JavaScript is not available.

When I was on my path to Staff, I found tremendous value in the resources available about Staff+ Software Engineering. Despite the relative glut of content however, security was not well represented.

Dec 6, 2022

How do you get to 🧙‍♂️Staff🧙‍♂️ level in security? Hard to know, as there's not much guidance out there Where is the staffeng.com for security?

@ramimacisabird

went and got stories from 8 Staff+ Sec Engineers, go learn from their experiences 👇

tldrsec.com

StaffEng Security

Show this thread

brightprogrammer.netlify.app

🦀 Reverse Engineering Rustlang Binaries - 5 Part Series * The structure of empty Rust binaries * How the printf function works at a low level * How Rust stores variables and passes them as args for use + more By

@brightprogramer

#infosec

Reverse Engineering Rustlang Binaries - A Series | BrightProgrammer

I’ve been struggling with reverse engineering rustlang binaries for a while in CTF challenges. So I’m starting a reverse engineering series where I reverse engineer several rustlang binariesa and try...

Daniel Cuthbert

@dcuthbert

Yay! Come and join us

Quote Tweet

Semgrep

@semgrep

We're bringing together #security experts @dcuthbert @LewisArdern @AroraMinali and @_amanvir for a panel session in London on Feb 20! Join us and learn their best practices in building & scaling highly effective AppSec/ProdSec teams. Save your seat: bit.ly/3lf8gQ8

Scaling security programs can be challenging. From keeping up with the latest industry security threats and technologies to building a continuous scanning infrastructure, security engineering leaders have a lot on their plate when it comes to leading highly effective AppSec/ProdSec organizations.

Join @LewisArdern @AroraMinali and @_amanvir for a panel session in London on Feb 20!

Come hear what they have to say about best practices in building & scaling highly effective AppSec/ProdSec teams.

Join our panel of experts in this webinar to learn:

- Best practices in building and scaling an efficient AppSec/ProdSec team
- Thoughts on the latest security engineering tools and processes to invest in
- Mitigating security risks in a fast-paced, rapidly-scaling environment
and more!

read image description

ALT

⛈️ Misconfiguration and vulnerabilities biggest risks in cloud security Report by

@sysdig

based on analyzing >7M containers their customers are running daily as well as public data sources such as GitHub, Docker Hub, and the CNCF #cybersecurity csoonline.com/article/368657

research.nccgroup.com/2023/01/31/thr

🎨 Threat Modelling Cloud Platform Services by Example: Google Cloud Storage * Key features and security controls of Google Cloud Storage * Potential threats (STRIDE) * Threat mitigation recommendations By

@NCCGroupInfosec

Vulnerabilities due to XML files processing: XXE in C# applicati…

Feb 4

⚠️ XXE in C# applications in theory and in practice

@_SergVasiliev_

provides an overview of XXE, relevant C# components, an example vulnerability, and how to protect your code

pvs-studio.com

How can simple XML files processing turn into a security weakness? How can a blog deployed on your machine cause a data leak? Today we′ll find answers to these questions, learn what XXE is …

Fast and Furious: Doubling Down on SBOM Drift

🗒️ Doubling Down on SBOM Drift How an application's dependencies, as analyzed by Syft, change from your initial direct dependencies, to transitive dependencies after `npm install`, to adding a container image, etc. By

@anchore

thenewstack.io

The SBOM you generate today might not be the one you create tomorrow. The number of dependencies can change. Some might add or remove things, update versions or vanish entirely.

Ransacking your password reset tokens | Positive Security

🥷 Ransacking your password reset tokens

@positive_sec

o how the "Ransack" Ruby library can be abused to exfiltrate sensitive data via char by char brute-force They compromised multiple applications this way and found 100s more that might be vulnerable

positive.security

We demonstrate how the popular "Ransack" library (Ruby on Rails) can be abused to exfiltrate sensitive data via character by character brute-force, allowing for a full application compromise in some...

Elevating Security Alert Management Using Automation

🤖 Elevating Security Alert Management Using Automation

@jshlbrd

describes the

@brexHQ

Detection and Response Team’s approach to managing and automating security alerts at scale.

medium.com

This post describes the Brex Detection and Response Team’s approach to managing and automating security alerts at scale.

Truffle Security is proud to host a new XSSHunter - Truffle Security

🥳 New XSS Hunter hosted by

@trufflesec

Use for blind XSS detection Feature enhancements: * CORS analysis * Secrets detection * Detect exposed .git directory #bugbounty #bugbountytips

trufflesecurity.com

Truffle Security is proud to be hosting a new XSSHunter, with new features, with the assistance of its original creator, Mandatory.

unit42.paloaltonetworks.com

📦 Mitigating RBAC-Based Privilege Escalation in Popular Kubernetes Platforms

@yuval_avrahami

walks through the different mitigations the platforms (AKS, EKS, GKE, ...) implemented to address privilege escalation and powerful permissions in #Kubernetes

Mitigating RBAC-Based Privilege Escalation in Popular Kubernetes Platforms

We recap our research on privilege escalation and powerful permissions in Kubernetes and analyze the ways various platforms have addressed it.

owasp

@owasp

🍀Are you as excited as we are for #OWASP Global AppSec Dublin? Join us at Foley's Bar for Happy Hour Tues., Feb. 14, 5:00 pm - 8:00 pm, sponsored by Jit and Semgrep, for a unique networking opportunity before the conference starts. RSVP NOW: lu.ma/owasp-dublin-h #appsec

🛠️ automated-security-helper Wraps a number of other open source tools, including: * git-secrets * bandit * Semgrep * Grype * Syft * nbconvert * npm-audit * checkov * cdk-nag * cfn-nag

GitHub - aws-samples/automated-security-helper

Contribute to aws-samples/automated-security-helper development by creating an account on GitHub.

Never write a commit message again (with the help of GPT-3)

✍️ Never write a commit message again gptcommit: a new tool that uses the OpenAI completions API to summarize the changes in each file

zura.wiki

SentinelOne Singularity Cloud Detects and Remediates Ransomware on AWS

Keep up with security research in 10min/week: 📺 Talks 🛠️ Tools and blog posts 🧪 Research projects Join 14,000+ of the best security professionals: tldrsec.com Follow me

for more

📢 Sponsor: ⏱️Don’t blink!...

@SentinelOne

cloud-native #CWPP stops runtime attacks (ransomware, etc) on cloud instances in real-time. Performance, scalable, efficient. Watch the 1-min demo:

assets.sentinelone.com

Neat write-up by

I enjoyed the nuances around bypassing the server's origin check, experimenting with how browsers treat special characters, and dealing with Same Origin Policy preflight requests

Quote Tweet

Liv Matan

@terminatorLM

Jan 19

Recently I discovered a one-click RCE vulnerability in #Azure that affects Function apps, App services, and Logic apps. The vulnerability enables attackers to fully take over the targeted victim's application and managed identity token. This is the story of #EmojiDeploy ._.

Show this thread

GIF

Employee-facing Mutual TLS

Feb 1

👩‍💼 Employee-facing Mutual TLS How

@PinterestEng

has implemented employee-facing mutual TLS with a custom identity provider in a way that results in a positive user experience Tons of subtleties you need to think about when supporting all major platforms

medium.com

Armen Tashjian | Security Engineer, Corporate Security

Super Agent - Automatic Cookie Consent

Feb 1

🦸 Super Agent A browser extension which lets you decide which cookies you want and don't want, auto-accepts cookie pop-ups for you, and warns you whenever it finds a website not respecting your preferences

super-agent.com

No more cookie pop-ups! Privacy can be simple. Super Agent is a browser extension that will auto-accept or reject cookies for you according to your preferences.

Truffle Security

@trufflesec

Truffle Security is proud to host a new XSSHunter - Truffle Security

Truffle Security is proud to host a new XSSHunter, that finds new vulnerabilities

trufflesecurity.com

Truffle Security is proud to be hosting a new XSSHunter, with new features, with the assistance of its original creator, Mandatory.

251

688

Anthony Barbieri - Principal Security Architect at Grainger

(Principal Security Architect

@grainger

) shared his experience at the intersection of enterprise and solution architecture, and talks about "innersourcing" as a lever for Staff+ Impact tldrsec.com/guides/staffen 2/3

tldrsec.com

Anthony Barbieri: Twitter, Polywork, Github, Dev.to Tell us a little about your current role: where do you work, your title and generally the sort of work you and your team do.

Show this thread

rami

@ramimacisabird

Jonathan Fisher - Staff Security Engineer at Praetorian

Excited to share two more Staff+ Security Engineer stories we've just published over on tldrsec.com Jonathan Fisher (from

@praetorianlabs

) shared how he's experienced "Staff Level" work in a consulting team tldrsec.com/guides/staffen 1/3

tldrsec.com

Jonathan Fisher: LinkedIn

🔨 Smithy A protocol-agnostic interface definition language and set of tools for generating clients, servers, and documentation for any programming language

GitHub - awslabs/smithy: Smithy is a protocol-agnostic interface definition language and set of...

Smithy is a protocol-agnostic interface definition language and set of tools for generating clients, servers, and documentation for any programming language. - GitHub - awslabs/smithy: Smithy is a ...

☁️ Precloud An open source CLI that runs checks on infrastructure as code to catch potential deployment issues before deploying It works by comparing resources in CDK diffs and Terraform Plans against the state of your cloud account

GitHub - tinystacks/precloud: An open source command line interface that runs checks on infrastru...

An open source command line interface that runs checks on infrastructure as code to catch potential deployment issues before deploying. - GitHub - tinystacks/precloud: An open source command line i...

🗺️ Caretta An instant #Kubernetes service dependency map, right to your Grafana Leverages eBPF to efficiently map all service network interactions in a k8s cluster, and Grafana to query and visualize the collected data github.com/groundcover-co

GIF

blog.doyensec.com/2023/01/24/tam

🏊 Tampering User Attributes In AWS Cognito User Pools In Cognito, App Integrations (Clients) have default R/W permissions on User Attributes ➡️ Auth'd users can edit their own attributes ➡️ Privilege escalation, etc. By

@lacerenza_fra

@ouadmoha

#bugbounty #bugbountytips

🔥 Capital A built-to-be-vulnerable API application based on the

@OWASP

top 10 API vulnerabilities Use it to learn, train and exploit API Security vulnerabilities within your own API Security #CTF By

@Checkmarx

GitHub - Checkmarx/capital: A built-to-be-vulnerable API application based on the OWASP top 10 API...

A built-to-be-vulnerable API application based on the OWASP top 10 API vulnerabilities. Use c{api}tal to learn, train and exploit API Security vulnerabilities within your own API Security CTF. - ...

☕ jbom Generates Runtime and Static SBOMs for local and remote Java apps

Contribute to eclipse/jbom development by creating an account on GitHub.

GitHub - eclipse/jbom

AWS Could Do More About SSO Device Auth Phishing

🎣 AWS Could Do More About SSO Device Auth Phishing Great overview by

@ramimacisabird

about SSO device auth phishing, what AWS should and could do, and what you can do to protect your org

ramimac.me

In AWS Phishing: Four ways, I mentioned the potential for AWS SSO Device Authentication Phishing.

Solving for Cloud Security at Scale with Chris Farris

☁️ Solving for Cloud Security at Scale with Chris Farris

@jcfarris

joins

@QuinnyPig

to discuss how he wound up in the world of DevRel at Turbot and what he sees for the future of multi-cloud security practitioners

lastweekinaws.com

🗒️ SBOM Scorecard When generating first-party SBOMs, it's hard to know if you're generating something good (e.g. rich metadata that you can query later) or not. This tool hopes to quantify what a well-generated SBOM looks like.

GitHub - eBay/sbom-scorecard: Generate a score for your sbom to understand if it will actually be...

Generate a score for your sbom to understand if it will actually be useful. - GitHub - eBay/sbom-scorecard: Generate a score for your sbom to understand if it will actually be useful.

Jose Selvi

@JoseSelvi

Using Semgrep with Jupyter Notebook files

If you frequently deliver source code review assessments of products including machine learning components, semgrep's "extract mode" now supports Jupyter Notebooks:

research.nccgroup.com

If you frequently deliver source code review assessments of products, including machine learning components, I’m sure you are used to reviewing Jupyter Notebook files (usually python). Althou…

Using Semgrep with Jupyter Notebook files

🐍 Using Semgrep with Jupyter Notebook files

@JoseSelvi

describes how using Semgrep's "extract" mode Extract mode can be used to analyze Bash in a Dockerfile, JS in HTML, etc. He also submitted a PR to make extract mode better, huzzah open source! 🙌

research.nccgroup.com

If you frequently deliver source code review assessments of products, including machine learning components, I’m sure you are used to reviewing Jupyter Notebook files (usually python). Althou…

Swipe right on our new credit card tokens!

Jan 28

💳 Swipe right on our new credit card tokens!

@ThinkstCanary

has released a new canary token type: credit cards They'll create a valid credit card (number, expiration, and CVC) for you, and you'll get notified if it ever gets used

blog.thinkst.com

Detect breaches with Canary credit cards! TL;DR; Today we’re releasing a new Canarytoken type: actual credit cards! Head over to canarytokens.org; We give you a valid credit card (number, exp…

Top 3 Cyber Predictions in 2023 and How You Can Prepare

Jan 27

🔮 3 Predictions for Cyber Offense in 2023 and How You Can Prepare 1. Hackers are going to ransom our cars 2. Attackers will start creating zero day exploit farms 3. The OSS "tragedy of the commons" will continue By

@thedavidbrumley

#cybersecurity

forallsecure.com

I’m David Brumley, CEO of ForAllSecure, and here are my top three predictions for offense in 2023.

New Hires, Lost Keys & Lessons Learned (Passwordless Authentication Series, #3)

Jan 27

🔑 FIDO2, New Hires & Lost Keys Part 3/3 in

@PalantirTech

's Passwordless AuthN Series ➡️ How they handle the "chicken and egg" new FIDO2 user problem (Azure TAP codes) and when users lose keys

blog.palantir.com

Lessons learned implementing FIDO2 authentication, from registering new hires to managing lost keys.