allies and enemies, my GOTO Chicago keynote is now up for you to enjoy https://www.youtube.com/watch?v=AxqX9ovGViw
it covers my #resilience potion recipe, the five ingredients that matter for systems resilience, and how we can nurture them across the software delivery lifecycle
…and, ofc, where we can sprinkle in some chaos
hoping it inspires software engineers to extend existing practices / tools not only to sustain systems resilience but also make attackers miserable ✨
#resilience #chaosengineering #devops #appsec
A week ago (~) I wrote about research I did on #LLM and #prompt Injection attacks.
The research highlights are at: https://brightsec.com/blog/llm-prompt-injection/
The cool thing is that now at @Brightsec we have added this as a whole new test to our platform!
This is a very cool shiny #AppSec test that I am very happy to see coming from research into full feature
"SVG Security Risks - not just a scalable graphic"
https://www.securesystems.de/blog/svg-security-risks-not-just-a-scalable-graphic/
#webdev #svg #appsec #security
Anyone have a good ELI5 reason for not allowing a SaaS to be embedded in an iframe? ie... why disabling CSRF protection is a bad thing.
I’ve released more GitHub :github: Secret 🔑 Scanning 🔎 custom patterns, which you can use with Advanced Security.
Some are 🔥 (IMHO), some are for auditing only - e.g. my “common passwords” pattern, written to spot some of the most commonly leaked weak passwords - “P@55word123!” etc.
We have DataDog, Sentry, .Net configs, MS SQLServer user creation, and Bearer tokens.
https://aegilops.github.io/posts/new-github-secret-scanning-custom-patterns/
#github #secretscanning #appsec #sdlc #regex
I’ve released more GitHub :github: Secret 🔑 Scanning 🔎 custom patterns, which you can use if you have Advanced Security.
Some are 🔥 (if I say so myself), some are for auditing only - e.g. my “common passwords” pattern, written to spot some of the most commonly leaked weak passwords - “P@55word123!” and the like.
We’ve got DataDog, Sentry, .Net configs, MS SQLServer user creation, and Bearer tokens.
#GitHub #SecretScanning #AppSec #SDLC #SecretsManagement #regex
Bloody fucking hell!
Yet another SQL injection in #MOVEit: https://securityaffairs.com/148252/security/moveit-transfer-critical-flaw.html?amp=1
SQLi is probably the easiest vulnerability to avoid in #AppSec! Have these people never heard of prepared statements?
#cybersecurity #infosec #appsec #moveit
@ovid and other Perl :perl: mongers. What, if anything, do you use for code security?
I know that using taint gets you far, but SAST is mostly what I’m thinking (especially for legacy code without taint). Any tips?
Does Perl::Critic do a decent job, and is there a list of what its security policy and 3rd party plug-ins cover?
Other OS SAST I found are: https://github.com/htrgouvea/zarn and this grep-based one: https://github.com/wireghoul/graudit
Are they OK?
#sast #perl #appsec #codesecurity #perlcritic
Listened to a very interesting ep. of the We Hack Purple podcast on AI in security space today. Focusing both on AI as a tool for appsec, but also the new attack vectors that AI models open up. Fascinating stuff!
https://wehackpurple.com/podcast/episode-78-with-jason-haddix/
Are you into #mathematics?
Do you know #students that still look for a subject to graduate on?
Assign them to implement #Ed25519 in #Erlang.
I was informed that the #Elixir community will thank you.
Would be great if the #AppSec community like #WeHackPurple and friends could spread the word!
#wehackpurple #appsec #elixir #erlang #ed25519 #students #mathematics
Additionally, it comes with some handy features such as basic Parameter Guessing, Proxy Configuration, Throttling, Exclusion for certain strings, Non-Headless mode, ...
PSA: I only tested it on macOS Ventura for now.
(3/3)
Microsoft :microsoft: have an open job for a Security Program Manager for Open Source.
“Help us solve open source security challenges at scale, both for the company and the world. If you live at the intersection of open source, software engineering, security, and making things happen, please take a look… [It] is US-based, but…up to 100% remote”
https://jobs.careers.microsoft.com/global/en/job/1575779/Senior-Security-Program-Manager
#jobs #sdlc #appsec #opensource #OpenSSF #security #CodeQL
So, there are formal security considerations on how to implement "OAuth 2.0 for Browser-Based Apps" using Service Workers.
But if you actually decide to go down this rabbit hole, you definitely would want to functionally test your solution THOROUGHLY for ALL browsers. 🫠
#OAuth #OIDC #SSO #AppSec #webdevelopment
(4/4)
489 - AppSec Ezine
https://github.com/Simpsonpt/AppSecEzine/blob/master/Ezines/489%20-%20AppSec%20Ezine
"Testing GraphQL APIs"
#graphql #appsec #websec #security
Originally posted by The Hacker News / @TheHackersNews: http://nitter.platypush.tech/TheHackersNews/status/1674370365294772225#m
Don't let unexpected vulnerabilities delay your app launch! Implement Static Application Security Testing (SAST) early in development to avoid surprises, launch delays, and risky software releases.
Learn how to simplify your #AppSec workflow: https://thehackernews.com/2023/05/what-to-look-for-when-selecting-static.html
Just published: Some quick competitive analysis about @hashicorp 's acquisition of #blubracket.
Upshot: potentially sets the stage for increased competition between #HashiCorp #Vault and #Microsoft Defender, #GitHub and existing #SAST / #containersecurity tools.
#DevSecOps #secretsscanning #secretsmanagement #cybersecurity #appsec #applicationsecurity #cloud
https://www.techtarget.com/searchitoperations/news/366542881/HashiCorp-Vault-to-expand-in-DevSecOps-with-BluBracket-buy
#blubracket #HashiCorp #vault #microsoft #github #sast #ContainerSecurity #devsecops #secretsscanning #SecretsManagement #cybersecurity #appsec #applicationsecurity #cloud
Originally posted by The Hacker News / @TheHackersNews: http://nitter.platypush.tech/TheHackersNews/status/1672195292718874628#m
Secrets management is the overlooked elephant in the #AppSec room.
A recent study by @GitGuardian found that 75% of IT decision-makers reported secret leaks from applications, causing issues for companies.
Read about this here: https://thehackernews.com/2023/06/over-half-of-security-leaders-lack.html
Originally posted by The Hacker News / @TheHackersNews: http://nitter.platypush.tech/TheHackersNews/status/1671487881242906625#m
Don't let unexpected vulnerabilities delay your app launch! Implement Static Application Security Testing (SAST) early in development to avoid surprises, launch delays, and risky software releases.
Learn how to simplify your AppSec workflow: https://thehackernews.com/2023/05/what-to-look-for-when-selecting-static.html