Share this page!

Clint Gibler Profile picture
Twitter logo
28 Oct, 10 tweets, 34 min read
📚 tl;dr sec 107
* @rung Attacking and securing CI/CD pipelines
* @xntrik Threat modeling in HCL
* @NCCGroupInfosec Cracking random number generators w/ML
* @kottireethi GitHub Actions security best practices
* @pdnuclei Easily validate leaked API tokens

tldrsec.com/blog/tldr-sec-…
@rung @xntrik @NCCGroupInfosec @kottireethi @pdnuclei 📢 Sponsor: Join @Tenable, @awscloud, @techmahindracsr, & more at #Accurics Code to Cloud Security Summit on Wed. Nov 10 @ 8:30am PST. If you’re in the US, register by Fri. to receive a FREE snack box. Preparing for tomorrow’s security challenges today. hopin.com/events/executi…
@rung @xntrik @NCCGroupInfosec @kottireethi @pdnuclei @tenable @awscloud @techmahindracsr Tool for secret management at @elastic
github.com/elastic/harp

Repo of Google's security advisories and accompanying PoCs
github.com/google/securit…

@xntrik: Document your threat models in HCL
github.com/xntrik/hcltm

@daniel_bilar With 👆, you can now lint your TMs with Semgrep
@rung @xntrik @NCCGroupInfosec @kottireethi @pdnuclei @tenable @awscloud @techmahindracsr @elastic @daniel_bilar @NCCGroupInfosec Cracking Random Number Generators using #MachineLearning

Part 1: xorshift128
research.nccgroup.com/2021/10/15/cra…

Part 2: Mersenne Twister
research.nccgroup.com/2021/10/18/cra…

Using ML to guess credit card pins
bleepingcomputer.com/news/security/…
@rung @xntrik @NCCGroupInfosec @kottireethi @pdnuclei @tenable @awscloud @techmahindracsr @elastic @daniel_bilar New @pdnuclei templates allow easily checking the validity of 63+ types of API/service tokens
blog.projectdiscovery.io/nuclei-v2-5-3-…

And here's a related cheatsheet
github.com/streaak/keyhac…

@pentest_swissky SSRF fuzzer w/ built-in payloads
github.com/swisskyrepo/SS…

#osint #recon #bugbountytips
@rung @xntrik @NCCGroupInfosec @kottireethi @pdnuclei @tenable @awscloud @techmahindracsr @elastic @daniel_bilar @pentest_swissky @lancinimarco's CloudSecList - a 💯 cloud and container security newsletter
cloudseclist.com

Lambda script to disable older access keys
github.com/te-papa/aws-ke…

Achieving least-privilege at @FollowAnalytics with Repokid, Aardvark and ConsoleMe
medium.com/followanalytic…
@rung @xntrik @NCCGroupInfosec @kottireethi @pdnuclei @tenable @awscloud @techmahindracsr @elastic @daniel_bilar @pentest_swissky @lancinimarco @FollowAnalytics @kottireethi Github Actions Security Best Practices
H/T @kmcquade3
engineering.salesforce.com/github-actions…

@rung Attacking & securing CI/CD pipelines
speakerdeck.com/rung/cd-pipeli…

ATT&CK for CI/CD pipelines
github.com/rung/threat-ma…
@rung @xntrik @NCCGroupInfosec @kottireethi @pdnuclei @tenable @awscloud @techmahindracsr @elastic @daniel_bilar @pentest_swissky @lancinimarco @FollowAnalytics @kmcquade3 @whyhiannabelle Protecting open source repos from supply chain attacks
opensource.googleblog.com/2021/10/protec…

@cyberark Cracking WiFi at Scale
cyberark.com/resources/thre…

Awesome Linux #Rootkits
github.com/milabs/awesome…

Qiling: An advanced binary emulation framework
github.com/qilingframewor…
@rung @xntrik @NCCGroupInfosec @kottireethi @pdnuclei @tenable @awscloud @techmahindracsr @elastic @daniel_bilar @pentest_swissky @lancinimarco @FollowAnalytics @kmcquade3 @WhyHiAnnabelle @CyberArk Anti-AI clothing
unlabeled.jp/en/camouflage

@fasterthanlime Google antitrust filing


@DanielMiessler Wokeism Will Elect Trump in 2024
danielmiessler.com/blog/wokeism-w…

@citizenlab NY Times journalist targeted by NSO Group malware
citizenlab.ca/2021/10/breaki…
@rung @xntrik @NCCGroupInfosec @kottireethi @pdnuclei @tenable @awscloud @techmahindracsr @elastic @daniel_bilar @pentest_swissky @lancinimarco @FollowAnalytics @kmcquade3 @WhyHiAnnabelle @CyberArk @fasterthanlime @DanielMiessler @citizenlab If you liked this thread, check out tl;dr sec, a weekly newsletter I send out with:

📚 Summaries of great security talks
🛠️ The latest tools and useful blog posts
🧪 My various research projects

Thanks for reading, have a great day! 😎

tldrsec.com

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Clint Gibler

Clint Gibler Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @clintgibler

Clint Gibler Profile picture
14 Oct
📚 tl;dr sec 105
* #DevSecOps - @NIST on microservices + service mesh
* @ErmeticSec Defending S3 from ransomware
* @falco_org labs
* Risk-Based Security Decision Making at @netflix
* @brutelogic XSS exercises
* @trailofbits osquery + macOS EndpointSec

tldrsec.com/blog/tldr-sec-…
@NIST @ErmeticSec @falco_org @netflix @brutelogic @trailofbits 📢 Sponsor: Learn how “Detection-as-Code” is changing how security teams write, test and harden detections. blog.runpanther.io/detections-as-…
@NIST @ErmeticSec @falco_org @netflix @brutelogic @trailofbits Risk-Based Security Decision Making at @netflix
eventbrite.com/e/risk-based-s…

@ztgrace A tool for detecting default and backdoor creds
github.com/ztgrace/change…

@omer_gil Bypassing required reviews using GitHub Actions
medium.com/cider-sec/bypa…
Read 9 tweets
Clint Gibler Profile picture
7 Oct
📚 tl;dr sec 104
* New Phrack
* @hakluke, @farah_hawaa 10 often missed web vulns
* @_fel1x C/C++ semantic search tool
* @black2fan, @s1r1u5_ Finding prototype pollution at scale
* @r2cdev Securing your GitHub Actions
* @alex_dhondt Exploiting drones

tldrsec.com/blog/tldr-sec-…
@hakluke @Farah_Hawaa @_fel1x @Black2Fan @S1r1u5_ @r2cdev @alex_dhondt 📢 Sponsor: The DevSecGuide to Infrastructure as Code:
🔬 Research on the state of IaC security
🦋 Practical steps for embracing a DevSecOps culture
🔐 Tips for embedding security throughout the DevOps lifecycle
➡️ Download for free from @bridgecrewio
bridgecrew.io/resource/the-d…
@hakluke @Farah_Hawaa @_fel1x @Black2Fan @S1r1u5_ @r2cdev @alex_dhondt @bridgecrewio @_fel1x C/C++ semantic search tool
github.com/googleprojectz…

@procenkoeg How we do SAST at Yandex
zeronights.ru/wp-content/upl…

@r2cdev Securing your GitHub Actions
r2c.dev/blog/2021/prot…
Read 9 tweets
Clint Gibler Profile picture
28 Jan
📚 tl;dr sec 68
* >5K subscribers! 🤯
* How AWS secures Lambda
* @DanielMiessler primer on @TomNomNom's recon tools
* @infosec_au Blind SSRF chains
* @RachelTobac InfoSec sea shanty
* @bradgeesaman Creating least priv custom roles in GCP

tldrsec.com/blog/tldr-sec-…
@DanielMiessler @TomNomNom @infosec_au @RachelTobac @bradgeesaman 📢 Sponsor: Go beyond the network - detect and block malicious actors, not just malicious IPs, with @SqreenIO’s RASP. Schedule your demo today sqreen.com/rasp
@DanielMiessler @TomNomNom @infosec_au @RachelTobac @bradgeesaman @SqreenIO @cryptogangsta Bypassing Signature Checks with Electron
parsiya.net/blog/2021-01-0…

SANS Virtual Summits FREE in 2021
sans.org/blog/sans-virt…

@IncludeSecurity Writing custom static analysis rules in Brakeman and Semgrep
blog.includesecurity.com/2021/01/ruby-s…
Read 8 tweets
Clint Gibler Profile picture
8 Jan 20
📚tl;dr sec 19
* @shehackspurple & @j_opdenakker on getting into security
* Google's BeyondProd & code provenance (thx @MayaKaczorowski)
* Cloud, API, and file access bug security tools

... and I've got something big planned next week, stay tuned 🤫

tldrsec.com/blog/tldr-sec-…
Static analysis tools to find security issues in:

🌎Terraform scripts:
* github.com/liamg/tfsec
* github.com/bridgecrewio/c…
* github.com/cesar-rodrigue…

☁️CloudFormation templates:
* github.com/Skyscanner/cfr…
* github.com/stelligent/cfn…
Other #security tools:

Docker container that wraps 7 other #AWS security tools:
github.com/z0ph/aws-secur…

Automatic API attack tool that takes API specs as input:
github.com/imperva/automa…

Finding file access bugs:
github.com/google/path-au…
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @clintgibler has new unrolls!

Check out other threads from @clintgibler!

Read all threads by @clintgibler

:(