Sabitlenmiş Tweet
"Penetration Test" is a crazy overloaded term. Important to start w/ discussion of goals and tradeoffs between testers and client team.
English
Patrick Thomas (@[email protected])
2.7K posts
Patrick Thomas (@[email protected])
@coffeetocode
Software engineer to security consultant, now security partner at @Netflix. Infosec pragmatist.
SF Bay Area Katılım Şubat 2010
887 Takip Edilen1.9K Takipçiler
Thanks for the #BSidesSF Semgrep workshop @enncoded @LewisArdern @onefiftyman . You packed a *ton* into 2 hours. Really appreciate the work that went into it.
English
@bsysop @Bugcrowd @ArmanSameer95 @GodfatherOrwa @mzamat123 Congrats man, that's fantastic. Always a pleasure to see you on the other side of the submissions!
English
Buggy Awards 2022: Community Champion🦾
This was absolutely amazing, Thank you @bugcrowd, you are the best ❤️🤟🏻
Congrats to the champions 🥷🏻 -> @ArmanSameer95 @GodfatherOrwa @mzamat123
#BugBounty #InfoSec #Bugcrowd
English
@kb_awholevibe Thanks for the interest! LocoMocoSec talks aren't recorded, but here's the deck: #slide=id.g13a12939f7a_1_5" target="_blank" rel="nofollow noopener">docs.google.com/presentation/d…
English
Woot! Let's do this! I'm really looking forward to sharing this.
LocoMocoSec: Hawaiʻi Security Conference@LocoMocoSec
Patrick Thomas, Senior Security Partner @netflix, is speaking @LocoMocoSec next week! Register now to see his talk 'Productizing Security For Leverage and Scale' on June 30th🤙 ⛵ Waikīkī Marriott Resort 🏝️ O'ahu, Hawai'i ☀️ June 27-30th 🌟 @coffeetocode
English
What can we say, twitter-driven development sometimes works :)
netflix.com/.well-known/se…
Ya'll are good folks. Keep it going!
security.txt (RFC 9116)@securitytxt
Exciting news! @Apple joins the list of companies with a security.txt file. Now, we only need @netflix to complete the FAANG list. 🙌
English
Expanded a bit on this over at @coffeetocode/109382936048032088" target="_blank" rel="nofollow noopener">infosec.exchange/@coffeetocode/…
English
I love formal forecasting exercises (esp those run by @Magoo) because they really force you to slow down consider all the potentially relevant facts, and introspect your biases. FWIW I was 80% here, but I think I was undervaluing the "autopilot" nature of modern CI/CD.
Ryan McGeehan@Magoo
That's what myself and 26 others sought to gather over the weekend. The panel we put together forecasted a 72.8% belief it would happen. Here's the spread of forecasts magoo.github.io/risk-measureme…
English
@leifdreizler I wonder too, but I promised myself I wouldn't spend that much time on it 🙃
English
@coffeetocode I wonder what the stat would be if you compared people that have tweeted vs tooted (is that what mastodon calls a tweet?) in the last two weeks
English
Of the ~950 people I follow on twitter, some hacky profile scraping says that about 60 of those currently have a Mastodon link. So for me that's basically from ~0% to 15% exodus (or at least strongly hedging) in a *week*.
English
@nart_nos @coffeetocode @hez0_ Yep! I mean the best defense is to ensure you just don’t have XSS in the first place, but service workers can be a nice defense in depth approach to protect sensitive data
English
Wrote a new blogpost! Had a great debate last week about where to store session tokens when building a SPA, so I decided to PoC the main strategies and discuss the pros/cons of each: blog.ropnop.com/storing-tokens…
English
@ropnop @coffeetocode I was learning about OAuth, but somehow found myself looking for bypass :D
Riding on this, here's one more (even though the blogpost is dated, but still useful :)):
Headers.prototype.set = function(arg, arg1){alert("Stolen token: "+arg1)};
makeRequest();
English
@clintgibler @csima @DanielMiessler @shehackspurple @RachelTobac @evantobac @Jhaddix @lancinimarco @hashishrajan @securibee @QuinnyPig @ollieatnccgroup @_JohnHammond @mikepsecuritee @hakluke @antitree @ramimacisabird @0xdabbad00 @bubblewire @HelloArbit @barschachner @zanelackey @bryansolari @LewisArdern @astha_singhal @manicode @dcuthbert @0xine @__muscles @txs Congrats Clint! You're such an amazing example of everything that's great about this community. Know that you're helping a lot of people.
English
@csima @DanielMiessler @shehackspurple @RachelTobac @evantobac @Jhaddix @lancinimarco @hashishrajan @securibee @QuinnyPig @ollieatnccgroup @_JohnHammond @mikepsecuritee @hakluke @antitree @ramimacisabird @0xdabbad00 And finally, to the friends whose encouragement has kept me going when it feels like it's too much work:
@bubblewire, @HelloArbit, @coffeetocode, @barschachner, @zanelackey, @bryansolari, @LewisArdern, @astha_singhal, @manicode, @dcuthbert, @0xine, @__muscles, @txs, ...
English
tl;dr sec is now over 12,000 subscribers 🎉 🤯
Thank you everyone for the kind words and encouragement along the way 🙏
New to tl;dr sec?
Get the latest and greatest security research right in your inbox 👇
tldrsec.com
English
Hah, this makes me feel so much better about my small pile of aborted "I think I should write something about..." drafts.
Troy Hunt@troyhunt
Know how many blog posts I start writing but never finish? *HEAPS*! Sometimes the story just doesn't work out as expected, sometimes I calm down and change my mind, other times... I'm a busy guy 🤷♂️ Are there any here I really should finish?
English
Patrick Thomas (@[email protected]) retweetledi
I don’t think there’s a SOC2 rule against banking 50 pre-approved empty PRs for future use.
English
When looking at a big backlog of known work we want to drive, it's *so easy* to just group into themes and call it good. I can think of times I've done that which really, really would have benefitted from asking if the framing leads to an ability to confidently prioritize. 2/2
English
Someone asked today "Is that list of 'goals' *really* a list of goals, or just a some themes of work?"
I *love* that question & the insight behind it. True "goals" help prioritize among possible work, themes really don't. 1/2
English
Patrick Thomas (@[email protected]) retweetledi
Chrome was delivered without any sprints at all. The team came in at 9 and left at 5 (figuratively, people actually kept their own ~8h schedules) every workday for a couple years like clockwork. No drama. No broken marriages, no broken families.
Hadi Partovi@hadip
Sadly, there were divorces and broken families and bad things that came out of that. But I also learned that even at a 20,000-person company, you can get a team of 100 people to work like their lives depend on it.
Tustin, CA 🇺🇸 English
@caseyjohnellis @timb_machine @UK_Daniel_Card Hah, funny you mention that. @ramimacisabird was saying that the other day, and we've been talking about what an updated, more thoughtful/communicative view would look like. What aspects looking most wrong or dated to you now?
English
@timb_machine @UK_Daniel_Card @coffeetocode full credit to @coffeetocode for kicking off this train of thought with this slide <3
(that said, i don't think it has aged particularly well)
English
Congrats to @Resourcely! Clear, exciting product vision at that critical touchpoint of developer velocity, security, and cloud resources.
Very pleased to have joined this round, and looking forward to seeing where @travismcpeak and @0xshellrider take this idea.
Resourcely@Resourcely
Hello world! We're on a mission to make cloud security easier for users. See our funding announcement (techcrunch.com/2022/07/26/res…) and blog post (resourcely.io/post/introduci…) for more details. We're #Hiring!
English
@deciban Ohhhhh, yes! I remember when TurboIntruder came out, but it didn't stick properly in my brain. I gotta go play with it now. Thanks!
English
@coffeetocode Still janky. Burp is becoming a good platform for such generic tool, but none exists yet.
portswigger.net/research/turbo… github.com/malucart/Timin…
English
Web timing attacks: super cool in principle, still super janky in practice. Seems like TimeTrial (github.com/dmayer/time_tr…) and Nanown (code.blindspotsecurity.com/trac/nanown/) still best tools, but really janky to get running & require a known-good case. Anyone got suggestions? Banging my head.
English