[tl;dr sec] #185 - Artisanal to Industrial Security, Securing the EC2 Instance Metadata Service, 12 Threat Modeling Methods
How to deliver security at scale, the security properties of IMDSv2, a summary of many threat modeling approaches.
Posts by Tag
- tldr_sec 182
- summary 19
- aws 19
- cloud_security 16
- 2019 12
- industry 12
- devsecops 11
- static_analysis 11
- fuzzing 11
- privacy 9
- web_security 9
- blue_team 9
- security_culture 8
- red_team 8
- con_appsec_cali 7
- osint 6
- kubernetes 5
- threat_modeling 4
- web_app_security 4
- container_security 4
- original_content 4
- program_analysis 3
- sdlc 3
- bug_bounty 3
- xss 3
- politics 3
- azure 3
- career 3
- scaling_security 3
- reverse_engineering 2
- dns_rebinding 2
- compliance 2
- con_devseccon 2
- asset_inventory 2
- secrets_management 2
- vuln_management 2
- podcast 2
- twitter 2
- terraform 2
- istio 2
- startup 2
- academia 2
- devdatta_akhawe 2
- figma 2
- mfa 2
- okta 2
- sso 2
- our_research 1
- con_bsides_sf 1
- con_appsec_usa 1
- 2018 1
- con_bsidessf 1
- security_metrics 1
- con_blackhat_usa 1
- 2017 1
- keynote 1
- responsible_disclosure 1
- ai 1
- censorship 1
- firefox 1
- con_shellcon 1
- detection_response 1
- con_global_appsec_amsterdam 1
- c 1
- pen_testing 1
- machine_learning 1
- metrics 1
- con_appsec_ali 1
- absolute_appsec 1
- supply_chain_security 1
- humor 1
- economics 1
- ransomware 1
- con_blackhat 1
- google 1
- beyond_corp 1
- startup_security 1
- culture 1
- graphql 1
- deserialization 1
- containers 1
- automatic_exploit_generation 1
- writing 1
- side_channels 1
- entrepreneurship 1
- compensation 1
- soc2 1
- home_security 1
- security_engineering 1
- vault 1
- 2fa 1
- phishing 1
- frida 1
- instrumentation 1
- browser_extension_security 1
- shakespeare 1
- building_security_program 1
- gcp 1
- malware 1
- ebpf 1
- personal_knowledge_management 1
- mobile_security 1
- ios 1
- honeypot 1
- elasticsearch 1
- continus_monitoring 1
- formal_methods 1
- programming_languages 1
- alloy 1
- tlaplus 1
- csp 1
- recon 1
- app_sec 1
- secure_architectures 1
- bsides_sf 1
- 2020 1
- breach 1
- stratechery 1
- business_model 1
- supply_chain 1
- ci 1
- hardening 1
- twitter_thread 1
- signal 1
- cellebrite 1
- patching 1
- travis_mcpeak 1
- rami_mccarthy 1
- lcamtuf 1
tldr_sec
[tl;dr sec] #184 - Public Cloud Security Breaches, OWASP Top 10 for LLMs, Living Off the Orchard: macOS Binaries
Compendium of cloud security incidents and breaches that have affected customers, top risks for software leveraging Large Language Models, a library of macOS...
[tl;dr sec] #183 - The 3 Metrics to Focus On, Build a Purple Team Lab, Damn Vulnerable Android and iOS Apps
If you can only choose 3 metrics, what to choose? How to build a Kubernetes purple teaming lab, vulnerable Android and iOS apps to learn on.
[tl;dr sec] #182 - Cloud Native Security Talks, AI Attack Surface Map, Attacking and securing cloud identities in managed Kubernetes
Video playlists and abstracts from CloudNativeSecurityCon and KubeCon, overview of attacking AI assistants and agents, attack vectors to pivot from an EKS cl...
[tl;dr sec] #181 - Awesome CloudSec Labs, Red Team Infra in 2023, Privilege Escalation in EKS
Free cloud-native security learning labs, the essential components for modern robust red teaming infra, how to privesc from a compromised EKS pod and defeat ...
[tl;dr sec] #180 - Scaling AppSec, tl;dr sec Swag 🤯, GCP Pentesting Guide
Riot Games and Segment on Scaling AppSec, help me decide what tl;dr sec swag to make, resources and techniques to do an effective GCP pentest.
[tl;dr sec] #179 - BSidesSF Summaries, Attacking Kubernetes, OpenAI + Burp Suite
I wrote quick summaries of four BSidesSF presentations, common Kubernetes attack vectors and vulnerable lab, Burp Suite extension that uses OpenAI for recon.
[tl;dr sec] #178 - DevOps Threat Matrix, LLMs in Security, Supply Chain Security
Microsoft techniques and attack vectors for DevOps environments, applications of LLMs in security, the deps.dev API and Golang supply chain security.
[tl;dr sec] #177 - AWS KMS Threat Model, DOM Invader, Forensics in the Cloud
Threat model and attack tree for AWS Key Management Service, Gareth Heyes on how to use the DOM Invader Burp extension, doing cloud forensics when a containe...
[tl;dr sec] #176 - Cloud Security Atlas, Semgrep + AI, Finding Malicious PyPi packages
A searchable database of real-world attacks, vulns, and misconfigurations in cloud environments, Semgrep Assistant supports auto-triaging and fix suggestions...
[tl;dr sec] #175 - The Future of Security Engineering, Awesome Kubernetes Threat Detection, ChatGPT Plugins
The power of open source, flexible tooling, k8s detection resources, ChatGPT just got a whole lot more powerful.
[tl;dr sec] #174 - Mitigating SSRF in 2023, Isolation & Container Namespaces, Offensive AI Compilation
The challenges in mitigating SSRF and the best way to do it, how Linux namespaces provide isolation properties for containers, resources on attacking AI mode...
[tl;dr sec] #173 - What Software Will Be Post GPT-4, the Cybersecurity Landscape, Reducing Attack Surface in AWS
The AI-based architecture that’ll replace most existing software, overview of cybersecurity companies and acquisitions, how to lock down instance creds and r...
[tl;dr sec] #172 - Career Resources, Machine Learning, Jim Manico Webinar
Certs and getting into security, reinforcement learning for security, join Jim and I’s webinar on broken access control.
[tl;dr sec] #171 - AppSec and CloudSec Resilience, Audit Logs Wall of Shame, Compromised Cloud to Kubernetes Takeover
Building an effective AppSec and CloudSec program, vendors that don’t prioritize high quality audit logs, tactics to go from a compromised cloud resource to ...
[tl;dr sec] #170 - Prototype Pollution, Fuzzing, SOC Metrics
Black-box prototype pollution without the DoS, fuzzing curl and gaining coverage with LLMs, and useful metrics to build an effective SOC.
[tl;dr sec] #169 - Top 10 Web Hacking Techniques of 2022, Finding Malicious Dependencies, Fearless CORS
Portswigger released a curated list of awesome web security research from last year, some approaches to finding malicious dependencies + open source tools, a...
[tl;dr sec] #168 - GCP and Azure Storage Threat Models, macOS Security, Red Team Resources
Detailed threat models for Google Cloud Storage and Azure Storage, Mac malware of 2022 and emerging payload obfuscation techniques, reverse engineering Rust ...
[tl;dr sec] #167 - SBOM, Scaling Security Alert Management, Mitigating RBAC-Based PrivEsc in Kubernetes
Generating SBOMs and evaluating their quality, how Brex manages and automates security alerts at scale, how popular k8s platforms hardened themselves.
[tl;dr sec] #166 - 2023 Security Predictions, Vuln Hunting with App Server Logs, Enforcing Device AuthN
Predictions for offense, from security leaders, and AWS, high signal vuln finding from application runtime exceptions, how Pinterest enforces managed and com...
[tl;dr sec] #165 - Hunting for Malicious Persistence in the Cloud, GitHub Action Security, Dark Sides of Machine Learning
How to detect malicious persistence in AWS, GCP, and Azure, leaking GitHub Action secrets and improving OIDC security posture, will ChatGPT degrade communica...
[tl;dr sec] #164 - Becoming Phishless, Machine Learning, Memory Safe Languages in Android 13
How a number of companies adopted WebAuthN and/or hard keys, neat new things in ML, the impact of Rust and memory safety in general in Android 13.
[tl;dr sec] #163 - Rebuilding Detection and IR at LinkedIn, CVEs and Misaligned Incentives, 2022 in Review and 2023 Predictions
How LinkedIn scaled detection and minimized toil, why ReDoS CVEs are mostly noise, and reflecting on security in 2022 and predicting what 2023 has in store.
[tl;dr sec] #162 - Meaningful Security Product Metrics, Vulnerability Inbox Zero, Joe Sullivan Trial Deep Dive
How to justify the value of your security team’s investments and prioritize, how to build an Inbox Zero vulnerability management approach, Magoo’s detailed b...
[tl;dr sec] #161 - ChatGPT, Scaling Vulnerability Management in Microservices, Supply Chain
Many varied examples of using ChatGPT, how Lyft precisely fixes OS and OS-package level vulnerabilities across ~1,000 services, Sigstore and dangerous subtle...
[tl;dr sec] #160 - Application Security Foundations, Machine Learning Uses, Blackbox Regex Fuzzing
Notes from the WeHackPurple courses, a wide variety of applications of machine learning, bypassing validatoins and normalizations in web apps using regex fuz...
[tl;dr sec] #159 - Twitter vs Mastodon, GitHub Attack Trees, ThinkstScapes
Twitter internals and Mastodon benefits/challenges, blue and red team attack trees for attacking GitHub, ThinkstScapes Quarterly covering AI/ML, clever crypt...
[tl;dr sec] #158 - Open Security Jobs, Career Advice, Internet Egress Filtering at Lyft
Open jobs from over 35 companies, great career advice from a variety of people, how Lyft achieved egress filtering on all services.
Companies Hiring for Cybersecurity in 2022+
Over 35 companies you can apply for a security job at right now.
[tl;dr sec] #157 - Transforming Security Champions, Production-ready osquery, Compromising Self-hosted GitHub Runners
Tanya Janca on building a security champions program, highly turned osquery detections, gaining GitHub Runner persistence and how to detect compromises.
[tl;dr sec] #156 - Hipster History of CORS, Serverless Security Event Data Pipelines, Evaluating Container Attack Detection
Dev’s hilarious and useful history of the Internet and browser security, new toolkit from Brex to easily normalize and enrich security event data, additional...
[tl;dr sec] #155 - Understanding IAM, Autogenerate Art from Blog Post, Attacking Closed DNS Resolvers
Understanding AWS permission boundaries and IAM policy evaluation, use ML to create art for your blog post based on its text, taking over your infrastructure...
[tl;dr sec] #154 - The State of AWS Security, Career Resources, Authorization
Insights from the security posture of 600+ orgs, security career pathways mindmap and security communities overview, a number of resources about authorization.
[tl;dr sec] #153 - Postgres’ Insecure Defaults, SBOM, Prototype Pollution
How PostgreSQL server and client TLS defaults will make you sad, SBOM tools and reflections, walkthroughs to learn how prototype pollution works.
[tl;dr sec] #152 - Infra as Code Security, Linux Distro for Supply Chain Security, CI/CD Security
Detailed IaC security guide with ~90 references, new Linux with default security measures for the software supply chain, securing and attacking SCM and CI sy...
[tl;dr sec] #151 - Why Security Products Fail, Pentesting.Cloud, CVE North Stars
Why security products can be ineffective, cloud pen testing exercises, review CVEs to learn vulnerability discovery.
[tl;dr sec] #150 - How to Start an AppSec Program with the OWASP Top 10, Leadership in Cybersecurity, Magic GitHub API Proxy
Building an effective and scalable AppSec program by leaning into secure defaults, leadership tips, proxy that enables least privilege use of GitHub API toke...
[tl;dr sec] #149 - Incident Response in AWS, CISA’s Supply Chain Security Guidance, Recon
How to prep for and handle an incident in AWS well, detailed PDF guide by NSA and CISA on software supply chain security, various OSINT and recon tools.
[tl;dr sec] #148 - OWASP Kubernetes Top 10, GraphQL Batching Attacks, Abusing Debugging in Electron Apps
Top 10 Kubernetes ecosystem risks to consider, more effective GraphQL brute forcing woth Turbo Intruder, running arbitrary JavaScript in Electron apps.
[tl;dr sec] #147 - Twitter Whistleblower, CI/CD Security, How to Think About Endpoint Security
Mudge’s accusations of Twitter’s security posture, identity management risks in GitHub orgs, comparing 6 CI providers and examining GH workflows at scale, Ry...
[tl;dr sec] #146 - CI/CD Security, Lightweight Approach to Secure SDLC, End-to-End Threat Detection Rule Testing
Lessons learned compromising real world CI/CD pipelines, how to implement a lightweight SSDLC, new framework to ensure your threat detection rules work, from...
[tl;dr sec] #145 - Defending Against Phishing, iOS Privacy, DEF CON Advice
Cloudflare’s write-up on a sophisticated phishing campaign, examining Meta apps’ privacy implications and iOS16’s Lockdown Mode, be yourself and find your tr...
[tl;dr sec] #144 - Hacker Summer Camp, Building ProdSec from Scratch, IAM-Deescalate
How to stay healthy and get the most out of Vegas this year, how to build a ProdSec program from scratch, tool to mitigate privilege escalation risks in AWS.
[tl;dr sec] #143 - Career Advice, SBOM, Attack Surface Monitoring
How to get into AppSec, getting a raise, and other career advice, SBOM tools, how to build your own ASM with ProjectDiscovery tools
[tl;dr sec] #142 - OAuth Security, Cryptocurrency, Being Able to Speak Business
OAuth bugs that lead to single-click account takeovers, crypto wallet exploits and Ethereum smart contract best practices, the importance of being able to co...
[tl;dr sec] #141 - CIS Supply Chain Security Guide, Static Analysis on Binaries, Machine Learning
New CIS software supply chain security whitepaper and tool, finding vulnerabilities in binaries using static analysis, impressive ML tools and attacking ML s...
[tl;dr sec] #140 - AppSec, Building AWS Security Guardrails, Linux eBPF Rootkit
Security at start-ups and SAST program building, preventing classes of cloud vulnerabilities with guardrails, a Linux eBPF rootkit with a backdoor, C2, libra...
[tl;dr sec] #139 - 60 RCE in 60 minutes, Free Sigstore Course, Cloud Risk Encyclopedia
A presentation with many real world RCE examples, new free course on using Sigstore for supply chain security, list of 1,200+ cloud security risks.
[tl;dr sec] #138 - Career Resources, Finding Secrets at Scale, Fuzzing
Finding cybersecurity jobs and adding value, secrets from front end web apps and Docker Hub, fuzzing VirtualBox, contributing to OSS-Fuzz, tool to improve fu...
[tl;dr sec] #137 - Malicious Terraform, How GitHub uses Dependabot, Democratizing Security Detection
How to defend against malicious Terraform, great tips from GitHub on effectively rolling out security tooling, and Palantir on building a scalable detection ...
[tl;dr sec] #136 - Career Advice, Scaling AppSec at Netflix, BSidesSF Summaries
Many career resources, lessons learned scaling AppSec at Netflix, 5 mini summaries I wrote of BSidesSF talks.
[tl;dr sec] #135 - BSidesSF, Google’s Cloud Forensics Utils, Running Bug Bounty Programs
Let’s hang out at BSidesSF, Google’s Python library to do DFIR across major clouds, Braze and GitHub on running bug bounty programs.
[tl;dr sec] #134 - DevSecOps, Scalable Canary Tokens, Learning from AWS Customer Security Breaches
Useful ways to think about modern security teams, how to scale honeytokens while maintaining server level attribution, and how to harden your AWS environment...
[tl;dr sec] #133 - Hunting Evasive Vulnerabilities, eBPF, Fuzzing
James Kettle on finding subtle bugs and bug classes, eBPF-related tools and backdoors, fuzzing Golang, malware, and getting higher coverage.
[tl;dr sec] #132 - Application Hacking Methodology, Pwning Cloudflare Pages, Why You Should Be Blogging
Jason Haddix’s new Bug Hunter’s Methodology for apps, write-up of a series of Cloudflare Pages bugs, Jack Rhysider on the power of blogging.
[tl;dr sec] #131 - Compromising Read-Only Containers, Finding 0days in Enterprise Software, Evading Industry Leading EDR
A walkthrough of how to attack read-only containers, Shubham Shah on taking apart complex proprietary software, how your shellcode can evade top EDR products.
[tl;dr sec] #130 - Project Zero on 0day Trends, ThinkstScapes, How Do You Actually Find Bugs?
Maddie Stone on 2021 0day trends, Thinkst’s excellent research round-up, Mark Dowd OffensiveCon keynote on security research
[tl;dr sec] #129 - Maximizing Bug ROI, Tamper-proof GitHub Builds, Being Vulnerable
How Flipkart gets the most value from every vulnerability, setting up a SLSA 3 GitHub Action build process, the power of being vulnerable.
[tl;dr sec] #128 - Security Engineering, CI/CD Goat, Docker Security Playground
How Chime empowers developers to own security via internal tools, purposefully vulnerable CI/CD exercises, a microservices-based framework for learning netwo...
[tl;dr sec] #127 - Trufflehog V3, The Future of InfoSec, IaC Scanning
The revamped secret scanner now is faster and finds more secrets, future projecting where the industry is headed, and security scanning infrastructure as code.
[tl;dr sec] #126 - How to Review Your Company’s Infrastructure, Kubernetes DFIR, Security for Start-ups
How to review the security architecture of a multi-cloud environment and find the most critical components, responding to incidents in k8s, advice for start-...
[tl;dr sec] #125 - Hacking a Billionaire, Automating Incident Response in AWS, Exploiting/Hardening GitHub Actions
Rachel and Evan Tobac vs. Jeffrey Katzenberg, a framework for automatically isolating an EC2 instance and gathering what you need, attacking and hardening Gi...
[tl;dr sec] #124 - GraphQL Cop, GitLab CI/CD CTF, NSA’s Network Infrastructure Security Guidance
Tool to test GraphQL APIs, learn to exploit and pivot a target GitLab instance, PDF by NSA on hardening your network.
[tl;dr sec] #123 - AWS Security Reference Architecture, DevSecOps Playbook, Analyzing Malicious Documents
60 page PDF on using AWS security services in multi-account environment, how to introduce DevSecOps in your company, tools to examine malicious Office docs.
[tl;dr sec] #122 - Developer Experience is Security, Everything as Code Survey, Graph-based Asset Management
Why DevX is so important for security, 50+ examples of Foo as Code, ingest all of your assets and query them in Neo4J.
[tl;dr sec] #121 - Container Security Checklist, DevSecOps & Automating Compliance, Proactive Subdomain Takeovers
A dense checklist of container hardening steps, Cloud Security Alliance whitepaper on automating compliance and better relating it to security requirements, ...
[tl;dr sec] #120 - Supply Chain & Hardening CI, Automate Yourself out of Oncall Burnout, Eliminating Subdomain Takeovers
A thoughtful redesign of CI to mitigate harm from malicious dependencies, how to automate your IR playbooks, tool to eliminate dangling Elastic IP takeovers.
[tl;dr sec] #119 - Picking the Right Terraform Security Tool, BloodHound for Cloud, Awesome-Security-Hardening
Bake-off of multiple Terraform static analysis tools, tool to identify privilege escalation paths within and across different clouds, collection of security ...
[tl;dr sec] #118 - Atomic Red Team for Cloud, Security Program Building, How Not to Do Secrets
Tool to test your cloud detections, how to build and scale a security program, OWASP project to teach you how not to manage secrets.
[tl;dr sec] #117 - WebSocket Security, Securing Dependencies, Authorization Approaches
Great talk on WebSocket security + tool release, understanding your dependencies and the power of lockfiles, enforcing authz at compile time and authz in mic...
[tl;dr sec] #116 - Secrets of Successful Security Programs, Supply Chain, Killing Bug Classes
A masterclass in building a modern, scalable security program by Phil Venables, GitHub Action to check your supply chain security posture, Chrome feature to ...
[tl;dr sec] #115 - Mac Malware of 2021, Preventing SSRF, Moxie on web3
Patrick Wardle’s analysis of a year of Mac malware, library to safely make HTTP requests, and Moxie experiments with distributed apps.
[tl;dr sec] #114 - Web Security, Detecting Container Drift, Reviewing 2021’s Cloud Breaches
CSRF, web cache poisoning, and SSRF, detecting/fixing container drift at runtime, and three frequent sources of cloud security breaches and vulnerabilities i...
[tl;dr sec] #113 - Log4Shell, Security Metrics, Cloud Detections at Scale
Resources for the vuln that’s keeping you away from your family, how to do security metrics effectively, how Netflix scales cloud detections using Snare.
[tl;dr sec] #112 - re:Invent, Python Security, Cloud Service Provider Mistakes
Round-up articles about re:Invent, examining Python package security, Scott Piper’s repo of AWS, GCP, and Azure mistakes and vulnerabilities.
[tl;dr sec] #111 - This Shouldn’t Have Happened, Humble Hacking Bundle, Why NFTs are Bad
An impactful bug in heavily tested C/C++, great security books for cheap, technical and economic reasons why NFTs are bad and don’t work.
[tl;dr sec] #110 - From What to How in Cybersecurity, Detection Engineering for Kubernetes, Fuzzing
Jason Chan BSidesRDU keynote, detecting privilege escalation in Kubernetes, network fuzzing and fuzzing DRAM to discover rowhammer vulns.
[tl;dr sec] #109 - Breaking Stateless Authentication, Secrets, Unicode Chicanery
A tool to detect misconfigured session implementations, scanning Docker Hub for secrets and determining the impact of leaked secrets, Semgrep rule for the Tr...
[tl;dr sec] #108 - How SolarWinds is Securing their Supply Chain, Cloud Security Tooling, Risk-based Security Decision Making
What SolarWinds did after the attack their new high assurance build system, how to succeed as the only cloud security practitioner in your company, how Netfl...
[tl;dr sec] #107 - Supply Chain and CI/CD Security, Threat Modeling in HCL, Cracking PRNGs using ML
Securing build pipelines and ATT&CK for CI/CD, threat modeling in Terraform, using ML to break pseudorandom number generators.
[tl;dr sec] #106 - Least Privilege IAM, Fuzzing, Istio Scanner
Designing least privilege AWS IAM policies for people, fuzzing 5G and CPUs by proxy, the first security scanner for Istio.
[tl;dr sec] #105 - DevSecOps, Ransomware & S3, Falco Labs
Effectively shifting left, protecting your S3 buckets from ransomware, exercises to learn Falco in your browser.
[tl;dr sec] #104 - New Phrack, Often Missed Web Vulnerabilities, Facebook Whistleblower
New issue of Phrack, 10 often missed web vulnerabilities, Facebook whistleblower comes forward about the dangers of its products.
[tl;dr sec] #103 - Cloud Security Guardrails, Lateral Movement in GitHub Orgs, AWS Memes
Setting up strong AWS security guardrails, tool to explore lateral movement and privilege escalation in GitHub orgs, dank AWS memes from Corey Quinn.
[tl;dr sec] #102 - Why AuthZ is Hard, Vendor Security 2.0, TruffleHog Chrome Extension
Detailed breakdown of why authorization is hard, how we should approach vendor security going forward, a Chrome extension to find secrets.
[tl;dr sec] #101 - Securing Netflix at Scale, AWS PrivEsc Playground, Career Advice
How to build security tooling developers love, a playground to practice privilege escalation in AWS, career advice from @lcamtuf and Corey Quinn.
[tl;dr sec] #100 - Visualizing Security, GraphQL, API Token Survey
Infosec infographics, GraphQL guide and server fingerprinting tool, a survey of the trade-offs of various API token types.
[tl;dr sec] #99 - Grow Employees or Lose Them, Advantage: Defense, Ghidra <> Frida
How to mentor and grow employees, Mark Dowd on how and why defense is gaining the advantage, and a plugin to bridge Ghidra and Frida.
[tl;dr sec] 98 - Cloud Security Orienteering, Last S3 Document You’ll Need, Burnout
New guest blog post on rapidly understanding and securing your cloud env, a thorough threat model of S3, burning out in tech during the pandemic.
[tl;dr sec] #97 - Attacking HTTP/2, Securing GitHub Projects, Hacking G Suite
Deep dive into HTTP/2 flaws, continuously enforce GitHub security best practices, phishing, persistence, bypassing protective measures, and more in G Suite.
[tl;dr sec] #96 - Learn Reverse Engineering, Cloud Security Orienteering, Kernel Pwning with eBPF
Free workshops to learn reverse engineering, how to rapidly familiarize yourself in a new cloud environment, eBPF deep dive.
[tl;dr sec] #95 - Preventing SSRF in AWS, Testing AuthN Flows, Hardening Your Supply Chain
Tool to enforce IMDSv2, test authentication flows by modeling them as a finite state machine, detecting malicious dependencies and solving dependency confusi...
[tl;dr sec] #94 - 10X Your SOC, Learn Crypto, Enterprise-grade Attack-surface Monitoring with Open Source
Google whitepaper on how to scale your SOC, 3 free platforms to learn cryptography, Luke Stephens’ guide on rolling your own attack surface monitoring using ...
[tl;dr sec] #93 - Reading Your CSO’s Performance Review, Fuzzing, NSO Group
Gusto’s CSO Fredrick Lee sends his review to the entire company, fuzzing Android native, macOS and libafl, NSO Group data leak and detecting Pegasus.
[tl;dr sec] #92 - Hardening Kubernetes, Ransomware, Authz at Scale
Securing AWS EKS and lessons from a k8s security report, inside the ransomware economy, and building fine-grained authorization that works at scale.
[tl;dr sec] #91 - DOM Invader, Ransomware self-assessment tool, AWS Security Reference Architecture
Burp extension for finding DOM XSS, CISA’s tool for orgs to understand how equipped they are to defend and recover from ransomware, examples and guide to use...
[tl;dr sec] #90 - Eradicating Subdomain Takeovers, GitHub’s AI Pair Programmer, Testing File Upload Functionality
Open source tool to continuously scan for subdomain takeover vulnerabilities, GitHub’s Copilot can suggest whole functions within VS Code, resources for asse...
[tl;dr sec] #89 - MITRE D3FEND, Lambda Authorizer Gotchas, Google’s Supply Chain Integrity Framework
MITRE releases the defensive countermeasures counterpart to ATT&CK, how IAM wildcard expansion can bite you, Google’s 4-level supply chain maturity frame...
[tl;dr sec] #88 - Testing 2FA Implementations, Cloud Visibility/Enforcement, Altar of the Algorithm
Potential bugs to test in 2FA implementations, tools for cloud visibility and enforcement, and how we all conform to please the algorithms around us.
[tl;dr sec] #87 - Easy Temporary Cloud Access, Monopol-easy Money, AWS Account Boundaries can be Porous
Empowering developers’ cloud access while improving security, big tech throwing their weight around, 97+ ways data can be shared across AWS accounts.
[tl;dr sec] #86 - Dockerfile Best Practices, Mobile Security, and Collusion in Academia
20 Dockerfile best practices, free mobile security course, and trade-offs, collusion rings, and more in academia.
[tl;dr sec] #85 - Machine Learning, GraphQL, and Modern Static Analysis
Attacking ML models, deep learning side-channel attacks, CSRF and batch GraphQL attacks, how modern static analysis should work.
[tl;dr sec] #84 - Establishing a Cloud Security Program, Measuring Security, On Signal’s Cellebrite Hack
A roadmap for establishing a cloud security program + a task list, thoughts on measuring security, the legal implications of Signal’s Cellebrite hack.
[tl;dr sec] #83 - Comparing Infrastructure as Code Scanners, Jenkins Attack Framework, Good Design Principles
Benchmarking infra as code scanning tools, offense-focused Jenkins tools, and principles that can help scale security.
[tl;dr sec] #82 - Supply Chain Security, Career Resources, Differentiate or Die
Detecting dependency confusion across many ecosystems, getting started in tech or security, the middle of VCs and products are dying.
[tl;dr sec] #81 - Modern Security Tooling, Visualizing Dependencies, Remembering Dan Kaminsky
Requirements of modern security tooling, graphing your dependencies and their vulnerabilities in Neo4J, and remembering a man who helped so many.
[tl;dr sec] #80 - Celleb-fight me, Hardening CI Infrastructure, Secure Access to 100 AWS Accounts
Signal creator finds bugs in Cellebrite, recommendations on hardening CI, using Okta to secure access to AWS accounts at scale.
[tl;dr sec] #79 - Memory Safety FTW, Reference Architectures, Content Discovery++ with OpenAPI Specs
Moar evidence against memory unsafe languages, the power of secure reference architectures, and leveraging OpenAPI specs to more effectively detect attack su...
[tl;dr sec] #78 - Scaling Threat Modeling at Segment, Bootstrapping vs VCs, Security as Value Unlocker
How Segment democratized threat modeling, the trade-offs of taking money vs not, how security can be more than minimizing risk.
[tl;dr sec] #77 - Hidden OAuth attack vectors, Networking Fundamentals, Career Advice
Three new OAuth2 and OpenID Connect vulnerabilities, great intro/overview of networking concepts, security manager interviews & advancing your career in ...
[tl;dr sec] #76 - Is Secure Design > Patching? and Supply Chain, Breaking Regexes
An argument for why secure design + threat modeling is higher ROI than patching, making code signing easy, finding regex bugs with regexploit or fuzzing.
[tl;dr sec] #75 - IAM Least Privilege at Speed, Spectre, and How to Beat a Grandmaster at Chess
How Netflix enables development velocity + security with ConsoleMe, Spectre PoC and proposed defenses, and why speed is a superpower.
[tl;dr sec] #74 - Building Securely on AWS, Non-fungible Tokens, Deepfake tools
AWS security for small teams & Well-Architected resources, NFT overview, tools for creating and detecting deepfakes.
[tl;dr sec] #73 - JSON Woes, Career Advice, and Blub Studies
JSON libraries parse differently and that can lead to bugs, a number of career advice resources, and how to become compoundingly more effective.
[tl;dr sec] #72 - Finding Access Control Bugs, Supply Chain Security, Security Logging in AWS
Tips + a Burp extension for finding access control issues, tools and reflections on supply chain security, an architecture for multi-account security logging...
[tl;dr sec] #71 - Securing CI/CD, Electron Security, Growing Your Userbase by Ignoring ‘Virality’
Tips and best practices for securing your CI/CD pipeline, Electron tooling and dangerous APIs, what to focus on instead of virality to grow your userbase.
[tl;dr sec] #70 - Scaling Threat Modeling, Dependency Confusion, Automating Open Source Vulnerability Triage
How Jacob Salassi scaled threat modeling at Snowflake, typosquatting company internal package names, automatically determine the versions of open source pack...
[tl;dr sec] #69 - Cloud Security Table Top Exercises, Finding RCE in ExpressJS, InSpec for GKE
Valuable cloud security scenarios to think through, leveraging the Handlebars templating engine for local file read or RCE, check your GKE cluster against CIS.
[tl;dr sec] #68 - Securing Lambda, Recon Tool Primer, Blind SSRF Chains
How AWS secures Lambda, Daniel Miessler’s overview of @TomNomNom’s recon tools, how to demonstrate high impact when you can’t see the SSRF response.
[tl;dr sec] #67 - Infra as Code, Cloud Auto-remediation, C.R.E.A.M
Effectively rolling out IaC scanning, auto-healing your cloud environment, and when sticking it to the man hurts the bottom line.
[tl;dr sec] #66 - Automating Infra as Code Creation, Container Security++ with User Namespaces, #RustLyfe
A tool to create IaC from an existing AWS environment, container defense-in-depth with user namespaces, rewriting things in Rust.
[tl;dr sec] #65 - Lesser Known AWS Attacks, Infra as Code Scanning, Template Injection Workshop
Scott Piper shares how he’d attack AWS, a survey of infra as code scanning tools, free workshop on server-side template injection.
[tl;dr sec] #64 - Kubernetes Guide, XSS for PDFs, SolarWinds FTL
How to do a risk analysis on your Kubernetes cluster, pwning PDFs, and a devastating supply chain attack.
[tl;dr sec] #63 - OWASP, Fuzzing, and a New ‘AWS Swiss Army Knife’ Tool by Netflix
New OWASP security testing guide and GraphQL cheat sheet, new fuzzing research, and a tool to ease administration of complex AWS environments.
[tl;dr sec] #62 - Leaking IAM Users and Roles, AI, and Exploiting Dynamic Renderers
A tool to sneakily enumerate all IAM users and roles in a target AWS account, recent events in AI, and how to attack server-side renderers.
[tl;dr sec] #61 - Effective Security OKRs, Scaling Threat Modeling, Webscan
How to create effective security OKRs, scaling threat modeling in hypergrowth, engineering-driven orgs, and a browser-based internal network scanner.
[tl;dr sec] #60 - Cartography + IAM, Security Scorecard, Self-service Security
Use Cartography to understand AWS permissions, tool to grok the risk of open source libraries, developers taking security into their own hands.
[tl;dr sec] #59 - NAT Slipstreaming, Widespread Injection in GitHub Actions, Greppable Secrets
Attacker’s can remotely access any TCP/UDP service on your machine, serious bugs in many GitHub Actions, and the security value of creating easily greppable ...
[tl;dr sec] #58 - New Job 🎉, Burp Multiplayer, Chaos Engineering Book
I’ve joined r2c as Head of Security Research, tool to sync multiple Burp instances, free book on chaos engineering to help you build reliable distributed sys...
[tl;dr sec] #57 - Bug Bounty Lessons Learned, Content Value Hierarchy, CloudSecDocs
1 year of a private bug bounty program, how to create high value content, and a great resource for cloud-native technologies.
[tl;dr sec] #56 - State of Exploit Development, Hacking Apple, flaws.cloud dataset
Stats on vulnerability discovery, CVE publication, and patches, lengthy write-up of 3 month Apple bug bounty hackathon, and flaws.cloud logs published.
[tl;dr sec] #55 - Detection as Code, Vault Authentication Bugs, Fingerprinting Exploit Developers
Why we should embrace Detection as Code, write-up of two complex AuthN bugs in Vault, tracking exploit developers by their work.
[tl;dr sec] #54 - Complexity in Capital, Communicating a Breach, Offensive Terraform
I contributed to an article in Forbes, how to communicate when you’ve been hacked, Terraform to spin up offensive infrastructure.
[tl;dr sec] #53 - OneFuzz, Program Analysis, Ring Alarm Teardown
Microsoft releases self-hosted fuzzing-as-a-service platform, several solid program analysis resources, detailed teardown of Ring’s hardware and attack surfa...
[tl;dr sec] #52 - Prioritizing 3rd Party Vulnerabilities to Fix, LangSec History, Distilled Compliance Controls
How to prioritize vulnerabilities in your dependencies, some history and context around LangSec, and a set of common controls across 10+ standards.
[tl;dr sec] #51 - Continuous Cloud Monitoring, Web Browser for Hackers, How GitHub Threat Models
Monitor your cloud environment and automatically detect drift, a scriptable browser and bending JavaScript to your will, GitHub’s threat modeling process.
[tl;dr sec] #50 - Engineering Empathy, Golang Security, Bardcore
Applying engineering lessons learned to AppSec teams, common Golang bugs, and medieval covers of modern pop songs take the Internet by storm.
[tl;dr sec] #49 - Web Cache Entanglement, Finding a Mentor, Build Tools Around Workflows
New cache research by James Kettle, how to effectively reach out and build mentor relationships, tools should support workflows, not vice versa.
[tl;dr sec] #48 - Automating Recon Summary, GraphQL Tools, DEF CON 2020 Live Notes
My summary of Daniel Miessler’s talk on automating recon, 2 tools to help with testing GraphQL, quick notes for ~20 DEF CON talks.
[tl;dr sec] #47 - Automating Recon, Podcasts, and Lateral Movement / Privilege Escalation in GCP
Daniel Miessler on automating your recon workflow, I was on a few podcasts, how to compromise GCP orgs via cloud API lateral movement & privilege escalat...
[tl;dr sec] #46 - Grokking CSP, Automating Threat Model ➡️ Security Tests, Unknown Blob ➡️ Plaintext
How to go from no CSP to a solid CSP, automatically creating baseline security tests from a threat model, tools to automagically decode random blobs.
[tl;dr sec] #45 - Bucket Brigade, ReDoS Cheat-sheet, Understanding OAuth
Protecting your public S3 buckets, how to find, prevent, and fix regular expression DoS, and walk step-by-step through the OAuth flow.
[tl;dr sec] #44 - Formal Methods, New Web Security Mechanisms, Have GPT-3 Code for You
Using lightweight formal methods in the real world, new web mitigations for injection vulns and isolation capabilities, GPT-3 is magic.
Container Security
A collection of container security resources and tools, organized by category.
[tl;dr sec] #43 - Continuous AppSec Scanning, Threat Modeling, Career Advice from Feynman
How to continuously discover, monitor, and assess your web assets, threat modeling + agile, Richard Feynman on the problems you choose to tackle.
[tl;dr sec] #42 - tl;dr sec Search, Towards Trusted Sensing, Root Causes of Procrastination
tl;dr sec now supports search, snapshotting VMs at scale in a way malware can’t evade, reflections on why we procrastinate.
[tl;dr sec] #41 - Threat Modeling Kubernetes, Secret Scanner Benchmark, OWASP Software Component Verification Standard
Overview of current work threat modeling Kubernetes, a repo to test your secret scanning, and v1 of OWASP’s standard on identifying/reducing supply chain risk.
[tl;dr sec] #40 - Uber’s Continuous AWS Monitoring, AWS’s Hands-off Deployments, Auto-remove Unneeded Feature Flags
Uber continuous AWS monitoring tool and process, how AWS does safe, fast, continuous deployment, tool to auto-delete no longer needed feature flags.
[tl;dr sec] #39 - Evidence Based Security, Web Security, and Program Analysis
Measuring the effectiveness of your security controls, web security tools and slides, auto-converting between Java/C++/Python and integrating formal methods.
[tl;dr sec] #38 - Threat Modeling for Devs, Attacking JWTs, On Accepting Ads
Effectively teaching devs threat modeling, forging and cracking JWTs, and some radical transparency about our process of deciding to accept sponsors.
On Accepting Sponsors
tl;dr sec’s goals, values, and our thought process behind accepting sponsors. Sponsors will be clearly demarcated and will not affect the rest of the content.
[tl;dr sec] #37 - Kubernetes, SAST Snark, and Malware Targeting Open Source Supply Chain
Using Kubernetes + OPA, Twitter SAST snark & lessons learned, malware discovered on GitHub targeting the open source supply chain.
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
[tl;dr sec] #35 - Careers in Security, Testing OAuth, Session Management with Burp
Building a successful career in security and how to specialize, testing OAuth implementations, and a Burp plugin for handling session management.
[tl;dr sec] #34 - Game Theory + 0days, Kubernetes Hacking Practice, AWS Least Privilege
Game theory applied to finding and disclosing 0days, Kubernetes training labs, rightsize your AWS IAM policies to Terraform.
[tl;dr sec] #33 - Splunk’s Attack Range, Detecting Compromised Cloud Creds, Azure AD for Red Teamers
Set up your own range to practice attacking & detection, detection strategies for compromised cloud creds, intro to Azure AD for red teamers.
[tl;dr sec] #32 - Security + Empathy, Chrome Extension Security, Attacking Azure AD
Gusto CISO Flee on building a positive security culture, protecting from/attacking with Chrome extensions, pivot through Azure AD.
[tl;dr sec] #31 - Instrument with Frida, Free Course on Attacking Apps in AWS/Azure, VM with 8 C&C Frameworks
Use Frida from a Burp extension or web interface, continuous cloud security, fighting misinformation at scale.
[tl;dr sec] #30 - Securing Your Home Network, ATT&CK for Kubernetes, Google on Building Secure Systems
How to secure your home WiFi network, Microsoft releases ATT&CK matrix for Kubernetes, free 550+ page book by Google’s SREs on building secure systems.
[tl;dr sec] #29 - Testing GraphQL, Bug Bounty Programs, & AWS Service Control Policy Best Practices
Tool for testing GraphQL endpoints, how to run a great bug bounty program, restricting your AWS account with Service Control Policies, hardening Linux.
[tl;dr sec] #28 - 25 Years of Fuzzing, Secrets Management, Security Questionnaires
Some history and overview of fuzzing, preventing/detecting/remediating leaked secrets, static analysis, macOS security, reflections on privacy post COVID-19.
[tl;dr sec] #27 - AppSec Weekly, SOC2 Starting Seven, Save Encryption
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
[tl;dr sec] #26 - Learnings from Duo, Auto-healing Clouds, Fuzzing
Jon Oberheide on Duo, self-healing AWS environments, Google’s fuzzer benchmarking and CIFuzz, securing Windows & MS accounts at scale.
[tl;dr sec] #25 - BSidesSF and RSA, Demystifying Container Security, Your Privacy Online
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
[tl;dr sec] #22 - Post AppSec Cali, K8s Security Monitoring at Scale
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
[tl;dr sec] #21 - AppSec Cali, Bezos’s Phone, Fuzzing
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
[tl;dr sec] #19 - Epic Post Next Week, Beyond Beyond Corp, Cloud Security Tools
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
[tl;dr sec] #18 - “GitHubification” of Infosec, Ring Privacy, Ransomware Economics
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
[tl;dr sec] #16 - Art of Vulnerability Management, Cloud Security, Flan Scan, SCORE Bot
Building an effective vulnerability management process, K8s/AWS tips, network & code scanning tools, privacy preserving VA, and the Siege of Gondor.
[tl;dr sec] #15 - OSINT + Screenshots, Fuzzing, and 2 Fast 2 Discoverious
Summary of an AppSec Cali 2019 talk on more efficient network penetration tests via clustering similar screenshots, fuzzing tools and articles, Bugcrowd/Bitd...
[tl;dr sec] #14 - DevSecCon TLV, Slack’s Secure Overlay Network, Dangers of Struct Padding
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
[tl;dr sec] #13 - Being Powerful While Powerless, Sadcloud, and Bugcrowd’s Asset Inventory Service
Gusto’s Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
[tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
[tl;dr sec] #10 - Cloudflare on Security, IAM Least Privilege, & Finding XSS in Firefox’s UI
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
[tl;dr sec] #9 - Autonomous Bug Reporting, HTTP Desync Attacks, & Censorship
Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, China’s censorship power is felt around the world.
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
[tl;dr sec] #7 - AppSec Cali 2019 DevSecOps Panel Summary
Notes from an AppSec Cali 2019 panel, AWS security tools, fuzzing with grammars and Gitlab, and Google P0’s iOS exploit chain discovery.
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
summary
Dev Akhawe’s Follow-up on Figma’s Experience Switching to WebAuthN
The good, the bad, and the lessons learned.
@lcamtuf on Building a Successful Career in Infosec
Excellent thread by @lcamtuf: friendships last longer than jobs, it’s a volatile industry, focus on the long term, the power of writing.
Grow Your Best Employees or Lose Them
Travis McPeak recommends
How Figma Switched Their Okta to Only Allow Phish-proof WebAuthn/FIDO Multi-factor Authentication
An excellent Twitter thread by Dev Akhawe on the value of making this switch, and challenges and lessons learned along the way.
A framework for effective corporate communication after cyber security incidents
This paper lays out a framework for how organizations should communicate after a security incident.
Peeling the Web Application Security Onion Without Tears
Lessons from Adobe in how building reusable, secure-by-default services and infrastructure improves your security and reduces compliance burden.
Mechanizing the Methodology: How to find vulnerabilities while you’re doing other things
Daniel Miessler describes how to automate your OSINT and recon processes so you can find more and better bugs with less manual effort.
Lightning in a Bottle: 25 Years of Fuzzing
Richard Johnson describes the history of fuzzing, the primary types of fuzzing, modern tools and advancements, SDLC integration, and more.
Learnings from Duo
Jon Oberheide on Duo’s story, from conception through acquisition, and the important lessons he learned along the way.
What I Learned Watching All 44 AppSec Cali 2019 Talks
Detailed summaries of ~32 hours of talks, searchable and grouped by category, to supercharge your security program 🚀
The Art of Vulnerability Management
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
Pose a Threat: How Perceptual Analysis Helps Bug Hunters
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
Being Powerful While Powerless: Elevating Security By Leading Without Authority
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a ...
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
Data Driven Bug Bounty
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
(in)Secure Development - Why some product teams are great and others aren’t…
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
SCORE Bot: Shift Left, at Scale!
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
aws
Lesser Known Techniques for Attacking AWS Environments
Techniques for initital access, recon, lateral movement, and exfil of AWS accounts, along with defensive mitigations
How Uber Continuously Monitors the Security of its AWS Environment
Uber describes their continuous cloud monitoring service and the workflows and process design that makes it successfully adopted by engineering teams.
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
[tl;dr sec] #33 - Splunk’s Attack Range, Detecting Compromised Cloud Creds, Azure AD for Red Teamers
Set up your own range to practice attacking & detection, detection strategies for compromised cloud creds, intro to Azure AD for red teamers.
[tl;dr sec] #32 - Security + Empathy, Chrome Extension Security, Attacking Azure AD
Gusto CISO Flee on building a positive security culture, protecting from/attacking with Chrome extensions, pivot through Azure AD.
[tl;dr sec] #31 - Instrument with Frida, Free Course on Attacking Apps in AWS/Azure, VM with 8 C&C Frameworks
Use Frida from a Burp extension or web interface, continuous cloud security, fighting misinformation at scale.
[tl;dr sec] #30 - Securing Your Home Network, ATT&CK for Kubernetes, Google on Building Secure Systems
How to secure your home WiFi network, Microsoft releases ATT&CK matrix for Kubernetes, free 550+ page book by Google’s SREs on building secure systems.
[tl;dr sec] #27 - AppSec Weekly, SOC2 Starting Seven, Save Encryption
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
[tl;dr sec] #25 - BSidesSF and RSA, Demystifying Container Security, Your Privacy Online
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
[tl;dr sec] #22 - Post AppSec Cali, K8s Security Monitoring at Scale
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
[tl;dr sec] #19 - Epic Post Next Week, Beyond Beyond Corp, Cloud Security Tools
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
[tl;dr sec] #14 - DevSecCon TLV, Slack’s Secure Overlay Network, Dangers of Struct Padding
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
[tl;dr sec] #10 - Cloudflare on Security, IAM Least Privilege, & Finding XSS in Firefox’s UI
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
[tl;dr sec] #7 - AppSec Cali 2019 DevSecOps Panel Summary
Notes from an AppSec Cali 2019 panel, AWS security tools, fuzzing with grammars and Gitlab, and Google P0’s iOS exploit chain discovery.
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
cloud_security
Cloud Security Orienteering
How to orienteer in a cloud environment, dig in to identify the risks that matter, and put together actionable plans that address short, medium, and long ter...
Lesser Known Techniques for Attacking AWS Environments
Techniques for initital access, recon, lateral movement, and exfil of AWS accounts, along with defensive mitigations
How Uber Continuously Monitors the Security of its AWS Environment
Uber describes their continuous cloud monitoring service and the workflows and process design that makes it successfully adopted by engineering teams.
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
[tl;dr sec] #32 - Security + Empathy, Chrome Extension Security, Attacking Azure AD
Gusto CISO Flee on building a positive security culture, protecting from/attacking with Chrome extensions, pivot through Azure AD.
[tl;dr sec] #31 - Instrument with Frida, Free Course on Attacking Apps in AWS/Azure, VM with 8 C&C Frameworks
Use Frida from a Burp extension or web interface, continuous cloud security, fighting misinformation at scale.
[tl;dr sec] #30 - Securing Your Home Network, ATT&CK for Kubernetes, Google on Building Secure Systems
How to secure your home WiFi network, Microsoft releases ATT&CK matrix for Kubernetes, free 550+ page book by Google’s SREs on building secure systems.
[tl;dr sec] #27 - AppSec Weekly, SOC2 Starting Seven, Save Encryption
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
[tl;dr sec] #26 - Learnings from Duo, Auto-healing Clouds, Fuzzing
Jon Oberheide on Duo, self-healing AWS environments, Google’s fuzzer benchmarking and CIFuzz, securing Windows & MS accounts at scale.
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
[tl;dr sec] #19 - Epic Post Next Week, Beyond Beyond Corp, Cloud Security Tools
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
[tl;dr sec] #14 - DevSecCon TLV, Slack’s Secure Overlay Network, Dangers of Struct Padding
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
[tl;dr sec] #13 - Being Powerful While Powerless, Sadcloud, and Bugcrowd’s Asset Inventory Service
Gusto’s Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
[tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
2019
What I Learned Watching All 44 AppSec Cali 2019 Talks
Detailed summaries of ~32 hours of talks, searchable and grouped by category, to supercharge your security program 🚀
Startup Security: Starting a Security Program at a Startup
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
The Art of Vulnerability Management
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
Pose a Threat: How Perceptual Analysis Helps Bug Hunters
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
DevSecCon Tel Aviv 2019 Roundup
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
Being Powerful While Powerless: Elevating Security By Leading Without Authority
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a ...
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
Data Driven Bug Bounty
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
(in)Secure Development - Why some product teams are great and others aren’t…
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
BSidesSF 2019: DevSecOps State of the Union
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
industry
Lightning in a Bottle: 25 Years of Fuzzing
Richard Johnson describes the history of fuzzing, the primary types of fuzzing, modern tools and advancements, SDLC integration, and more.
What I Learned Watching All 44 AppSec Cali 2019 Talks
Detailed summaries of ~32 hours of talks, searchable and grouped by category, to supercharge your security program 🚀
The Art of Vulnerability Management
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
Pose a Threat: How Perceptual Analysis Helps Bug Hunters
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
Being Powerful While Powerless: Elevating Security By Leading Without Authority
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a ...
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
Data Driven Bug Bounty
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
(in)Secure Development - Why some product teams are great and others aren’t…
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
SCORE Bot: Shift Left, at Scale!
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
BSidesSF 2019: DevSecOps State of the Union
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
devsecops
[tl;dr sec] #26 - Learnings from Duo, Auto-healing Clouds, Fuzzing
Jon Oberheide on Duo, self-healing AWS environments, Google’s fuzzer benchmarking and CIFuzz, securing Windows & MS accounts at scale.
[tl;dr sec] #22 - Post AppSec Cali, K8s Security Monitoring at Scale
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
DevSecCon Tel Aviv 2019 Roundup
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
[tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
[tl;dr sec] #7 - AppSec Cali 2019 DevSecOps Panel Summary
Notes from an AppSec Cali 2019 panel, AWS security tools, fuzzing with grammars and Gitlab, and Google P0’s iOS exploit chain discovery.
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
SCORE Bot: Shift Left, at Scale!
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
BSidesSF 2019: DevSecOps State of the Union
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
static_analysis
[tl;dr sec] #28 - 25 Years of Fuzzing, Secrets Management, Security Questionnaires
Some history and overview of fuzzing, preventing/detecting/remediating leaked secrets, static analysis, macOS security, reflections on privacy post COVID-19.
[tl;dr sec] #25 - BSidesSF and RSA, Demystifying Container Security, Your Privacy Online
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
[tl;dr sec] #22 - Post AppSec Cali, K8s Security Monitoring at Scale
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
[tl;dr sec] #18 - “GitHubification” of Infosec, Ring Privacy, Ransomware Economics
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
[tl;dr sec] #10 - Cloudflare on Security, IAM Least Privilege, & Finding XSS in Firefox’s UI
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
SCORE Bot: Shift Left, at Scale!
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
BSidesSF 2019: DevSecOps State of the Union
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
fuzzing
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
[tl;dr sec] #28 - 25 Years of Fuzzing, Secrets Management, Security Questionnaires
Some history and overview of fuzzing, preventing/detecting/remediating leaked secrets, static analysis, macOS security, reflections on privacy post COVID-19.
Lightning in a Bottle: 25 Years of Fuzzing
Richard Johnson describes the history of fuzzing, the primary types of fuzzing, modern tools and advancements, SDLC integration, and more.
[tl;dr sec] #26 - Learnings from Duo, Auto-healing Clouds, Fuzzing
Jon Oberheide on Duo, self-healing AWS environments, Google’s fuzzer benchmarking and CIFuzz, securing Windows & MS accounts at scale.
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
[tl;dr sec] #21 - AppSec Cali, Bezos’s Phone, Fuzzing
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
[tl;dr sec] #15 - OSINT + Screenshots, Fuzzing, and 2 Fast 2 Discoverious
Summary of an AppSec Cali 2019 talk on more efficient network penetration tests via clustering similar screenshots, fuzzing tools and articles, Bugcrowd/Bitd...
[tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
[tl;dr sec] #9 - Autonomous Bug Reporting, HTTP Desync Attacks, & Censorship
Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, China’s censorship power is felt around the world.
[tl;dr sec] #7 - AppSec Cali 2019 DevSecOps Panel Summary
Notes from an AppSec Cali 2019 panel, AWS security tools, fuzzing with grammars and Gitlab, and Google P0’s iOS exploit chain discovery.
privacy
Riana Pfefferkorn: I Have a Lot to Say About Signal’s Cellebrite Hack
Stanford Internet Observatory Research Scholar Riana Pfefferkorn shares her thoughts on legal implications of the Cellebrite hack.
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
[tl;dr sec] #33 - Splunk’s Attack Range, Detecting Compromised Cloud Creds, Azure AD for Red Teamers
Set up your own range to practice attacking & detection, detection strategies for compromised cloud creds, intro to Azure AD for red teamers.
[tl;dr sec] #28 - 25 Years of Fuzzing, Secrets Management, Security Questionnaires
Some history and overview of fuzzing, preventing/detecting/remediating leaked secrets, static analysis, macOS security, reflections on privacy post COVID-19.
[tl;dr sec] #27 - AppSec Weekly, SOC2 Starting Seven, Save Encryption
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
[tl;dr sec] #25 - BSidesSF and RSA, Demystifying Container Security, Your Privacy Online
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
[tl;dr sec] #18 - “GitHubification” of Infosec, Ring Privacy, Ransomware Economics
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
[tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
web_security
Content Security Policy: Going From Idea to Afterthought
GitHub security engineer Neil Matatall gives an overview of CSP: how it works, how to go from no CSP to a solid CSP, and how GitHub implements CSP.
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
[tl;dr sec] #27 - AppSec Weekly, SOC2 Starting Seven, Save Encryption
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
[tl;dr sec] #26 - Learnings from Duo, Auto-healing Clouds, Fuzzing
Jon Oberheide on Duo, self-healing AWS environments, Google’s fuzzer benchmarking and CIFuzz, securing Windows & MS accounts at scale.
[tl;dr sec] #25 - BSidesSF and RSA, Demystifying Container Security, Your Privacy Online
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
[tl;dr sec] #15 - OSINT + Screenshots, Fuzzing, and 2 Fast 2 Discoverious
Summary of an AppSec Cali 2019 talk on more efficient network penetration tests via clustering similar screenshots, fuzzing tools and articles, Bugcrowd/Bitd...
[tl;dr sec] #14 - DevSecCon TLV, Slack’s Secure Overlay Network, Dangers of Struct Padding
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
[tl;dr sec] #13 - Being Powerful While Powerless, Sadcloud, and Bugcrowd’s Asset Inventory Service
Gusto’s Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
blue_team
Dino Dai Zovi on Hardening CI Infrastructure
In the wake of SolarWinds, Dino Dai Zovi describes how he recommends hardening your CI environment.
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
[tl;dr sec] #32 - Security + Empathy, Chrome Extension Security, Attacking Azure AD
Gusto CISO Flee on building a positive security culture, protecting from/attacking with Chrome extensions, pivot through Azure AD.
[tl;dr sec] #31 - Instrument with Frida, Free Course on Attacking Apps in AWS/Azure, VM with 8 C&C Frameworks
Use Frida from a Burp extension or web interface, continuous cloud security, fighting misinformation at scale.
[tl;dr sec] #27 - AppSec Weekly, SOC2 Starting Seven, Save Encryption
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
[tl;dr sec] #26 - Learnings from Duo, Auto-healing Clouds, Fuzzing
Jon Oberheide on Duo, self-healing AWS environments, Google’s fuzzer benchmarking and CIFuzz, securing Windows & MS accounts at scale.
Startup Security: Starting a Security Program at a Startup
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
[tl;dr sec] #18 - “GitHubification” of Infosec, Ring Privacy, Ransomware Economics
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
The Art of Vulnerability Management
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
security_culture
[tl;dr sec] #13 - Being Powerful While Powerless, Sadcloud, and Bugcrowd’s Asset Inventory Service
Gusto’s Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
Being Powerful While Powerless: Elevating Security By Leading Without Authority
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a ...
[tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
[tl;dr sec] #10 - Cloudflare on Security, IAM Least Privilege, & Finding XSS in Firefox’s UI
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
(in)Secure Development - Why some product teams are great and others aren’t…
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
red_team
Mechanizing the Methodology: How to find vulnerabilities while you’re doing other things
Daniel Miessler describes how to automate your OSINT and recon processes so you can find more and better bugs with less manual effort.
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
[tl;dr sec] #32 - Security + Empathy, Chrome Extension Security, Attacking Azure AD
Gusto CISO Flee on building a positive security culture, protecting from/attacking with Chrome extensions, pivot through Azure AD.
[tl;dr sec] #31 - Instrument with Frida, Free Course on Attacking Apps in AWS/Azure, VM with 8 C&C Frameworks
Use Frida from a Burp extension or web interface, continuous cloud security, fighting misinformation at scale.
[tl;dr sec] #28 - 25 Years of Fuzzing, Secrets Management, Security Questionnaires
Some history and overview of fuzzing, preventing/detecting/remediating leaked secrets, static analysis, macOS security, reflections on privacy post COVID-19.
[tl;dr sec] #27 - AppSec Weekly, SOC2 Starting Seven, Save Encryption
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
[tl;dr sec] #25 - BSidesSF and RSA, Demystifying Container Security, Your Privacy Online
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
con_appsec_cali
[tl;dr sec] #22 - Post AppSec Cali, K8s Security Monitoring at Scale
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
What I Learned Watching All 44 AppSec Cali 2019 Talks
Detailed summaries of ~32 hours of talks, searchable and grouped by category, to supercharge your security program 🚀
Startup Security: Starting a Security Program at a Startup
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
Pose a Threat: How Perceptual Analysis Helps Bug Hunters
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
(in)Secure Development - Why some product teams are great and others aren’t…
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
osint
Mechanizing the Methodology: How to find vulnerabilities while you’re doing other things
Daniel Miessler describes how to automate your OSINT and recon processes so you can find more and better bugs with less manual effort.
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
[tl;dr sec] #15 - OSINT + Screenshots, Fuzzing, and 2 Fast 2 Discoverious
Summary of an AppSec Cali 2019 talk on more efficient network penetration tests via clustering similar screenshots, fuzzing tools and articles, Bugcrowd/Bitd...
[tl;dr sec] #14 - DevSecCon TLV, Slack’s Secure Overlay Network, Dangers of Struct Padding
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
kubernetes
[tl;dr sec] #31 - Instrument with Frida, Free Course on Attacking Apps in AWS/Azure, VM with 8 C&C Frameworks
Use Frida from a Burp extension or web interface, continuous cloud security, fighting misinformation at scale.
[tl;dr sec] #30 - Securing Your Home Network, ATT&CK for Kubernetes, Google on Building Secure Systems
How to secure your home WiFi network, Microsoft releases ATT&CK matrix for Kubernetes, free 550+ page book by Google’s SREs on building secure systems.
[tl;dr sec] #25 - BSidesSF and RSA, Demystifying Container Security, Your Privacy Online
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
[tl;dr sec] #22 - Post AppSec Cali, K8s Security Monitoring at Scale
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
[tl;dr sec] #21 - AppSec Cali, Bezos’s Phone, Fuzzing
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
threat_modeling
DevSecCon Tel Aviv 2019 Roundup
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
(in)Secure Development - Why some product teams are great and others aren’t…
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
web_app_security
[tl;dr sec] #12 - Killing CSRF, MITRE ATT&CK Cloud, Cache Poisoned DoS
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
[tl;dr sec] #10 - Cloudflare on Security, IAM Least Privilege, & Finding XSS in Firefox’s UI
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
[tl;dr sec] #9 - Autonomous Bug Reporting, HTTP Desync Attacks, & Censorship
Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, China’s censorship power is felt around the world.
container_security
Container Security
A collection of container security resources and tools, organized by category.
[tl;dr sec] #32 - Security + Empathy, Chrome Extension Security, Attacking Azure AD
Gusto CISO Flee on building a positive security culture, protecting from/attacking with Chrome extensions, pivot through Azure AD.
[tl;dr sec] #31 - Instrument with Frida, Free Course on Attacking Apps in AWS/Azure, VM with 8 C&C Frameworks
Use Frida from a Burp extension or web interface, continuous cloud security, fighting misinformation at scale.
[tl;dr sec] #25 - BSidesSF and RSA, Demystifying Container Security, Your Privacy Online
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
original_content
Cloud Security Orienteering
How to orienteer in a cloud environment, dig in to identify the risks that matter, and put together actionable plans that address short, medium, and long ter...
Cloud Security Orienteering: Checklist
How to orienteer in a cloud environment, dig in to identify the risks that matter, and put together actionable plans that address short, medium, and long ter...
Lesser Known Techniques for Attacking AWS Environments
Techniques for initital access, recon, lateral movement, and exfil of AWS accounts, along with defensive mitigations
On Accepting Sponsors
tl;dr sec’s goals, values, and our thought process behind accepting sponsors. Sponsors will be clearly demarcated and will not affect the rest of the content.
program_analysis
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
BSidesSF 2019: DevSecOps State of the Union
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
sdlc
Lessons Learned from the DevSecOps Trenches
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
(Transcript) Lessons Learned from the DevSecOps Trenches
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
(in)Secure Development - Why some product teams are great and others aren’t…
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
bug_bounty
[tl;dr sec] #30 - Securing Your Home Network, ATT&CK for Kubernetes, Google on Building Secure Systems
How to secure your home WiFi network, Microsoft releases ATT&CK matrix for Kubernetes, free 550+ page book by Google’s SREs on building secure systems.
[tl;dr sec] #21 - AppSec Cali, Bezos’s Phone, Fuzzing
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
Data Driven Bug Bounty
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
xss
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
[tl;dr sec] #33 - Splunk’s Attack Range, Detecting Compromised Cloud Creds, Azure AD for Red Teamers
Set up your own range to practice attacking & detection, detection strategies for compromised cloud creds, intro to Azure AD for red teamers.
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
politics
[tl;dr sec] #33 - Splunk’s Attack Range, Detecting Compromised Cloud Creds, Azure AD for Red Teamers
Set up your own range to practice attacking & detection, detection strategies for compromised cloud creds, intro to Azure AD for red teamers.
[tl;dr sec] #27 - AppSec Weekly, SOC2 Starting Seven, Save Encryption
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
azure
[tl;dr sec] #33 - Splunk’s Attack Range, Detecting Compromised Cloud Creds, Azure AD for Red Teamers
Set up your own range to practice attacking & detection, detection strategies for compromised cloud creds, intro to Azure AD for red teamers.
[tl;dr sec] #30 - Securing Your Home Network, ATT&CK for Kubernetes, Google on Building Secure Systems
How to secure your home WiFi network, Microsoft releases ATT&CK matrix for Kubernetes, free 550+ page book by Google’s SREs on building secure systems.
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
career
@lcamtuf on Building a Successful Career in Infosec
Excellent thread by @lcamtuf: friendships last longer than jobs, it’s a volatile industry, focus on the long term, the power of writing.
[tl;dr sec] #27 - AppSec Weekly, SOC2 Starting Seven, Save Encryption
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
scaling_security
Dev Akhawe’s Follow-up on Figma’s Experience Switching to WebAuthN
The good, the bad, and the lessons learned.
How Figma Switched Their Okta to Only Allow Phish-proof WebAuthn/FIDO Multi-factor Authentication
An excellent Twitter thread by Dev Akhawe on the value of making this switch, and challenges and lessons learned along the way.
How Uber Continuously Monitors the Security of its AWS Environment
Uber describes their continuous cloud monitoring service and the workflows and process design that makes it successfully adopted by engineering teams.
reverse_engineering
[tl;dr sec] #33 - Splunk’s Attack Range, Detecting Compromised Cloud Creds, Azure AD for Red Teamers
Set up your own range to practice attacking & detection, detection strategies for compromised cloud creds, intro to Azure AD for red teamers.
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
dns_rebinding
[tl;dr sec] #30 - Securing Your Home Network, ATT&CK for Kubernetes, Google on Building Secure Systems
How to secure your home WiFi network, Microsoft releases ATT&CK matrix for Kubernetes, free 550+ page book by Google’s SREs on building secure systems.
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
compliance
Peeling the Web Application Security Onion Without Tears
Lessons from Adobe in how building reusable, secure-by-default services and infrastructure improves your security and reduces compliance burden.
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
con_devseccon
DevSecCon Tel Aviv 2019 Roundup
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
asset_inventory
Pose a Threat: How Perceptual Analysis Helps Bug Hunters
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
[tl;dr sec] #13 - Being Powerful While Powerless, Sadcloud, and Bugcrowd’s Asset Inventory Service
Gusto’s Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
secrets_management
[tl;dr sec] #28 - 25 Years of Fuzzing, Secrets Management, Security Questionnaires
Some history and overview of fuzzing, preventing/detecting/remediating leaked secrets, static analysis, macOS security, reflections on privacy post COVID-19.
DevSecCon Tel Aviv 2019 Roundup
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
vuln_management
Travis McPeak: Why Companies don’t ‘Just Patch’
Why patching in the real world is hard, and what to do about it.
The Art of Vulnerability Management
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
podcast
[tl;dr sec] #27 - AppSec Weekly, SOC2 Starting Seven, Save Encryption
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
@lcamtuf on Building a Successful Career in Infosec
Excellent thread by @lcamtuf: friendships last longer than jobs, it’s a volatile industry, focus on the long term, the power of writing.
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
terraform
[tl;dr sec] #33 - Splunk’s Attack Range, Detecting Compromised Cloud Creds, Azure AD for Red Teamers
Set up your own range to practice attacking & detection, detection strategies for compromised cloud creds, intro to Azure AD for red teamers.
[tl;dr sec] #19 - Epic Post Next Week, Beyond Beyond Corp, Cloud Security Tools
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
istio
[tl;dr sec] #33 - Splunk’s Attack Range, Detecting Compromised Cloud Creds, Azure AD for Red Teamers
Set up your own range to practice attacking & detection, detection strategies for compromised cloud creds, intro to Azure AD for red teamers.
[tl;dr sec] #25 - BSidesSF and RSA, Demystifying Container Security, Your Privacy Online
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
startup
[tl;dr sec] #33 - Splunk’s Attack Range, Detecting Compromised Cloud Creds, Azure AD for Red Teamers
Set up your own range to practice attacking & detection, detection strategies for compromised cloud creds, intro to Azure AD for red teamers.
Learnings from Duo
Jon Oberheide on Duo’s story, from conception through acquisition, and the important lessons he learned along the way.
academia
A framework for effective corporate communication after cyber security incidents
This paper lays out a framework for how organizations should communicate after a security incident.
[tl;dr sec] #30 - Securing Your Home Network, ATT&CK for Kubernetes, Google on Building Secure Systems
How to secure your home WiFi network, Microsoft releases ATT&CK matrix for Kubernetes, free 550+ page book by Google’s SREs on building secure systems.
devdatta_akhawe
Dev Akhawe’s Follow-up on Figma’s Experience Switching to WebAuthN
The good, the bad, and the lessons learned.
How Figma Switched Their Okta to Only Allow Phish-proof WebAuthn/FIDO Multi-factor Authentication
An excellent Twitter thread by Dev Akhawe on the value of making this switch, and challenges and lessons learned along the way.
figma
Dev Akhawe’s Follow-up on Figma’s Experience Switching to WebAuthN
The good, the bad, and the lessons learned.
How Figma Switched Their Okta to Only Allow Phish-proof WebAuthn/FIDO Multi-factor Authentication
An excellent Twitter thread by Dev Akhawe on the value of making this switch, and challenges and lessons learned along the way.
mfa
Dev Akhawe’s Follow-up on Figma’s Experience Switching to WebAuthN
The good, the bad, and the lessons learned.
How Figma Switched Their Okta to Only Allow Phish-proof WebAuthn/FIDO Multi-factor Authentication
An excellent Twitter thread by Dev Akhawe on the value of making this switch, and challenges and lessons learned along the way.
okta
Dev Akhawe’s Follow-up on Figma’s Experience Switching to WebAuthN
The good, the bad, and the lessons learned.
How Figma Switched Their Okta to Only Allow Phish-proof WebAuthn/FIDO Multi-factor Authentication
An excellent Twitter thread by Dev Akhawe on the value of making this switch, and challenges and lessons learned along the way.
sso
Dev Akhawe’s Follow-up on Figma’s Experience Switching to WebAuthN
The good, the bad, and the lessons learned.
How Figma Switched Their Okta to Only Allow Phish-proof WebAuthn/FIDO Multi-factor Authentication
An excellent Twitter thread by Dev Akhawe on the value of making this switch, and challenges and lessons learned along the way.
our_research
BSidesSF 2019: DevSecOps State of the Union
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
con_bsides_sf
BSidesSF 2019: DevSecOps State of the Union
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
con_appsec_usa
SCORE Bot: Shift Left, at Scale!
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
2018
SCORE Bot: Shift Left, at Scale!
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
con_bsidessf
Data Driven Bug Bounty
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
security_metrics
Data Driven Bug Bounty
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
con_blackhat_usa
Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
2017
Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
keynote
Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
responsible_disclosure
[tl;dr sec] #6 - Post Hacker Summer Camp
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
ai
[tl;dr sec] #8 - DevSecCon Seattle 2019 Round Up
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
censorship
[tl;dr sec] #9 - Autonomous Bug Reporting, HTTP Desync Attacks, & Censorship
Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, China’s censorship power is felt around the world.
firefox
[tl;dr sec] #10 - Cloudflare on Security, IAM Least Privilege, & Finding XSS in Firefox’s UI
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
con_shellcon
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
detection_response
[tl;dr sec] #11 - ShellCon 2019 Roundup
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
con_global_appsec_amsterdam
Being Powerful While Powerless: Elevating Security By Leading Without Authority
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a ...
c
[tl;dr sec] #14 - DevSecCon TLV, Slack’s Secure Overlay Network, Dangers of Struct Padding
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
pen_testing
Pose a Threat: How Perceptual Analysis Helps Bug Hunters
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
machine_learning
Pose a Threat: How Perceptual Analysis Helps Bug Hunters
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
metrics
The Art of Vulnerability Management
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
con_appsec_ali
The Art of Vulnerability Management
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
absolute_appsec
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
supply_chain_security
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
humor
[tl;dr sec] #17 - AWS Re:Invent, Supply Chain Security, Absolute AppSec
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
economics
[tl;dr sec] #18 - “GitHubification” of Infosec, Ring Privacy, Ransomware Economics
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
ransomware
[tl;dr sec] #18 - “GitHubification” of Infosec, Ring Privacy, Ransomware Economics
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
con_blackhat
[tl;dr sec] #18 - “GitHubification” of Infosec, Ring Privacy, Ransomware Economics
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
[tl;dr sec] #19 - Epic Post Next Week, Beyond Beyond Corp, Cloud Security Tools
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
beyond_corp
[tl;dr sec] #19 - Epic Post Next Week, Beyond Beyond Corp, Cloud Security Tools
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
startup_security
Startup Security: Starting a Security Program at a Startup
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
culture
Startup Security: Starting a Security Program at a Startup
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
graphql
[tl;dr sec] #21 - AppSec Cali, Bezos’s Phone, Fuzzing
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
deserialization
[tl;dr sec] #21 - AppSec Cali, Bezos’s Phone, Fuzzing
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
containers
[tl;dr sec] #22 - Post AppSec Cali, K8s Security Monitoring at Scale
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
automatic_exploit_generation
[tl;dr sec] #23 - OSINT, Automatic Exploit Generation, Cloud Security
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
writing
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
side_channels
[tl;dr sec] #24 - BSidesSF/RSA, tl;dr sec Mascot, REST API Fuzzing, AWS Auto-remediation
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
entrepreneurship
Learnings from Duo
Jon Oberheide on Duo’s story, from conception through acquisition, and the important lessons he learned along the way.
compensation
[tl;dr sec] #27 - AppSec Weekly, SOC2 Starting Seven, Save Encryption
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
soc2
[tl;dr sec] #27 - AppSec Weekly, SOC2 Starting Seven, Save Encryption
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
home_security
[tl;dr sec] #30 - Securing Your Home Network, ATT&CK for Kubernetes, Google on Building Secure Systems
How to secure your home WiFi network, Microsoft releases ATT&CK matrix for Kubernetes, free 550+ page book by Google’s SREs on building secure systems.
security_engineering
[tl;dr sec] #30 - Securing Your Home Network, ATT&CK for Kubernetes, Google on Building Secure Systems
How to secure your home WiFi network, Microsoft releases ATT&CK matrix for Kubernetes, free 550+ page book by Google’s SREs on building secure systems.
vault
[tl;dr sec] #30 - Securing Your Home Network, ATT&CK for Kubernetes, Google on Building Secure Systems
How to secure your home WiFi network, Microsoft releases ATT&CK matrix for Kubernetes, free 550+ page book by Google’s SREs on building secure systems.
2fa
[tl;dr sec] #30 - Securing Your Home Network, ATT&CK for Kubernetes, Google on Building Secure Systems
How to secure your home WiFi network, Microsoft releases ATT&CK matrix for Kubernetes, free 550+ page book by Google’s SREs on building secure systems.
phishing
[tl;dr sec] #30 - Securing Your Home Network, ATT&CK for Kubernetes, Google on Building Secure Systems
How to secure your home WiFi network, Microsoft releases ATT&CK matrix for Kubernetes, free 550+ page book by Google’s SREs on building secure systems.
frida
[tl;dr sec] #31 - Instrument with Frida, Free Course on Attacking Apps in AWS/Azure, VM with 8 C&C Frameworks
Use Frida from a Burp extension or web interface, continuous cloud security, fighting misinformation at scale.
instrumentation
[tl;dr sec] #31 - Instrument with Frida, Free Course on Attacking Apps in AWS/Azure, VM with 8 C&C Frameworks
Use Frida from a Burp extension or web interface, continuous cloud security, fighting misinformation at scale.
browser_extension_security
[tl;dr sec] #32 - Security + Empathy, Chrome Extension Security, Attacking Azure AD
Gusto CISO Flee on building a positive security culture, protecting from/attacking with Chrome extensions, pivot through Azure AD.
shakespeare
[tl;dr sec] #32 - Security + Empathy, Chrome Extension Security, Attacking Azure AD
Gusto CISO Flee on building a positive security culture, protecting from/attacking with Chrome extensions, pivot through Azure AD.
building_security_program
[tl;dr sec] #32 - Security + Empathy, Chrome Extension Security, Attacking Azure AD
Gusto CISO Flee on building a positive security culture, protecting from/attacking with Chrome extensions, pivot through Azure AD.
gcp
[tl;dr sec] #33 - Splunk’s Attack Range, Detecting Compromised Cloud Creds, Azure AD for Red Teamers
Set up your own range to practice attacking & detection, detection strategies for compromised cloud creds, intro to Azure AD for red teamers.
malware
[tl;dr sec] #33 - Splunk’s Attack Range, Detecting Compromised Cloud Creds, Azure AD for Red Teamers
Set up your own range to practice attacking & detection, detection strategies for compromised cloud creds, intro to Azure AD for red teamers.
ebpf
[tl;dr sec] #33 - Splunk’s Attack Range, Detecting Compromised Cloud Creds, Azure AD for Red Teamers
Set up your own range to practice attacking & detection, detection strategies for compromised cloud creds, intro to Azure AD for red teamers.
personal_knowledge_management
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
mobile_security
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
ios
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
honeypot
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
elasticsearch
[tl;dr sec] #36 - AWS Security Maturity Roadmap, Fuzzing, Dynamic Infra for Security Testing
An AWS Security Maturity Roadmap for 2020, fuzzing the Windows kernel & differential crypto fuzzing, easily spin up a cloud env for security testing
continus_monitoring
How Uber Continuously Monitors the Security of its AWS Environment
Uber describes their continuous cloud monitoring service and the workflows and process design that makes it successfully adopted by engineering teams.
formal_methods
PLTalk: Practical Formal Methods with Hillel Wayne
Jean Yang, Hongyi Hu, and Hillel Wayne discuss making programming languages/model checking more accessible, give an overview of TLA+ and Alloy, and successfu...
programming_languages
PLTalk: Practical Formal Methods with Hillel Wayne
Jean Yang, Hongyi Hu, and Hillel Wayne discuss making programming languages/model checking more accessible, give an overview of TLA+ and Alloy, and successfu...
alloy
PLTalk: Practical Formal Methods with Hillel Wayne
Jean Yang, Hongyi Hu, and Hillel Wayne discuss making programming languages/model checking more accessible, give an overview of TLA+ and Alloy, and successfu...
tlaplus
PLTalk: Practical Formal Methods with Hillel Wayne
Jean Yang, Hongyi Hu, and Hillel Wayne discuss making programming languages/model checking more accessible, give an overview of TLA+ and Alloy, and successfu...
csp
Content Security Policy: Going From Idea to Afterthought
GitHub security engineer Neil Matatall gives an overview of CSP: how it works, how to go from no CSP to a solid CSP, and how GitHub implements CSP.
recon
Mechanizing the Methodology: How to find vulnerabilities while you’re doing other things
Daniel Miessler describes how to automate your OSINT and recon processes so you can find more and better bugs with less manual effort.
app_sec
Peeling the Web Application Security Onion Without Tears
Lessons from Adobe in how building reusable, secure-by-default services and infrastructure improves your security and reduces compliance burden.
secure_architectures
Peeling the Web Application Security Onion Without Tears
Lessons from Adobe in how building reusable, secure-by-default services and infrastructure improves your security and reduces compliance burden.
bsides_sf
Peeling the Web Application Security Onion Without Tears
Lessons from Adobe in how building reusable, secure-by-default services and infrastructure improves your security and reduces compliance burden.
2020
Peeling the Web Application Security Onion Without Tears
Lessons from Adobe in how building reusable, secure-by-default services and infrastructure improves your security and reduces compliance burden.
breach
A framework for effective corporate communication after cyber security incidents
This paper lays out a framework for how organizations should communicate after a security incident.
stratechery
Stratechery: Aggregation Theory
Ben Thompson describes how properties of the Internet enable companies providing the best user experience to win, which leads to a virtuous but anti-competit...
business_model
Stratechery: Aggregation Theory
Ben Thompson describes how properties of the Internet enable companies providing the best user experience to win, which leads to a virtuous but anti-competit...
supply_chain
Lesser Known Techniques for Attacking AWS Environments
Techniques for initital access, recon, lateral movement, and exfil of AWS accounts, along with defensive mitigations
ci
Dino Dai Zovi on Hardening CI Infrastructure
In the wake of SolarWinds, Dino Dai Zovi describes how he recommends hardening your CI environment.
hardening
Dino Dai Zovi on Hardening CI Infrastructure
In the wake of SolarWinds, Dino Dai Zovi describes how he recommends hardening your CI environment.
twitter_thread
Dino Dai Zovi on Hardening CI Infrastructure
In the wake of SolarWinds, Dino Dai Zovi describes how he recommends hardening your CI environment.
signal
Riana Pfefferkorn: I Have a Lot to Say About Signal’s Cellebrite Hack
Stanford Internet Observatory Research Scholar Riana Pfefferkorn shares her thoughts on legal implications of the Cellebrite hack.
cellebrite
Riana Pfefferkorn: I Have a Lot to Say About Signal’s Cellebrite Hack
Stanford Internet Observatory Research Scholar Riana Pfefferkorn shares her thoughts on legal implications of the Cellebrite hack.
patching
Travis McPeak: Why Companies don’t ‘Just Patch’
Why patching in the real world is hard, and what to do about it.
travis_mcpeak
Travis McPeak: Why Companies don’t ‘Just Patch’
Why patching in the real world is hard, and what to do about it.
rami_mccarthy
Cloud Security Orienteering
How to orienteer in a cloud environment, dig in to identify the risks that matter, and put together actionable plans that address short, medium, and long ter...
lcamtuf
@lcamtuf on Building a Successful Career in Infosec
Excellent thread by @lcamtuf: friendships last longer than jobs, it’s a volatile industry, focus on the long term, the power of writing.