[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
Posts by Tag
- tldr_sec 18
- 2019 12
- industry 11
- devsecops 10
- summary 10
- aws 10
- static_analysis 9
- security_culture 8
- con_appsec_cali 7
- fuzzing 7
- cloud_security 7
- threat_modeling 4
- osint 4
- web_app_security 4
- web_security 4
- program_analysis 3
- sdlc 3
- privacy 3
- blue_team 3
- bug_bounty 2
- con_devseccon 2
- asset_inventory 2
- kubernetes 2
- our_research 1
- con_bsides_sf 1
- con_appsec_usa 1
- 2018 1
- con_bsidessf 1
- security_metrics 1
- con_blackhat_usa 1
- 2017 1
- keynote 1
- reverse_engineering 1
- dns_rebinding 1
- responsible_disclosure 1
- ai 1
- xss 1
- compliance 1
- censorship 1
- firefox 1
- con_shellcon 1
- detection_response 1
- con_global_appsec_amsterdam 1
- secrets_management 1
- c 1
- pen_testing 1
- machine_learning 1
- metrics 1
- vuln_management 1
- con_appsec_ali 1
- podcast 1
- absolute_appsec 1
- supply_chain_security 1
- humor 1
- twitter 1
- economics 1
- ransomware 1
- con_blackhat 1
- google 1
- beyond_corp 1
- terraform 1
- startup_security 1
- culture 1
- graphql 1
- deserialization 1
- containers 1
- politics 1
- azure 1
- automatic_exploit_generation 1
- red_team 1
- career 1
- writing 1
- side_channels 1
tldr_sec
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
[tl;dr sec] #22 - Post AppSec Cali, K8s Security Monitoring at Scale
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
[tl;dr sec] #21 - AppSec Cali, Bezos’s Phone, Fuzzing
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
[tl;dr sec] #19 - Epic Post Next Week, Beyond Beyond Corp, Cloud Security Tools
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
[tl;dr sec] #18 - “GitHubification” of Infosec, Ring Privacy, Ransomware Economics
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
[tl;dr sec] #16 - Art of Vulnerability Management, Cloud Security, Flan Scan, SCORE Bot
Building an effective vulnerability management process, K8s/AWS tips, network & code scanning tools, privacy preserving VA, and the Siege of Gondor.
[tl;dr sec] #15 - OSINT + Screenshots, Fuzzing, and 2 Fast 2 Discoverious
Summary of an AppSec Cali 2019 talk on more efficient network penetration tests via clustering similar screenshots, fuzzing tools and articles, Bugcrowd/Bitd...
[tl;dr sec] #14 - DevSecCon TLV, Slack’s Secure Overlay Network, Dangers of Struct Padding
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
[tl;dr sec] #13 - Being Powerful While Powerless, Sadcloud, and Bugcrowd’s Asset Inventory Service
Gusto’s Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
[tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
[tl;dr sec] #10 - Cloudflare on Security, IAM Least Privilege, & Finding XSS in Firefox’s UI
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
[tl;dr sec] #9 - Autonomous Bug Reporting, HTTP Desync Attacks, & Censorship
Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, China’s censorship power is felt around the world.
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
[tl;dr sec] #7 - AppSec Cali 2019 DevSecOps Panel Summary
Notes from an AppSec Cali 2019 panel, AWS security tools, fuzzing with grammars and Gitlab, and Google P0’s iOS exploit chain discovery.
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
2019
What I Learned Watching All 44 AppSec Cali 2019 Talks
Detailed summaries of ~32 hours of talks, searchable and grouped by category, to supercharge your security program 🚀
Startup Security: Starting a Security Program at a Startup
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
The Art of Vulnerability Management
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
Pose a Threat: How Perceptual Analysis Helps Bug Hunters
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
DevSecCon Tel Aviv 2019 Roundup
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
Being Powerful While Powerless: Elevating Security By Leading Without Authority
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a ...
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
Data Driven Bug Bounty
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
(in)Secure Development - Why some product teams are great and others aren’t…
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
BSidesSF 2019: DevSecOps State of the Union
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
industry
What I Learned Watching All 44 AppSec Cali 2019 Talks
Detailed summaries of ~32 hours of talks, searchable and grouped by category, to supercharge your security program 🚀
The Art of Vulnerability Management
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
Pose a Threat: How Perceptual Analysis Helps Bug Hunters
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
Being Powerful While Powerless: Elevating Security By Leading Without Authority
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a ...
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
Data Driven Bug Bounty
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
(in)Secure Development - Why some product teams are great and others aren’t…
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
SCORE Bot: Shift Left, at Scale!
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
BSidesSF 2019: DevSecOps State of the Union
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
devsecops
[tl;dr sec] #22 - Post AppSec Cali, K8s Security Monitoring at Scale
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
DevSecCon Tel Aviv 2019 Roundup
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
[tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
[tl;dr sec] #7 - AppSec Cali 2019 DevSecOps Panel Summary
Notes from an AppSec Cali 2019 panel, AWS security tools, fuzzing with grammars and Gitlab, and Google P0’s iOS exploit chain discovery.
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
SCORE Bot: Shift Left, at Scale!
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
BSidesSF 2019: DevSecOps State of the Union
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
summary
What I Learned Watching All 44 AppSec Cali 2019 Talks
Detailed summaries of ~32 hours of talks, searchable and grouped by category, to supercharge your security program 🚀
The Art of Vulnerability Management
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
Pose a Threat: How Perceptual Analysis Helps Bug Hunters
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
Being Powerful While Powerless: Elevating Security By Leading Without Authority
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a ...
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
Data Driven Bug Bounty
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
(in)Secure Development - Why some product teams are great and others aren’t…
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
SCORE Bot: Shift Left, at Scale!
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
aws
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
[tl;dr sec] #22 - Post AppSec Cali, K8s Security Monitoring at Scale
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
[tl;dr sec] #19 - Epic Post Next Week, Beyond Beyond Corp, Cloud Security Tools
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
[tl;dr sec] #14 - DevSecCon TLV, Slack’s Secure Overlay Network, Dangers of Struct Padding
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
[tl;dr sec] #10 - Cloudflare on Security, IAM Least Privilege, & Finding XSS in Firefox’s UI
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
[tl;dr sec] #7 - AppSec Cali 2019 DevSecOps Panel Summary
Notes from an AppSec Cali 2019 panel, AWS security tools, fuzzing with grammars and Gitlab, and Google P0’s iOS exploit chain discovery.
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
static_analysis
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
[tl;dr sec] #22 - Post AppSec Cali, K8s Security Monitoring at Scale
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
[tl;dr sec] #18 - “GitHubification” of Infosec, Ring Privacy, Ransomware Economics
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
[tl;dr sec] #10 - Cloudflare on Security, IAM Least Privilege, & Finding XSS in Firefox’s UI
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
SCORE Bot: Shift Left, at Scale!
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
BSidesSF 2019: DevSecOps State of the Union
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
security_culture
[tl;dr sec] #13 - Being Powerful While Powerless, Sadcloud, and Bugcrowd’s Asset Inventory Service
Gusto’s Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
Being Powerful While Powerless: Elevating Security By Leading Without Authority
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a ...
[tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
[tl;dr sec] #10 - Cloudflare on Security, IAM Least Privilege, & Finding XSS in Firefox’s UI
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
(in)Secure Development - Why some product teams are great and others aren’t…
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
con_appsec_cali
[tl;dr sec] #22 - Post AppSec Cali, K8s Security Monitoring at Scale
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
What I Learned Watching All 44 AppSec Cali 2019 Talks
Detailed summaries of ~32 hours of talks, searchable and grouped by category, to supercharge your security program 🚀
Startup Security: Starting a Security Program at a Startup
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
Pose a Threat: How Perceptual Analysis Helps Bug Hunters
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
(in)Secure Development - Why some product teams are great and others aren’t…
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
fuzzing
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
[tl;dr sec] #21 - AppSec Cali, Bezos’s Phone, Fuzzing
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
[tl;dr sec] #15 - OSINT + Screenshots, Fuzzing, and 2 Fast 2 Discoverious
Summary of an AppSec Cali 2019 talk on more efficient network penetration tests via clustering similar screenshots, fuzzing tools and articles, Bugcrowd/Bitd...
[tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
[tl;dr sec] #9 - Autonomous Bug Reporting, HTTP Desync Attacks, & Censorship
Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, China’s censorship power is felt around the world.
[tl;dr sec] #7 - AppSec Cali 2019 DevSecOps Panel Summary
Notes from an AppSec Cali 2019 panel, AWS security tools, fuzzing with grammars and Gitlab, and Google P0’s iOS exploit chain discovery.
cloud_security
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
[tl;dr sec] #19 - Epic Post Next Week, Beyond Beyond Corp, Cloud Security Tools
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
[tl;dr sec] #14 - DevSecCon TLV, Slack’s Secure Overlay Network, Dangers of Struct Padding
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
[tl;dr sec] #13 - Being Powerful While Powerless, Sadcloud, and Bugcrowd’s Asset Inventory Service
Gusto’s Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
[tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
threat_modeling
DevSecCon Tel Aviv 2019 Roundup
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
(in)Secure Development - Why some product teams are great and others aren’t…
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
osint
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
[tl;dr sec] #15 - OSINT + Screenshots, Fuzzing, and 2 Fast 2 Discoverious
Summary of an AppSec Cali 2019 talk on more efficient network penetration tests via clustering similar screenshots, fuzzing tools and articles, Bugcrowd/Bitd...
[tl;dr sec] #14 - DevSecCon TLV, Slack’s Secure Overlay Network, Dangers of Struct Padding
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
web_app_security
[tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
[tl;dr sec] #10 - Cloudflare on Security, IAM Least Privilege, & Finding XSS in Firefox’s UI
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
[tl;dr sec] #9 - Autonomous Bug Reporting, HTTP Desync Attacks, & Censorship
Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, China’s censorship power is felt around the world.
web_security
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
[tl;dr sec] #15 - OSINT + Screenshots, Fuzzing, and 2 Fast 2 Discoverious
Summary of an AppSec Cali 2019 talk on more efficient network penetration tests via clustering similar screenshots, fuzzing tools and articles, Bugcrowd/Bitd...
[tl;dr sec] #14 - DevSecCon TLV, Slack’s Secure Overlay Network, Dangers of Struct Padding
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
[tl;dr sec] #13 - Being Powerful While Powerless, Sadcloud, and Bugcrowd’s Asset Inventory Service
Gusto’s Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
program_analysis
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
BSidesSF 2019: DevSecOps State of the Union
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
sdlc
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
(in)Secure Development - Why some product teams are great and others aren’t…
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
privacy
[tl;dr sec] #18 - “GitHubification” of Infosec, Ring Privacy, Ransomware Economics
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
[tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
blue_team
Startup Security: Starting a Security Program at a Startup
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
[tl;dr sec] #18 - “GitHubification” of Infosec, Ring Privacy, Ransomware Economics
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
The Art of Vulnerability Management
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
bug_bounty
[tl;dr sec] #21 - AppSec Cali, Bezos’s Phone, Fuzzing
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
Data Driven Bug Bounty
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
con_devseccon
DevSecCon Tel Aviv 2019 Roundup
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
asset_inventory
Pose a Threat: How Perceptual Analysis Helps Bug Hunters
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
[tl;dr sec] #13 - Being Powerful While Powerless, Sadcloud, and Bugcrowd’s Asset Inventory Service
Gusto’s Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
kubernetes
[tl;dr sec] #22 - Post AppSec Cali, K8s Security Monitoring at Scale
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
[tl;dr sec] #21 - AppSec Cali, Bezos’s Phone, Fuzzing
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
our_research
BSidesSF 2019: DevSecOps State of the Union
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
con_bsides_sf
BSidesSF 2019: DevSecOps State of the Union
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
con_appsec_usa
SCORE Bot: Shift Left, at Scale!
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
2018
SCORE Bot: Shift Left, at Scale!
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
con_bsidessf
Data Driven Bug Bounty
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
security_metrics
Data Driven Bug Bounty
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
con_blackhat_usa
Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
2017
Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
keynote
Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
reverse_engineering
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
dns_rebinding
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
responsible_disclosure
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
ai
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
xss
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
compliance
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
censorship
[tl;dr sec] #9 - Autonomous Bug Reporting, HTTP Desync Attacks, & Censorship
Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, China’s censorship power is felt around the world.
firefox
[tl;dr sec] #10 - Cloudflare on Security, IAM Least Privilege, & Finding XSS in Firefox’s UI
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
con_shellcon
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
detection_response
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
con_global_appsec_amsterdam
Being Powerful While Powerless: Elevating Security By Leading Without Authority
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a ...
secrets_management
DevSecCon Tel Aviv 2019 Roundup
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
c
[tl;dr sec] #14 - DevSecCon TLV, Slack’s Secure Overlay Network, Dangers of Struct Padding
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
pen_testing
Pose a Threat: How Perceptual Analysis Helps Bug Hunters
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
machine_learning
Pose a Threat: How Perceptual Analysis Helps Bug Hunters
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
metrics
The Art of Vulnerability Management
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
vuln_management
The Art of Vulnerability Management
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
con_appsec_ali
The Art of Vulnerability Management
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
podcast
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
absolute_appsec
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
supply_chain_security
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
humor
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
economics
[tl;dr sec] #18 - “GitHubification” of Infosec, Ring Privacy, Ransomware Economics
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
ransomware
[tl;dr sec] #18 - “GitHubification” of Infosec, Ring Privacy, Ransomware Economics
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
con_blackhat
[tl;dr sec] #18 - “GitHubification” of Infosec, Ring Privacy, Ransomware Economics
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
[tl;dr sec] #19 - Epic Post Next Week, Beyond Beyond Corp, Cloud Security Tools
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
beyond_corp
[tl;dr sec] #19 - Epic Post Next Week, Beyond Beyond Corp, Cloud Security Tools
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
terraform
[tl;dr sec] #19 - Epic Post Next Week, Beyond Beyond Corp, Cloud Security Tools
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
startup_security
Startup Security: Starting a Security Program at a Startup
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
culture
Startup Security: Starting a Security Program at a Startup
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
graphql
[tl;dr sec] #21 - AppSec Cali, Bezos’s Phone, Fuzzing
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
deserialization
[tl;dr sec] #21 - AppSec Cali, Bezos’s Phone, Fuzzing
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
containers
[tl;dr sec] #22 - Post AppSec Cali, K8s Security Monitoring at Scale
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
politics
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
azure
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
automatic_exploit_generation
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
red_team
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
career
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
writing
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
side_channels
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.