Clint Gibler Profile picture
🗡️ Head of Security Research @r2cdev 💙 #DevSecOps and automated bug finding 📚 Creator of https://t.co/FEoo2LrkjC newsletter
Durja Profile picture 1 added to My Authors
28 Oct
📚 tl;dr sec 107
* @rung Attacking and securing CI/CD pipelines
* @xntrik Threat modeling in HCL
* @NCCGroupInfosec Cracking random number generators w/ML
* @kottireethi GitHub Actions security best practices
* @pdnuclei Easily validate leaked API tokens

tldrsec.com/blog/tldr-sec-…
@rung @xntrik @NCCGroupInfosec @kottireethi @pdnuclei 📢 Sponsor: Join @Tenable, @awscloud, @techmahindracsr, & more at #Accurics Code to Cloud Security Summit on Wed. Nov 10 @ 8:30am PST. If you’re in the US, register by Fri. to receive a FREE snack box. Preparing for tomorrow’s security challenges today. hopin.com/events/executi…
@rung @xntrik @NCCGroupInfosec @kottireethi @pdnuclei @tenable @awscloud @techmahindracsr Tool for secret management at @elastic
github.com/elastic/harp

Repo of Google's security advisories and accompanying PoCs
github.com/google/securit…

@xntrik: Document your threat models in HCL
github.com/xntrik/hcltm

@daniel_bilar With 👆, you can now lint your TMs with Semgrep
Read 10 tweets
14 Oct
📚 tl;dr sec 105
* #DevSecOps - @NIST on microservices + service mesh
* @ErmeticSec Defending S3 from ransomware
* @falco_org labs
* Risk-Based Security Decision Making at @netflix
* @brutelogic XSS exercises
* @trailofbits osquery + macOS EndpointSec

tldrsec.com/blog/tldr-sec-…
@NIST @ErmeticSec @falco_org @netflix @brutelogic @trailofbits 📢 Sponsor: Learn how “Detection-as-Code” is changing how security teams write, test and harden detections. blog.runpanther.io/detections-as-…
@NIST @ErmeticSec @falco_org @netflix @brutelogic @trailofbits Risk-Based Security Decision Making at @netflix
eventbrite.com/e/risk-based-s…

@ztgrace A tool for detecting default and backdoor creds
github.com/ztgrace/change…

@omer_gil Bypassing required reviews using GitHub Actions
medium.com/cider-sec/bypa…
Read 9 tweets
7 Oct
📚 tl;dr sec 104
* New Phrack
* @hakluke, @farah_hawaa 10 often missed web vulns
* @_fel1x C/C++ semantic search tool
* @black2fan, @s1r1u5_ Finding prototype pollution at scale
* @r2cdev Securing your GitHub Actions
* @alex_dhondt Exploiting drones

tldrsec.com/blog/tldr-sec-…
@hakluke @Farah_Hawaa @_fel1x @Black2Fan @S1r1u5_ @r2cdev @alex_dhondt 📢 Sponsor: The DevSecGuide to Infrastructure as Code:
🔬 Research on the state of IaC security
🦋 Practical steps for embracing a DevSecOps culture
🔐 Tips for embedding security throughout the DevOps lifecycle
➡️ Download for free from @bridgecrewio
bridgecrew.io/resource/the-d…
Read 9 tweets
28 Jan
📚 tl;dr sec 68
* >5K subscribers! 🤯
* How AWS secures Lambda
* @DanielMiessler primer on @TomNomNom's recon tools
* @infosec_au Blind SSRF chains
* @RachelTobac InfoSec sea shanty
* @bradgeesaman Creating least priv custom roles in GCP

tldrsec.com/blog/tldr-sec-…
@DanielMiessler @TomNomNom @infosec_au @RachelTobac @bradgeesaman 📢 Sponsor: Go beyond the network - detect and block malicious actors, not just malicious IPs, with @SqreenIO’s RASP. Schedule your demo today sqreen.com/rasp
@DanielMiessler @TomNomNom @infosec_au @RachelTobac @bradgeesaman @SqreenIO @cryptogangsta Bypassing Signature Checks with Electron
parsiya.net/blog/2021-01-0…

SANS Virtual Summits FREE in 2021
sans.org/blog/sans-virt…

@IncludeSecurity Writing custom static analysis rules in Brakeman and Semgrep
blog.includesecurity.com/2021/01/ruby-s…
Read 8 tweets
8 Jan 20
📚tl;dr sec 19
* @shehackspurple & @j_opdenakker on getting into security
* Google's BeyondProd & code provenance (thx @MayaKaczorowski)
* Cloud, API, and file access bug security tools

... and I've got something big planned next week, stay tuned 🤫

tldrsec.com/blog/tldr-sec-…
Static analysis tools to find security issues in:

🌎Terraform scripts:
* github.com/liamg/tfsec
* github.com/bridgecrewio/c…
* github.com/cesar-rodrigue…

☁️CloudFormation templates:
* github.com/Skyscanner/cfr…
* github.com/stelligent/cfn…
Other #security tools:

Docker container that wraps 7 other #AWS security tools:
github.com/z0ph/aws-secur…

Automatic API attack tool that takes API specs as input:
github.com/imperva/automa…

Finding file access bugs:
github.com/google/path-au…
Read 4 tweets