Contents: One (1) Darren @darrenpmeyer@infosec.exchange

I'm hiring two Principal Security Researchers to join my Applied Research Team at Veracode. One focused on application static analysis and auto-remediation, one focused on dynamic analysis of web apps and web APIs.

My team is fully remote always (we have team members in EU, UK, US so far), great support for education (including attending conferences), pursuing your own projects, flexible scheduling, etc.

Boosts appreciated!

More info: https://mobile.twitter.com/chriseng/status/1358900181232713728

To an extend, part of that first thing (tell you what makes your product more appealing) can be a problem too, but it generally comes from people treating marketing information as a _mandate_

It's great to know that X capability makes your product have broader appeal. It's not OK to think that's sufficient reason to prioritize it, or to do it at all. The problem comes when leadership can't say "good data, that doesn't fit with what we want though, so we're not doing it"

It's that second thing, explaining stuff to potential buyers, that has a huge potential for unethical behavior. When marketing starts to try to _manipulate_ buyers or get you to try and sell something you don't really have, that's when the frustrations with marketing make sense.

When marketing people just find the right way to speak to people so that they understand how your product/service can help them, though, that's a huge help

Marketing isn't inherently evil; it's unethical marketers who've given it a bad name.

Marketing does three really important things for any org:

1. figures out who will buy what you're selling, and what would make what you're selling more appealing to them
2. figures out how to explain your stuff to buyers so that they'll understand they want it
3. helps you understand how well you're currently meeting your market's needs

The reactions to the J&J Vaccine being associated with 6 blod clot issues are such a great example of how difficult it is to get people to understand risk

A lot of people who got the J&J recently are freaked out, even though only 6 issues out of 7 million doses *might* have cause a problem. The gov is being smart pausing the use until they know why (might be a fluke, might be a mfg defect, etc), but people are reacting as though the J&J shot is/was inherently high risk. It isn't and wasn't

It's always a joke I think 3 people will laugh at that does well

And the irony is that I ended up getting the single-dose J&J vaccine…

My colleague Mansi wrote an awesome series on Java crypto last year, and just published a great update to it.

https://www.veracode.com/blog/research/java-crypto-catchup

The weather here got up to -5°C over the weekend, so we took a light hike along the Vermillion River. Frozen waterfalls!

And here's my little hacky script to talk to SmartThings to toggle lights: https://github.com/darrenpmeyer/smartthings-onair

It depends on a "just enough to work" implementation of the SmartThings API here: https://github.com/darrenpmeyer/python-smartthings

Built a little Python agent that monitors my macOS process list to see if I'm actively in a Zoom call, and runs an "on air" script when I join one and an "off air" script when I end one. I use this to automatically turn on a smart light I've designated as an "on air light" so my family knows when I'm on a call.

Very much "works on my machine", but people might find this useful

https://github.com/darrenpmeyer/pyzoomproc

@superruserr hey, @ TheGibson @hackers.town mentioned you might be looking, and I'm hiring appsec research. Check latest post and let me know if that's possibly a fit!

I'm hiring two Principal Security Researchers to join my Applied Research Team at Veracode. One focused on application static analysis and auto-remediation, one focused on dynamic analysis of web apps and web APIs.

My team is fully remote always (we have team members in EU, UK, US so far), great support for education (including attending conferences), pursuing your own projects, flexible scheduling, etc.

Boosts appreciated!

More info: https://mobile.twitter.com/chriseng/status/1358900181232713728

Can anyone recommend—by which I mean actually vouch for—good courses/book/programs to teach an already-technical person about web app security from a pentesting standpoint?

I'm enjoying watching people who have no idea the difficulties in scaling federated services throw rocks at Signal for not being able to instantly scale in the face of something like 500% growth in a matter of days

Even though I'm skeptical of the methodology behind things like Gartner's Magic Quadrant and Forrester's WAVE, it is still a nice compliment to be at or near the top on things like that!

And doubly so when it's because we've invested heavily in making a better security tool experience for developers

https://www.businesswire.com/news/home/20210111005821/en/Veracode-Named-a-Leader-in-Newest-Evaluation-of-Static-Analysis-Security-Testing-by-Independent-Research-Firm

I finally am getting around to learning Golang (yay!) and JavaScript (meh!)

And once again I’m reminded that most language tutorials assume this is your first language. There’s got to be something between “learn x in y minutes” and “here let me teach you how to program, incidentally in x”