Hardcoding service account keys?
There’s a better way to handle Google Cloud authentication—especially in CI/CD pipelines like Azure DevOps.

I’ve just published a new blog post:
“Secure Google Cloud Authentication in Python: Avoiding CI/CD Pitfalls with Service Accounts”

In this post, I unpack:
• 6 common anti-patterns (yes, even Secure Files can be insecure )
• A clean, modular way to handle credentials using Azure Key Vault
• Python examples to rebuild service account JSONs securely in memory
• Bonus tips for local testing without polluting your environment

If you’ve ever juggled Terraform, BigQuery, or Cloud Functions automation and thought “there has to be a more secure way”—this one’s for you.

Let’s move beyond insecure quick fixes and build pipelines we’re proud of.

https://cirriustech.co.uk/blog/gcp-auth-antipatterns/

Hi y'all! New to infosec.exchange!

We're RSOLV - building automated security vulnerability detection + remediation (yes, a _fix_, not just a red flag)

While researching AI-generated code, we discovered something wild: 19.6% of AI package suggestions don't exist. Hackers are pre-registering them.

Traditional scanners miss this completely. We detect AND fix it.

Journey: https://www.indiehackers.com/post/built-the-wrong-thing-at-the-wrong-time-but-discovered-something-worse-or-better-0bc8629cc0

Blog: https://rsolv.dev/blog/hidden-cost-ai-generated-code?utm_source=mastodon&utm_medium=social&utm_campaign=slopsquatting

If you use AI to generate code, Codacy Guardrails now offers a free tool to enforce security and quality standards in real time.

Not an endorsement or paid promo, just sharing for awareness.

https://blog.codacy.com/codacy-guardrails-free-real-time-enforcement-of-security-and-quality-standards

A researcher shows how to trivially bypass GitHub Actions policies by using local uses: references after cloning an action repo. GitHub reportedly doesn't consider this a security issue.

https://blog.yossarian.net/2025/06/11/github-actions-policies-dumb-bypass

Non-Human Identities: The Hidden Risk in Your Stack

Non-human identities (NHIs)—like API keys, service accounts, and OAuth tokens—now outnumber human accounts in many enterprises. But are you managing them securely? With 46% of organizations reporting compromises of NHI credentials just this year, it’s clear: these powerful, often-overlooked accounts are the next cybersecurity frontier.

Read The Hacker News article for more details: https://thehackernews.com/2025/06/the-hidden-threat-in-your-stack-why-non.html

Looking for a remote position in #OpenSource? Browse hundreds of jobs in technical and non-technical roles on #OSJH
https://opensourcejobhub.com/jobs/?q=remote&utm_source=mosjh
#career #sysadmin #engineer #sales #security #marketing #developer #DevSecOps #SRE #FOSS

An agent emailed me the "perfect" contract role today. Senior/Lead DevSecOps Engineer, one year contract, outside IR35, and totally my skillset. Sent my CV and got the job spec. It's perfect except for: "working APAC hours: 00:00–09:00 CET".

LOL! Brother I'm 52 years old. Are you trying to kill me?

Exciting opportunity alert! Join us on stage at #OWASP Global #AppSec USA in Washington, DC this November. Share your knowledge and apply to present at this amazing event. Don't miss your chance to shine - submit your presentations here: https://sessionize.com/owasp-global-appsec-USA-2025-cfp2/ #infosec #AI #devsecops #AI

Is Node.js the future of backend development, or just a beautifully wrapped grenade?

Lately, I see more and more backend systems, yes, even monoliths, built entirely in Node.js, sometimes with server-side rendering layered on top. These are not toy projects. These are services touching sensitive PII data, sometimes in regulated industries.

When I first used Node.js years ago, I remember:
• Security concepts were… let’s say aspirational.
• Licensing hell due to questionable npm dependencies.
• Tests were flaky, with mocking turning into dark rituals.
• Behavior of libraries changed weekly like socks, but more dangerous.
• Internet required to run a “local” build. How comforting.

Even with TypeScript, it all melts back into JavaScript at runtime, a language so flexible it can hang itself.

Sure, SSR and monoliths can simplify architecture. But they also widen the attack surface, especially when:
• The backend is non-compiled.
• Every endpoint is a potential open door.
• The system needs Node + a fleet of dependencies + a container + prayer just to run.

Compare that to a compiled, stateless binary that:
• Runs in a scratch container.
• Requires zero runtime dependencies.
• Has encryption at rest, in transit, and ideally per-user.
• Can be observed, scaled, audited, stateless and destroyed with precision.

I’ve shipped frontends that are static, CDN-delivered, secure by design, and light enough to fit on a floppy disk. By running them with Node, I’m loading gigabytes of unknown tooling to render “Hello, user”.

So I wonder:
Is this the future? Or am I just… old?

Are we replacing mature, scalable architectures with serverless spaghetti and 12-factor mayhem because “it works on Vercel”?

Tell me how you build secure, observable, compliant systems in Node.js.
Genuinely curious.
Mildly terrified and maybe old.

Get pumped for #OWASP Global #AppSec EU in May! Enhance your experience by becoming a Mentor and building lasting connections while assisting others on their journey! Don't miss out, sign up here: https://owasp.wufoo.com/forms/zk2cdkr1qla6o8/ #CyberSecurity #AI #threatmodeling #Barcelona #devsecops #infosec

Anchore announces Grype v0.91.2. This release resolves several false positives identified in v0.91.1, enhancing scan accuracy. Users are advised to update.
#VulnerabilityScanning #Security #DevSecOps
https://github.com/anchore/grype/releases/tag/v0.91.2

The Digital Terrain Is Shifting — Are Your Apps and APIs Ready?

As AI adoption accelerates, so do AI-driven attacks.
In their new research report, Akamai Technologies uncovers the evolving threats facing web applications and APIs — and how organizations can respond before attackers get ahead.

State of Apps and API Security 2025: How #AI Is Shifting the Digital Terrain explores the sharp rise in automated, intelligent threats — and the new defenses emerging to meet them.

Download the full report here: https://itspm.ag/akamaixmwd
Research like this helps #security professionals, #leaders, and #developers stay ahead of the curve — and shape the future of #digital defense.

We’re also proud to feature Akamai in our RSAC 2025 coverage — with a Brand Story recorded pre-event and a follow-up conversation happening on location at the conference in San Francisco with Rupesh Chokshi, Sean Martin, CISSP, and Marco Ciappelli.

Watch the pre-event recording here: https://youtu.be/DMm6INJ_2Z8

A huge thank you to the Akamai team for sponsoring our coverage and sharing their insights with our global audience.

Check out the report and stay tuned for more from RSAC:

Download the Report: https://itspm.ag/akamaixmwd
Explore our RSAC 2025 Coverage: https://www.itspmagazine.com/events/rsac-2025

Here we go, with another pre-RSAC 2025 Conference Coverage Brand Story!

#QuantumSecurity, Real Problems, and the Unifying Layer Behind It All
A Brand Story with Marc Manzano, General Manager, Cybersecurity Group at SandboxAQ

As we get ready for RSAC 2025, we’re kicking things off with some Brand Story conversation that sets the tone for what’s coming.

In this pre-event episode, SandboxAQ shares how their flagship platform, Active Guard, is reshaping #cybersecurity at the intersection of #AI and #quantum. From cryptographic asset management to non-human identity oversight and automated compliance, it’s all about solving real challenges and building a more secure, interoperable future.

ITSPmagazine's Co-founders Marco Ciappelli and Sean Martin, CISSP sat down with Marc Manzano for a first look at the #technology and thinking behind it — and what you can expect from their presence at RSA Conference 2025.

We’ll reconnect and record with SandboxAQ on location at #RSAC2025 for a deeper dive into this critical conversation.

A special thank you to SandboxAQ for sponsoring our RSAC 2025 coverage and supporting this exploration into the future of cybersecurity.

Watch, listen, and learn more below:

Video Teaser: https://youtu.be/eCT8qNhp4nc

Full Video Episode: https://youtu.be/aD34MD5IRnc

Full Audio Podcast: https://brand-stories-podcast.simplecast.com/episodes/quantum-security-real-problems-and-the-unifying-layer-behind-it-all-a-brand-story-conversation-with-marc-manzano-general-manager-of-the-cybersecurity-group-at-sandboxaq-a-rsac-conference-2025-brand-story-pre-event-conversation

Explore our full RSAC 2025 Coverage: https://www.itspmagazine.com/events/rsac

Going Live in 15 Minutes — Come Join Us!

I’m about to tune in for a live ITSPmagazine webinar that dives into a topic I truly care about:

Secure Coding = Developer Empowerment

It’s not just about reducing risk — it’s about investing in developers, boosting velocity, and building better software from the start.

Today – April 18

Hosted by ITSPmagazine

In partnership with Manicode Security

Jim Manico

Jimmy Mesta

Sean Martin, CISSP

Will be talking about:

Why most developers never get proper secure coding training

How to get leadership buy-in for better dev security

Why this isn’t just security—it’s a career boost

If you’ve got time, join us live. If not, watch it on demand. Either way, it’s a conversation worth having.

Join here:

https://www.crowdcast.io/c/secure-coding-equals-developer-power-how-to-convince-your-boss-to-invest-in-you-an-itspmagazine-webinar-with-manicode-security-ad147fba034a

#ApplicationSecurity, #DeveloperEmpowerment, #SecureCoding, #DevSecOps, #softwaresecurity, #cybersecurity, #infosec, #ITSPmagazine

Yes, it is true! It’s Webinar Time! Secure coding isn’t just about writing safer software—it’s a career game-changer.

But most companies don’t invest in secure coding training, leaving developers without the skills they need to protect their apps.

Join us live on April 16, 2025, for an ITSPmagazine Webinar where we’ll explore how to change that.

Secure Coding = Developer Power: How To Convince Your Boss To Invest In You

With:
Jim Manico, Manicode Security
Jimmy Mesta , RAD Security
Moderated by yours truly — Sean Martin, CISSP

Register here: https://www.crowdcast.io/c/secure-coding-equals-developer-power-how-to-convince-your-boss-to-invest-in-you-an-itspmagazine-webinar-with-manicode-security-ad147fba034a

Why You Should Attend
Secure coding isn’t just about preventing security failures—it’s a career accelerator. Developers who understand security are more valuable to their companies, build better products, and stand out in the job market. This session will equip you with the knowledge and tools to make the case for secure coding training at your company, giving you an edge as both a developer and an advocate for better software security.

We’ll cover:
Live code reviews & secure fixes
Automation tips for secure defaults
What effective training really looks like

If you care about building secure software and stronger engineering teams, don’t miss this one.

Register here: https://www.crowdcast.io/c/secure-coding-equals-developer-power-how-to-convince-your-boss-to-invest-in-you-an-itspmagazine-webinar-with-manicode-security-ad147fba034a

Yes, it is true!
It's Webinar Time!

... and we’re back with another ITSPmagazine Thought Leadership Webinar — because impactful conversations and meaningful perspective exchanges are what we’re all about.

After the success of our debut session “AI In Healthcare: Who Benefits, Who Pays, And Who’s At Risk?” (missed it? Watch it on demand https://www.crowdcast.io/c/ai-in-healthcare-who-benefits-who-pays-and-whos-at-risk-an-itspmagazine-thought-leadership-webinar-march-2025-3eeb9725b912) —we’re diving back in with a brand-new conversation focused on the heart of what drives our work: cybersecurity, technology, and society.

Secure Coding = Developer Power: How To Convince Your Boss To Invest In You An ITSPmagazine Webinar With Manicode Security April 16, 2025

We’re honored to welcome two brilliant minds joining Sean Martin, CISSP — yes, of course, he’s pretty sharp too — for this one:

Jim Manico, Founder and Secure Coding Educator at Manicode Security
Jimmy Mesta , Course Instructor for Manicode and CTO at RAD Security

Why does #securecoding still feel like an afterthought? This session tackles that question head-on—covering why most companies don’t invest in secure coding training, how developers can advocate for themselves, and how this skillset can seriously boost your career. We’ll even get into some live code reviews and automation demos you won’t want to miss.

Secure Coding = Developer Power: How To Convince Your Boss To Invest In You
LIVE: April 16, 2025
REGISTER HERE: https://www.crowdcast.io/c/secure-coding-equals-developer-power-how-to-convince-your-boss-to-invest-in-you-an-itspmagazine-webinar-with-manicode-security-ad147fba034a

Be sure to share this with your fellow #developers, coworkers, and anyone who cares about building safer software and smarter teams. This is your chance to invest in yourself—and help your company do the same.

LET'S go, we can do this!!!

#webinar, #securecoding, #developerlife, #cybersecurity, #infosec, #softwaresecurity, #devsecops, #itspmagazine #infosecurity #tech #technology #software #programmers

Ready to shine on stage? Share your expertise at #OWASP Global #AppSec USA in Washington, DC this November! Submit your presentations now for this incredible event! Seize the opportunity - apply here: https://sessionize.com/owasp-global-appsec-USA-2025-cfp2/ #infosec #AI #devsecops #SBOMM

Ready to shine on stage? Share your expertise at #OWASP Global #AppSec USA in Washington, DC this November! Submit your presentations now for this incredible event! Seize the opportunity - apply here: https://sessionize.com/owasp-global-appsec-USA-2025-cfp2/ #infosec #AI #devsecops #SBOMM

Středeční #hiring update:

Do interního #DevOps týmu hledám borce na pozici, které říkáme
INFRASTRUCTURE AND DEVOPS SPECIALIST

HPP, nebo IČO, jak chceš.
Hybridní forma práce, kancl #Praha Nusle.
Nezávazná pokec s DevOps Leadem není problém, online/onsite.
Nespěcháme, hledáme oboustranný "match."

Looking to hire a DevSecOps person for my Platform Team at informediq.com. A big chunk of the work is taking care of the technical aspects of SOC 2 and related compliance. Our customers are banks so their compliance needs runs downhill to us so supporting their audits is also a big part.

The other major aspect is actual DevSecOps with a focus on Sec. Ensuring we've got Sec baked in to our apps, CI/CD and Serverless Infrastructure as well as automating as much of the compliance stuff as possible.

Job description: https://informediq.com/job/staff-security-engineer-devsecops/

Apply at jobs@informediq.com and mention you saw the position on Mastadon