Radar #13: Week of 1/27/2025

Graham

A shorter post this week for reasons that will become obvious in the near future.

Show Not Tell

Lately, I've been putting a lot of thought into offensive security. There are so many useful areas of security, such as GRC, security operations, and detection engineering. Why am I so drawn to offensive security when other security domains are just as (if not more) important to a company's security posture?

When done right, offensive security is the most visceral way to prove a point. No abstractions, no assumptions, no spreadsheets. A well-executed offensive security engagement doesn't need supporting evidence, compliance frameworks, or kanban boards to prove a risk is real, because the risk has been realized the moment data has been exfiltrated.

An academic paper, risk scorecard, or AI tool can show the same risk for less work, making it much cheaper in both time and resources. But it's not real - not until your files are replaced with a Bitcoin address and a ransom note appears on your desktop. The former makes your eyes glaze over; the latter makes your heart drop. Which one is more likely to motivate change?

Offensive security shouldn't have to exist, but humans are flawed, and humans run companies (for now). As long as that holds, offensive security will remain the best way to show risk.

Hacking Kubernetes

Do you want to learn how to hack Kubernetes? In line with the "Show Not Tell" mentality, I will be doing two hours of live Kubernetes hacking at Red Team Village on February 8th, 2025. It will be streamed live on YouTube. You should stop by.

Additionally, if you're thinking of attending HackSpaceCon 2025 I will be giving a talk called "A Peek into Offensive Kubernetes Operations". Both will be fun. Many Kubes were harmed in making these presentations.

Caught My Eye