Offensive AI Compilation

The challenges in mitigating SSRF and the best way to do it, how Linux namespaces provide isolation properties for containers, resources on attacking AI models / using it for offensive purposes.

Clint Gibler / 6 months ago

[tl;dr sec] #27 - AppSec Weekly, SOC2 Starting Seven, Save Encryption

I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.

Clint Gibler / 7 months ago

[tl;dr sec] #168 - GCP and Azure Storage Threat Models, macOS Security, Red Team Resources

Detailed threat models for Google Cloud Storage and Azure Storage, Mac malware of 2022 and emerging payload obfuscation techniques, reverse engineering Rust binaries, offensive security and RE course, and more.

Clint Gibler / 8 months ago

[tl;dr sec] #167 - SBOM, Scaling Security Alert Management, Mitigating RBAC-Based PrivEsc in Kubernetes

Generating SBOMs and evaluating their quality, how Brex manages and automates security alerts at scale, how popular k8s platforms hardened themselves.

Clint Gibler / 8 months ago

[tl;dr sec] #166 - 2023 Security Predictions, Vuln Hunting with App Server Logs, Enforcing Device AuthN

Predictions for offense, from security leaders, and AWS, high signal vuln finding from application runtime exceptions, how Pinterest enforces managed and compliant devices in their Okta flow.

Clint Gibler / 8 months ago

[tl;dr sec] #165 - Hunting for Malicious Persistence in the Cloud, GitHub Action Security, Dark Sides of Machine Learning

How to detect malicious persistence in AWS, GCP, and Azure, leaking GitHub Action secrets and improving OIDC security posture, will ChatGPT degrade communication online?

Clint Gibler / 9 months ago

[tl;dr sec] #164 - Becoming Phishless, Machine Learning, Memory Safe Languages in Android 13

How a number of companies adopted WebAuthN and/or hard keys, neat new things in ML, the impact of Rust and memory safety in general in Android 13.

Clint Gibler / 9 months ago

[tl;dr sec] #163 - Rebuilding Detection and IR at LinkedIn, CVEs and Misaligned Incentives, 2022 in Review and 2023 Predictions

How LinkedIn scaled detection and minimized toil, why ReDoS CVEs are mostly noise, and reflecting on security in 2022 and predicting what 2023 has in store.

Clint Gibler / 9 months ago

[tl;dr sec] #161 - ChatGPT, Scaling Vulnerability Management in Microservices, Supply Chain

Many varied examples of using ChatGPT, how Lyft precisely fixes OS and OS-package level vulnerabilities across ~1,000 services, Sigstore and dangerous subtleties in the GitHub download artifacts API.

Clint Gibler / 10 months ago

[tl;dr sec] #162 - Meaningful Security Product Metrics, Vulnerability Inbox Zero, Joe Sullivan Trial Deep Dive

How to justify the value of your security team's investments and prioritize, how to build an Inbox Zero vulnerability management approach, Magoo's detailed blameless post-mortem of USA vs Joe Sullivan.

Clint Gibler / 10 months ago

[tl;dr sec] #160 - Application Security Foundations, Machine Learning Uses, Blackbox Regex Fuzzing

Notes from the WeHackPurple courses, a wide variety of applications of machine learning, bypassing validatoins and normalizations in web apps using regex fuzzing.

Clint Gibler / 10 months ago

[tl;dr sec] #159 - Twitter vs Mastodon, GitHub Attack Trees, ThinkstScapes

Twitter internals and Mastodon benefits/challenges, blue and red team attack trees for attacking GitHub, ThinkstScapes Quarterly covering AI/ML, clever cryptography, and software analysis at scale.

Clint Gibler / a year ago

[tl;dr sec] #158 - Open Security Jobs, Career Advice, Internet Egress Filtering at Lyft

Open jobs from over 35 companies, great career advice from a variety of people, how Lyft achieved egress filtering on all services.

Clint Gibler / a year ago

[tl;dr sec] #157 - Transforming Security Champions, Production-ready osquery, Compromising Self-hosted GitHub Runners

Tanya Janca on building a security champions program, highly turned osquery detections, gaining GitHub Runner persistence and how to detect compromises.

Clint Gibler / a year ago

[tl;dr sec] #156 - Hipster History of CORS, Serverless Security Event Data Pipelines, Evaluating Container Attack Detection

Dev's hilarious and useful history of the Internet and browser security, new toolkit from Brex to easily normalize and enrich security event data, additional Kubernetes attack methods and evaluating Falco.

Clint Gibler / a year ago

[tl;dr sec] #155 - Understanding IAM, Autogenerate Art from Blog Post, Attacking Closed DNS Resolvers

Understanding AWS permission boundaries and IAM policy evaluation, use ML to create art for your blog post based on its text, taking over your infrastructure Kaminsky style.

Clint Gibler / a year ago

[tl;dr sec] #154 - The State of AWS Security, Career Resources, Authorization

Insights from the security posture of 600+ orgs, security career pathways mindmap and security communities overview, a number of resources about authorization.

Clint Gibler / a year ago

[tl;dr sec] #153 - Postgres' Insecure Defaults, SBOM, Prototype Pollution

How PostgreSQL server and client TLS defaults will make you sad, SBOM tools and reflections, walkthroughs to learn how prototype pollution works.

Clint Gibler / a year ago