Ron Perris
616 posts

Ron Perris
@ronperris
Talks about secure coding and conferences near beaches. 🌴 @locomocosec
Joined March 2008
4 Following 839 Followers
Ron Perris reposted

New startup has been founded! $12.5M seed round led by Ballistic Ventures. Vulnerability management — everyone knows it's broken. With ~50% of breach losses originating from remotely exploited vulns, "fixing" this one area will have the greatest impact on cybersecurity.
Thank you to everyone who supported us. It means the world.
Root Evidence@rootevidence
We’re excited to announce Root Evidence, a company solving vulnerability management by focusing on the <1% that actually cause breach loss. Built by the team behind WhiteHat and Bit Discovery, Root Evidence is launching with $12.5M in funding led by Ballistic Ventures. Proof over probability. Fix what’s real. Read the full press release: rootevidence.com/news/root-evid…

@JoshCGrossman @manicode I think we agree that Risk-Based Authentication is a real thing. Not sure if you were replying to me or Jim, so sorry if I’m crossing wires here. This reminds me, I need to dig into 5.0. Love the ASVS. 👏

@ronperris @manicode Not sure I understand your point, it is mandating what is commonly known as risk based or adaptive authentication. Googling those phrases indicates this is a well established practice. Certainly not easy to implement but that is why it is a level 3 control.

Does anyone have thoughts on this ASVS 5.0 requirement?
8.2.4 Verify that adaptive security controls based on a consumer's environmental and contextual attributes (such as time of day, location, IP address, or device) are implemented for authentication and authorization decisions, as defined in the application's documentation. These controls must be applied when the consumer tries to start a new session and also during an existing session.
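Added example, not from the ASVS, the thread above or any project: a small context-risk policy in the shape 8.2.4 describes, with one entry point for the new-session decision and one for re-evaluation during an existing session (e.g. at an authorization point for a sensitive action). The attributes (device, IP, hour, country), the known-device table, the office network prefix, the weights and the thresholds are all assumptions for illustration; a real deployment would take them from the application's documented policy.

```javascript
// Assumed reference data (constructed for the example).
const KNOWN_DEVICES = new Map([            // userId -> device ids seen before
  ['alice', new Set(['dev-laptop-1'])],
]);
const OFFICE_NETWORKS = ['203.0.113.'];    // assumed office prefix (TEST-NET-3)

function isOfficeIp(ip) {
  return OFFICE_NETWORKS.some((prefix) => ip.startsWith(prefix));
}
function isBusinessHours(hourUtc) {
  return hourUtc >= 7 && hourUtc < 19;     // assumed working window
}

// Score a request context; higher is riskier. When a baseline (the context
// captured at login) is given, also score drift from it, which is the
// "during an existing session" half of the control.
function scoreContext(userId, ctx, baseline) {
  const reasons = [];
  let score = 0;
  const devices = KNOWN_DEVICES.get(userId) ?? new Set();
  if (!devices.has(ctx.deviceId)) { score += 40; reasons.push('unknown device'); }
  if (!isOfficeIp(ctx.ip))        { score += 15; reasons.push('off-network ip'); }
  if (!isBusinessHours(ctx.hourUtc)) { score += 10; reasons.push('outside business hours'); }
  if (baseline) {
    if (baseline.ip !== ctx.ip)           { score += 20; reasons.push('ip changed mid-session'); }
    if (baseline.deviceId !== ctx.deviceId) { score += 60; reasons.push('device changed mid-session'); }
    if (baseline.country !== ctx.country) { score += 30; reasons.push('country changed mid-session'); }
  }
  return { score, reasons };
}

// Map a score to an action. Thresholds are illustrative assumptions.
function decide(score) {
  if (score >= 70) return 'deny';
  if (score >= 30) return 'step-up';   // e.g. require a second factor
  return 'allow';
}

// Called when the consumer tries to start a new session. The returned
// baseline is what the session stores for later drift checks.
function evaluateLogin(userId, ctx) {
  const { score, reasons } = scoreContext(userId, ctx, null);
  return { action: decide(score), score, reasons, baseline: { ...ctx } };
}

// Called on sensitive requests during an existing session (authentication
// re-check or authorization decision), comparing against the login baseline.
function evaluateInSession(userId, session, ctx) {
  const { score, reasons } = scoreContext(userId, ctx, session.baseline);
  return { action: decide(score), score, reasons };
}

// Constructed sample contexts.
const loginOk = { deviceId: 'dev-laptop-1', ip: '203.0.113.10', hourUtc: 10, country: 'SE' };
const loginOdd = { deviceId: 'dev-phone-9', ip: '198.51.100.5', hourUtc: 2, country: 'SE' };
const hijacked = { deviceId: 'dev-unknown', ip: '198.51.100.7', hourUtc: 10, country: 'DE' };

const session = { baseline: evaluateLogin('alice', loginOk).baseline };
console.log(evaluateLogin('alice', loginOk).action);            // allow
console.log(evaluateLogin('alice', loginOdd).action);           // step-up
console.log(evaluateInSession('alice', session, hijacked).action); // deny
```

The point of splitting `evaluateLogin` from `evaluateInSession` is that the same attribute set is consulted at both moments the requirement names, but the in-session call has a baseline to compare against, so a mid-session change of device or country can be scored even when each attribute on its own would have been acceptable at login.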

@liran_tal Great point though, Vibe coding of examples for coding concepts you are exploring can rapidly improve your learning cycle.
Ron Perris reposted

Our course on rapidly building secure ReactJS applications with AI is now live! AI is horrible at secure coding. This course makes it dramatically better.
udemy.com/course/the-com…

@liran_tal API doesn't have what? The value for the base url of the current document?

Analyzing a vulnerability in safe-axios, an npm package designed to safeguard applications from SSRF attacks: nodejs-security.com/blog/bypassing…

@_ndeyefatoudiop @manicode If we are trying to save space…
a => a >= 18
👆🏻 is a valid function expression.

@manicode Yes! And we can also just return age >= 18 😉

@liran_tal If I was in client-side code, I’d use the base argument with the URL constructor. In that case, you’d need to resolve the base for the current document.
developer.mozilla.org/en-US/docs/Web…

@ronperris Ron, if you had to support URLs (https://...) as well as plain paths (/images/picture.jpg or avatar.png) as an input from the user, what would be your strategy to ensure there's no XSS payloads?
new URL('avatar.png') will throw, but it is a legitimate input for href or img src

What if I told you that parsing URLs from user input, especially from Markdown content, can be a security risk? nodejs-security.com/blog/how-to-pa…
Here is how URL parsing logic can be bypassed and what you need to know to handle it in a secure way
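Added example, written for this page and not taken from the linked post or from either participant: it serves both the question above about accepting absolute URLs and plain paths ("avatar.png", "/images/picture.jpg") as user input for href/src, and the point that checking the raw string is not the same as checking what the URL parser produces. It uses the `base` argument of the `URL` constructor, as suggested in the reply, so relative inputs resolve instead of throwing, and then decides on the parsed `protocol`. The document base, the allowed schemes and the `sameOrigin` option are assumptions; in a browser the base would come from `document.baseURI`. The specific bypass in the linked post is not on this page; the tab/newline case shown is the WHATWG URL parser's documented behaviour of stripping ASCII tab and newline from input before parsing.

```javascript
// Assumed document base (constructed); in a browser use document.baseURI.
const DOCUMENT_BASE = 'https://example.test/posts/42/';
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// A raw-string check of the kind that looks sufficient but is not: the URL
// parser removes ASCII tab/newline, so "java\nscript:alert(1)" parses to a
// javascript: URL while this regex never sees the scheme.
function naiveIsSafe(raw) {
  return !/^\s*javascript:/i.test(raw);
}

// Resolve a user-supplied link target (absolute URL or plain path) against
// the document base and return a normalized absolute URL safe for href/src,
// or null if it cannot be parsed or uses a disallowed scheme.
// With sameOrigin: true, also reject anything that leaves the base origin
// (e.g. protocol-relative "//other.host/x", which otherwise passes the
// scheme check).
function safeHref(input, { base = DOCUMENT_BASE, sameOrigin = false } = {}) {
  if (typeof input !== 'string') return null;
  let url;
  try {
    // "avatar.png" and "/images/picture.jpg" resolve against base;
    // an absolute input ignores base entirely.
    url = new URL(input, base);
  } catch {
    return null; // unparseable even with a base, e.g. "http://"
  }
  // Decide on the parsed protocol, never on the raw text.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  if (sameOrigin && url.origin !== new URL(base).origin) return null;
  return url.href;
}

// Constructed inputs of the kinds the question lists, plus hostile ones.
for (const input of [
  'avatar.png',
  '/images/picture.jpg',
  'https://cdn.example.net/x.png',
  'javascript:alert(1)',
  'java\nscript:alert(1)',
  'data:text/html,hi',
  '//evil.test/a',
]) {
  console.log(JSON.stringify(input), '->', safeHref(input), '| naive:', naiveIsSafe(input));
}
```

For an `<a href>` the allowlist above is the whole decision; for an `<img src>` you would typically also add `sameOrigin: true` or a CDN allowlist, since a protocol-relative or absolute input is a legitimate URL but not necessarily one you want to load. The value returned is `url.href`, i.e. the serialized form, so what reaches the attribute is exactly what was checked.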

@code_europe @manicode Go Jim! Help us React devs get it right with AI! 🤖

🔥 Breaking: @manicode joins #CodeEurope2025!
Don't miss Jim Manico's session on AI-powered React security - learn from a Java Champion & OWASP leader!
🎟️ Early Bird: 589 PLN → Soon: 729 PLN
🔗 Get tickets now: codeeurope.pl/en/buy-ticket
Ron Perris reposted

Hello 2025!!! 🥳 @sethlaw and I are starting the year off with our new and improved "Harnessing LLMs for AppSec", course. It will be held virtually on Jan 23 & 24. Anyone is free to register and is highly recommended for novice to intermediate skill sets.
training.absoluteappsec.com

Interesting AI research on using AI raw for SAST.
Summary: SAST tools like @semgrep are still quite important for secure development and #devops automation.
Alex Plaskett@alexjplaskett
1/ eyeballvul: a future-proof benchmark for vulnerability detection in the wild by @timotheechauvin arxiv.org/pdf/2407.08708

@dcuthbert @MKBHD Someone explained cyber security products to me the other day in a fascinating way, “Comfort from Purchase - Fear of Loss = Value Provided”. It’s all emotional.

What we really need is an @MKBHD-like being reviewing security products and services
No bullshit. Just honest reviews