🔒 Big improvements to calls in Signal: call links

🔒🥃 Hey, you know how security teams are the worst and nobody wants to work with them?

Anyway, this is a signed going-away present from the engineering platform and architecture leaders.

Definitely a keeper, even after it's empty.

GlenDronach port wood bottle. "Thanks for everything. Good luck!" signed by 10 people in silver marker.

🔒 I'm at the CSO Conference and Awards.

Tomorrow, my team will be accepting a CSO50 award for our security automation platform that supports 4000 engineers and 7000 applications.

I've since left the company, but am here supporting my previous team. Proud of them!

🔒 Banks: practice internet safety!

Also banks: we won't let you log in if you are blocking junk in your browser or using a VPN

🔒 The opportunity: application threat modeling & secure design review is one of the highest value appsec/prodsec activities, but is hard to implement efficiently and at scale.

A bad solution: provide a long list of controls that need to be checked each time

A better solution: generate relevant security requirements automatically based on what's being built

Met with primesec yesterday, and this is what they are trying to do! They are using an LLM to read what's in your user stories (etc.), summarizing the work for the security team, and injecting specific security control requirements.

If this catches even a small portion of the real requirements, it would be a major uplift for teams both from a security and efficiency perspective. Looking forward to checking it out.

🔒 Met with the folks from Pangea yesterday.

Looks like it could be an interesting solution for:

  • small developer orgs that don't have time or expertise to deal with common security needs
  • large developer orgs that need consistency, scale, and governance of their security capabilities

🔒 Just left Silicon Valley Bank.

Did not know they still existed!

I'm at AppSec San Francisco this week.

Mute that "🔒" tagmoji if you don't want to hear about it.

Send me a message if you want to meet up.

🔒 OSS backdoors: the folly of the easy fix - lcamtuf's thing

Even when it comes to lesser threats, the bottom line is that we have untold trillions of dollars riding on top of code developed by hobbyists. The companies profiting from this infrastructure can afford to thoroughly vet and monitor key dependencies on behalf of the community. To be sure, a comprehensive solution would be a difficult and costly undertaking — but it's not any harder or costlier than large language models or self-driving cars.