1. How we're creating a threat model framework that works for GitLab

While our Security team owns the framework, we don't "run" it. It is run by the people who are running the project.


2.Deciduous: A Security Decision Tree Generator

Security decision trees are a powerful tool to inform saner security prioritization when designing, building, and operating software systems.


3.npm audit: Broken by Design

I see the point, but I also disagree – SCA and finding/mitigating supply chain issues is a security requirement.


4.Trusted Types - mid 2021 report

"We believe Trusted Types are necessary to obliterate DOM XSS, one of the most prevalent web application vulnerabilities."


5.When shifting security left falls off a cliff

The author talks about the dangers of pushing security too far left, where tools can hinder the dev instead of providing value.

1. Groundhog day: NPM package caught stealing browser passwords

The author intended to trick the targets into executing the malicious package. In cases of malware placed in package repositories, attackers usually rely on typo squatting.

2. TypeScript Doesn't Suck; You Just Don't Care About Security

Security wins against the eleven popular reasons developers disapprove of TypeScript.

3.Recommended Minimum Standard for Vendor or Developer Verification of Code

Threat modeling, automated testing, code-based (static) analysis, DAST, check included software, fix bugs.

4.CVE-2021-3438: 16 Years In Hiding – Millions of Printers Worldwide Vulnerable

An exploitable kernel driver vulnerability can lead an unprivileged user to a SYSTEM account and run code in kernel mode (since the vulnerable driver is locally available to anyone).

5.Over half of exploits sold on underground forums are for Microsoft products

Microsoft Office exploits make up 23 percent, while Windows accounts for 12 percent of exploits sold on hacker forums. Remote Desktop Protocol (RDP) exploits make up 10 percent, with Internet Explorer and Share Point taking three percent each.

1. Sonatype Catches New PyPI Cryptomining Malware

Malicious packages continue to infect our public package repositories; all developers must understand these threats!

2. (Technical) Infosec Core Competencies

While these core competencies stray slightly to the red team / pen test side, this is a solid list of what folks need to know as they grow.

3. SSRF Cheat Sheet & Bypass Techniques

SSRF vulns are growing; application security people must understand SSRF and know how to properly find it and mitigate it.

4. MySQL 101: Installation, care, and feeding on Ubuntu

Security professionals need to have basic skills to understand and operate the technologies in our developers' tech stack.

5. BEC Taxonomy: Extortion

As application security people, we must understand the threats that impact our entire user population and look for ways to help secure the Enterprise.

1. Cybereason: 80% of orgs that paid the ransom were hit again

Prevention of ransomware is a human and technology solution.​

2. Introducing SLSA, an End-to-End Framework for Supply Chain Integrity​

Learn from Google’s eight years of protecting their supply chain.

3. Peloton Bike+ vulnerability allowed complete takeover of devices

Secure your fitness equipment – seems strange that we have to say that, but hey, it is 2021.

4. Irish police to be given powers over passwords

Privacy advocate or crime fighter? Giving anyone power over passwords requires strong checks and balances.

5. New Top 20 Secure-Coding List Positions PLCs as Plant 'Bodyguards' 

Secure coding is for everything, including programmable logic controllers.

1. Impact of GDPR on Cloud Service Providers

Privacy is here to stay -- long live data privacy in the cloud.

2. Static Analysis of Client-Side JavaScript for pen testers and bug bounty hunters

Bug bounty hunter techniques are the same techniques adversaries use.

3. What Every Incident Response Plan Needs

Nobody thinks they’ll need an incident response plan… until it’s too late.

4. Dev-Sec Disconnect Undermines Secure Coding Efforts

Developer empathy – as a security person, walk a mile in the shoes of your developers. It will change your whole perspective.

5. Look how many cybercriminals love Cobalt Strike

Adversaries use the best tools available for any job. Sometimes those tools are the same tools used by those on the side of good.

1. The Unified Kill Chain
The Unified Kill Chain is thorough, and all builders and defenders must understand the techniques of our adversaries.

2. Why Developers Dislike Security -- and What You Can Do About It

Developers that embrace security and learn all the ins and outs rise to the top and have the option to transition into dedicated security professionals in the future.

3. Hacker Tools Used for Good as Exposed Amazon Cloud Storage Accounts Get Warnings

Secure those AWS S3 buckets by disabling public access across your entire account!

4. Modern JavaScript: Everything you missed over the last 10 years

While JavaScript has matured functionally, developers must still apply secure coding principles when using JavaScript.

5.  obheda12/GitDorker

GitDorker is worth considering as another tool that you run at some interval against your Git repos.

 1. I Mailed an AirTag and Tracked Its Progress; Here’s What Happened
AirTags use the network capacity of all other Apple devices. If you own an Apple device, you’re now part of a mesh network that you cannot disable.

2. The Need to Protect Public AWS SSM Documents – What the Research Shows 
Follow the AWS Best Practices for SSM: https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-before-you-share.html​

3. Application Security and the Zen of Python
Application security and the Zen of Python are complementary of each other. All languages can have security applied.

4. More Companies Adopting DevOps & Agile for Security
We saw DevOps & Agile Security move forward in the past year, but we have more room to grow.​

5. Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys
Hardcoded keys should NEVER be embedded in any type of app.​

1. Cross-site scripting (XSS) cheat sheet​

Learn XSS at a depth that you can explain it to anyone, and understand the diversity of attack that exists across the set of XSS vectors.​

2. Why DevOps Will Cease to Exist

Just like DevOps is integrated into every developer’s job, so is security.​

3. OAuth 2.0 Threat Model Pentesting Checklist
​
OAuth 2.0 is used everywhere, and many developers and security people aren’t aware of the depth of threat that exists.

4. A deep dive into how we investigate and secure GitLab packages

Solving the software supply chain security issues requires a coordinated and organizationally wide approach.

5. Modern Static Analysis: how the best tools empower creativity

If you haven’t evaluated semgrep as a tool for inclusion in your application security program, it’s time.

1. JWT should not be your default for sessions
JWT is a bad default -- be deliberate and careful when you use it.

2. Exploiting custom protocol handlers for cross-browser tracking in Chrome, Firefox, Safari, and Tor
Protecting user privacy is a foundational capability of the web browser, and scheme flooding violates that capability.

3. Dustin Lehr -- Advocating and being on the side of developers
As AppSec people, work hard to be an advocate for your developers and evaluate tools that will work for them.​

4. Send My: Arbitrary data transmission via Apple's Find My Network
As consumers, we need to push back on this idea that our devices are used together to form super networks, without us opting in.

5. 47 powerful open-source app sec tools you should consider
Application security tools save us time by doing something manual and providing an automated series of steps to make the action repeatable.​

1. The AppSec Manifesto

The AppSec Manifesto has some good advice contained within, but we think a Manifesto should be the work of multiple people to ensure that the opinions are vetted.

2. Security Chaos Engineering

Security chaos engineering is providing a methodology to prepare your system for the unexpected happenings that could adversely impact security and privacy.

3. Linux bans University of Minnesota for committing malicious code

Open-source is built upon a trust model of the people that contribute towards it. The community only trusts after verifying. The UMN team violated that trust, and the outcome is fair.

4. Looking for Greater Security Culture? Ask an 8-Bit Plumber

There are lessons about security culture to be found in many places – perhaps even in an 8-bit Mario World.

5. “BadAlloc” – Memory allocation vulnerabilities could affect wide range of IoT and OT devices in industrial, medical, and enterprise networks

Application security professionals must understand new threats and new manifestations of threats – this is a new approach to an old problem.