lingo.lol is one of the many independent Mastodon servers you can use to participate in the fediverse.
A place for linguists, philologists, and other lovers of languages.

#appsec

Yes, it is true! 😏 🎙️💻 It’s Webinar Time! Secure coding isn’t just about writing safer software—it’s a career game-changer.

But most companies don’t invest in secure coding training, leaving developers without the skills they need to protect their apps.

Join us live on April 16, 2025, for an ITSPmagazine Webinar where we’ll explore how to change that.

💡 Secure Coding = Developer Power: How To Convince Your Boss To Invest In You

With:
🎙️ Jim Manico, Manicode Security
🎙️ Jimmy Mesta 🤙, RAD Security
🎙️ Moderated by yours truly — Sean Martin, CISSP

👉 Register here: crowdcast.io/c/secure-coding-e

Why You Should Attend
Secure coding isn’t just about preventing security failures—it’s a career accelerator. Developers who understand security are more valuable to their companies, build better products, and stand out in the job market. This session will equip you with the knowledge and tools to make the case for secure coding training at your company, giving you an edge as both a developer and an advocate for better software security.

We’ll cover:
🔐 Live code reviews & secure fixes
🔧 Automation tips for secure defaults
📚 What effective training really looks like

If you care about building secure software and stronger engineering teams, don’t miss this one.

👉 Register here: crowdcast.io/c/secure-coding-e

crowdcast: Secure Coding = Developer Power: How to Convince Your Boss to Invest in You — An ITSPmagazine Webinar with Manicode Security. Register now for this webinar on crowdcast, scheduled to go live on April 16, 2025, 12:30 PM EDT.

Some of my colleagues at #AWS have created an open-source serverless #AI assisted #threatmodel solution. You upload architecture diagrams to it, and it uses Claude Sonnet via Amazon Bedrock to analyze it.

I'm not too impressed with the threats it comes up with. But I am very impressed with the amount of typing it saves. Given nothing more than a picture and about 2 minutes of computation, it spits out a very good list of what is depicted in the diagram and the flows between them. To the extent that the diagram is accurate/well-labeled, this solution seems to do a very good job writing out what is depicted.

I deployed this "Threat Designer" app. Then I took the architecture image from this blog post and dropped that picture into it. The image analysis produced some of the list of things you see attached.

This is a specialized, context-aware kind of OCR. I was impressed at boundaries, flows, and assets pulled from a graphic. Could save a lot of typing time. I was not impressed with the threats it identifies. Having said that, it did identify a handful of things I hadn't thought of before, like EventBridge event injection. But the majority of the threats are low value.

I suspect this app is not cheap to run. So caveat deployor.
#cloud #cloudsecurity #appsec #threatmodeling

Critical Next.js Middleware Vulnerability (CVE-2025-29927)

A major auth bypass vulnerability in Next.js middleware (prior to v14.2.25 / v15.2.3) allows attackers to inject the x-middleware-subrequest header and bypass authorization entirely. Exploitable via simple HTTP requests—no user interaction, no special permissions.

Patch. Now. Or block the header manually.

GitHub scored this 9.1 CRITICAL, but the real issue? This flaw exposes a systemic weakness in middleware validation, and some vendors weren’t exactly upfront about the risks.

Details + POC: zeropath.com/blog/nextjs-middl
NVD: nvd.nist.gov/vuln/detail/CVE-2

Security theater is easy. Secure defaults and transparency are harder—but essential.

zeropath.com: Next.js Middleware Exploit: Deep Dive into CVE-2025-29927 Authorization Bypass - ZeroPath Blog. Explore the critical CVE-2025-29927 vulnerability in Next.js middleware, enabling attackers to bypass authorization checks and gain unauthorized access.
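The post's mitigation advice (patch, or block the header manually) expressed in code, as an added example that is not part of the post and is not Next.js or Vercel code: an edge filter that strips inbound requests of x-middleware-subrequest and rejects them, plus a scan over access-log lines that reports which requests carried it, so that probing shows up in detection. The header name is the one the post names; the function names, the JSON-per-line log format and the sample requests are constructed here for illustration.

```javascript
// Added example (not from the post, not Next.js/Vercel code): two defender-side
// checks for CVE-2025-29927. Only the header name comes from the advisory; the
// function names, log format and sample data below are constructed.

const INTERNAL_HEADER = 'x-middleware-subrequest';

// 1. Edge filter, to run at the external boundary (reverse proxy / WAF layer).
//    Header names are case-insensitive in HTTP, so compare lowercased.
//    Returns the status to answer with and the header map safe to forward.
function filterInbound(headers) {
  const cleaned = {};
  let found = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) {
      found = true;            // remember it, but never forward it
      continue;
    }
    cleaned[name] = value;
  }
  return found
    ? { status: 400, headers: cleaned, reason: 'client sent internal header' }
    : { status: 200, headers: cleaned, reason: null };
}

// 2. Log detection: each access-log line is one JSON object with ip, path and
//    a headers map (constructed format). Returns the lines that carried the
//    internal header, which is never legitimate from an outside client.
function findSuspiciousLogLines(logText) {
  const hits = [];
  logText.split('\n').forEach((line, idx) => {
    if (!line.trim()) return;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (e) {
      return;                  // skip malformed lines rather than abort the scan
    }
    const names = Object.keys(entry.headers || {}).map((n) => n.toLowerCase());
    if (names.includes(INTERNAL_HEADER)) {
      hits.push({ line: idx + 1, ip: entry.ip, path: entry.path });
    }
  });
  return hits;
}

// Constructed sample log: two ordinary requests and one carrying the header
// (value is a placeholder; any client-supplied value is the signal).
const SAMPLE_LOG = [
  JSON.stringify({ ip: '203.0.113.5', path: '/dashboard', headers: { cookie: 'session=abc' } }),
  JSON.stringify({ ip: '203.0.113.9', path: '/admin', headers: { 'X-Middleware-Subrequest': 'set-by-client' } }),
  JSON.stringify({ ip: '198.51.100.2', path: '/', headers: { accept: 'text/html' } }),
].join('\n');

// Demo: filter one request and scan the sample log.
console.log(filterInbound({ Host: 'example.test', 'X-Middleware-Subrequest': 'set-by-client' }));
console.log(findSuspiciousLogLines(SAMPLE_LOG));
```

Apply the filter only where external traffic enters: Next.js sets this header on its own internal subrequests, so stripping it on hops between the framework and itself could break routing. Rejecting with 400 instead of silently forwarding the cleaned request is a deliberate choice; it keeps attempts visible in the proxy logs, which is what the log scan then picks up.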

It’s always a great pleasure to spend time with Jim Manico and learn from his expertise! 🧐✨📚

Turning #Developers into #Security Champions: The Business Case for Secure Development | A Manicode Security Brand Story with Jim Manico

In this insightful episode, hosted by @seanmartin and @Marcociappelli on @ITSPmagazine, Jim shares how enabling developers to embrace secure coding practices can elevate them into true security champions.

He explains why secure development isn’t just about writing safer code—it’s a transformative approach that strengthens #business resilience, protects critical data, and fosters a company-wide culture of security-first thinking.

📺 Watch the full episode here:
youtu.be/OJXD_cS1JJM?si=KGwqwm

🎧Listen and subscribe here:
brand-stories-podcast.simpleca

Follow this link to listen, watch, or read the episode—whichever works best for you.

📚 itspmagazine.com/their-stories

🚀 Tired of being locked into Google Play?
Discover Obtainium, the open-source Android app that lets you update and install apps directly from trusted sources like GitHub, GitLab, and F-Droid. Say goodbye to trackers, bloatware, and slow updates—hello to privacy, control, and freedom!

Check it out on my site:
👉 sambent.com/obtainium-a-privac
#Android #Privacy #OpenSource #TechFreedom #Obtainium
#degoogled #android #updates #appsec