Mastodon @rwhitworth@infosec.exchange Current: AppSec. S-SDLC. Vulnerability Management. Tester. Coder. Self-doubter.

Atlanta area
Joined March 2009
"The (Inter)Net interprets censorship as damage and routes around it" - John Gilmore, First Nation in Cyberspace, 1993 web.archive.org/web/20210408…
Caring about results requires caring about people. Ignore the people aspect of a project and you’ll have no workers or consumers.
I predict keybase.io will be the big winner from Twitter falling apart. Finding your Twitter friends on other platforms will be hectic and a lot more work than it seems, though keybase solves that problem.
OpenSSL 3.0 vulns are neat and all, but some of us are struggling with environments still using 1.0.2 (which is mainstream support EOL as of 2019). The long tail of upgrade cycles is where the hard work is. Patching 'new' stuff is easy.
Tuesday November 1st plan to be triaging and possibly patching your systems. OpenSSL is involved in so many things in a modern Linux OS and in many applications (regardless of OS). Have your SBOMs handy for all the third party apps too!
OpenSSL 3.0.7 update to fix Critical CVE out next Tuesday 1300-1700UTC. Does not affect versions before 3.0. mta.openssl.org/pipermail/op…
re: CVE-2022-40684 Helping a friend review logs for a Fortinet device and found the filters on the system logs page not fully functional. The user 'Local_Process_Access' cannot always be searched for. Instead download the log file and use your text editor to search.
Just told a coworker that I'm troubleshooting a broken corn job. I blame @SwiftOnSecurity. #cornjob #🌽
I like seeing 'what is acronym XYZ?' in response to an infosec celebrity tweeting something out that was not understandable to someone outside infosec. It could be newbies asking the questions. Or it could be people outside the IT sphere. Either way, I'm glad to see it.
Now vs Then Mudge's mute button use is on point today. Watch live - judiciary.senate.gov/meeting…
Pages 33-37 contain a legal description of DNS and DNS server operations. "DNS data is public", says the judge. Acknowledging that the recursive resolver, root server, and multiple authoritative servers will all be able to log the request.
Trump’s lawsuit against me and many others just dismissed. The Court had some things to say. storage.courtlistener.com/re…
The NIST Report referenced is also known as NIST 800-81-2 - nvlpubs.nist.gov/nistpubs/sp…
I’ve started seeing job postings using “product security engineer” instead of application security engineer. Feels like a new trend that makes a lot of sense for security roles invested in QA, code quality, and the development process
AppSec has always had too much crossover into DevOps, and not enough focus on being a security ‘developer’ that doesn’t write product code #appsec
Skipped right past a job posting from @Cloudflare today. Bad press has far reaching effects that are very hard to measure.
Oh good the IV is written to the file containing the cipher text. And the key is written to that file too 😳 Thankfully this isn’t work related
Security is a recurring cost like maintenance developers or support. It will be paid until the software is end of life.
I was just describing what a symmetric cipher is to someone and completely forgot about block ciphers and that AES is symmetric. I'll be burning my copy of Applied Cryptography if anyone needs me.