Chris (stof) Langton

Our plans for interopability means you control your data, even if you ingest your reports from 30 tools in our system! We know having context for prioritisation so things aren't lost in a sea of duplicates and false positives will solve 80% of the admin you do today. Wait to see what we do next

Vulnetix has a vision to transform this broken system with our implementation of the privacy-preserving vulnerability disclosures so that bug bounty and even a pentest can trigger everyone affected to be notified immediately

There are so many exploitable vulnerabilities going unnoticed even when numbered by CVE, in the sea of findings, regardless of being vulnerable for years before, a lot of post breach investigations unveil the team had knowledge of the CVE at the time of the breach, but that was 1 in 10s of thousands

NVD declaring bankruptcy and the perverse incentives of CVE making it quickly the least useful and smallest collection of numbered vulnerabilities despite over 30% growth - means someone in the private sector has to solve the problem

When you learn log4shell was found 2 years before it had a CVE...

So I recently became a customer of #exetel / #superloop
They don't like good #passwords
First #cybersecurity FAIL was sending passwords in cleartext over email
Second FAIL is forcing customers to deduct password length or use simple characters to crack

Oh wait, I forgot
We have that AAA bill here!

Yeah npm has deleted the package. Doing searches like yours too it seems unlikely to be a risk for ghost but if I was using bots to trade Solana I'd seriously be concerned
Looks like 3 district bots use keypair-utils directly 😱😲

No default confinement?
Yolo K8s

No 'known good' seccomp?
Yolo all syscalls K8s

No identities for requests in your zero trust?
Yolo only server identity authenticated once and blind trust them for a year with all requests allowed through with K8s UNcontrol planes

Co trainers are doing just fine

Of course, no screenshots, all high level buzzwords

Share a public version we can read

The higher version isn't improvement, the version is more like a mode
V1 and V6 are time based, but 6 has a clock sequence and variant to be more precise

V7 is like V1 but has a different ra.dom segment

V8 is just guidelines for a custom UUID where you won't get a generator

And experimental

I'm keen to catch up with any of you at Australian Information Security Association (AISA) #cybercon

let's go!

Tools that don't output to standard formats like SARIF and VEX

Means I need to adjust business process, automation, and reporting logic - to use the proprietary tooling whereas tools that follow standards slide in and out without effecting any of that

Google Docs + ChatGPT

Works with Vulnetix
#Secrets scanners
#SAST
Linters
#Code test coverage
#IaC
#Containers
Compilers
#DAST
#AttackSurface

+ Anything else that exports #CycloneDX, #SPDX, or #SARIF

Vendor Support for CycloneDX here: cyclonedx.org/about/suppor...

Or SPDX here: spdx.dev/use/spdx-too...

Let's chat

Stency.io

Did you know your security metrics need context?
📈
New #PCI DSS requirement in May: Risk-based approach to security control implementation

Because not all risks are created equal! #RiskManagement

Identity crisis? PCI DSS now requires unique IDs for everyone. No more sharing credentials like they're Netflix passwords!

"Why are there so many logs?" Because PCI DSS 4.0.1 treats your system like a crime scene - everything needs to be documented

When we teach new developers to bypass security checks, we're setting them up for a career of poor security practices

The industry's casual approach to security bypasses is creating a generation of developers who don't understand what they're bypassing

#AppSec #fail #SCA

Package managers should make security bypasses harder, not provide convenient flags to disable them

The problem with security in modern development isn't that it's broken - it's that we've normalised breaking it

Golang and JavaScript are the worst offenders

#AppSec #fail #SCA

The industry's approach to hash verification is like having a smoke alarm that everyone's learned to take the batteries out of
#AppSec #fail

Hash verification isn't a development inconvenience - it's your last line of defence against compromised dependencies

Stack Overflow's highest-voted answers for hash mismatch issues are often the most security-unconscious solutions

Junior Devs love them

#AppSec #DevSecOps #SCA #Dev

Want to hire senior Devs better?

The difference between a junior and senior developer often lies in how they handle security warnings - one bypasses, the other investigates

If you have a senior that doesn't investigate hash mismatch, they're still very junior and lack curiosity to level up #AppSec

The most dangerous thing about security bypasses isn't the bypass itself - it's how quickly they become standard practice.
Documentation or CLI output that suggests bypassing security checks without explanation is essentially teaching developers bad habits
#AppSec #DevSecOps #SCA #Software

Software supply chain attacks succeed not because of sophisticated techniques, but because we've trained developers to ignore warning signs
Hash mismatch?
Let me fix that, putting the new hash in my manifest.
Done
All fixed, build passing
#AppSec #SCA #SupplyChain #Security #devsecops

If you're routinely clearing your package cache to resolve hash mismatches, you're probably doing security wrong
#AppSec #supplychain #sca

Respect your supply chain
Nurture it
Understand it's needs

Adversarial or competitive views will destroy you slowly

Factor your supply chain into the business model as the first class focus

Above your own first party product

It may just change under you like a slow leak, as you adjust, unnoticed

You don't understand #SoftwareSupplyChain

Cursor #AI is not competing with VS Code, it's built on it

Brave is not competing with chrome, it's built on it

Apple/Google are not competing with T-Mobile/Verizon

These are supply chains

It's like saying a #SaaS competes with the Internet

Absurd

The best security tool in the world is useless against interdepartmental politics

There's always budget for another tool, but never for enough people to use them properly

#AppSec

This is perhaps the most accurate reflection of government reality I've seen