Tool for testing GraphQL endpoints, how to run a great bug bounty program, restricting your AWS account with Service Control Policies, hardening Linux.
Some history and overview of fuzzing, preventing/detecting/remediating leaked secrets, static analysis, macOS security, reflections on privacy post COVID-19.
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
Jon Oberheide on Duo, self-healing AWS environments, Google’s fuzzer benchmarking and CIFuzz, securing Windows & MS accounts at scale.
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
Building an effective vulnerability management process, K8s/AWS tips, network & code scanning tools, privacy preserving VA, and the Siege of Gondor.
Summary of an AppSec Cali 2019 talk on more efficient network penetration tests via clustering similar screenshots, fuzzing tools and articles, Bugcrowd/Bitd...
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
Gusto’s Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, China’s censorship power is felt around the world.
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
Notes from an AppSec Cali 2019 panel, AWS security tools, fuzzing with grammars and Gitlab, and Google P0’s iOS exploit chain discovery.
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
Detailed summaries of ~32 hours of talks, searchable and grouped by category, to supercharge your security program 🚀
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a ...
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
Richard Johnson describes the history of fuzzing, the primary types of fuzzing, modern tools and advancements, SDLC integration, and more.
Detailed summaries of ~32 hours of talks, searchable and grouped by category, to supercharge your security program 🚀
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a ...
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
Richard Johnson describes the history of fuzzing, the primary types of fuzzing, modern tools and advancements, SDLC integration, and more.
Jon Oberheide on Duo’s story, from conception through acquisition, and the important lessons he learned along the way.
Detailed summaries of ~32 hours of talks, searchable and grouped by category, to supercharge your security program 🚀
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a ...
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
Notes from an AppSec Cali 2019 panel, AWS security tools, fuzzing with grammars and Gitlab, and Google P0’s iOS exploit chain discovery.
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
Jon Oberheide on Duo, self-healing AWS environments, Google’s fuzzer benchmarking and CIFuzz, securing Windows & MS accounts at scale.
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
Notes from an AppSec Cali 2019 panel, AWS security tools, fuzzing with grammars and Gitlab, and Google P0’s iOS exploit chain discovery.
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
Some history and overview of fuzzing, preventing/detecting/remediating leaked secrets, static analysis, macOS security, reflections on privacy post COVID-19.
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
Some history and overview of fuzzing, preventing/detecting/remediating leaked secrets, static analysis, macOS security, reflections on privacy post COVID-19.
Richard Johnson describes the history of fuzzing, the primary types of fuzzing, modern tools and advancements, SDLC integration, and more.
Jon Oberheide on Duo, self-healing AWS environments, Google’s fuzzer benchmarking and CIFuzz, securing Windows & MS accounts at scale.
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
Summary of an AppSec Cali 2019 talk on more efficient network penetration tests via clustering similar screenshots, fuzzing tools and articles, Bugcrowd/Bitd...
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, China’s censorship power is felt around the world.
Notes from an AppSec Cali 2019 panel, AWS security tools, fuzzing with grammars and Gitlab, and Google P0’s iOS exploit chain discovery.
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
Jon Oberheide on Duo, self-healing AWS environments, Google’s fuzzer benchmarking and CIFuzz, securing Windows & MS accounts at scale.
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
Gusto’s Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
Gusto’s Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a ...
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
Detailed summaries of ~32 hours of talks, searchable and grouped by category, to supercharge your security program 🚀
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
Jon Oberheide on Duo, self-healing AWS environments, Google’s fuzzer benchmarking and CIFuzz, securing Windows & MS accounts at scale.
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
Summary of an AppSec Cali 2019 talk on more efficient network penetration tests via clustering similar screenshots, fuzzing tools and articles, Bugcrowd/Bitd...
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
Gusto’s Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
Some history and overview of fuzzing, preventing/detecting/remediating leaked secrets, static analysis, macOS security, reflections on privacy post COVID-19.
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
Jon Oberheide on Duo, self-healing AWS environments, Google’s fuzzer benchmarking and CIFuzz, securing Windows & MS accounts at scale.
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
Summary of an AppSec Cali 2019 talk on more efficient network penetration tests via clustering similar screenshots, fuzzing tools and articles, Bugcrowd/Bitd...
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
Browser default SameSite cookie settings will mostly kill CSRF, and a malicious header can block any web resource served by a CDN or proxy cache.
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, China’s censorship power is felt around the world.
Some history and overview of fuzzing, preventing/detecting/remediating leaked secrets, static analysis, macOS security, reflections on privacy post COVID-19.
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.
The transcript for this AppSec Cali 2019 DevSecOps panel featuring security leaders from Netflix, Dropbox, Datadog, Snap, and DocuSign.
Koen Hendrix describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and disc...
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
Gusto’s Nathan Yee on being impacful as an IC without a senior title in a start-up, intentionally vulnerable AWS infrastructure for training, and even more a...
Some history and overview of fuzzing, preventing/detecting/remediating leaked secrets, static analysis, macOS security, reflections on privacy post COVID-19.
Practical steps to start managing your secrets properly, continuous threat modeling, container security stats and best practices, and my thoughts on the futu...
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
There’s been a lot of great research in SecDevOps over the past few years. This talk organizes and references around 40 useful talks in the space.
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
Vidhu Jayabalan and Laksh Raghavan present SCORE-Bot, PayPal’s light-weight, continuous code scanning tool that hooks into their CI/CD pipeline.
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
Arkadiy Tetelman describes how to effectively launch a bug bounty program and how tracking vulnerability metrics can make an AppSec team more impactful.
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we’re focusing on the wrong thin...
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
Neat talks from Hacker Summer Camp on email -> phone number, DNS rebinding, automated C++ reverse engineering, and publicly exposed AWS EBS volumes.
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
Notes from DevSecCon Seattle 2019, featuring insights on dev/security organizational structure, secure wrapper libraries, and continuous compliance.
Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, China’s censorship power is felt around the world.
Cloudflare’s CTO on how they think about security, Salesforce’s tool to make IAM least privilege policy generation easier, and finding XSS in Firefox’s UI us...
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
Some ShellCon talk summaries, Dropbox and Twilio on detection and response automation, updates from the Chrome security team.
Gusto security engineer Nathan Yee describes his experiences and lessons learned on how to be effective as the only AppSec engineer at a start-up, without a ...
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challen...
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
Alexandra Nassar of Medallia describes how to create a positive vulnerability management culture and process that works for engineers and the security team.
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
A number of interesting new AWS services, backdoors on PyPI, I had a blast on the Absolute AppSec podcast, and tl;dr sec hits 500 subscribers! 🚀
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
Blue teams can become highly leveraged by sharing knowledge effectively, Ring’s partnerships with the police, viewing ransomware through an economic lens.
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
Google’s BeyondProd and code provenance whitepapers, tools to scan Terraform scripts / CloudFormation templates, getting into security resources.
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
How to be successful as the first security hire at a startup, what should inform your priorities, where to focus to make an immediate impact, and time sinks ...
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
I’m speaking at AppSec Cali 2020, details on Bezos’s phone being hacked, fuzzing talks and tools, Java deserialization, K8s and GraphQL tools.
DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools.
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
OSINT tools, tips, & tricks, presentations on automatically find and exploiting bugs, a code-aware grep, how to assess another company’s security posture.
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
I’m speaking at BSidesSF and RSA 2020, tl;dr sec stickers, stateful fuzzing of Swagger APIs, auto-remediate AWS issues, canary pro-tips, red team cheatsheets.
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
Round-up of BSidesSF and RSA + my updated slides, overview of container security, pen testing K8s walkthrough, maintaining privacy online.
Jon Oberheide on Duo’s story, from conception through acquisition, and the important lessons he learned along the way.
Jon Oberheide on Duo’s story, from conception through acquisition, and the important lessons he learned along the way.
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.
I was on Application Security Weekly #100, a no-nonsense guide to becoming SOC2 compliant, fight a bill that may kill encryption, compensation resources.