Security Intelligence Archive
Deep technical analysis, threat research, and applied security engineering — from DEF CON 22 to the frontier of autonomous defense.
Featured Series
Project Butterfly of Damocles
A twelve-year retrospective on the open source supply chain attack surface — from DEF CON 22’s fairy dust to the Glasswing Doctrine. 10 episodes.
Morphogenetic SOC
Season 2 — bio-inspired autonomous security operations, zero-noise collective intelligence, and self-healing defense architectures. 9 episodes.
Autonomous AI SOC
Season 1 — energy-based anomaly detection, OODA loop automation, and the path to machine-speed security operations. 8 episodes.
Recent Posts
Why do Fortune 10 SOCs with 15 people outpace teams 10x their size? They've stopped using autoregressive LLMs for threat modeling, response,...
Cal.com's 2026 transition to a closed-source model was publicly framed as a response to AI-driven security threats. This case study decomposes the...
Migrating from /etc/network/interfaces to NetworkManager on Debian Trixie is a rite of passage. This lab walks through building a persistent Layer 2...
We assume signed code happens in CI/CD pipelines. We assume certificates live for days or weeks. We assume trust is verified once...
We've been thinking about API keys completely wrong. What if the most secure credential is one that literally can't exist for more...
Your Terraform state files contain the keys to your kingdom—database passwords, API tokens, private keys—all in one convenient JSON file. Yet most...
In a world where database credentials are the crown jewels attackers covet most, what if I told you there's a way to...
Your SSH keys are sitting on your laptop right now. What happens when your device gets compromised? The answer is scarier than...
We've been thinking about API keys all wrong. What if the secret to unbreakable authentication isn't stored anywhere at all?
We've been doing SSH authentication wrong for decades. What if I told you that your SSH keys, password managers, and even your...
We've spent decades building complex identity pipelines rooted in databases and HR software. What if the single source of truth for your...
Managing secrets across one cloud is hard. Managing them across two, synchronously, is a masterclass in distributed systems engineering.
We've all been there: another leaked API key, another compromised credential, another midnight emergency call. The traditional approach to cloud security—rotating passwords,...
We've all been there - juggling AWS access keys, rotating credentials quarterly, and praying that developer laptop that went missing last month...
We’ve all been there - juggling long-lived AWS access keys, managing OCI config files, and praying that the "secret" API token committed...
We've spent decades perfecting code correctness—yet some of the costliest failures come from agents doing exactly what we told them to do....
We talk about “trusting” AI models, but almost no one can prove how they were actually trained. zk-Autograd treats every gradient step...
We built a signing service that doesn't trust its own keys. Here's why that's the future of security.
In most LLM systems, someone has to trust someone else with raw prompts or weights. Mimir shows what happens when nobody is...
In the dynamic and ever-evolving realm of digital technology, the need for adaptability in combating cyber threats has never been more pronounced....
In the rapidly evolving digital landscape, where technology deeply permeates every facet of our lives, the importance of tech literacy and security...
In the rapidly evolving world of technology, a critical and often controversial issue stands at the forefront: the balance between robust security...
In an era where digital technology is not just a tool but a societal cornerstone, the concepts of democratic oversight in technology...
It was many and many a year ago, In a realm of digital glow, That the Cypherpunks came to know, A love...
I realized I needed to update the 2021 White House Executive Order …Improving the Nation’s Cybersecurity fundamentals outline. In order to scale...
In the fast-paced world of technological advancement, balancing innovation with regulation is a crucial challenge, especially in the field of security engineering....
I pulled some metrics from my threat intelligence sharing service to generate cute charts and graphs. If you want to keep up...
One would think to rotate their certificates months prior to expiration. Or even the bare minimum
When one takes a step back and looks at a typical agile build, test, and release pipeline with a security bent, one...
Pod hardening is strongly configured and enforced with Pod Security policies (PodSec). The security context makes it possible to restrict privileges, volume mounts,...
When we get into the specifics for containers, the challenge is that the detailed advice differs greatly between the different container technologies....
Within Kubernetes, networks are an interesting beast. They become extremely muddled
One will wish to replicate their Master node to minimize downtime events. These nodes will host the control plane building blocks
We sponsored a Kubernetes security review because of its popular adoption, glaring insecurities, insecure default states, the fact that it wasn’t designed to be secure, and...
As I work through the ecosystem, there is no evident, leading best practice.
This weekend will be ripe with opportunities for nginx exploit writing. Trying a new scheduler algorithm and Stensal's compiler against nginx's stable...
Let’s take a look at the simplest part of the previously documented multi-tenancy architecture
Sometimes, all it takes is cp and rsync. See the image below for an example.
Just when I thought every bit of value was squeezed from the systems, it is continuing to pull out indicators and APT...
How you go about hunting down malware on a macOS endpoint depends a great deal on what access you have to the...
Some of our keen readers may have noticed that if the size of userPass is less than 9, then overflow will still...
Even when validation is used, a common mistake is to use block lists. For example, an application will prevent symbols that are...
The number of user records exposed in the United States has been in the billions in 2016 and 2017. 2018 will likely...
Notice that the single quote in the name O’Brien is causing a syntax error. The SQL command processor considers the string ends...
Confidentiality is one of Information Security
It is heavy on the technical content but is entertaining if you spend the time understanding the language.
A friend took up a new InfoSec executive career path but didn't know how to start. She reached out to me and...
Recently penned by Peter, it is worth a read. Especially for those who are concerned about putting all of their eggs in...
One tool that has caught my interest is the Loki APT scanner
XSS vulnerability in thumb.php in Wikipedia Mediawiki
Thankfully, Naurus has produced a useful infographic to understand the variety of malicious entities. While it is not all inclusive, it suffices...
During Black Hat, BsidesLV, and Defcon, I ended up having a chat with Justin Seitz about his nifty OSINT automation. I decided...
This Thursday, seven research institutions will compete against each other. Unlike other typical hacker challenges, their automations will compete on their behalf....
Let this be a reminder of the joys in programming PHP
It will be interesting to watch the infection spread on Google Trends
I have been taking lessons learned from DARPA’s Cyber Grand Challenge and applying it to our automation
As taken from a dummy account, I wish more CTFs were set up like this. [#Polictf](https://twitter.com/search?q=%23Polictf) 2015
It should be noted that no ethically-trained software engineer would ever consent to write a DestroyBaghdad procedure
The image below shows the role confirmatory bias can play in social engineering exploits. Two situations are depicted. In the first, the...
If you haven't already, time to patch Redis. Otherwise, please set up authentication in front of your Redis instance. This remote code execution...
I have uploaded a new ElasticSearch honeypot dataset. It appears there are a few individuals who are attempting to exploit a few...
In 2013, when I last performed a secure code review on Node.JS, it did not look pretty.
I can’t tell you what makes a good Snapchat username. But what I can tell you is what makes a popular Snapchat...
RC4 has long been considered problematic, but until very recently there was no known way to exploit the weaknesses
When addressing potential incidents and applying best practice incident response procedures
The current list of open source critical infrastructure services vulnerability metrics I have released and / or made public
A great beta tool to check their AWS infrastructure and account against known AWS controls. Scout2
This vulnerability allows one to bypass weak XSS filtering
If you are just starting this phase, still in this phase, getting out of this phase, you gotta know
If you have ever used OpenSSL, please donate money to this worthy cause
I love standards. My blackhat persona says this makes it easy to break into systems
Within Chrome's V8 engine, this was an interesting double free vulnerability I uncovered. Thank you V8 team for accepting.
Background
the translated website pops out of Google Translate's iframe and redirects the user to a website or content of their choosing
I remember when Nuxi and I would create computationally compact compressed files and see which mail servers would attempt to inspect the...
I logged into Reddit this morning and observed Carberp
It is interesting to see Batik's parse double vulnerability exist to this day. Anyone want to crash Opera or popular, open source...
Sourcefire and snort vulnerabilities allow remote code execution
A bit back, I looked over Stavrou's USB smartphone paper, evil power station
I am seeing too much echo chamber, saber rattling, foolish dogma about agile SA
There are tools, security tools, and then there are cloud security tools. Especially in the realm of security orchestration. Many cloud snake...
There were two very simple Google Glass Mirror quickstart DoS and XSS vulnerabilities. The fixes have been introduced in changeset https
Jenny Murphy has some clean code. However, it isn't the most secure. The Google Glass team must be under an intense timeline....
For technical problems, one may struggle to define the specifications. When this happens, look at the behavioral design. Then one may find...
How many other file sharing services are affected by the inadvertent sharing of sensitive information
To significantly test a given XSS filter by specializing
Oh, Firesale WebPanel botnet. How entertaining it is to see you continue to raise your head over the years.... XSS Reflected
WOPR evolved and learned while playing against himself
I saw some code utilizing DPAPI. Given the research around MS's poor DPAPI implementation,
The present need for security products far exceeds the number of individuals capable of designing secure systems
After one has accomplished the scoping phase, then the team should move on to modeling. Due to the large amount of time...
It is a sad day when a PKI private key signing software is able to sign code on behalf of Microsoft. Especially...
Saturday, I noticed my application honeypot collected an interesting sample. The cracker took my bait and attempted to hack the planet via...
I received a lovely Google alert this weekend.
hope you have a gating process in your finance team which halts the ability to pay vendors without security approval...
In business process management, there is no defined starting point. The solutions are transposable, adaptive, and can be set into motion regardless...
I love programming in PHP. Fairly simple to learn, easy to code, plenty of tools available, and great community. However, due to...
Here is an academic exercise to create the Meltdown exploit prior to publication on Jan. 9th. To keep honest with my CISSP...
I was chatting with Alexander Peters and he mentioned an interesting statistic.
Management 101 - Negotiating: observe yourself negotiating. The more time one spends preparing is directly related to win
While finding innovative methods to visualize various web application insecurity practices, I came across a great visual aid. Enjoy. Credit
Full Archive 2026
