Jacob Kaplan-Moss

234 items tagged “security”

๐Ÿ“ Preventing SQL Injection in Django

📌 Kore4 and Python

There’s a bunch of interesting stuff here—async, automatic ssl—but the seccomp stuff is _really_ fascinating. I wonder how hard it’d be to do this with Django?

📌 Resources for measuring cybersecurity: a bibliography
📌 AWSume: AWS Assume Made Awesome! | AWSume
📌 toniblyx/my-arsenal-of-aws-security-tools

A huge list of open source AWS security tools.

📌 The Difference Between Red, Blue, and Purple Teams | Daniel Miessler

A really good model for build/break/defend teams and — more importantly — the interactions between them.

📌 60 Cybersecurity Interview Questions [2019 Update] | Daniel Miessler

Some really good interview questions here! A few tend a bit too far towards trivia for my taste, but most of them are really great.

📌 Securing Local AWS Credentials – Starting Up Security
📌 awsmfa · PyPI

Useful tool to automate some of the headaches of using IAM, MFA, and short-lived credentials.

📌 If You Say Something Is “Likely,” How Likely Do People Think It Is?

Mapping vague words (“likely”, “probably”, “never”) to specific probabilities. Very useful for training and calibrating forecasters.

📌 Bringing Okta to Massdrop – Zander – Medium

Details on how a fully-automated, SSO-and-2FA-everywhere account security system works. Zander now runs IT for HackerOne, and I’ve been blown away by how great the IT security is here.

📌 Engineering dive into Slack Enterprise Key Management

Slack’s EKM is an incredibly promising model for B2B services. It gives customers much more control over how data is stored and retained, and seems to reduce risks of sensitive data on 3rd-party servers. I haven’t dug super-deep into the details, and I’m sure there are potential problems and downsides. But, I love the model, and hope it’s the start of a trend.

📌 Starting Up Security

The collected security writings of Ryan McGeehan (@magoo). These used to be on Medium, where they were really hard to find; here they are all in one place. These articles are a tremendous resource for anyone building a security team/organization/practice; highly recommended.

📌 Reviews of U2F devices

Roundup of the various U2F devices on the market right now. Critically, also includes information on which can store TOTP secrets (a key use-case for me).

📌 Personal data removal & credit freeze guide workbook [PDF]

An exhaustive workbook/checklist guiding freezing credit and scrubbing personal data from the web. This is the most comprehensive guide to this sort of thing I’ve found.

📌 Startups: Recruiting for Compliance – Kat Valentine – Medium
📌 ImperialViolet - Security Keys
📌 Fleetsmith: Secure, cloud-based Mac management via G Suite

Looks like a great alternative to Casper.

📌 The SaaS CTO Security Checklist
📌 GitHub - minimaxir/big-list-of-naughty-strings: The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data.
📌 Auditing code for crypto flaws: the first 30 minutes
📌 Serverless Security implications—from infra to OWASP | Snyk
📌 ThreatHunting Home

Good resources (playbooks, links, tools) for threat hunting.

📌 1225 - LastPass: global properties can be modified across isolated worlds, allowing remote code execution - project-zero - Monorail

Another Tavis/P0 password manager finding. Could affect other types of plugins, so if you write one, worth reading. Also worth reading through to see a good example of a researcher and vendor working closely to understand a complex issue and deploy a systemic fix.

📌 dxa4481/truffleHog: Searches through git repositories for high entropy strings, digging deep into commit history

A different approach to finding secrets in git repos: rather than pattern matching, look for strings with high entropy. Interesting!

📌 Into the symmetry: CSRF in Facebook/Dropbox - "Mallory added a file using Dropbox"

A variation of a classic OAuth vulnerability. These sorts of things are depressingly common, and this is why people sometimes talk about OAuth itself as being insecure.

📌 Tabletops for Bug Bounty
📌 Lessons Learned in Detection Engineering – Ryan McGeehan – Medium

Ryan nails it, as usual.

📌 CVE-2017-7240 - An issue was discovered on Miele Professional PG 8528 PST10 devices. The corresponding embedded webs - CVE-Search

A CVE for a dishwasher. SIGH.

📌 Alexsey’s TTPs

What a real attacker does. No 0days, all chained exploits. Very worth studying, in detail.