tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web.


Hey there,

I hope you’ve been doing well!

Complexity In Capital: Demystifying The Hype In Cybersecurity

One exciting thing that happened this week is that an article I collaborated on with my friend Louisa Xu, a Partner at IVP, was published in Forbes! I’ve never had anything in Forbes before, so that was neat.

In the article, Louisa and I discuss:

  • How product complexity and cheap capital make vetting the quality of security products hard
  • Modern AppSec best practices
  • Why security vendors using machine learning is often overhyped, and some tough questions to ask them

Fun fact: on publishing your first article in Forbes, they mail you a monocle, a smoking jacket, and a personalized copy of The Great Gatsby.

Framed on my wall

Trimmed Descriptions

I’m trying something new: trimming some of the descriptions and snippets in the email and having them on just the blog instead.

That way, if you want to see more, you can go to this blog post; otherwise, you can more easily skim the email.

Feel free to let me know what you think.


📢 Secure Your Business-Critical SaaS with AppOmni

AppOmni is the leading provider of SaaS Security Posture Management (SSPM) solutions. AppOmni provides continuous monitoring, management and security of SaaS solutions, enabling organizations to maintain best practices and secure sensitive data. AppOmni’s technology deeply scans APIs, security controls, and configuration settings to evaluate the current state of SaaS deployments and enable simple remediation. With AppOmni, organizations can establish rules for data access, data sharing, and third-party applications that will be continuously and automatically validated. Get a free AppOmni Risk Assessment today.
If you're not familiar, AppOmni was co-founded by Brendan O'Connor, a super sharp and nice dude, who used to be CSO at Salesforce.
📜 In this newsletter...
  • AppSec: Hacking Artifactory guide, combine HTTP API tools, Java RMI for pen testers
  • Web Security: An opinionated web app pen testing methodology, Twitter account for Burp tips
  • Cloud Security: AWS IAM explained, tool to detect common GKE misconfigurations, walkthrough of enumerating and pivoting through an AWS environment, Amazon Detective can analyze how IAM roles are used, mTLS for Amazon API Gateway
  • Fuzzing: Fuzzing workshop material from EkoParty
  • Red Team: Using VMs to persist and evade detection, Terraform modules to spin up offensive infrastructure
  • Politics / Privacy: Service that scans a provided URL for trackers, China's snooping on important people around the world, the dumpster fire that is U.S. politics
  • OSINT: Tool to download exposed .git directories, a list of subdomains for public bug bounty programs
  • Misc: How to effectively communicate after a breach


AppSec

Artifactory Hacking Guide
Nice overview by Guillaume Quéré: default users and passwords, checking account permissions and listing users, high severity known vulnerabilities, post exploitation, and how to defend it.

New project by Daniel García that aims to make it easy to integrate HTTP API tools into execution chains, where the output and input of each is JSON, so you can pipe things together like *NIX tools. This approach reminds me of Daniel Miessler’s approach in his Red Team Village talk, Mechanizing the Methodology.

Java RMI for pentesters: structure, recon and communication (non-JMX Registries)
Łukasz Mikuła describes what RMI (Remote Method Invocation) interfaces are (tl;dr: expose Java RPC calls over the network), how to build one from source, what info you can learn about an RMI interface using an Nmap scan, how to build an RMI client, and the typical issues and stack traces you encounter when dealing with RMIs and what they mean.

Web Security

An opinionated guide on how to conduct a web application security assessment by NCC Group’s Tanner Prynn covering a range of topics including application mapping, reviewing the design, authentication and authorization, frontend attacks, input handling, & cryptography.

@Mastering Burp Suite Pro
Twitter account full of Burp tips by Nicolas Grégoire, creator of a popular Burp Suite training course.

Cloud Security

AWS IAM explained for Red and Blue teams
Nice overview by Federico Lago.

A tool to detect a set of common Google Kubernetes Engine misconfigurations.

Exploiting fine-grained AWS IAM permissions for total cloud compromise: a real world example (part 1/2)
Nice write-up by Federico Lago describing a testing flow: Hadoop instance with an exposed unauthenticated ResourceManager service -> RCE with Metasploit -> AWS access keys in core-site.xml -> enumerate permissions with enumerate-iam -> check for privilege escalation with -> enumerate S3 buckets you can read -> more AWS creds, and more.

Amazon Detective introduces IAM Role Session Analysis
“Amazon Detective now analyzes IAM role sessions so that you can visualize and understand the actions that users and apps have performed using assumed roles. Detective enables you to answer questions such as “which federated user invoked APIs that are associated with a security finding?”, “what API calls did a user invoke across a chain of role assumptions?”, “What API activity did an EC2 instance perform?” and “which of my users use this cross-account role?”, all without manually analyzing CloudTrail logs.”

Introducing mutual TLS authentication for Amazon API Gateway
“AWS is introducing certificate-based mTLS authentication for Amazon API Gateway. This is a new method for client-to-server authentication that can be used with API Gateway’s existing authorization options.”


Fuzzing

EkoParty Advanced Fuzzing Workshop
Exercises and slides by Antonio Morales.

Red Team

Beware of the Shadowbunny - Using virtual machines to persist and evade detections
Johann Rehberger describes an attacker tactic of deploying a VM on a target host to pivot, provide persistence, and at the same time evade detection.

Offensive Terraform
Terraform modules to automatically exploit certain AWS scenarios, like copying a publicly exposed EBS snapshot, spinning up a Lambda to exfiltrate an AWS temporary credential, and more.

Politics / Privacy

Blacklight by The Markup
Blacklight is a service that visits a provided URL with a headless browser and identifies ad trackers, third-party cookies, and session recording services, and reports whether the site captures keystrokes and whether certain Facebook or Google analytics are present on it.

The data dump that reveals the astonishing breadth of Beijing’s interference operations
China is systematically gathering information on politically or otherwise important people around the world so that they can influence them. Not surprising, but concerning. See relevant snippets on the blog.

The Dumpster Fire that is U.S. Politics
It seems almost impossible to even keep track of current events, but here are a few things that happened recently: the NY Times obtained two decades of the President's tax returns and deep dived into what they found, the 2016 Trump campaign paid for Facebook ads to discourage 3.5 million black Americans in battleground states from voting, the first debate was a $*@#-show. More details on the blog.



OSINT

By Liam Galvin: Downloads git repositories and extracts their contents from sites where the .git directory has been mistakenly uploaded. It can still recover a significant portion of a repo even where directory listings are disabled.

HunterSuite Assets
A list of subdomains for publicly listed programs.


Misc

A framework for effective corporate communication after cyber security incidents
Paper by academics that lays out a framework for how organizations should communicate after a security incident. The paper has some great overview figures, so I pulled them out into a quick summary blog post.

Thanks for reading!




Copyright © 2020 Practical Program Analysis, LLC, All rights reserved.
