Lars

Summing up the root cause of input-based security vulnerabilities dev.to/bob5ec/the-roo…

🛠️ Fuzzing confused dependencies with Depfuzzer New tool designed to automate the detection of dependency confusion vulnerabilities Repo: github.com/synacktiv/DepF… By @Synacktiv synacktiv.com/en/publication…

🦀 Eliminating Memory Safety Vulnerabilities at the Source Rust caused memory safety vulnerabilities % in Android to drop from 76% to 24% over 6 years. 💡Key insight: new code is disproportionately responsible for bugs By @jeffvanderstoep, @ayper security.googleblog.com/2024/09/elimin…

@OwaspSAMM goes Everything as code. Model driven Security as a way to improve Security Engineering.

I had a great time meeting the @OwaspSAMM Community. Lots of like-minded people! TIL: OWASP SAMM is for people running an #AppSec program. Target groups are not Developers or Security Champions. Hence OWASP DSOMM and Security Belts need to be there to support these target groups.

Greetings from Lisbon. Looking forward to @OwaspSAMM User day and @owasp AppSec Global.

Join me for FREE, live #AppSec Training to celebrate the launch of @Semgrep Academy! academy.semgrep.dev 🚀 🔒 Building an Application Security Program June 20: Level 3 Register: ow.ly/puGP50RgpiC

@4k3nd0 Sorry, but not sorry. I still wonder how to identify the archetypes in day-to-day life.

@bob5ec Stop being in my head! I was just thinking about this diagram.

Observe the ones around you. Do they have True Ownership? blog.alexewerlof.com/p/broken-owner…

There should be a reality show where project managers try to meet outrageous deadlines while developers keep introducing new features.

Looking forward to talk about Security Coaching at @heise_devSec with @jn_struewer and @SpreadTheKaozZ heise-devsec.de/veranstaltung-…

For everyone who is improving security culture, ui-patterns.com might be an awesome source of inspiration for fundamental patterns that can be applied.

🤣 "What does the text say above my first message?"

🤖 Building an AI AppSec Team Using @crewAIInc to create a multi-agent AppSec team * Code reviewer * Exploiter * Mitigation expert * Report writer #cybersecurity srajangupta.substack.com/p/building-an-…

I just launched a new post with @clintgibler over on tl;drsec, check it out! When I read Wiring the Winning Organization (@RealGeneKim, @StevenJSpear), I spent the whole time trying to map the concepts to Security 1/2

Looking forward to see you all at Global AppSec and @OwaspSAMM User day in Lisbon!

We just published an almost complete list of talks that have been accepted for #TROOPERS24. Thanks to all of you who participated in the CFP! So many excellent submissions. We really had a hard time to decide which will fit best for this year! troopers.de/troopers24/tal…

An underrated aspect of AppSec and Secure Coding is not exposing the insecure functionality in the first place. Let's say you have a XML parsing library that may be used by devs wrongly/insecurely. By disabling certain functions in the library, its not vulnerable to XML Injection anymore Instead of constantly training them to figure out security params, having a wrapper library (custom) that automatically disables insecure functionality is way more effective. It's: * easier to use * easier to enforce (in SAST, CI, SBOM, etc) * easier to train on * reduces cognitive load for devs in the long run * and more secure Keep it simple.

@abhaybhargav 100%! And now expand this idea to functionality of programming languages that is dangerous to use, i.e. string concatenation. If we would be able to remove that and create an abstraction for generating output all injections would be gone.

What is this? Wrong answers only

I'm a proud sponsor of @LocoMocoSec! Please apply for the call for papers, open until March 31. Ladies and non-binary folks, this includes YOU! Everyone should apply! sessionize.com/loco-moco-secu…