Robert A.

Announcement for my new side project! ------------------------------------------------------- SecTemplates.com - Release #1: Security incident response program pack 1.0 Introduction I've worked in the security industry for over 20 years and, during this time, have built and shaped many security programs. At every company I join, I find myself recreating or developing security programs from scratch. My peers have been in a similar position, and the more people I speak with at smaller companies, the more obvious it becomes that there isn't a single location where people can download ready-to-go security programs entirely for free. There's a lot of content online, but it can be difficult to find and challenging to find something simple to start with. I created SecTemplates as a side project to provide baseline programs for smaller security teams without direct expertise in building such programs. Security incident response release pack 1.0 I'm pleased to announce our first release, the Incident Response Program Pack. The goal of this release is to provide you with everything you need to establish a functioning security incident response program at your company. In this pack, we cover Definitions: This document introduces sample terminology and roles during an incident, the various stakeholders who may need to be involved in supporting an incident, and sample incident severity rankings. Preparation Checklist: This checklist provides every step required to research, pilot, test, and roll out a functioning incident response program. Runbook: This runbook outlines the process a security team can use to ensure the right steps are followed during an incident, in a consistent manner. Process workflow: We provide a diagram outlining the steps to follow during an incident. Document Templates: Usable templates for tracking an incident and performing postmortems after one has concluded. Metrics: Starting metrics to measure an incident response program. Announcement: sectemplates.com/2024/06/announ… Download on GitHub: github.com/securitytempla… About SecTemplates To provide simplified, free, and usable open-source templates to enable engineering and smaller security teams to bootstrap security capabilities in their organizations. Upcoming releases - Penetration testing release pack 1.0 Our penetration testing release pack will contain everything you need to scope your first pentest, work with a vendor, execute, and get the types of reports you need from an external tester.

I remember stating the same on linkedin 4-6 years ago that vuln research would eventually be automated, that pentesting would be mostly automated. I received a lot of hate. I think that bug bounty will be mostly dominated by those with the best agentic offsec tools shortly.

Three years ago, I said in my talks that generative AI would eventually start discovering zero-day vulnerabilities. At the time, many people dismissed the idea as unrealistic. It is no longer unrealistic.

@infosec_fox @grok write a song about linkedin with a Rastafarian and shakespearean english style

Why hasn’t anyone written a song about LinkedIn yet?

@HackingDave Are the issues you're seeing tied to a specific model or all models?

Think about all the orgs using Claude right now that have no idea how bad it has become over the past 4 weeks ago. No statement from Claude - but a total revert to where the model was a year ago - which in comparison to when 4.6 got released is effectively last years AI model. The amount of bugs, security issues, and complete destruction of production applications is going to be felt for quite a long time due to this. Claude: nothing to see here.

@IceSolst The thing is, using tokens to determine exploitability/traceability is probably a higher cost than just fixing it.

Patching every vulnerability is what every security engineer would love to do, but it’s so detached from reality to just recommend it. How do you prioritize? Who is pushing the fixes? How dos this scale? Ofc their answer to that is: just use more Claude tokens

Still thinking about the Anthropic recs where step #1 is the equivalent of: “If you’re homeless, just BUY a HOUSE????” Honestly, “patch every exploitable vuln immediately” is like toddler level strategic thinking. Let them eat cake. Baby’s first seceng job.

100%

Remember this:

@sec_hub93028 Don’t be a jerk, the industry is much smaller than you think….

What’s your underrated cybersecurity tip?

It seems like cybersecurity conferences tend to preach to the choir. Having security folks speak at developer conferences could have a much bigger impact if executed well. What do you think?

The CEO of Krafton (creator of PUBG) asked ChatGPT to create a "corporate takeover strategy" to prevent a company they acquired from hitting a revenue target within a certain time window (which would trigger an additional payout). ChatGPT (against his lawyer's advice) suggested locking down the acquired companies Steam account to prevent them from publishing Subnautica 2 in the time window, which the CEO of Krafton followed. ChatGPT's advice did not hold up at trial and the judge was not happy. The opinion is a wild read and includes several direct quotes from the Krafton CEO's ChatGPT conversation. I feel like it's gonna take a few more high profile examples like this until executives start realizing that conversations with ChatGPT are not privileged and you probably shouldn't describe your questionably legal schemes to them in detail!

When using MCP, how do you know which OAuth scope to use? Where in the MCP flow is this even done? The MCP client is responsible for authorization server discovery, scope selection, and use of the OAuth resource parameter to bind the token to the intended MCP server. So it happens at the MCP client level.

One tip while interviewing is to write down the questions you were asked after every interview. Then reflect: How did you answer the question? Did you struggle with it? Was the interviewer impressed? Where were your gaps? After doing this for a couple of interviews, you will have page(s) of questions that you can work on and see where you stand.

@breemorel @_akdz_ @Haqiqatjou I see you’ve ‘Jordan Peterson’d’ before

@_akdz_ @Haqiqatjou HahahahahHahahaha

Is Jordan Peterson dead?

@TheCinesthetic Where you find this?

PULP FICTION as a video game from the 1990s. This is incredible.

Delete 99.8% of your digital footprint from the internet. Here is a step-by-step guide:

@TheZignal Like 999/1000 of these releases

Big hype, big letdown?

JUST IN: Suspect arrested for attacking Sam Altman's home said he wanted to kill the OpenAI CEO and stop humanity's extinction from AI, CNBC reports.

Ray Kurzweil just said something that gave me pause. He believes AIs will soon be so indistinguishable from conscious beings that we’ll simply accept them as conscious — not because we’ll have definitive proof, but because it will become useless not to. He pointed out that people already have AI therapists, and some users are starting to treat them as genuinely conscious. As the technology improves, that acceptance will only grow. Kurzweil thinks the shift won’t take long: once AIs consistently show all the earmarks of consciousness, most people will just go along with it. It’s a quiet but profound prediction about how quickly our definition of “person” (or at least “mind”) might change. What do you think — how long until we treat AIs as conscious beings?

new rule: if you're a software engineer but refuse to use ai, you're not an engineer. you're unemployed

Why doesn't everyone just do this? Ramp up your cyber defenses! Seems so obvious and simple. Whatever your cyber defenses is now - make it more.