- In [PDF], Mark Thompson and Hassan Takabi of the University of North Texas take a look at the effectiveness of a threat modelling game, . They find that students generally enjoy the game and say that it’s useful – which is more than you can say for many security exercises! – and that it does seem to be mildly effective in raising participants’ scores on a quiz covering the OWASP Top 10. However, they also find that the participants found the exercise confusing, and struggled to map the game back to real-world scenarios. So, it looks like there’s now a bit of proof that these sorts of games really are useful, but that work remains to find ways to make ‘em more effective.
- Zane Lackey takes a look at [Slideshare]. Zane’s been doing the DevSecOps (SecDevOps? OpSecDev?) before it had a (terrible) name, and knows some things. His advice is golden.
- is a curated, machine-readable database of Python security vulnerability data. Looks like it’s what uses to notify you about known security vulnerabilities.
- Over on the sysdig blog, Mark Temm’s is a great introduction to a whole bunch of related security tooling: seccomp, seccomp-bpf, SELinux, AppArmor, Auditd, and Falco.
- For the last couple of weeks I’ve been working my way through ’s videos. There’s a whole bunch of video tutorials on “smash the stack”-style attacks, walkthroughs of CTFs, and some websec topics. They’re short, understandable, and build on each other nicely. is a good example of the style and level of content (and a really clear explanation of a recent vulnerability).
- Nike Engineering’s is a secrets management tool built on and AWS. It includes a dashboard and client libraries – nice!
- Apropos of current events, Lesley Carhart has a couple of blog posts worth reading: talks about the issues and challenges inherent in breach attribution, and this week she posted a sort of follow-up, , which digs more deeply into the “how” of studying threat actors. Good expert context to keep in mind if you’re following the news.
What’s this?
This is a weekly roundup of interesting infosec related links, inspired by .
If you’d like to suggest a link for a future roundup, post it to Pinboard tagged with securitylinkspam and I’ll find it there.
Translated from:
Reposted from: http://wtqwd.baihongyu.com/