Clint Gibler (@clintgibler)
🗡️ Head of Security Research @semgrep 📚 Creator of https://t.co/xwtIAI0CuJ newsletter
Mar 8, 2023 • 15 tweets • 10 min read
🚨 Security Career Resource Thread 🚨
12 resources to break into the field or take your career to the next level 👇
#infosec #cybersecurity #security

Learn:
🎓 How to get into various fields: pentesting, SOC analyst, AppSec, ...
🎫 Certs - do they matter? For which roles?
🧪 Doing security research
📣 Building your brand via blog posts, conference talks, and more
💸 How to think about compensation
Jan 11, 2023 • 11 tweets • 5 min read
✅ How to *actually* roll out YubiKeys/WebAuthn
Industry advice is to "just do it"
But it's actually really hard in practice
8 resources on lessons learned from companies who've done it 🧵

1/ @frgx on how Figma switched their Okta to only allow phish-proof WebAuthn/FIDO MFA
https://twitter.com/frgx/status/1379504541666701313
Jul 21, 2022 • 9 tweets • 27 min read
📚 tl;dr sec 142
* @fransrosen: Single click account takeovers via OAuth
* @EricMichaud, @ConsensysAudits: Cryptocurrency security
* @pry0cc: pdiscovery-bot
* @miguelhzbz, @maellyssa: k8s Prometheus attack surface
* @joseadanof: Awesome Cloud Native Trainings
tldrsec.com/blog/tldr-sec-…
📢 Sponsor: Are your APIs still at risk? Read the Protecting APIs from Modern Security Risks white paper from @SaltSecurity for critical components needed to secure your APIs
content.salt.security/protecting-api…
Dec 16, 2021 • 12 tweets • 45 min read
📚 tl;dr sec 113
* Log4Shell resources
* @JubbaOnJeans, @yashvi3r: Security metrics
* How @netflix scales cloud detections
* @orange_8361: CTF challenges
* @prince_of_pasta: Least privilege IAM
* Free @falco_org 101 course
* and more!
tldrsec.com/blog/tldr-sec-…
📢 Sponsor: @goteleport Teleport 8 delivers industry best practices for remotely accessing Windows and Linux servers, databases, Kubernetes clusters, and internal web applications via a single secure, highly available endpoint. Learn more
goteleport.com/blog/rdp-acces…
Oct 28, 2021 • 10 tweets • 34 min read
📚 tl;dr sec 107
* @rung: Attacking and securing CI/CD pipelines
* @xntrik: Threat modeling in HCL
* @NCCGroupInfosec: Cracking random number generators w/ML
* @kottireethi: GitHub Actions security best practices
* @pdnuclei: Easily validate leaked API tokens
tldrsec.com/blog/tldr-sec-…
📢 Sponsor: Join @Tenable, @awscloud, @techmahindracsr, & more at #Accurics Code to Cloud Security Summit on Wed. Nov 10 @ 8:30am PST. If you're in the US, register by Fri. to receive a FREE snack box. Preparing for tomorrow's security challenges today.
hopin.com/events/executi…
Oct 14, 2021 • 9 tweets • 30 min read
📚 tl;dr sec 105
* #DevSecOps - @NIST on microservices + service mesh
* @ErmeticSec: Defending S3 from ransomware
* @falco_org labs
* Risk-Based Security Decision Making at @netflix
* @brutelogic: XSS exercises
* @trailofbits: osquery + macOS EndpointSec
tldrsec.com/blog/tldr-sec-…
📢 Sponsor: Learn how "Detection-as-Code" is changing how security teams write, test and harden detections.
blog.runpanther.io/detections-as-…
Oct 7, 2021 • 9 tweets • 27 min read
📚 tl;dr sec 104
* New Phrack
* @hakluke, @farah_hawaa: 10 often missed web vulns
* @_fel1x: C/C++ semantic search tool
* @black2fan, @s1r1u5_: Finding prototype pollution at scale
* @r2cdev: Securing your GitHub Actions
* @alex_dhondt: Exploiting drones
tldrsec.com/blog/tldr-sec-…
📢 Sponsor: The DevSecGuide to Infrastructure as Code:
🔬 Research on the state of IaC security
🦋 Practical steps for embracing a DevSecOps culture
🔐 Tips for embedding security throughout the DevOps lifecycle
➡️ Download for free from @bridgecrewio
bridgecrew.io/resource/the-d…
Aug 24, 2021 • 18 tweets • 35 min read
Ever had to get up to speed in a new cloud environment?
It's tough to figure out what's where and how to start
New guide by @ramimacisabird:
➡️ Cloud Security Orienteering ⬅️
How to rapidly understand 🧠 and secure 🛡️ a cloud environment
A 🧵:
tldrsec.com/blog/cloud-sec…
Covers:
☁️ Cloud architecture best practices (and why that's so hard)
🏅 Core principles
👷 Corporate Archeology - How and where to dig
📋 Prioritization - ♾ things you could do, where to start?
👩💼 Future Planning - Building a roadmap for impactful change
Jan 28, 2021 • 8 tweets • 22 min read
📚 tl;dr sec 68
* >5K subscribers! 🤯
* How AWS secures Lambda
* @DanielMiessler primer on @TomNomNom's recon tools
* @infosec_au: Blind SSRF chains
* @RachelTobac: InfoSec sea shanty
* @bradgeesaman: Creating least priv custom roles in GCP
tldrsec.com/blog/tldr-sec-…
📢 Sponsor: Go beyond the network - detect and block malicious actors, not just malicious IPs, with @SqreenIO's RASP. Schedule your demo today
sqreen.com/rasp
Jan 8, 2020 • 4 tweets • 4 min read
📚 tl;dr sec 19
* @shehackspurple & @j_opdenakker on getting into security
* Google's BeyondProd & code provenance (thx @MayaKaczorowski)
* Cloud, API, and file access bug security tools
... and I've got something big planned next week, stay tuned 🤫
tldrsec.com/blog/tldr-sec-…
Static analysis tools to find security issues in:
🌎 Terraform scripts:
* github.com/liamg/tfsec
* github.com/bridgecrewio/c…
* github.com/cesar-rodrigue…
☁️ CloudFormation templates:
* github.com/Skyscanner/cfr…
* github.com/stelligent/cfn…