Airman

Reading this, I realized I didn’t understand #Unicode at all tonsky.me/blog/unicode/

I've been working on a new project. Introducing #HackerFrogs AfterSchool 🐸🏫 , a new #cybersecurity education course for beginners, covering topics like #websecurity and #Python, and great for taking your first steps into learning #infosec. youtube.com/watch?v=QetdhM… #hackerfrogs

Was looking into #SameSite cookies as protection against #CSRF, here’s a summary of what I’ve learned: airman604.medium.com/do-samesite-co…

@LiveOverflow @0daySecured Portswigger has a lab on this #bypassing-samesite-lax-restrictions-with-newly-issued-cookies" target="_blank" rel="nofollow noopener">portswigger.net/web-security/c…

@airman604 @0daySecured Wohaaa what??? Really? I need to test this. This could change everything 😅

Trick question! Simply don't use session cookies, and instead use "Authorization" header :P But SameSite=Lax/Strict is also fine. fight me. twitter.com/LiveOverflow/s…

@0daySecured @LiveOverflow Mostly, but there’s a 2 minute exception in Chrome - see “What is the Lax + POST mitigation?” here chromium.org/updates/same-s…

@LiveOverflow isn’t SameSite=LAX by default?

@LiveOverflow There’s scenarios where SameSite isn’t enough. portswigger.net/web-security/c…

#OWASPVancouver is ready with another event this February 16th, 6PM to 8PM PST. "Scaling your Application Security program" with @askjeevansingh. Don't miss booking your slot for this amazing opportunity! Link to register: meetup.com/owasp-vancouve… #OWASP #AppSec #infosec

@dildog @thegrugq Switch to Solaris and call it snoop then 🤣

@Baybe_Doll @jmgosney Wondering how password resets interact with MFA.

@kmcquade3 Bitwarden you can host yourself, if that’s your jam.

@kmcquade3 Had good experience with 1Password and Bitwarden.

What do you use for your password manager? If you have tried alternatives, why do you like your current one better than others?

Extremely important #AppSec topic for tech companies and dev teams that is not talked about much. How to focus on the right things to fix and not drown in busywork that doesn't affect the security bottom line? Curious to hear how others approach this. linkedin.com/posts/danloren…

@kelseyhightower +1, and kubectl also supports both - “apply” vs “run”

@OWASP_Ottawa Thanks for hosting me and for all the great questions!

@airman604 is now presenting live to #OWASP #Ottawa on Security Managed #kubernetes #k8s youtube.com/watch?v=AgFwbO…

@lancinimarco FYI - excellent talk on the topic youtu.be/8fnbkZwZsRg

🔖 Terraform as part of the software supply chain Post examining the supply chain aspects of Terraform, starting with a closer look at malicious Terraform modules and providers and how you can better secure them. about.gitlab.com/blog/2022/06/0…

@OWASP_Ottawa Join to watch as I stumble through the demo ;)

#OWASP #Ottawa June Meetup: Securing Managed Kubernetes. Join us as @airman604 focuses on security of managed cloud ##Kubernetes clusters. Learn the K8s threat model and actionable recommendations for securely running workloads. #appsec #security meetup.com/OWASP-Ottawa/e…

@Frichette_n FYI - also on the topic youtu.be/8fnbkZwZsRg

To my knowledge, the three ways to do this would be via either local-exec, creating your own module, or via external providers.

A lot of good knowledge here on the security of Terraform. For offensive security teams, I highly recommend you take a look at how your organizations are using it. There is a ton of attack surface there given the right circumstances.

Startup #Security Baseline (SSB) from #AWS docs.aws.amazon.com/prescriptive-g…

@Defcon604 is hosting a free hands on workshop this Thursday based on the amazing #Hacking the #Cloud (@Frichette_n) CI/CDon't #CTF, details and registration here: meetup.com/defcon604/even…

@InsanityBit This tweet is so important to understand for everyone involved in #AppSec and/or blue team.

wtf do you do here? Like, you can keep getting back onto the box, but there's no straightforward way to actually communicate out. You can attempt privescs, but you have no idea why things fail since you have no logs.

Attackers - you have a supply chain "rce" into a project. The svc deploys with no external internet access, runs in a docker container, can only communicate to a few internal services, and all comms are mTLS. The instance is rotated daily. You can exploit reliably, repeatedly.