I'm hiring two Principal Security Researchers to join my Applied Research Team at Veracode. One focused on application static analysis and auto-remediation, one focused on dynamic analysis of web apps and web APIs.

My team is fully remote always (we have team members in EU, UK, US so far), great support for education (including attending conferences), pursuing your own projects, flexible scheduling, etc.

Boosts appreciated!

More info: mobile.twitter.com/chriseng/st

To an extent, part of that first thing (tell you what makes your product more appealing) can be a problem too, but it generally comes from people treating marketing information as a _mandate_

It's great to know that X capability makes your product have broader appeal. It's not OK to think that's sufficient reason to prioritize it, or to do it at all. The problem comes when leadership can't say "good data, that doesn't fit with what we want though, so we're not doing it"

It's that second thing, explaining stuff to potential buyers, that has a huge potential for unethical behavior. When marketing starts to try to _manipulate_ buyers or get you to try and sell something you don't really have, that's when the frustrations with marketing make sense.

When marketing people just find the right way to speak to people so that they understand how your product/service can help them, though, that's a huge help

Marketing isn't inherently evil; it's unethical marketers who've given it a bad name.

Marketing does three really important things for any org:

1. figures out who will buy what you're selling, and what would make what you're selling more appealing to them
2. figures out how to explain your stuff to buyers so that they'll understand they want it
3. helps you understand how well you're currently meeting your market's needs

The reactions to the J&J vaccine being associated with 6 blood clot issues are such a great example of how difficult it is to get people to understand risk

A lot of people who got the J&J recently are freaked out, even though only 6 issues out of 7 million doses *might* have caused a problem. The gov is being smart pausing the use until they know why (might be a fluke, might be a mfg defect, etc), but people are reacting as though the J&J shot is/was inherently high risk. It isn't and wasn't

It's always a joke I think 3 people will laugh at that does well

And the irony is that I ended up getting the single-dose J&J vaccine…

My colleague Mansi wrote an awesome series on Java crypto last year, and just published a great update to it.

veracode.com/blog/research/jav

The weather here got up to -5°C over the weekend, so we took a light hike along the Vermillion River. Frozen waterfalls!

Brave browser leaking your TOR data by DNS...

well, I guess I can't use that source anymore...

Get fedi hired! 

looking for a DevSecOps Consultant who has experience building and deploying CI/CD pipelines in the cloud and is an expert in automation using Terraform or Ansible.

Also looking for someone with in-depth Cisco Networking experience, as well as expertise working with Cisco Firepower firewalls. You must be proficient in creating and writing firewall rules, and have in-depth knowledge of network security.

And here's my little hacky script to talk to SmartThings to toggle lights: github.com/darrenpmeyer/smartt

It depends on a "just enough to work" implementation of the SmartThings API here: github.com/darrenpmeyer/python

Built a little Python agent that monitors my macOS process list to see if I'm actively in a Zoom call, and runs an "on air" script when I join one and an "off air" script when I end one. I use this to automatically turn on a smart light I've designated as an "on air light" so my family knows when I'm on a call.

Very much "works on my machine", but people might find this useful

github.com/darrenpmeyer/pyzoom
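The post above describes the mechanism only in outline: poll the process list, decide whether a meeting is active, and run a hook on each transition. The block below is an added illustration written for this page, not code from the pyzoom repository. It assumes (hypothetically, for the example) that an active Zoom meeting on macOS can be recognised by a helper process whose name contains `CptHost`; the marker, the hook names and the polling interval are all this example's choices, not the author's. The transition logic is kept separate from the process-list read so it can be exercised offline on constructed snapshots.

```python
import subprocess
import time
from typing import Callable, Iterable, Optional

# ASSUMPTION for this example: while a Zoom meeting is active on macOS, a helper
# process whose name contains "CptHost" is running. Swap in whatever marker your
# own Zoom build exposes; the original post does not specify one.
CALL_MARKERS = ("CptHost",)


def list_process_names() -> list[str]:
    """Return the basename of every running process (macOS/Linux `ps`)."""
    out = subprocess.run(
        ["ps", "-axo", "comm="], capture_output=True, text=True, check=True
    ).stdout
    return [line.strip().rsplit("/", 1)[-1] for line in out.splitlines() if line.strip()]


def in_call(process_names: Iterable[str], markers: Iterable[str] = CALL_MARKERS) -> bool:
    """True if any process name contains one of the meeting markers."""
    return any(marker in name for name in process_names for marker in markers)


class OnAirMonitor:
    """Edge-triggered monitor: fires on_air once when a call starts and
    off_air once when it ends, regardless of how many polls see the same state."""

    def __init__(
        self,
        on_air: Callable[[], None],
        off_air: Callable[[], None],
        markers: Iterable[str] = CALL_MARKERS,
    ) -> None:
        self.on_air = on_air
        self.off_air = off_air
        self.markers = tuple(markers)
        self.active = False  # last known state; starts as "not in a call"

    def observe(self, process_names: Iterable[str]) -> Optional[str]:
        """Feed one process-list snapshot; return the transition fired, if any."""
        now = in_call(process_names, self.markers)
        if now and not self.active:
            self.active = True
            self.on_air()
            return "on_air"
        if not now and self.active:
            self.active = False
            self.off_air()
            return "off_air"
        return None  # steady state, nothing to do

    def run(self, poll_seconds: float = 5.0) -> None:
        """Poll the live process list until interrupted."""
        while True:
            self.observe(list_process_names())
            time.sleep(poll_seconds)


if __name__ == "__main__":
    # Hooks are plain callables; the original post shells out to scripts here.
    OnAirMonitor(
        on_air=lambda: print("on air: turn the light on"),
        off_air=lambda: print("off air: turn the light off"),
    ).run()
```

Because `observe` only acts on state changes, a flapping process list (Zoom restarting its helper mid-call, say) costs at most one extra on/off pair rather than a hook call per poll; if that still matters, debounce by requiring two consecutive polls to agree before firing.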

@superruserr hey, @TheGibson@hackers.town mentioned you might be looking, and I'm hiring appsec research. Check latest post and let me know if that's possibly a fit!

Can anyone recommend—by which I mean actually vouch for—good courses/book/programs to teach an already-technical person about web app security from a pentesting standpoint?

I'm enjoying watching people who have no idea the difficulties in scaling federated services throw rocks at Signal for not being able to instantly scale in the face of something like 500% growth in a matter of days

Some people work while they're stressed and locked indoors. I wrote most of a book during the covid crisis:

twitter.com/search?q=from%3Ado

I was feeling pretty pleased with myself on that score, but then I found out what Oriol Ferrer Mesià did with his time.

His "Modern Retro Computer Terminals" project is a series of tiny computers built around low-cost processors like the Raspberry Pi and Nvidia Jetson Nano, run off a 3D printer and assembled.

uri.cat/projects/modern-retro-

1/

Even though I'm skeptical of the methodology behind things like Gartner's Magic Quadrant and Forrester's WAVE, it is still a nice compliment to be at or near the top on things like that!

And doubly so when it's because we've invested heavily in making a better security tool experience for developers

businesswire.com/news/home/202

I finally am getting around to learning Golang (yay!) and JavaScript (meh!)

And once again I’m reminded that most language tutorials assume this is your first language. There’s got to be something between “learn x in y minutes” and “here let me teach you how to program, incidentally in x”

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.