Darren Meyer (@darrenpmeyer) 's Twitter Profile
Darren Meyer

@darrenpmeyer

#InfoSec professional with a heavy focus on #AppSec (currently product and posture consulting). #Blinkenlights and #coffee for fun

ID: 468928589

Joined: 20-01-2012 02:02:39

2.2K Tweets

623 Followers

274 Following

Darren Meyer (@darrenpmeyer) 's Twitter Profile Photo

Headed off to #PyConUS, for a little Booth (222 if you want to stop by and maybe win an RGB saber), and a lot of hanging out with fellow Python devs!

Man, there’s a lot of people trying to make the concept of a supply chain dependency really complicated for no reason. Do you depend on it for your stuff to work? Did you get it from outside your org? Congrats, that’s a dependency and it’s in your supply chain.

I had to make this today. I see way too many security people who ought to know better trying to fit facts to theories instead of theories to facts. An adversary doesn’t care about anything except that you have something they want, and whether there’s a path for them to get it.

🍨 If you have a wheat allergy, then it doesn't matter that your cookies-n-cream ice cream doesn't have wheat as a *direct* ingredient, because it's still found *transitively* in the cookie crumble. This applies to software dependencies too! Check it out endorlabs.com/learn/demystif…

In or around Vrije University in Amsterdam? Don’t miss the 20 June OWASP Meetup! Two great speakers talking about software dependency management, and of course there will be pizza. Details and free registration: meetup.com/owasp-chapter-…

We AppSec people have to challenge our nature regularly. We tend to be detail-oriented, but there isn't time to give every issue that treatment. So we have to challenge our nature by developing repeatable, automated processes that are "right enough, most of the time".

The CocoaPods vulns that were just disclosed are a big deal. I sincerely hope that they weren’t widely uncovered by adversaries, but we won’t know for sure for a bit. But if you use CocoaPods, you need to figure out what to do. endorlabs.com/learn/new-coco…

I’m seeing a lot of the take that the #CrowdStrike outage is a lesson not to rely on #Windows. That’s the wrong lesson. Sure, Windows itself has plenty to complain about, but the issue is *monocultures*; maybe don’t have one stack be 100% of your critical infrastructure

Does your #SCA respect your time? We built ours from the ground up with the goal of saving time for #AppSec and Developer teams, instead of wasting precious resources chasing noise. Don’t take my word for it; read Jellyfish’s story: endorlabs.com/learn/jellyfis…

It's pretty easy to get sort of consumed by #infosec. But #Burnout is real, and I've seen too many good people get hurt by it. A little #selfcare is important too. Take this as your reminder to drink some water, go for a walk, do something fun and silly with people you care about

Thanks to ringofsteel.org for providing their invaluable expertise — and combat-ready sabers — for the @endorlabs NYC lightsaber training event! Great to work with you, and I’m hoping we get to do so again!

It’s not often you get a chance to lay hands on a prop replica of a lightsaber that actually uses the original parts list!

If I say "do developer education" and you think "have developers sit in an online class", then please re-think what _education_ means for most professional workers. There's a place for classes, but they're a tiny portion of education, and IMO are wasted if you don't do the rest

We made the #Cyber60 List, again! 🎉 Always appreciate recognition of our ability to solve real problems in #AppSec from orgs like FORTUNE and @LightspeedVP Get the report PDF with the full list direct from Lightspeed at lsvp.com/cyber60-2024-2… #SCA #FortuneCyber60

Your SCA tool *completely ignores* transitive dependencies? In 2024? And you're charging a bunch of money for this? I have concerns. Protip: if your expensive tool has a feature that doesn't outperform a free, open-source alternative in one important way... stop selling that feature.

The job of a security org isn't necessarily to "reduce risk". It's to make sure that the org stays within its acceptable risk tolerance, and to do that as cost-effectively as you can. In most orgs, that means reducing risk. But that's tactics in service of the objective.