Check out our latest blog post! My teammates and I have discovered several, severe vulnerabilities stemming from insecure implementations of the Fiat-Shamir transformation

GitHub has uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI. Read more about the impact to GitHub, npm, and our users. github.blog/2022-04-15-sec…

Update: Heroku Security Notification status.heroku.com/incidents/2413

Listen, Google, I get it, I’m bad about opening a new calendar tab each time rather than finding the open one, but please only play the sound once, not 32 or more times, ok?

Collecting “incredible journeys” one tshirt and tchotchke at a time…

Does anyone know of the *opposite* of a boot2root? Like a local or online blue team CTF where you are given an image/log/whatever and have to find and remediate the problem?

Me: [disables all location information in twitter and phone preferences] Twitter: hey would you like to know what people in your town are tweeting about? Me: literally no.

hardly surprising from experience but super interesting research pinning harder numbers as to the why

Thinking about this further, part of the issue is that CVEs are taken as a quality statement, rather than a point in time, point in environment issue. - Zero CVEs doesn’t mean your system has no flaws - Finding CVEs means your bug tracking issue is public, not how smart you are

It’s interesting that Multics solved certain classes of supply chain attacks (“Trojan horse” in the link below) in the 70s and we now act like this is truly a hard problem that is hard to solve… multicians.org/multics-data-s…

Absolute AppSec presents a special episode at 12 Noon Eastern/ 10 AM Mountain time! Join SeThLaW (l4wke) and guest host Logyi várja a Mikulást with special guest Paddy Kerley. Key topics: #Informationwarfare vis-a-vis the real world case of Ukraine, #infosecurity, etc, youtu.be/YKFnKwR-FoM

It’s basically me acting like Buck Turgidson for an hour

Next part of my PCI Kubernetes series up now, looking at the authorization section raesene.github.io/blog/2022/10/0… - This one's not as long as the last part (thankfully) but some nuances in there to be aware of.

Every public Java library grows until it has some form of OGNL injection. /cc Dan Amodio

attending #RoguelikeCelebration right now and the talks are super good! it barely started, strongly recommend you check it out

this is a niche costume, but one year I want one of my kids to dress up as your company's complete lack of operational security