Clint Gibler Profile picture
🗡️ Head of Security Research @r2cdev 💙 #DevSecOps and automated bug finding 📚 Creator of newsletter
Durja Profile picture 1 added to My Authors
Mar 8 15 tweets 10 min read
🚨Security Career Resource Thread 🚨

1️⃣ 2️⃣ resources to break into the field or take your career to the next level 👇

#infosec #cybersecurity #security Learn:

🎓 How to get into various fields: pentesting, SOC analyst, AppSec, ...

🎫 Certs - do they matter? For which roles?

🧪 Doing security research

📣 Building your brand via blog posts, conference talks, and more

💸 How to think about compensation
Jan 11 11 tweets 5 min read
✅ How to *actually* roll out YubiKeys/WebAuthN

Industry advice is to "just do it"

But it's actually really hard in practice

8 resources on lessons learned from companies who've done it 🧵 1/ @frgx on how Figma switched their Okta to only allow phish-proof WebAuthn/FIDO MFA

Jul 21, 2022 9 tweets 27 min read
📚 tl;dr sec 142
* @fransrosen Single click account takeovers via OAuth
* @EricMichaud, @ConsensysAudits Cryptocurrency security
* @pry0cc pdiscovery-bot
* @miguelhzbz, @maellyssa k8s Prometheus attack surface
* @joseadanof Awesome Cloud Native Trainings… @fransrosen @EricMichaud @ConsenSysAudits @pry0cc @MiguelHzBz @maellyssa @joseadanof 📢 Sponsor: Are your APIs still at risk? Read the Protecting APIs from Modern Security Risks white paper from @SaltSecurity for critical components needed to secure your APIs…
Dec 16, 2021 12 tweets 45 min read
📚 tl;dr sec 113

* Log4Shell resources
* @JubbaOnJeans, @yashvi3r Security metrics
* How @netflix scales cloud detections
* @orange_8361 CTF challenges
* @prince_of_pasta Least privilege IAM
* Free @falco_org 101 course
* and more!… @JubbaOnJeans @yashvi3r @netflix @orange_8361 @prince_of_pasta @falco_org 📢 Sponsor: @goteleport Teleport 8 delivers industry best practices for remotely accessing Windows and Linux servers, databases, Kubernetes clusters, and internal web applications via a single secure, highly available endpoint. Learn more…
Oct 28, 2021 10 tweets 34 min read
📚 tl;dr sec 107
* @rung Attacking and securing CI/CD pipelines
* @xntrik Threat modeling in HCL
* @NCCGroupInfosec Cracking random number generators w/ML
* @kottireethi GitHub Actions security best practices
* @pdnuclei Easily validate leaked API tokens… @rung @xntrik @NCCGroupInfosec @kottireethi @pdnuclei 📢 Sponsor: Join @Tenable, @awscloud, @techmahindracsr, & more at #Accurics Code to Cloud Security Summit on Wed. Nov 10 @ 8:30am PST. If you’re in the US, register by Fri. to receive a FREE snack box. Preparing for tomorrow’s security challenges today.…
Oct 14, 2021 9 tweets 30 min read
📚 tl;dr sec 105
* #DevSecOps - @NIST on microservices + service mesh
* @ErmeticSec Defending S3 from ransomware
* @falco_org labs
* Risk-Based Security Decision Making at @netflix
* @brutelogic XSS exercises
* @trailofbits osquery + macOS EndpointSec… @NIST @ErmeticSec @falco_org @netflix @brutelogic @trailofbits 📢 Sponsor: Learn how “Detection-as-Code” is changing how security teams write, test and harden detections.…
Oct 7, 2021 9 tweets 27 min read
📚 tl;dr sec 104
* New Phrack
* @hakluke, @farah_hawaa 10 often missed web vulns
* @_fel1x C/C++ semantic search tool
* @black2fan, @s1r1u5_ Finding prototype pollution at scale
* @r2cdev Securing your GitHub Actions
* @alex_dhondt Exploiting drones… @hakluke @Farah_Hawaa @_fel1x @Black2Fan @S1r1u5_ @r2cdev @alex_dhondt 📢 Sponsor: The DevSecGuide to Infrastructure as Code:
🔬 Research on the state of IaC security
🦋 Practical steps for embracing a DevSecOps culture
🔐 Tips for embedding security throughout the DevOps lifecycle
➡️ Download for free from @bridgecrewio…
Aug 24, 2021 18 tweets 35 min read
Ever had to get up to speed in a new cloud environment?

It's tough to figure out what's where and how to start

New guide by @ramimacisabird:

➡️ Cloud Security Orienteering ⬅️

How to rapidly understand 🧠 and secure 🛡️ a cloud environment

A 🧵:… @ramimacisabird Covers:

☁️ Cloud architecture best practices (and why that's so hard)

🏅 Core principles

👷 Corporate Archeology - How and where to dig

📋 Prioritization - ♾ things you could do, where to start?

👩‍💼 Future Planning - Building a roadmap for impactful change
Jan 28, 2021 8 tweets 22 min read
📚 tl;dr sec 68
* >5K subscribers! 🤯
* How AWS secures Lambda
* @DanielMiessler primer on @TomNomNom's recon tools
* @infosec_au Blind SSRF chains
* @RachelTobac InfoSec sea shanty
* @bradgeesaman Creating least priv custom roles in GCP… @DanielMiessler @TomNomNom @infosec_au @RachelTobac @bradgeesaman 📢 Sponsor: Go beyond the network - detect and block malicious actors, not just malicious IPs, with @SqreenIO’s RASP. Schedule your demo today
Jan 8, 2020 4 tweets 4 min read
📚tl;dr sec 19
* @shehackspurple & @j_opdenakker on getting into security
* Google's BeyondProd & code provenance (thx @MayaKaczorowski)
* Cloud, API, and file access bug security tools

... and I've got something big planned next week, stay tuned 🤫… Static analysis tools to find security issues in:

🌎Terraform scripts:

☁️CloudFormation templates: