Fabio Cerullo

11K posts

@fcerullo

CEO @cycubix | Volunteer @owasp | Senior Instructor @isc2

Dublin, Ireland · Joined May 2007
4.5K Following · 1.8K Followers
Fabio Cerullo@fcerullo·
Good thread 👏 I'd add something key: in a multi-tenant setup with a shared schema, RLS in Postgres is a great layer of defense. Relying on WHERE org_id = ? works... until there's a bug or a SQL injection. Without RLS → you can leak data from every tenant. With RLS → the DB limits access even if the query is compromised. It doesn't replace good practices like parameterizing your queries, but it greatly reduces the impact.
Tomás Malamud@tomasmalamud·
When I was starting @lapyme_ar, I faced the question of how to handle multi-tenancy in Postgres for the companies. A few days ago @PlanetScale published a very good article explaining the 3 approaches:
- Shared schema: the most basic. Same DB, same schema, and in every table a `tenant_id` or `org_id` attribute that separates each tenant's data
- Schema-per-tenant: instead of having `public` for all tenants, you have a schema and tables for each one
- Database-per-tenant: where each tenant has its own logical database, schema, and tables
The one @PlanetScale recommends, and the one La Pyme uses, is the simplest: shared schema. All queries simply carry `WHERE org_id = ?`. And no RLS. All the tenant "isolation" logic lives in the application, not in the DB.
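As an added example (not code from either post above, and not La Pyme's or PlanetScale's), this is what the defense Fabio describes looks like in Postgres: the same shared-schema table with the application's `WHERE org_id = ?` filter, plus a row-level security policy so that a query that loses the filter still cannot cross tenants. The table, column, role and setting names (`invoices`, `org_id`, `app_user`, `app.current_org`) and the sample UUID are assumptions for illustration.

```sql
-- Shared-schema multi-tenant table: every row carries the tenant key.
-- (Example schema, not from the thread.)
CREATE TABLE invoices (
  id      bigserial PRIMARY KEY,
  org_id  uuid    NOT NULL,
  amount  numeric NOT NULL
);

-- The application connects as a plain role, never as superuser or table owner:
-- both of those bypass RLS unless it is forced (see below).
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;
GRANT USAGE, SELECT ON SEQUENCE invoices_id_seq TO app_user;

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;   -- apply to the table owner as well

-- The current tenant comes from a session setting the app sets per transaction.
-- current_setting(name, true) returns NULL instead of raising when the setting
-- was never set; NULL never equals org_id, so an unset tenant sees no rows.
-- If the setting was reset to '' the uuid cast raises, which also fails closed.
CREATE POLICY tenant_isolation ON invoices
  FOR ALL
  TO app_user
  USING      (org_id = current_setting('app.current_org', true)::uuid)
  WITH CHECK (org_id = current_setting('app.current_org', true)::uuid);

-- Per request, as app_user. SET LOCAL is scoped to the transaction, so a pooled
-- connection does not carry one tenant's identity into the next request.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';

-- The app-level filter the thread relies on (parameterised in real code):
SELECT id, amount FROM invoices
 WHERE org_id = '11111111-1111-1111-1111-111111111111';

-- The failure mode Fabio describes: a bug or injection drops the WHERE clause.
-- Without RLS this returns every tenant's invoices; with the policy above it
-- still returns only rows whose org_id matches app.current_org.
SELECT id, amount FROM invoices;

-- WITH CHECK also blocks writing a row into another tenant; this INSERT fails:
INSERT INTO invoices (org_id, amount)
VALUES ('22222222-2222-2222-2222-222222222222', 10);
COMMIT;

-- Check that RLS is enabled and forced on the table (both columns should be true):
SELECT relrowsecurity, relforcerowsecurity
  FROM pg_class
 WHERE relname = 'invoices';
```

Two caveats a practitioner will want: the policy is only as strong as the binding between the connection and `app.current_org`, so if an injected payload can run its own `SET app.current_org` statement (multi-statement injection) it can repoint the policy, which is why RLS narrows the impact rather than removing the need for parameterised queries; and anything that connects as a superuser or with `BYPASSRLS` (migrations, admin tooling) is not constrained by the policy at all.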
Fabio Cerullo reposted
Brendan Falk@BrendanFalk·
To check if your Google Workspace has been compromised by the same tool that compromised Vercel:
1. Go to admin.google.com/ac/owl/list?ta… (this is Google Admin Console > Security > Access and Data Control > API Controls > Manage app access > Accessed Apps)
2. Filter by ID = …v79i7bbvqj.apps.googleusercontent.com (this is the ID of the compromised OAuth app)
If you see an app after filtering, you have potentially been compromised
Fabio Cerullo reposted
Guillermo Rauch@rauchg·
Here's my update to the broader community about the ongoing incident investigation. I want to give you the rundown of the situation directly. A Vercel employee got compromised via the breach of an AI platform customer called Context.ai that he was using. The details are being fully investigated. Through a series of maneuvers that escalated from our colleague’s compromised Vercel Google Workspace account, the attacker got further access to Vercel environments. Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data. We do have a capability however to designate environment variables as “non-sensitive”. Unfortunately, the attacker got further access through their enumeration. We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. They moved with surprising velocity and in-depth understanding of Vercel. At the moment, we believe the number of customers with security impact to be quite limited. We’ve reached out with utmost priority to the ones we have concerns about. All of our focus right now is on investigation, communication to customers, enhancement of security measures, and sanitization of our environments. We’ve deployed extensive protection measures and monitoring. We’ve analyzed our supply chain, ensuring Next.js, Turbopack, and our many open source projects remain safe for our community. The recommendation for all Vercel customers is to follow the Security Bulletin closely (vercel.com/kb/bulletin/ve…). My advice to everyone is to follow the best practices of security response: secret rotation, monitoring access to your Vercel environments and linked services, and ensuring the proper use of the sensitive env variables feature. 
In response to this, and to aid in the improvement of all of our customers’ security postures, we’ve already rolled out new capabilities in the dashboard, including an overview page of environment variables, and a better user interface for sensitive env var creation and management. As always, I’m totally open to your feedback. We’re working with elite cybersecurity firms, industry peers, and law enforcement. We’ve reached out to Context to assist in understanding the full scale of the incident, in an effort to protect other organizations and the broader internet. I also want to thank the Google Mandiant team for their active engagement and assistance. It’s my mission to turn this attack into the most formidable security response imaginable. It’s always been a top priority for me. Vercel employs some of the most dedicated security researchers and security-minded engineers in the world. I commit to keeping you updated and rolling out extensive improvements and defenses so you, our customers and community, can have the peace of mind that Vercel always has your back.
Fabio Cerullo reposted
Vercel@vercel·
Our investigation has revealed that the incident originated from a third-party AI tool with hundreds of users whose Google Workspace OAuth app was compromised. We recommend that Google Workspace Administrators check for usage of this app immediately. vercel.com/kb/bulletin/ve… (section #indicators-of-compromise-iocs)
Fabio Cerullo@fcerullo·
@patomolina Pato, I'd advise you to check the logs if you have a Teams account, because maybe some skill was installed by someone that triggered the alerts
Pato Molina@patomolina·
Anthropic decided to shut down our entire organization for an alleged violation of its terms of use. Which specific policy we violated, I have no idea: we simply received an email and that was it, goodbye Claude. If you want to appeal the decision you have to fill out a Google Form, as ridiculous as it sounds. All of a sudden more than 60 people were left without a fundamental tool for their work. Integrations, skills, conversation history: all lost or, in the best case, on hold indefinitely. A huge lesson for any software company that depends on AI tools in critical processes. Never put all your eggs in one basket.
Pato Molina@patomolina

@claudeai you took down our entire organization with 60+ accounts belonging to a legitimate company for no apparent reason, without any explanations. The only way to appeal the decision is by filling out a Google Form? Very bad UX and customer service.

Valentina Luciana 🇦🇷🇮🇪
I want to believe this will come true: after almost 4 months without two consecutive days of sun, now A SUNNY WEEK is coming? 🥹🥹🥹🌞🌞🌞
Maskache@Mask4che·
Dear Weather Gods, this Wednesday 15 April we come back to Paris Charles de Gaulle with a very clear request. At 18:30 today, make the sensor read at least 18.5°C. Not 18.4. Not below. 18.5 or more, well above the bar. We know it isn't easy to push the mercury to the exact minute in the middle of Roissy. But you've had all day to warm up the engines. We will be eternally grateful. Amen. polymarket.com/event/highest-…
Gerard@Gsnchez·
You can now connect Claude (or any other AI agent) to BQuant. 7 financial databases (and growing) connected to an MCP server, accessible in natural language at bquantfunds.info
- 68K funds and ETFs with return, risk and cost metrics.
- 79K stocks with 300+ fundamentals.
- US Congress trades.
- Corporate insider purchases/sales.
- Portfolios of 82 superinvestors (Buffett, Ackman, Burry...).
- 2M market news items since 2008.
- Historical Fed decisions.
It runs queries against real data and returns verifiable tables, attacking one of the biggest problems LLMs have when returning information.
▶️ "What does Buffett hold, and at what multiples does he buy each position?"
▶️ "European equity funds with Sharpe > 1, cost < 1% and a 4+ star rating"
▶️ "Which stocks are members of Congress, insiders and superinvestors buying at the same time, and which funds give me exposure to those sectors?"
▶️ "Compare Cobas Selección, Azvalor Internacional and Magallanes European, metrics side by side"
▶️ "Smart money buying in sectors with negative news: who is being contrarian?"
Lewis Hamilton@LewisHamilton·
I’ve been using Perplexity Computer and it’s made me realize that anyone can build their idea. The Billion Dollar build is rewarding exactly this, with up to $1M on the line for whoever can build an entire business with Computer !!
Perplexity@perplexity_ai

Today we're announcing the Billion Dollar Build. An 8-week competition where teams will use Perplexity Computer to build a company with a path to $1B. Finalists have the opportunity to secure up to $1M in investment from the Perplexity Fund and up to $1M in Computer credits.

Fabio Cerullo@fcerullo·
hey @gmail this is plainly wrong advice. If you think an email is phishing you shouldn't OPEN the suspicious email to report it!
Fabio Cerullo reposted
Cycubix@cycubix·
Join @fcerullo for a hands-on training course on Secure Coding for LLM Applications at @owasp AppSec Italy 2026 this June. 🇮🇹 Expect real-world case studies, hands-on labs, and actionable guidance you can apply immediately. 📅 17–18 June 🎟️ Book now: eventbrite.com/e/owasp-appsec…
Kevin Roose@kevinroose·
As always, the best stuff is in the system card. During testing, Claude Mythos Preview broke out of a sandbox environment, built "a moderately sophisticated multi-step exploit" to gain internet access, and emailed a researcher while they were eating a sandwich in the park.
Kevin Roose@kevinroose·
NEWS: Anthropic's new model, Claude Mythos, is so powerful that it is not releasing it to the public. Instead, it is starting a 40-company coalition, Project Glasswing, to allow cybersecurity defenders a head start in locking down critical software. nytimes.com/2026/04/07/tec…
Fabio Cerullo@fcerullo·
Italy in one image 😍
Fabio Cerullo reposted
Cycubix@cycubix·
Cybersecurity challenges don’t need to slow your growth. We help you identify risks, strengthen your applications & move forward with confidence. Book a call with our team to discuss your goals. 👉 More info: cycubix.com 📞 Schedule a call: calendar.google.com/calendar/u/0/a…
Blox Space@bloxspace_turin·
The ultimate life hack? Work globally, live in Italy. A thread 👇
Fabio Cerullo@fcerullo·
@DriftProtocol Thanks for the write up. Hopefully the bad actors are brought to justice. Any additional details to prevent this in the future would be welcome