ray

So I have a mastodon account now. I haven't really been using Twittter much lately. hit me up @raybeorn" target="_blank" rel="nofollow noopener">infosec.exchange/@raybeorn

@glumGPT @koronkowy Yeah lacey is cool

She’s naughty, I’m nice! I love Lacey @koronkowy- we were mutuals for like 6 years before I met her IRL 🥲 She’s available and looking for work by the way- who’s hiring for technical sales roles in cyber? If you don’t have anything, it would mean a lot if you could RT !

@Jo3Ram But yeah secure design decisions are key

@Jo3Ram OSS usually requires a lot of time to set up properly. Most need rotisserie gold solutions, just set it and forget it

“AMA - I built a cybersecurity agency in a week, so you can totally trust me and hand over your source to an unknown entity” Folks, just use the god damn OSS security tools out there and make good design decisions. Shipping fast doesn’t need to compromise security.

@thatsjet @shehackspurple I have been using software for a long time, i can’t say that things have gotten worse but it hasn’t gotten better. The business incentives aren’t there

@thatsjet @shehackspurple What is this quality thing you speak of?

What should the ratio be between software developers and security professionals?

@shehackspurple I think it is dependent on the development culture. Some might need more security support others might need less

@Jo3Ram Its very rare where there is a product out there that surprises me

I’m very much in-tune with the vendor space. If I want your stuff, I will come to you. If not, pestering me to the limit will make me forever resent your company regardless of how much I like the product.

Look, Semgrep is cool and I have a lot of respect for my friends that work there. I also get the sales environment is difficult. If I didn’t respond to the previous 7 emails and my peers didn’t respond, calling my personal phone 7+ times was irreparable. Leave me alone.

@glumGPT @BSidesPDX The badge is pretty cool tho. Gotta love the squach themes they always provide

@glumGPT @BSidesPDX I am but only on Saturday

Who’s going to @BSidesPDX ?

@Jo3Ram I’ll hit you up next week and we can figure something out

@Raybeorn Everyone is in security, but across a variety of domains. A good portion are focused on code security/devs.

InfoSec Peeps: I’m planning on putting together a speaker series at my org where I want to invite experts from the outside to give their opinions on a domain space that they operate in. Any topic, just no vendor pitches. If that’s something that interests you, send me a DM 📧

@Jo3Ram Is it devs or security people or both?

@Raybeorn Always happy to bring you in front of my crew ❤️

@shehackspurple @sec_tigger @0xTib3rius @OWASPTop10 @owasp

@Raybeorn @sec_tigger @0xTib3rius @OWASPTop10 @owasp That's a very cool idea Ray

Call for data for the next @OWASPTop10 ! At @owasp global AppSec in San Francisco! With @sec_tigger 🥳

@sec_tigger @0xTib3rius @shehackspurple @OWASPTop10 @owasp Hey avi, the data is there for anyone to look at? If so, then someone could make a top 10 vuln list if they wanted?

@0xTib3rius @Raybeorn @shehackspurple @OWASPTop10 @owasp 😂

@0xTib3rius @sec_tigger @shehackspurple @OWASPTop10 @owasp Do you work with a lot of devs directly? I do, i prefer this approach better compared to the 2013 version which was calling out specific vulns. But i could be wrong

@0xTib3rius @sec_tigger @shehackspurple @OWASPTop10 @owasp It literally says top 10 web application security risks. No where does it say the top 10 vulns on their page ( with a quick ctrl + f search )

@0xTib3rius @sec_tigger @shehackspurple @OWASPTop10 @owasp That is why it doesn’t have 11 items on it

@0xTib3rius @sec_tigger @shehackspurple @OWASPTop10 @owasp It is literally a top 10 dude

@0xTib3rius @sec_tigger @shehackspurple @OWASPTop10 @owasp It’s an awareness doc for devs about things they should be concerned about. I think it kinda has just out grown being about vulns. When it was about vulns it wasn’t very helpful to people actually fixing shit. Plus who fucking cares.

With respect, that makes no sense. The issue isn't data collection, it's how you process it and decide to generate the Top 10. You used to have actual vulnerabilities in the Top 10. Now it's mostly categories of vulnerabilities. It's not a "Top" 10 anymore, it's 10 categories that cover 99.99% of vulns, if not 100%, thanks to "Insecure Design". Make it an actual Top 10 again.

@endingwithali I think just changing the admin password is enough. Most people should be fine.

When you set up a new home router, what are some of the first things you do to secure it (beyond changing the password)? (PS its for a video)