Ronnie Flathers (@ropnop)'s Twitter Profile
Ronnie Flathers

@ropnop

security engr, pentester, researcher. i sometimes blog and code based on motivation/caffeine levels. Principal Security Engineer @Marqeta

ID: 1924249165

Website: http://blog.ropnop.com | Joined: 01-10-2013 18:22:17

2.2K Tweets

5.5K Followers

911 Following

Dino A. Dai Zovi (@dinodaizovi)

This type of cross-tenant attack against Azure's Cosmos DB is a great example of why you should want client-side, app-layer encryption in your services so that your datastores primarily store ciphertext of any sensitive data: wiz.io/blog/chaosdb-h…

Ronnie Flathers (@ropnop)

My company is hiring for several security roles (appsec, privacy, cloudsec) if you're looking for a change! Awesome team and culture, and remote friendly. Come help me solve some really cool and interesting problems! Lmk if you wanna chat, DMs open: marqeta.com/company/career…

Dino A. Dai Zovi (@dinodaizovi)

It's great to see GCP include code examples for app-layer, client-side encryption for data stored in MySQL, including how to use the AAD in AEAD to prevent malicious replacement of ciphertexts: cloud.google.com/sql/docs/mysql…
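The AAD binding Dino refers to, as an added Go example that is not from the GCP docs or from anyone on this page: each column value is sealed with AES-GCM using the table, row id and column name as associated data, so a ciphertext copied into another row (or another column) fails authentication on decrypt instead of silently yielding someone else's plaintext. The key, table name and values are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// sampleKey is a constructed 32-byte demo key; in practice it comes from a KMS.
var sampleKey = []byte("0123456789abcdef0123456789abcdef")

// RowContext is the AAD: it ties a ciphertext to one table, row and column,
// so a ciphertext copied into another row or column fails to authenticate.
func RowContext(table, rowID, column string) []byte {
	return []byte(table + "\x00" + rowID + "\x00" + column)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag for plaintext under the given AAD.
func Seal(key, aad, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per value
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal; it fails when ciphertext, tag or AAD were altered.
func Open(key, aad, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("sealed value too short: %d bytes", len(sealed))
}

func main() {
	ct, _ := Seal(sampleKey, RowContext("customers", "42", "ssn"), []byte("123-45-6789"))
	_, err := Open(sampleKey, RowContext("customers", "7", "ssn"), ct) // planted in row 7
	fmt.Println("swapped ciphertext rejected:", err != nil)
}
```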

Ronnie Flathers (@ropnop)

Is there a term for something like “security through obscurity” but for just “redundant security”, or controls that look good at first glance but ultimately don’t solve anything? E.g. hashing passwords client side in a web app before sending over HTTPS to a server

Ronnie Flathers (@ropnop)

Before I go coding something new, has anyone used HashiCorp Vault's transit engine with ed25519 keys to output minisign-compatible signatures? Seems like a great plug-in or feature to have, but I'm pretty sure it wouldn't be too difficult to wrap the Vault API if I have to…

Ronnie Flathers (@ropnop)

Welp, that wasn't too hard. Minisign's spec is pretty easy to implement. Can now minisign things with ed25519 keys stored in Vault (and eventually other KMSs). Might open-source it if I can clean it up and generalize.

Ronnie Flathers (@ropnop)

Oh, this is neat! Seems like this will also lead to a better experience developing in a multi-module monorepo with needing something like Bazel.

Ronnie Flathers (@ropnop)

What's the current take on format-preserving encryption (FPE)? I'm not super familiar with it, but the more I research it, the more it seems like it's probably not the best idea unless you *really really* have to?

Ronnie Flathers (@ropnop)

So this is a bad/crazy idea, right? Maybe? I hacked together a valid OpenPGP entity that uses AWS KMS-backed signing and encryption keys. The idea was to use PGP without actually needing to handle key data or mess with gpg-agent/PKCS#11.

Ronnie Flathers (@ropnop)

Aloha LocoMocoSec: Hawaiʻi Security Conference 😎 so excited to be here - have wanted to attend this con for a long time! Really looking forward to learning a lot, talking prodsec and meeting new friends. Anyone else gonna be here? And can't wait to catch up with Patrick Thomas (@coffeetocode@infosec.exchange), been too long!

Ronnie Flathers (@ropnop)

100% the best group of attendees and conversations I've ever had at a con. So many great people, it was awesome meeting you all!

Clint Gibler (@clintgibler)

🚧 AWS Perimeter Mod for Steampipe

An AWS perimeter checking tool that can be used to look for resources that are:
* Publicly accessible
* Shared with untrusted accounts
* Have insecure network configurations
+ more

github.com/turbot/steampi…