• In [PDF], Mark Thompson and Hassan Takabi of the University of North Texas take a look at the effectiveness of a threat modelling game, . They find that students generally enjoy the game and say that it’s useful – which is more than you can so for many security exercises! – and that it does seem to be mildly effective in raising participants’ scores on a quiz covering the OWASP Top 10. However, they also find that the participants found the exercise confusing, and struggled to map the game back to real-world scenarios. So, it looks like there’s now a bit of proof that these sorts of games really are useful, but that work remains to find ways to make ‘em more effective.
• Zane Lackey takes a look at [Slideshare]. Zane’s been doing the DevSecOps (SecDevOps? OpSecDev?) before it had a (terrible) name, and knows some things. His advice is golden.
• is a curated, machine-readable database of Python security vulnerability data. Looks like it’s what uses to notify you about known security vulnerabilities.
• Over on the sysdig blog, Mark Temm’s is a great introduction to a whole bunch of related security tooling: seccomp, seccomp-bpf, SELinux, AppArmor, Auditd, and Falco.
• For the last couple of weeks I’ve been working my way through ’s videos. There’s a whole bunch of video tutorials on “smash the stack”-style attacks, walkthroughs of CTFs, and some websec topics. They’re short, understandable, and build on each other nicely. is a good example of the style and level of content (and a really clear explanation of a recent vulnerability).
• Nike Engineering’s is a secrets management tool built on and AWS. It includes a dashboard and client libraries – nice!
• Apropos of current events, Lesley Carhart has a couple of blog posts worth reading: talks about the issues and challenges inherent in breach attribution, and this week she posted a sort of follow-up, , which digs more deeply into the “how” of studying threat actors. Good expert context to keep in mind if you’re following the news.

• 在 [ PDF ]，北德克萨斯大学的Mark Thompson和Hassan Takabi考察了威胁模型游戏的有效性。 他们发现学生通常会喜欢这款游戏，并说它很有用–在许多安全练习中，它比您所能拥有的更多！ -在OWASP Top 10的测验中提高参与者的分数似乎确实有效。但是，他们还发现参与者感到练习令人困惑，并且难以将游戏映射回现实场景。 因此，似乎现在有证据表明这类游戏确实有用，但仍需努力寻找使游戏更有效的方法。
• Zane Lackey介绍了 [Slideshare] 。 Zane一直在使用DevSecOps（SecDevOps？OpSecDev？）之前，曾有一个（可怕的）名字，并且知道一些事情。 他的建议是金。
• 是经过 ，机器可读的Python安全漏洞数据数据库。 看起来用来通知您已知的安全漏洞。
• 在sysdig博客上，Mark Temm的是对一大堆相关安全工具的绝妙介绍：seccomp，seccomp-bpf，SELinux，AppArmor，Audit和Falco。
• 在过去的几周中，我一直在研究的视频。 关于“粉碎堆栈”式攻击，CTF演练以及一些Websec主题，有一堆视频教程。 它们简短，易于理解，并且可以很好地相互构建。 是内容样式和级别（很好地说明了最近的漏洞）的一个很好的例子。
• Nike Engineering的是基于和AWS的秘密管理工具。 它包括一个仪表板和客户端库–太好了！
• 关于当前事件，莱斯利·卡哈特（Lesley Carhart）有几篇博客文章值得阅读： 讨论了违规归因所固有的问题和挑战，本周她发布了一种后续文章， 它更深入地研究了威胁行为者的“方式”。 如果您关注新闻，请牢记良好的专家环境。

翻译自: