Mick Grove

1.7K posts

@micksmix0

Product Security at MongoDB. Formerly at Apple, AWS, other places.

Seattle, WA. Joined August 2012
460 Following, 236 Followers

Mick Grove retweeted
Clint Gibler @clintgibler
🛠️ AntiSSRF: New secure-by-default library by @msftsecurity that prevents SSRF attacks. Currently supports .NET and Node.js.

Mick Grove retweeted
Steve Yegge @Steve_Yegge
Brendan Hopper, Matt Beane and I have a thesis, one that I've been sharing around lately, and we want CEOs and boards to hear it.

Before I get to the thesis, let's revisit Clayton Christensen's Innovator's Dilemma (ID), the theory he developed at HBS to explain why big companies often get eaten by upstarts during technology shifts. In short, the ID says incumbents serve their best customers so well, and tune themselves so ruthlessly for doing exactly what they do today, that they can't chase the disruptor tech coming up from below until it's too late.

The classic solution to the Innovator's Dilemma is to create a "bubble" in your company. You carve out an innovation team with a budget and mandate, as unfettered as practical by the parent organization. This is to combat the 2-level trap presented by the dilemma. The economic trap is Christensen's original point: a disruptive technology can't justify itself under your existing P&L, because it serves smaller or weirder customers at margins your real business would never accept. The governance trap is what gets piled on top once you're big: SOC2, FedRAMP, etc. mean every new idea has to clear a lot of process before it can move. The bubble is intended to escape both at once, with its own economics and permission slips.

The standard innovation "bubble" solution famously doesn't work very well. You may solve the problem inside your bubble, but you often can't roll it out to the rest of your company for the original reasons. Everyone is focused on doing their current stuff, and nobody has time for a major change.

Our thesis is that there is an entirely different way out of the dilemma this time around. No bubble needed, as long as you follow a simple rule. That rule is, let your people play. Give them back any time they earn from automating their jobs with AI. Then incentivize them to use that time to improve the company's processes.

When you see an engineering team announce a 40% productivity boost from adopting AI — a number that's been showing up in plenty of LinkedIn posts lately — your first reaction as a CEO or manager is probably to say, that's awesome, we can do more work now! Or you might simply expect to see 40% more output from the team. Either way, you have just asked them to spend their extra time building faster horses (your current business) instead of letting them go figure out what a car would look like for your company.

They gained some productivity from AI, which could have been your ticket out of the Dilemma, and you immediately slurped it back for your existing business. This will get your company killed in the medium to long haul, because your company tomorrow will look almost nothing like it does today. Conway's Law says your software and your org chart mirror each other; as AI rewrites how you build software, the org has to shift to match. But if you're stealing the hours back saved by your employees, then you're not letting your org pivot naturally in the direction it needs to shift.

@RealGeneKim and I saw this in person at @arkanalabs a few weeks back. As long as your people know they'll be recognized and rewarded if they improve the company's processes — public credit for cross-team workflow wins, promotion criteria that actually count process improvements, managers who treat freed-up hours as a feature rather than a budget line — then they will use their "play time" to seek out other teams, and start pivoting you to becoming AI-native. This way it can unfold in whatever bespoke way is most natural to your company, rather than in some ivory-tower research bubble. For every company, the way it unfolds will be a bit different.

I think of this approach, of giving the time back to the humans who automate parts of their jobs with AI, as the new solution to the Innovator's Dilemma.

The old bubble solution was to separate a bunch of people from their regular jobs, and try to give them the freedom to solve the problem in isolation. In contrast, by giving your regular employees their hours back, the innovation bubble is still there, but it's now dispersed across the company, as lots of very tiny bubbles: one bubble per person who has liberated some hours.

If you've ever read Slack by DeMarco and Lister, a great book from back in the 90s, then our thesis should resonate. What companies need is to empower their own employees, the ones who actually work together (even across departments)--the ones who know how the business works--to shift the company in the new directions together. Gradually, but with intentionality.

You still have the frankly awful problem of token budgets. For every employee you upskill into baseline AI literacy (which I'd define loosely as using coding agents throughout the workday), you've added a non-trivial opex spend — for the heaviest agentic users it can run into five figures a year. I won't sugar-coat it; you need to find that money somehow. I don't have a magic solution, but I'm very happy that other models are catching up to Claude, because they're becoming good enough for real work now.

But token budgets alone aren't enough. To live through the Innovator's Dilemma this time around, your employees need a time budget, too. Give it to the ones who earn it using AI, then incentivize them properly, and I think you're headed in roughly the right direction.

Thank you for coming to my TED tweet.

Mick Grove retweeted
Dino A. Dai Zovi @dinodaizovi
This, 1M% this: "The principle is to make exploitation harder for an attacker even when a bug exists, so that the gap between when a vulnerability is disclosed and when it is patched matters less. That means defenses that sit in front of the application and block the bug from being reached. It means designing the application so that a flaw in one part of the code cannot give an attacker access to other parts. It means being able to roll out a fix to every place the code is running at the same moment, rather than waiting on individual teams to deploy it."
Cloudflare @Cloudflare

Cloudflare's security team spent the last few weeks testing Anthropic's Mythos against fifty of our own repositories. What we learned about offensive AI, why faster patching is the wrong reaction, and what the architecture around vulnerabilities has to look like next. cfl.re/49BRUqW


Mick Grove retweeted
nedwill @NedWilliamson
exploitbench.ai Awesome work from Seunghyun and Prof. Brumley!

Mick Grove retweeted
Alex Matrosov @matrosov
One of the long-standing challenges in C++ RE has always been vtable REconstruction. AI now solves this, and you actually get richer context than you'd ever get from manual recovery. Previously, HexRaysCodeXplorer plugin was born to ease that pain back in the day, but now I need to rethink how to make it truly effective in this new reality.

Mick Grove retweeted
Rami McCarthy @ramimacisabird
👻 Is it just me, or are Agent Skills spooky? Skills can:
• fetch remote content
• Register subagents
• Create Hooks
• Hide instructions in Unicode
Check out my walk through of 19 capabilities that make malicious skills scary: ramimac.me/spooky-skills

Mick Grove @micksmix0
Kingfisher's report viewer can now load Kingfisher, TruffleHog, and Gitleaks reports in one web based viewer. De-dupes and enriches TruffleHog + Gitleaks with validation checks + revoke commands. Link in comments #DevSecOps #AppSec #SecretsDetection #OpenSource

Mick Grove retweeted
Elastic Security Labs @elasticseclabs
Full research, benchmark methodology, scoring breakdown, and the obfuscation techniques that worked: go.es.io/3QSJGnI

Mick Grove retweeted
Thomas H. Ptacek @tqbf
"Replacing long-lived keys with ephemeral keys is, for my money, one of the best uses of security engineering effort." is the best sentence I've read pertaining to my field in awhile. More at: argemma.com/blog/long-live…

Mick Grove retweeted
Rami McCarthy @ramimacisabird
Another little explainer to help cut through Supply Chain related confusion: 🧟 Commit Autopsy. Most GitHub commit data can be falsified, and misanalysis abounds in investigations. Check out what can be trusted and what can be forged: ramimac.me/commit-autopsy/

Mick Grove retweeted
Thomas H. Ptacek @tqbf
I'm sure this project is great and I wish them all the best but so far as I know we don't use it anywhere at Fly.io; we specifically don't trust v8 isolates, and all our multitenant workloads are KVM/hardware isolated. github.com/laverdet/isola…

Mick Grove @micksmix0
Kingfisher v1.95 is out, now with 825 built-in secret detection + live validation rules! This release makes Kingfisher ~15% faster and cuts binary size by ~37%. Also cool to see it hit 7 million Docker pulls and 100k GitHub downloads over the past several months.

Mick Grove retweeted
asymmetric research @asymmetric_re
New post: Code coverage for coding agents, by @NearBeteigeuze When an agent audits your codebase, a common question is: what did it actually read and with what intent? Current tools don't answer that. We built a prototype and open-sourced it.

Mick Grove retweeted
Trail of Bits @trailofbits
Language-level bug classes, stdlib pitfalls, Linux and Windows issues from usermode to kernel, seccomp sandbox escapes. One checklist, hundreds of checks. appsec.guide/docs/languages…