[tl;dr sec] #197 – Career Resources, Modern Security Podcast, Smashing the State Machine

If you don’t know Dev, he’s currently Head of Security at Figma, and was Director of Security Engineering at Dropbox before that.

A few years ago we did some DevSecOps panels with other awesome folks that are still highly worth checking out today.

I feel like Dev is usually thinking about and/or doing things that are a few years ahead of most, so it was great to chat with him about:

  • The rise of security engineering

  • Career advice

  • Secure defaults

  • What makes a security tool great

  • Fancy stuff like: how to get continuous visibility into the code your company is writing and scale just-in-time developer education

Let me know what you think!

📣 Just-in-time access for your cloud infrastructure with ConductorOne

Managing access to cloud infrastructure can be a headache.

ConductorOne’s Cloud PAM solution gives teams just-in-time (JIT) access to cloud resources, drastically reducing standing access and permissions. No more tickets. No more waiting.

Learn how you can take control of accounts and permissions throughout your environment and achieve least privilege access for AWS, GCP, AzureAD, Snowflake and more.

Web Security

By Alicia Sykes: Community fork of the now-removed Wappalyzer project, which can be used to detect the technologies used by a website.

By Zigrin’s Dawid Czarnecki et al: A tool that uses an Interactive Application Security Testing (IAST) approach to autonomously and consistently uncover vulnerabilities in web applications built with the CakePHP framework.

Key insight: “Every pentester knows that multi-step sequences are a hotbed for vulnerabilities, but with race conditions, everything is multi-step.”

📣 Rampant cloud activity?

Cloud risk can grow faster than your AWS bill (true story).

That’s why Wiz partnered with Wiley to create the AWS Security for Dummies ebook. This free PDF contains 46 pages of expert tips to harden your AWS environment, including:

  • How to get the basics right to help scale security when your footprint (inevitably) grows

  • How to secure specific resources based on your usage (VMs, S3, Cloudtrails, and more)

  • Which critical weaknesses to prioritize so you aren’t caught off guard

Grab your free digital copy now and boost your AWS security posture.

Cloud Security

Methods to Backdoor an AWS Account
Fawaz Masood writes about different methods that adversaries can use to create backdoors in an AWS account and achieve persistence, including access keys, temporary security credentials, AssumeRole, changing Security Groups, EC2 UserData scripts, and EC2 SSM Send-Command.
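The techniques in the post each leave a distinct API call in CloudTrail, which is what a defender would hunt for. The following is an added example (not code from Fawaz's post) that maps those techniques to their CloudTrail eventSource/eventName pairs and scans a handful of constructed log records; the sample events, account id, IPs and the noise-reduction heuristics are this example's own assumptions.

```python
"""Flag CloudTrail events matching the AWS persistence techniques listed above.

Added example; the event names are real AWS API names, the mapping to techniques,
the heuristics and the sample records are constructed for illustration.
"""
import json
from collections import Counter

# (eventSource, eventName) -> technique from the post. UpdateAssumeRolePolicy is
# included because changing a role's trust policy is how AssumeRole becomes a backdoor.
PERSISTENCE_EVENTS = {
    ("iam.amazonaws.com", "CreateAccessKey"): "long-lived access key created",
    ("sts.amazonaws.com", "GetFederationToken"): "temporary credentials minted",
    ("sts.amazonaws.com", "GetSessionToken"): "temporary credentials minted",
    ("sts.amazonaws.com", "AssumeRole"): "role assumed",
    ("iam.amazonaws.com", "UpdateAssumeRolePolicy"): "role trust policy changed",
    ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"): "security group opened",
    ("ec2.amazonaws.com", "ModifyInstanceAttribute"): "EC2 UserData modified",
    ("ssm.amazonaws.com", "SendCommand"): "SSM command sent to instances",
}


def classify(event):
    """Return a finding dict if the event matches a listed technique, else None."""
    key = (event.get("eventSource"), event.get("eventName"))
    technique = PERSISTENCE_EVENTS.get(key)
    if technique is None:
        return None
    params = event.get("requestParameters") or {}
    identity = event.get("userIdentity") or {}
    # Noise-reduction heuristics (assumptions of this example; tune per environment):
    if key[1] == "ModifyInstanceAttribute" and "userData" not in params:
        return None  # instance type / group changes are routine; UserData is the signal
    if key[1] == "AssumeRole" and identity.get("type") == "AWSService":
        return None  # service-initiated AssumeRole is constant background noise
    return {
        "time": event.get("eventTime"),
        "actor": identity.get("arn", "unknown"),
        "source_ip": event.get("sourceIPAddress"),
        "event": f"{key[0]}:{key[1]}",
        "technique": technique,
    }


def scan(log_lines):
    """Parse one JSON CloudTrail record per line and collect findings; skip bad lines."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


def group_by_source_ip(findings):
    """Several distinct techniques from one IP in a short window is the strongest signal."""
    return Counter(f["source_ip"] for f in findings)


# Constructed sample records (not real CloudTrail output); account id and IPs are placeholders.
SAMPLE_LOG = """
{"eventTime":"2023-09-01T10:00:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"userName":"svc-backup"}}
{"eventTime":"2023-09-01T10:01:00Z","eventSource":"ec2.amazonaws.com","eventName":"ModifyInstanceAttribute","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"instanceId":"i-0123456789abcdef0","userData":{"value":"dXNlcmRhdGE="}}}
{"eventTime":"2023-09-01T10:02:00Z","eventSource":"ec2.amazonaws.com","eventName":"ModifyInstanceAttribute","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/ops"},"requestParameters":{"instanceId":"i-0123456789abcdef0","instanceType":{"value":"t3.large"}}}
{"eventTime":"2023-09-01T10:03:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","sourceIPAddress":"lambda.amazonaws.com","userIdentity":{"type":"AWSService","invokedBy":"lambda.amazonaws.com"},"requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/app"}}
{"eventTime":"2023-09-01T10:04:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/Admin"}}
{"eventTime":"2023-09-01T10:05:00Z","eventSource":"ssm.amazonaws.com","eventName":"SendCommand","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/Admin/alice"},"requestParameters":{"documentName":"AWS-RunShellScript"}}
{"eventTime":"2023-09-01T10:06:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/ops"}}
{"eventTime":"2023-09-01T10:07:00Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/Admin/alice"},"requestParameters":{"groupId":"sg-0123456789abcdef0"}}
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f['time']} {f['source_ip']:<14} {f['event']:<48} {f['technique']}")
    print(group_by_source_ip(results))
```

In the sample, five of the eight records are flagged and all five come from one IP, which is the pattern worth alerting on; the two heuristics that suppress routine ModifyInstanceAttribute and service AssumeRole calls are the knobs most environments will need to adjust.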


Semgrep on Tour!
Semgrep is loading up the (metaphorical) tour bus and hosting a series of half-day events across the U.S. where Tanya Janca and other cool people will be teaching AppSec, Semgrep, and more. Dates for San Francisco, San Jose, and Boston are posted, more soon!

The first threat modeling conference, October 29 in DC, right before OWASP Global AppSec DC. 10 insightful talks covering 7 key topics in threat modeling, 2 hands-on workshops, 20 industry-leading speakers.

The organizers have been kind enough to offer tl;dr sec readers:

  • 3 free tickets – which I’ll randomly raffle to people who comment on or share this tl;dr sec (#197) post on Twitter or LinkedIn.

  • A 35% discount when you use the code TLDR_SEC.

Machine Learning + Security

Prompt Injection Primer for Engineers
Detailed guide by Joseph Thacker to assist developers in creating secure AI-powered applications and features by helping them understand the actual risks of prompt injection. Joseph details different attack vectors and explains how conventional web vulnerabilities such as SQL Injection or Remote Code Execution can also be accomplished through prompt injection, as well as different mitigations to prevent this attack class.
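The SQL Injection case from the primer is easiest to see in code. The following is an added example (not code from Joseph's primer) contrasting an app that runs model-generated SQL directly with one that lets the model choose only a filter column and value from an allow-list and binds the value as a parameter. The in-memory schema, the sample rows and the "model reply" strings are constructed stand-ins; no real model is called.

```python
"""Prompt injection reaching SQL: vulnerable pattern beside the hardened one.

Added example with constructed data; the strings in INJECTED_* stand in for model
output produced after a user's message carried injected instructions.
"""
import json
import sqlite3


def make_db():
    """Constructed schema: an orders table the feature should query and a users
    table it should never expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "alice", 10.0), (2, "bob", 25.5), (3, "carol", 7.25)])
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "hash-placeholder"))
    conn.commit()
    return conn


# Constructed model reply: the model was asked to write SQL for "show bob's orders",
# but the injected instructions steered it into appending a UNION on the users table.
INJECTED_SQL_REPLY = ("SELECT customer, total FROM orders WHERE customer = 'bob' "
                      "UNION SELECT username, password_hash FROM users")


def vulnerable_lookup(conn, model_sql):
    """Vulnerable pattern: model output treated as trusted SQL and executed as-is."""
    return conn.execute(model_sql).fetchall()


# Hardened design: the model never writes SQL. It returns a one-key JSON filter,
# the key must be on this allow-list, and the value is bound as a parameter.
ALLOWED_FILTERS = {"customer": str, "id": int}


def safe_lookup(conn, model_reply):
    """Hardened pattern: parse a strict filter spec, allow-list the column, bind the value."""
    try:
        spec = json.loads(model_reply)
    except json.JSONDecodeError:
        raise ValueError("model reply is not a JSON filter spec")
    if not isinstance(spec, dict) or len(spec) != 1:
        raise ValueError("exactly one filter key expected")
    (column, value), = spec.items()
    expected = ALLOWED_FILTERS.get(column)
    if expected is None or isinstance(value, bool) or not isinstance(value, expected):
        raise ValueError(f"filter {column!r} not on allow-list or wrong type")
    # column comes from ALLOWED_FILTERS, never from the model; value is a bound parameter
    sql = f"SELECT customer, total FROM orders WHERE {column} = ?"
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup(make_db(), INJECTED_SQL_REPLY))
    print("safe:", safe_lookup(make_db(), '{"customer": "bob"}'))
    try:
        safe_lookup(make_db(), INJECTED_SQL_REPLY)
    except ValueError as e:
        print("safe rejected injected reply:", e)
```

The hardened version still works if the model is tricked into emitting an injection payload as the filter value: the payload is bound as a string, matches no customer, and returns nothing rather than leaking the users table.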

Writing fuzzing test harnesses tends to be very manual/time intensive and a limiting factor in fuzzing effectiveness, so this could be a big deal if it works at scale.


How to Build a Cybersecurity Career
This isn’t new, but if you haven’t read this guide by Daniel Miessler you’re missing out! It covers a wide range of topics from technologies to learn and useful resources, to building your brand and networking, CFP submissions, your first job, and more.

Web AppSec Interview Questions
A tough set of questions by Tib3rius covering a wide range of topics including web cache deception and poisoning, session fixation, XSS, CSRF, SQL injection, the same-origin policy, HTTP request smuggling, DOM clobbering, HTTP parameter pollution, and much more.

Meaningful Exits for Founders
Bryce Roberts shares some interesting stats and tables on the difference between meaningful exits for VCs vs founders. tl;dr: VCs want founders to go for home runs, despite that being a high risk path.

  • A “meaningful exit” for a fund should return 33% of the fund, a “home run” exit should return the entire fund in a single investment.

  • “A founder selling at the Series D price of $210M, would make the same amount of money at exit as they would have if they’d sold for $38M after having only raised a seed round.”

I’m really happy for Daniel and I found his post inspiring. I hope you find it motivating too.

The best time to start working on yourself and your career is years ago, the second best time is today. Don’t get discouraged if you don’t see immediate traction: it took tl;dr sec 1-2+ years to start getting traction, and Daniel has been writing online for like 20 years. Put in the time, consistency is key. I believe in you.

What would you do if you weren’t afraid?


If you’re an operator or investor who wants to learn how to analyze cybersecurity technologies and the financials behind those companies, you might want to check out a bootcamp Francis will be co-leading soon.
