[tl;dr sec] #191 – BadZure, Detection & Response Pipelines, 18K Subscribers!


I hope you’ve been doing well!

Over 18,000 subscribers! 🤯 

I’m honored to announce that tl;dr sec has surpassed 18k subscribers!

What started as a way for me to lazily efficiently share links with friends has turned into something that many people rely on for keeping up with the security industry. Which is pretty rad. And humbling.

As always, I’ll continue to work hard every week to make sure this is one of the most densely useful, no fluff things you read. Scout’s honor 🖖 

If you’re new, welcome! I’m thrilled you’re here.

I’ll be sharing tools, blog posts, and talks across most every area of security.

If you’re going to Vegas this year I’ll be bringing some exclusive new swag, more details soon…

I’ll leave you with this stealth shot I took recently of a guy pulling his two dogs, who were wearing matching collars and glasses, on a skateboard.

📣 Opal, scalable identity security

Opal is designed to give teams the building blocks for identity-first security: view authorization paths, manage risk, and seamlessly apply intelligent policies built to grow with your organization.

They are built from the ground up to synthesize the data needed to construct and monitor all of your company’s access – from a single pane of glass.

Opal is used by best-in-class security teams today, such as Blend, Databricks, Drata, Figma, Scale AI, and more. There is no one-size-fits-all when it comes to access, but they provide the foundation to scale least privilege the right way.

📜 In this newsletter…

  • Secrets: Thousands of images on Docker Hub leak auth secrets & private keys, new service to browse live secrets found on GitHub/NPM

  • Web Security: IIS short filename enumerator, Burp reshaper extension, Burp GraphQL extension

  • Cloud Security: Tool to find AWS misconfigs, BadZure, workshop on refining IAM permissions, how to monitor AWS root users at scale

  • Container Security: Kubernetes logging best practices

  • Blue Team: Detection and response pipeline compilation

  • Red Team: A reverse shell using curl, tool to sign with expired certificates

  • Startups: Founder’s Choice VC Leaderboard, VC is ripe for disruption, 12 ways to fail a cybersecurity startup

  • Machine Learning + Security: A self-hardening prompt injection detector, leveraging LLMs for phishing, tool to test LLM responses, learnings from Semgrep Assistant, prompt injection with control characters, a framework to securely use LLMs in companies

  • Machine Learning: Automatically vet/improve your prompts, wasting scam callers’ time with AI, the Darwinian argument for worrying about AI, emerging architectures for LLM apps

  • Misc: Normies watching musicals, AI tattoos, legal lullabies, Andrew Huberman bio

Secrets

TIL if you add a .npmignore, .gitignore is no longer used to block files and directories from being published. Yikes.

  • 0.1% of pushes (not just commits!) have live credentials in them.

  • 90.9% of pushes with live credentials are to personal repositories. 9.1% are to organization repositories.

  • 7.8% of pushes with live credentials are to forks rather than the original repository.

📣 How to develop and test cloud-based security detections using Atomic Red Team

With thousands of attack scenarios, over 7,000 GitHub stars, 46,379 weekly views, and around 10 new attacks added weekly, the Atomic Red Team library of scripted cyber attacks has become the industry standard for detection validation and attack simulation.

Learn how to use the most popular execution engine, Invoke-AtomicRedTeam, led by Carrie Roberts (@OrOneEqualsOne) and Atomic Red Team maintainers, and walk through 3 scenarios of developing and testing cloud-based detections using the MITRE ATT&CK Framework.

Web Security

bitquark/shortscan
By Bitquark: An IIS short filename enumeration tool designed to quickly determine which files with short filenames exist on an IIS webserver. Once a short filename has been identified, the tool will try to automatically identify the full filename.

forcesunseen/graphquail
A Burp Suite extension by Alex Leahu that provides a toolkit for testing GraphQL endpoints, including detecting and building a GraphQL schema from proxy traffic, emulating introspection, and injecting custom headers, among other features.

Cloud Security

mvelazc0/BadZure
By Mauricio Velazco: A PowerShell script that orchestrates the setup of Azure Active Directory tenants, populating them with diverse entities while also introducing common security misconfigurations to create a vulnerable playground with multiple attack paths.

Refining IAM Permissions Like A Pro
This free AWS workshop is designed to teach attendees how to build automation for constant monitoring and analysis of infrequently used and business-critical IAM permissions. It also explores how to use the last accessed information programmatically and discusses remediation approaches towards least privilege.

How to Monitor AWS IAM Root Users at Scale: Best Practices
CloudYali provides insights into best practices and effective strategies for managing IAM users at scale. The article delves into IAM user monitoring, emphasising the importance of the root user, and highlighting essential IAM security practices. It also covers automation of IAM Credential Report generation at scale, streamlining the collection of IAM user information and facilitating more efficient monitoring and management for cloud teams.

Container Security

Kubernetes logging best practices
Selvam Raju discusses Kubernetes logging and shares some best practices, including using a centralized logging solution, implementing log rotation, and streaming logs to a log server, among others. Selvam also provides a few CLI alternatives for log collection and analysis in Kubernetes, such as kubetail, which allows you to tail logs from multiple pods simultaneously.

Startups

We have now reached a point in the startup ecosystem where for large VC funds, a startup achieving a billion-dollar outcome is meaningless. To hit a 3-5x return for a fund, a venture partnership is looking to partner with startups that can go public at north of $50B dollars. In the entire universe of public technology companies, there are only 48 public tech companies that are valued at over $50B. Simultaneously there are close to 1,000 venture funds all trying to find these select few. This is a huge problem. It is likely that many of the funds deployed over recent years will be some of the worst-performing of all time.

Machine Learning + Security

Rebuff.ai
A self-hardening prompt injection detector.

leondz/garak
By Subho Majumdar and Leon Derczynski: A modular tool for testing LLMs for undesirable prompt responses. It comes with >10 types of probes and supports Hugging Face hub models, OpenAI, and more.

This post also had a great, systematic testing methodology that’s also worth reading for.

Machine Learning

  • AutoChain – Build lightweight, extensible, and testable LLM Agents.

  • Code Interpreter API – An open source implementation of the ChatGPT Code Interpreter.

  • Introducing Llama 2 – New and improved version of Llama released by Meta, can be used commercially.

  • NotebookLM – New (hasn’t been killed off yet) project by Google aimed at reimagining what notetaking software would be like with an LLM at its core.

mshumer/gpt-prompt-engineer
Input a description of your task and some test cases, and this tool will generate, test, and rank a multitude of prompts to find the ones that perform the best.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏


