• In Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments [PDF], Mark Thompson and Hassan Takabi of the University of North Texas take a look at the effectiveness of a threat modelling game, OWASP Cornucopia. They find that students generally enjoy the game and say that it’s useful – which is more than you can so for many security exercises! – and that it does seem to be mildly effective in raising participants’ scores on a quiz covering the OWASP Top 10. However, they also find that the participants found the exercise confusing, and struggled to map the game back to real-world scenarios. So, it looks like there’s now a bit of proof that these sorts of games really are useful, but that work remains to find ways to make ‘em more effective.
  • Zane Lackey takes a look at How to adapt the SDLC to the era of DevSecOps [Slideshare]. Zane’s been doing the DevSecOps (SecDevOps? OpSecDev?) before it had a (terrible) name, and knows some things. His advice is golden.
  • pyupio/safety-db is a curated, machine-readable database of Python security vulnerability data. Looks like it’s what pyup.io uses to notify you about known security vulnerabilities.
  • Over on the sysdig blog, Mark Temm’s SELinux, Seccomp, Falco, and You: A Technical Discussion is a great introduction to a whole bunch of related security tooling: seccomp, seccomp-bpf, SELinux, AppArmor, Auditd, and Falco.
  • For the last couple of weeks I’ve been working my way through LiveOverflow’s videos. There’s a whole bunch of video tutorials on “smash the stack”-style attacks, walkthroughs of CTFs, and some websec topics. They’re short, understandable, and build on each other nicely. Explaining Dirty COW local root exploit - CVE-2016-5195 is a good example of the style and level of content (and a really clear explanation of a recent vulnerability).
  • Nike Engineering’s Cerberus is a secrets management tool built on Vault and AWS. It includes a dashboard and client libraries – nice!
  • Apropos of current events, Lesley Carhart has a couple of blog posts worth reading: Nation State Threat Attribution: a FAQ talks about the issues and challenges inherent in breach attribution, and this week she posted a sort of follow-up, How do security professionals study threat actors,, which digs more deeply into the “how” of studying threat actors. Good expert context to keep in mind if you’re following the news.

What’s this?

This is a weekly roundup of interesting infosec related links, inspired by Geek Feminism’s linkspam tradition.

If you’d like to suggest a link for a future roundup, post it to Pinboard tagged with securitylinkspam and I’ll find it there.